authorgraysky2022-10-15 14:31:41 -0400
committergraysky2022-10-15 14:31:41 -0400
commit790af04c8a4b4cf39498b1a96528229e6704e695 (patch)
tree2df704e794c82905cb90042a6f887393e2678f70
parenteac1e41745ffa9f881f99deba886e2da1095dc8b (diff)
downloadaur-790af04c8a4b4cf39498b1a96528229e6704e695.tar.gz
Update to 6.0.2-1
-rw-r--r--.SRCINFO34
-rw-r--r--0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch4
-rw-r--r--0002-mm-vmscan-fix-extreme-overreclaim-and-swap-floods.patch4
-rw-r--r--0003-Bluetooth-fix-deadlock-for-RFCOMM-sk-state-change.patch4
-rw-r--r--0004-Arch-Linux-kernel-v6.0.2-arch1.patch25
-rw-r--r--0004-wifi-cfg80211-fix-u8-overflow-in-cfg80211_update_not.patch50
-rw-r--r--0005-wifi-cfg80211-mac80211-reject-bad-MBSSID-elements.patch59
-rw-r--r--0006-wifi-mac80211-fix-MBSSID-parsing-use-after-free.patch107
-rw-r--r--0007-wifi-cfg80211-ensure-length-byte-is-present-before-a.patch50
-rw-r--r--0008-wifi-cfg80211-fix-BSS-refcounting-bugs.patch96
-rw-r--r--0009-wifi-cfg80211-avoid-nontransmitted-BSS-list-corrupti.patch57
-rw-r--r--0010-wifi-mac80211_hwsim-avoid-mac80211-warning-on-bad-ra.patch40
-rw-r--r--0011-wifi-mac80211-fix-crash-in-beacon-protection-for-P2P.patch61
-rw-r--r--0012-wifi-cfg80211-update-hidden-BSSes-to-avoid-WARN_ON.patch94
-rw-r--r--PKGBUILD30
15 files changed, 45 insertions, 670 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 3a7d5ec6dae4..0bf30e490cc1 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,6 +1,6 @@
pkgbase = linux-ck
- pkgver = 6.0.1
- pkgrel = 2
+ pkgver = 6.0.2
+ pkgrel = 1
url = https://wiki.archlinux.org/index.php/Linux-ck
arch = x86_64
license = GPL2
@@ -11,42 +11,24 @@ pkgbase = linux-ck
makedepends = tar
makedepends = xz
options = !strip
- source = https://www.kernel.org/pub/linux/kernel/v6.x/linux-6.0.1.tar.xz
- source = https://www.kernel.org/pub/linux/kernel/v6.x/linux-6.0.1.tar.sign
+ source = https://www.kernel.org/pub/linux/kernel/v6.x/linux-6.0.2.tar.xz
+ source = https://www.kernel.org/pub/linux/kernel/v6.x/linux-6.0.2.tar.sign
source = config
source = more-uarches-20220315.tar.gz::https://github.com/graysky2/kernel_compiler_patch/archive/20220315.tar.gz
source = ck-hrtimer-5be918e798e2c2cc94fa7dd0f6f031921a4f7598.tar.gz::https://github.com/graysky2/linux-patches/archive/5be918e798e2c2cc94fa7dd0f6f031921a4f7598.tar.gz
source = 0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch
source = 0002-mm-vmscan-fix-extreme-overreclaim-and-swap-floods.patch
source = 0003-Bluetooth-fix-deadlock-for-RFCOMM-sk-state-change.patch
- source = 0004-wifi-cfg80211-fix-u8-overflow-in-cfg80211_update_not.patch
- source = 0005-wifi-cfg80211-mac80211-reject-bad-MBSSID-elements.patch
- source = 0006-wifi-mac80211-fix-MBSSID-parsing-use-after-free.patch
- source = 0007-wifi-cfg80211-ensure-length-byte-is-present-before-a.patch
- source = 0008-wifi-cfg80211-fix-BSS-refcounting-bugs.patch
- source = 0009-wifi-cfg80211-avoid-nontransmitted-BSS-list-corrupti.patch
- source = 0010-wifi-mac80211_hwsim-avoid-mac80211-warning-on-bad-ra.patch
- source = 0011-wifi-mac80211-fix-crash-in-beacon-protection-for-P2P.patch
- source = 0012-wifi-cfg80211-update-hidden-BSSes-to-avoid-WARN_ON.patch
validpgpkeys = ABAF11C65A2970B130ABE3C479BE3E4300411886
validpgpkeys = 647F28654894E3BD457199BE38DBBDC86092693E
- sha256sums = 8ede745a69351ea0f27fe0c48780d4efa37ff086135e129358ce09694957e8f9
+ sha256sums = a13c26388cacccb684cd9f51109596a280c8186b7e95174d31ee7c5718e95c9d
sha256sums = SKIP
sha256sums = 6ed43ed093ec7dcbbac286edc204873edfa77e380ac43c8cc2f40b2965ac1aa3
sha256sums = 5a29d172d442a3f31a402d7d306aaa292b0b5ea29139d05080a55e2425f48c5c
sha256sums = 85b197dbe033264925b4803b3c8907ed73b967061c098e269eacd5575d6da34b
- sha256sums = ef7a2c6f17b6a8aca10871003afa47c1dca17d56ca5a194062ebba6b9f6a24c9
- sha256sums = 6a51df34248c14c1a8af6aee404b6c788611da15659401867e8cea75b8d3dee2
- sha256sums = 4bd3fd1f025435429d1cdb1d4d70b30b957b8b2c0993f05e7d5cd459ed698ff6
- sha256sums = 675b4ed06c1f812b34cc08b50a5d4e0252e439670c600c8a7c203d04887c19f5
- sha256sums = 59afea6cef75bfa06e624123b49e03fb3ae7e47c5cc14f269aed053569381105
- sha256sums = 3d51b87761b2a6c8238222260cce44c3269df7d852512d58523509b10fa6e31b
- sha256sums = fc75fc3747a4d9d87aa8db1e7adeae7980d14af96d1ea40d081994c7be981359
- sha256sums = 01f0b2ebd3da6406f43ebbd775583b8b982d227e2c00eb3ce857dd101ddbbb84
- sha256sums = fe792302abc37bcfb8c55a200e68496f848a9ffb0183a3f56acb7125a782c881
- sha256sums = bf75dbfbfdcaef2b4732b33711ab9dcaec2533812ad8261def6594754e7b7122
- sha256sums = a8f83077419461dcc7733e4c386f8bac5bea179f464e6ec6dc00cbf220c5ea8e
- sha256sums = 9a477f560a74476d89a3e874fbddec8a1df242f5dac1e7a4f84bab2afad24789
+ sha256sums = 44da7179cd7ec2eb4a5e5b170a7f68bb1508a2e2694f943bf131bbd81dfddc8c
+ sha256sums = d6c9579937204568f3bb57b2f45c1f5aedb0596a9358a58bbbcd74dc8bad1735
+ sha256sums = 23254c5dd2006cf83a605bf39d575a5ff3f3bf647dff2902b4a8ed66358b8459
pkgname = linux-ck
pkgdesc = The Linux kernel and modules with ck's hrtimer patches
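Review bot: The source list on the new side of this hunk still ends at `source = 0003-Bluetooth-fix-deadlock-for-RFCOMM-sk-state-change.patch`, yet the commit adds `0004-Arch-Linux-kernel-v6.0.2-arch1.patch` as a new file and renumbers the three kept patches as `[PATCH n/4]`, so the new file gets no `sha256sums` entry, is not copied into srcdir by makepkg, and is presumably never applied; the PKGBUILD `source=(` hunk has the same omission. Either add `source = 0004-Arch-Linux-kernel-v6.0.2-arch1.patch` with a matching `sha256sums =` line, or remove the file from the tree if it is deliberately unused (it only sets `EXTRAVERSION = -arch1`, which linux-ck may not want). Since .SRCINFO is generated from PKGBUILD, the fix belongs in PKGBUILD's `source=(` array with .SRCINFO regenerated afterwards; whether prepare() applies patches by iterating `source[]` is outside the hunk, so I can't confirm the file is skipped rather than silently applied. The nine dropped wifi patches all carry `commit … upstream` stable trailers (CVE-2022-41674, CVE-2022-42719 through CVE-2022-42722), so they presumably landed in 6.0.2; stating that in the commit message would let readers verify the CVE coverage without diffing the stable tree.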
diff --git a/0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch b/0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch
index a014cb31cb96..b32154cdd7bd 100644
--- a/0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch
+++ b/0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch
@@ -1,7 +1,7 @@
-From b5ac0998149a1f64664c8869829f200cfb2ce2a5 Mon Sep 17 00:00:00 2001
+From 767b739b11e38223e147a890243923856b6bc9b9 Mon Sep 17 00:00:00 2001
From: "Jan Alexander Steffens (heftig)" <jan.steffens@gmail.com>
Date: Mon, 16 Sep 2019 04:53:20 +0200
-Subject: [PATCH 01/13] ZEN: Add sysctl and CONFIG to disallow unprivileged
+Subject: [PATCH 1/4] ZEN: Add sysctl and CONFIG to disallow unprivileged
CLONE_NEWUSER
Our default behavior continues to match the vanilla kernel.
diff --git a/0002-mm-vmscan-fix-extreme-overreclaim-and-swap-floods.patch b/0002-mm-vmscan-fix-extreme-overreclaim-and-swap-floods.patch
index d058449ac796..209ad61d2ed2 100644
--- a/0002-mm-vmscan-fix-extreme-overreclaim-and-swap-floods.patch
+++ b/0002-mm-vmscan-fix-extreme-overreclaim-and-swap-floods.patch
@@ -1,7 +1,7 @@
-From 2535fbde890f14c78b750139fcf87d1143850626 Mon Sep 17 00:00:00 2001
+From 53d3043700195a20fe3d308707e43b90b6bff0b1 Mon Sep 17 00:00:00 2001
From: Johannes Weiner <hannes@cmpxchg.org>
Date: Tue, 2 Aug 2022 12:28:11 -0400
-Subject: [PATCH 02/13] mm: vmscan: fix extreme overreclaim and swap floods
+Subject: [PATCH 2/4] mm: vmscan: fix extreme overreclaim and swap floods
During proactive reclaim, we sometimes observe severe overreclaim, with
several thousand times more pages reclaimed than requested.
diff --git a/0003-Bluetooth-fix-deadlock-for-RFCOMM-sk-state-change.patch b/0003-Bluetooth-fix-deadlock-for-RFCOMM-sk-state-change.patch
index cfaeb7a44543..e0850e65a544 100644
--- a/0003-Bluetooth-fix-deadlock-for-RFCOMM-sk-state-change.patch
+++ b/0003-Bluetooth-fix-deadlock-for-RFCOMM-sk-state-change.patch
@@ -1,7 +1,7 @@
-From 430daaab3c78de6bd82f10cfb5a0f016c6e583f6 Mon Sep 17 00:00:00 2001
+From f5f2d7131ea930f307fbbf101c93e2493821f687 Mon Sep 17 00:00:00 2001
From: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
Date: Mon, 4 Oct 2021 14:07:34 -0400
-Subject: [PATCH 03/13] Bluetooth: fix deadlock for RFCOMM sk state change
+Subject: [PATCH 3/4] Bluetooth: fix deadlock for RFCOMM sk state change
Syzbot reports the following task hang [1]:
diff --git a/0004-Arch-Linux-kernel-v6.0.2-arch1.patch b/0004-Arch-Linux-kernel-v6.0.2-arch1.patch
new file mode 100644
index 000000000000..8af808f6afae
--- /dev/null
+++ b/0004-Arch-Linux-kernel-v6.0.2-arch1.patch
@@ -0,0 +1,25 @@
+From 73f7ff22000ba10b3498c3e14858d67698ebf2c9 Mon Sep 17 00:00:00 2001
+From: "Jan Alexander Steffens (heftig)" <heftig@archlinux.org>
+Date: Sat, 15 Oct 2022 15:58:54 +0200
+Subject: [PATCH 4/4] Arch Linux kernel v6.0.2-arch1
+
+---
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile b/Makefile
+index aa449693ad09..5f72ddf03bb0 100644
+--- a/Makefile
++++ b/Makefile
+@@ -2,7 +2,7 @@
+ VERSION = 6
+ PATCHLEVEL = 0
+ SUBLEVEL = 2
+-EXTRAVERSION =
++EXTRAVERSION = -arch1
+ NAME = Hurr durr I'ma ninja sloth
+
+ # *DOCUMENTATION*
+--
+2.38.0
+
diff --git a/0004-wifi-cfg80211-fix-u8-overflow-in-cfg80211_update_not.patch b/0004-wifi-cfg80211-fix-u8-overflow-in-cfg80211_update_not.patch
deleted file mode 100644
index f944b77c058a..000000000000
--- a/0004-wifi-cfg80211-fix-u8-overflow-in-cfg80211_update_not.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 5e0bd0c090c9b39c05613f59baaf1b21f0dc16c3 Mon Sep 17 00:00:00 2001
-From: Johannes Berg <johannes.berg@intel.com>
-Date: Wed, 28 Sep 2022 21:56:15 +0200
-Subject: [PATCH 04/13] wifi: cfg80211: fix u8 overflow in
- cfg80211_update_notlisted_nontrans()
-
-commit aebe9f4639b13a1f4e9a6b42cdd2e38c617b442d upstream.
-
-In the copy code of the elements, we do the following calculation
-to reach the end of the MBSSID element:
-
- /* copy the IEs after MBSSID */
- cpy_len = mbssid[1] + 2;
-
-This looks fine, however, cpy_len is a u8, the same as mbssid[1],
-so the addition of two can overflow. In this case the subsequent
-memcpy() will overflow the allocated buffer, since it copies 256
-bytes too much due to the way the allocation and memcpy() sizes
-are calculated.
-
-Fix this by using size_t for the cpy_len variable.
-
-This fixes CVE-2022-41674.
-
-Reported-by: Soenke Huster <shuster@seemoo.tu-darmstadt.de>
-Tested-by: Soenke Huster <shuster@seemoo.tu-darmstadt.de>
-Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
-Reviewed-by: Kees Cook <keescook@chromium.org>
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/wireless/scan.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/net/wireless/scan.c b/net/wireless/scan.c
-index 0134e5d5c81a..f59bfc09ca60 100644
---- a/net/wireless/scan.c
-+++ b/net/wireless/scan.c
-@@ -2279,7 +2279,7 @@ cfg80211_update_notlisted_nontrans(struct wiphy *wiphy,
- size_t new_ie_len;
- struct cfg80211_bss_ies *new_ies;
- const struct cfg80211_bss_ies *old;
-- u8 cpy_len;
-+ size_t cpy_len;
-
- lockdep_assert_held(&wiphy_to_rdev(wiphy)->bss_lock);
-
---
-2.38.0
-
diff --git a/0005-wifi-cfg80211-mac80211-reject-bad-MBSSID-elements.patch b/0005-wifi-cfg80211-mac80211-reject-bad-MBSSID-elements.patch
deleted file mode 100644
index fa3db444f5b6..000000000000
--- a/0005-wifi-cfg80211-mac80211-reject-bad-MBSSID-elements.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From 8493abdd8f425b7940001fe0324e63b207c90f56 Mon Sep 17 00:00:00 2001
-From: Johannes Berg <johannes.berg@intel.com>
-Date: Wed, 28 Sep 2022 22:01:37 +0200
-Subject: [PATCH 05/13] wifi: cfg80211/mac80211: reject bad MBSSID elements
-
-commit 8f033d2becc24aa6bfd2a5c104407963560caabc upstream.
-
-Per spec, the maximum value for the MaxBSSID ('n') indicator is 8,
-and the minimum is 1 since a multiple BSSID set with just one BSSID
-doesn't make sense (the # of BSSIDs is limited by 2^n).
-
-Limit this in the parsing in both cfg80211 and mac80211, rejecting
-any elements with an invalid value.
-
-This fixes potentially bad shifts in the processing of these inside
-the cfg80211_gen_new_bssid() function later.
-
-I found this during the investigation of CVE-2022-41674 fixed by the
-previous patch.
-
-Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
-Fixes: 78ac51f81532 ("mac80211: support multi-bssid")
-Reviewed-by: Kees Cook <keescook@chromium.org>
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/mac80211/util.c | 2 ++
- net/wireless/scan.c | 2 ++
- 2 files changed, 4 insertions(+)
-
-diff --git a/net/mac80211/util.c b/net/mac80211/util.c
-index efcefb2dd882..3d097386b2b9 100644
---- a/net/mac80211/util.c
-+++ b/net/mac80211/util.c
-@@ -1442,6 +1442,8 @@ static size_t ieee802_11_find_bssid_profile(const u8 *start, size_t len,
- for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, start, len) {
- if (elem->datalen < 2)
- continue;
-+ if (elem->data[0] < 1 || elem->data[0] > 8)
-+ continue;
-
- for_each_element(sub, elem->data + 1, elem->datalen - 1) {
- u8 new_bssid[ETH_ALEN];
-diff --git a/net/wireless/scan.c b/net/wireless/scan.c
-index f59bfc09ca60..bce44485374d 100644
---- a/net/wireless/scan.c
-+++ b/net/wireless/scan.c
-@@ -2143,6 +2143,8 @@ static void cfg80211_parse_mbssid_data(struct wiphy *wiphy,
- for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, ie, ielen) {
- if (elem->datalen < 4)
- continue;
-+ if (elem->data[0] < 1 || (int)elem->data[0] > 8)
-+ continue;
- for_each_element(sub, elem->data + 1, elem->datalen - 1) {
- u8 profile_len;
-
---
-2.38.0
-
diff --git a/0006-wifi-mac80211-fix-MBSSID-parsing-use-after-free.patch b/0006-wifi-mac80211-fix-MBSSID-parsing-use-after-free.patch
deleted file mode 100644
index 298ab5a7ef95..000000000000
--- a/0006-wifi-mac80211-fix-MBSSID-parsing-use-after-free.patch
+++ /dev/null
@@ -1,107 +0,0 @@
-From 384bd01f765209d69225481340a19707553ccf45 Mon Sep 17 00:00:00 2001
-From: Johannes Berg <johannes.berg@intel.com>
-Date: Wed, 28 Sep 2022 22:07:15 +0200
-Subject: [PATCH 06/13] wifi: mac80211: fix MBSSID parsing use-after-free
-
-commit ff05d4b45dd89b922578dac497dcabf57cf771c6 upstream.
-
-When we parse a multi-BSSID element, we might point some
-element pointers into the allocated nontransmitted_profile.
-However, we free this before returning, causing UAF when the
-relevant pointers in the parsed elements are accessed.
-
-Fix this by not allocating the scratch buffer separately but
-as part of the returned structure instead, that way, there
-are no lifetime issues with it.
-
-The scratch buffer introduction as part of the returned data
-here is taken from MLO feature work done by Ilan.
-
-This fixes CVE-2022-42719.
-
-Fixes: 5023b14cf4df ("mac80211: support profile split between elements")
-Co-developed-by: Ilan Peer <ilan.peer@intel.com>
-Signed-off-by: Ilan Peer <ilan.peer@intel.com>
-Reviewed-by: Kees Cook <keescook@chromium.org>
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/mac80211/ieee80211_i.h | 8 ++++++++
- net/mac80211/util.c | 30 +++++++++++++++---------------
- 2 files changed, 23 insertions(+), 15 deletions(-)
-
-diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
-index e192e1ec0261..9583643b7033 100644
---- a/net/mac80211/ieee80211_i.h
-+++ b/net/mac80211/ieee80211_i.h
-@@ -1704,6 +1704,14 @@ struct ieee802_11_elems {
-
- /* whether a parse error occurred while retrieving these elements */
- bool parse_error;
-+
-+ /*
-+ * scratch buffer that can be used for various element parsing related
-+ * tasks, e.g., element de-fragmentation etc.
-+ */
-+ size_t scratch_len;
-+ u8 *scratch_pos;
-+ u8 scratch[];
- };
-
- static inline struct ieee80211_local *hw_to_local(
-diff --git a/net/mac80211/util.c b/net/mac80211/util.c
-index 3d097386b2b9..4fc3d545e666 100644
---- a/net/mac80211/util.c
-+++ b/net/mac80211/util.c
-@@ -1503,24 +1503,26 @@ ieee802_11_parse_elems_full(struct ieee80211_elems_parse_params *params)
- const struct element *non_inherit = NULL;
- u8 *nontransmitted_profile;
- int nontransmitted_profile_len = 0;
-+ size_t scratch_len = params->len;
-
-- elems = kzalloc(sizeof(*elems), GFP_ATOMIC);
-+ elems = kzalloc(sizeof(*elems) + scratch_len, GFP_ATOMIC);
- if (!elems)
- return NULL;
- elems->ie_start = params->start;
- elems->total_len = params->len;
--
-- nontransmitted_profile = kmalloc(params->len, GFP_ATOMIC);
-- if (nontransmitted_profile) {
-- nontransmitted_profile_len =
-- ieee802_11_find_bssid_profile(params->start, params->len,
-- elems, params->bss,
-- nontransmitted_profile);
-- non_inherit =
-- cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
-- nontransmitted_profile,
-- nontransmitted_profile_len);
-- }
-+ elems->scratch_len = scratch_len;
-+ elems->scratch_pos = elems->scratch;
-+
-+ nontransmitted_profile = elems->scratch_pos;
-+ nontransmitted_profile_len =
-+ ieee802_11_find_bssid_profile(params->start, params->len,
-+ elems, params->bss,
-+ nontransmitted_profile);
-+ elems->scratch_pos += nontransmitted_profile_len;
-+ elems->scratch_len -= nontransmitted_profile_len;
-+ non_inherit = cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
-+ nontransmitted_profile,
-+ nontransmitted_profile_len);
-
- elems->crc = _ieee802_11_parse_elems_full(params, elems, non_inherit);
-
-@@ -1554,8 +1556,6 @@ ieee802_11_parse_elems_full(struct ieee80211_elems_parse_params *params)
- offsetofend(struct ieee80211_bssid_index, dtim_count))
- elems->dtim_count = elems->bssid_index->dtim_count;
-
-- kfree(nontransmitted_profile);
--
- return elems;
- }
-
---
-2.38.0
-
diff --git a/0007-wifi-cfg80211-ensure-length-byte-is-present-before-a.patch b/0007-wifi-cfg80211-ensure-length-byte-is-present-before-a.patch
deleted file mode 100644
index 3c93f6a4c898..000000000000
--- a/0007-wifi-cfg80211-ensure-length-byte-is-present-before-a.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From e0cf328c54cd10bd4e8a24527e906b313c844468 Mon Sep 17 00:00:00 2001
-From: Johannes Berg <johannes.berg@intel.com>
-Date: Thu, 29 Sep 2022 21:50:44 +0200
-Subject: [PATCH 07/13] wifi: cfg80211: ensure length byte is present before
- access
-
-commit 567e14e39e8f8c6997a1378bc3be615afca86063 upstream.
-
-When iterating the elements here, ensure the length byte is
-present before checking it to see if the entire element will
-fit into the buffer.
-
-Longer term, we should rewrite this code using the type-safe
-element iteration macros that check all of this.
-
-Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
-Reported-by: Soenke Huster <shuster@seemoo.tu-darmstadt.de>
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/wireless/scan.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/net/wireless/scan.c b/net/wireless/scan.c
-index bce44485374d..fa7d94f505b0 100644
---- a/net/wireless/scan.c
-+++ b/net/wireless/scan.c
-@@ -304,7 +304,8 @@ static size_t cfg80211_gen_new_ie(const u8 *ie, size_t ielen,
- tmp_old = cfg80211_find_ie(WLAN_EID_SSID, ie, ielen);
- tmp_old = (tmp_old) ? tmp_old + tmp_old[1] + 2 : ie;
-
-- while (tmp_old + tmp_old[1] + 2 - ie <= ielen) {
-+ while (tmp_old + 2 - ie <= ielen &&
-+ tmp_old + tmp_old[1] + 2 - ie <= ielen) {
- if (tmp_old[0] == 0) {
- tmp_old++;
- continue;
-@@ -364,7 +365,8 @@ static size_t cfg80211_gen_new_ie(const u8 *ie, size_t ielen,
- * copied to new ie, skip ssid, capability, bssid-index ie
- */
- tmp_new = sub_copy;
-- while (tmp_new + tmp_new[1] + 2 - sub_copy <= subie_len) {
-+ while (tmp_new + 2 - sub_copy <= subie_len &&
-+ tmp_new + tmp_new[1] + 2 - sub_copy <= subie_len) {
- if (!(tmp_new[0] == WLAN_EID_NON_TX_BSSID_CAP ||
- tmp_new[0] == WLAN_EID_SSID)) {
- memcpy(pos, tmp_new, tmp_new[1] + 2);
---
-2.38.0
-
diff --git a/0008-wifi-cfg80211-fix-BSS-refcounting-bugs.patch b/0008-wifi-cfg80211-fix-BSS-refcounting-bugs.patch
deleted file mode 100644
index 642f295fb2bf..000000000000
--- a/0008-wifi-cfg80211-fix-BSS-refcounting-bugs.patch
+++ /dev/null
@@ -1,96 +0,0 @@
-From 2cb3d7db56158ac04ae96f11b8839ebb71387884 Mon Sep 17 00:00:00 2001
-From: Johannes Berg <johannes.berg@intel.com>
-Date: Fri, 30 Sep 2022 23:44:23 +0200
-Subject: [PATCH 08/13] wifi: cfg80211: fix BSS refcounting bugs
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-commit 0b7808818cb9df6680f98996b8e9a439fa7bcc2f upstream.
-
-There are multiple refcounting bugs related to multi-BSSID:
- - In bss_ref_get(), if the BSS has a hidden_beacon_bss, then
- the bss pointer is overwritten before checking for the
- transmitted BSS, which is clearly wrong. Fix this by using
- the bss_from_pub() macro.
-
- - In cfg80211_bss_update() we copy the transmitted_bss pointer
- from tmp into new, but then if we release new, we'll unref
- it erroneously. We already set the pointer and ref it, but
- need to NULL it since it was copied from the tmp data.
-
- - In cfg80211_inform_single_bss_data(), if adding to the non-
- transmitted list fails, we unlink the BSS and yet still we
- return it, but this results in returning an entry without
- a reference. We shouldn't return it anyway if it was broken
- enough to not get added there.
-
-This fixes CVE-2022-42720.
-
-Reported-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
-Tested-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
-Fixes: a3584f56de1c ("cfg80211: Properly track transmitting and non-transmitting BSS")
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/wireless/scan.c | 27 ++++++++++++++-------------
- 1 file changed, 14 insertions(+), 13 deletions(-)
-
-diff --git a/net/wireless/scan.c b/net/wireless/scan.c
-index fa7d94f505b0..56a876b15598 100644
---- a/net/wireless/scan.c
-+++ b/net/wireless/scan.c
-@@ -143,18 +143,12 @@ static inline void bss_ref_get(struct cfg80211_registered_device *rdev,
- lockdep_assert_held(&rdev->bss_lock);
-
- bss->refcount++;
-- if (bss->pub.hidden_beacon_bss) {
-- bss = container_of(bss->pub.hidden_beacon_bss,
-- struct cfg80211_internal_bss,
-- pub);
-- bss->refcount++;
-- }
-- if (bss->pub.transmitted_bss) {
-- bss = container_of(bss->pub.transmitted_bss,
-- struct cfg80211_internal_bss,
-- pub);
-- bss->refcount++;
-- }
-+
-+ if (bss->pub.hidden_beacon_bss)
-+ bss_from_pub(bss->pub.hidden_beacon_bss)->refcount++;
-+
-+ if (bss->pub.transmitted_bss)
-+ bss_from_pub(bss->pub.transmitted_bss)->refcount++;
- }
-
- static inline void bss_ref_put(struct cfg80211_registered_device *rdev,
-@@ -1741,6 +1735,8 @@ cfg80211_bss_update(struct cfg80211_registered_device *rdev,
- new->refcount = 1;
- INIT_LIST_HEAD(&new->hidden_list);
- INIT_LIST_HEAD(&new->pub.nontrans_list);
-+ /* we'll set this later if it was non-NULL */
-+ new->pub.transmitted_bss = NULL;
-
- if (rcu_access_pointer(tmp->pub.proberesp_ies)) {
- hidden = rb_find_bss(rdev, tmp, BSS_CMP_HIDE_ZLEN);
-@@ -2023,10 +2019,15 @@ cfg80211_inform_single_bss_data(struct wiphy *wiphy,
- spin_lock_bh(&rdev->bss_lock);
- if (cfg80211_add_nontrans_list(non_tx_data->tx_bss,
- &res->pub)) {
-- if (__cfg80211_unlink_bss(rdev, res))
-+ if (__cfg80211_unlink_bss(rdev, res)) {
- rdev->bss_generation++;
-+ res = NULL;
-+ }
- }
- spin_unlock_bh(&rdev->bss_lock);
-+
-+ if (!res)
-+ return NULL;
- }
-
- trace_cfg80211_return_bss(&res->pub);
---
-2.38.0
-
diff --git a/0009-wifi-cfg80211-avoid-nontransmitted-BSS-list-corrupti.patch b/0009-wifi-cfg80211-avoid-nontransmitted-BSS-list-corrupti.patch
deleted file mode 100644
index f776ae1f3bde..000000000000
--- a/0009-wifi-cfg80211-avoid-nontransmitted-BSS-list-corrupti.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From d6eee5062ee22666776128a759f4ae1c7fda975e Mon Sep 17 00:00:00 2001
-From: Johannes Berg <johannes.berg@intel.com>
-Date: Sat, 1 Oct 2022 00:01:44 +0200
-Subject: [PATCH 09/13] wifi: cfg80211: avoid nontransmitted BSS list
- corruption
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-commit bcca852027e5878aec911a347407ecc88d6fff7f upstream.
-
-If a non-transmitted BSS shares enough information (both
-SSID and BSSID!) with another non-transmitted BSS of a
-different AP, then we can find and update it, and then
-try to add it to the non-transmitted BSS list. We do a
-search for it on the transmitted BSS, but if it's not
-there (but belongs to another transmitted BSS), the list
-gets corrupted.
-
-Since this is an erroneous situation, simply fail the
-list insertion in this case and free the non-transmitted
-BSS.
-
-This fixes CVE-2022-42721.
-
-Reported-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
-Tested-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
-Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/wireless/scan.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/net/wireless/scan.c b/net/wireless/scan.c
-index 56a876b15598..a12c30ad9e5a 100644
---- a/net/wireless/scan.c
-+++ b/net/wireless/scan.c
-@@ -423,6 +423,15 @@ cfg80211_add_nontrans_list(struct cfg80211_bss *trans_bss,
-
- rcu_read_unlock();
-
-+ /*
-+ * This is a bit weird - it's not on the list, but already on another
-+ * one! The only way that could happen is if there's some BSSID/SSID
-+ * shared by multiple APs in their multi-BSSID profiles, potentially
-+ * with hidden SSID mixed in ... ignore it.
-+ */
-+ if (!list_empty(&nontrans_bss->nontrans_list))
-+ return -EINVAL;
-+
- /* add to the list */
- list_add_tail(&nontrans_bss->nontrans_list, &trans_bss->nontrans_list);
- return 0;
---
-2.38.0
-
diff --git a/0010-wifi-mac80211_hwsim-avoid-mac80211-warning-on-bad-ra.patch b/0010-wifi-mac80211_hwsim-avoid-mac80211-warning-on-bad-ra.patch
deleted file mode 100644
index cc74abec1f9a..000000000000
--- a/0010-wifi-mac80211_hwsim-avoid-mac80211-warning-on-bad-ra.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From dffea9220217da59cb0621d7291708255e059699 Mon Sep 17 00:00:00 2001
-From: Johannes Berg <johannes.berg@intel.com>
-Date: Wed, 5 Oct 2022 15:10:09 +0200
-Subject: [PATCH 10/13] wifi: mac80211_hwsim: avoid mac80211 warning on bad
- rate
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-commit 1833b6f46d7e2830251a063935ab464256defe22 upstream.
-
-If the tool on the other side (e.g. wmediumd) gets confused
-about the rate, we hit a warning in mac80211. Silence that
-by effectively duplicating the check here and dropping the
-frame silently (in mac80211 it's dropped with the warning).
-
-Reported-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
-Tested-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/net/wireless/mac80211_hwsim.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
-index 1f301a5fb396..ee34814bd12b 100644
---- a/drivers/net/wireless/mac80211_hwsim.c
-+++ b/drivers/net/wireless/mac80211_hwsim.c
-@@ -4526,6 +4526,8 @@ static int hwsim_cloned_frame_received_nl(struct sk_buff *skb_2,
-
- rx_status.band = channel->band;
- rx_status.rate_idx = nla_get_u32(info->attrs[HWSIM_ATTR_RX_RATE]);
-+ if (rx_status.rate_idx >= data2->hw->wiphy->bands[rx_status.band]->n_bitrates)
-+ goto out;
- rx_status.signal = nla_get_u32(info->attrs[HWSIM_ATTR_SIGNAL]);
-
- hdr = (void *)skb->data;
---
-2.38.0
-
diff --git a/0011-wifi-mac80211-fix-crash-in-beacon-protection-for-P2P.patch b/0011-wifi-mac80211-fix-crash-in-beacon-protection-for-P2P.patch
deleted file mode 100644
index 121488cd0707..000000000000
--- a/0011-wifi-mac80211-fix-crash-in-beacon-protection-for-P2P.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From 4ac9b9177145094ee165fa8e35172df4e1611139 Mon Sep 17 00:00:00 2001
-From: Johannes Berg <johannes.berg@intel.com>
-Date: Wed, 5 Oct 2022 21:24:10 +0200
-Subject: [PATCH 11/13] wifi: mac80211: fix crash in beacon protection for
- P2P-device
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-commit b2d03cabe2b2e150ff5a381731ea0355459be09f upstream.
-
-If beacon protection is active but the beacon cannot be
-decrypted or is otherwise malformed, we call the cfg80211
-API to report this to userspace, but that uses a netdev
-pointer, which isn't present for P2P-Device. Fix this to
-call it only conditionally to ensure cfg80211 won't crash
-in the case of P2P-Device.
-
-This fixes CVE-2022-42722.
-
-Reported-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
-Fixes: 9eaf183af741 ("mac80211: Report beacon protection failures to user space")
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/mac80211/rx.c | 12 +++++++-----
- 1 file changed, 7 insertions(+), 5 deletions(-)
-
-diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
-index 45d7e71661e3..211de01bf615 100644
---- a/net/mac80211/rx.c
-+++ b/net/mac80211/rx.c
-@@ -1967,10 +1967,11 @@ ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
-
- if (mmie_keyidx < NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS ||
- mmie_keyidx >= NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS +
-- NUM_DEFAULT_BEACON_KEYS) {
-- cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
-- skb->data,
-- skb->len);
-+ NUM_DEFAULT_BEACON_KEYS) {
-+ if (rx->sdata->dev)
-+ cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
-+ skb->data,
-+ skb->len);
- return RX_DROP_MONITOR; /* unexpected BIP keyidx */
- }
-
-@@ -2121,7 +2122,8 @@ ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
- /* either the frame has been decrypted or will be dropped */
- status->flag |= RX_FLAG_DECRYPTED;
-
-- if (unlikely(ieee80211_is_beacon(fc) && result == RX_DROP_UNUSABLE))
-+ if (unlikely(ieee80211_is_beacon(fc) && result == RX_DROP_UNUSABLE &&
-+ rx->sdata->dev))
- cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
- skb->data, skb->len);
-
---
-2.38.0
-
diff --git a/0012-wifi-cfg80211-update-hidden-BSSes-to-avoid-WARN_ON.patch b/0012-wifi-cfg80211-update-hidden-BSSes-to-avoid-WARN_ON.patch
deleted file mode 100644
index 1442bba20f91..000000000000
--- a/0012-wifi-cfg80211-update-hidden-BSSes-to-avoid-WARN_ON.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-From 83f0bb0a1c9ad62891443a68a81a5f70abc3964c Mon Sep 17 00:00:00 2001
-From: Johannes Berg <johannes.berg@intel.com>
-Date: Wed, 5 Oct 2022 23:11:43 +0200
-Subject: [PATCH 12/13] wifi: cfg80211: update hidden BSSes to avoid WARN_ON
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-commit c90b93b5b782891ebfda49d4e5da36632fefd5d1 upstream.
-
-When updating beacon elements in a non-transmitted BSS,
-also update the hidden sub-entries to the same beacon
-elements, so that a future update through other paths
-won't trigger a WARN_ON().
-
-The warning is triggered because the beacon elements in
-the hidden BSSes that are children of the BSS should
-always be the same as in the parent.
-
-Reported-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
-Tested-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
-Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/wireless/scan.c | 31 ++++++++++++++++++++-----------
- 1 file changed, 20 insertions(+), 11 deletions(-)
-
-diff --git a/net/wireless/scan.c b/net/wireless/scan.c
-index a12c30ad9e5a..39fb9cc25cdc 100644
---- a/net/wireless/scan.c
-+++ b/net/wireless/scan.c
-@@ -1607,6 +1607,23 @@ struct cfg80211_non_tx_bss {
- u8 bssid_index;
- };
-
-+static void cfg80211_update_hidden_bsses(struct cfg80211_internal_bss *known,
-+ const struct cfg80211_bss_ies *new_ies,
-+ const struct cfg80211_bss_ies *old_ies)
-+{
-+ struct cfg80211_internal_bss *bss;
-+
-+ /* Assign beacon IEs to all sub entries */
-+ list_for_each_entry(bss, &known->hidden_list, hidden_list) {
-+ const struct cfg80211_bss_ies *ies;
-+
-+ ies = rcu_access_pointer(bss->pub.beacon_ies);
-+ WARN_ON(ies != old_ies);
-+
-+ rcu_assign_pointer(bss->pub.beacon_ies, new_ies);
-+ }
-+}
-+
- static bool
- cfg80211_update_known_bss(struct cfg80211_registered_device *rdev,
- struct cfg80211_internal_bss *known,
-@@ -1630,7 +1647,6 @@ cfg80211_update_known_bss(struct cfg80211_registered_device *rdev,
- kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head);
- } else if (rcu_access_pointer(new->pub.beacon_ies)) {
- const struct cfg80211_bss_ies *old;
-- struct cfg80211_internal_bss *bss;
-
- if (known->pub.hidden_beacon_bss &&
- !list_empty(&known->hidden_list)) {
-@@ -1658,16 +1674,7 @@ cfg80211_update_known_bss(struct cfg80211_registered_device *rdev,
- if (old == rcu_access_pointer(known->pub.ies))
- rcu_assign_pointer(known->pub.ies, new->pub.beacon_ies);
-
-- /* Assign beacon IEs to all sub entries */
-- list_for_each_entry(bss, &known->hidden_list, hidden_list) {
-- const struct cfg80211_bss_ies *ies;
--
-- ies = rcu_access_pointer(bss->pub.beacon_ies);
-- WARN_ON(ies != old);
--
-- rcu_assign_pointer(bss->pub.beacon_ies,
-- new->pub.beacon_ies);
-- }
-+ cfg80211_update_hidden_bsses(known, new->pub.beacon_ies, old);
-
- if (old)
- kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head);
-@@ -2360,6 +2367,8 @@ cfg80211_update_notlisted_nontrans(struct wiphy *wiphy,
- } else {
- old = rcu_access_pointer(nontrans_bss->beacon_ies);
- rcu_assign_pointer(nontrans_bss->beacon_ies, new_ies);
-+ cfg80211_update_hidden_bsses(bss_from_pub(nontrans_bss),
-+ new_ies, old);
- rcu_assign_pointer(nontrans_bss->ies, new_ies);
- if (old)
- kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head);
---
-2.38.0
-
diff --git a/PKGBUILD b/PKGBUILD
index 2e9d01c8b297..b601943e026f 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -68,8 +68,8 @@ _subarch=
### IMPORTANT: Do no edit below this line unless you know what you're doing
pkgbase=linux-ck
-pkgver=6.0.1
-pkgrel=2
+pkgver=6.0.2
+pkgrel=1
arch=(x86_64)
url="https://wiki.archlinux.org/index.php/Linux-ck"
license=(GPL2)
@@ -93,37 +93,19 @@ source=(
0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch
0002-mm-vmscan-fix-extreme-overreclaim-and-swap-floods.patch
0003-Bluetooth-fix-deadlock-for-RFCOMM-sk-state-change.patch
- 0004-wifi-cfg80211-fix-u8-overflow-in-cfg80211_update_not.patch
- 0005-wifi-cfg80211-mac80211-reject-bad-MBSSID-elements.patch
- 0006-wifi-mac80211-fix-MBSSID-parsing-use-after-free.patch
- 0007-wifi-cfg80211-ensure-length-byte-is-present-before-a.patch
- 0008-wifi-cfg80211-fix-BSS-refcounting-bugs.patch
- 0009-wifi-cfg80211-avoid-nontransmitted-BSS-list-corrupti.patch
- 0010-wifi-mac80211_hwsim-avoid-mac80211-warning-on-bad-ra.patch
- 0011-wifi-mac80211-fix-crash-in-beacon-protection-for-P2P.patch
- 0012-wifi-cfg80211-update-hidden-BSSes-to-avoid-WARN_ON.patch
)
validpgpkeys=(
'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds
'647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman
)
-sha256sums=('8ede745a69351ea0f27fe0c48780d4efa37ff086135e129358ce09694957e8f9'
+sha256sums=('a13c26388cacccb684cd9f51109596a280c8186b7e95174d31ee7c5718e95c9d'
'SKIP'
'6ed43ed093ec7dcbbac286edc204873edfa77e380ac43c8cc2f40b2965ac1aa3'
'5a29d172d442a3f31a402d7d306aaa292b0b5ea29139d05080a55e2425f48c5c'
'85b197dbe033264925b4803b3c8907ed73b967061c098e269eacd5575d6da34b'
- 'ef7a2c6f17b6a8aca10871003afa47c1dca17d56ca5a194062ebba6b9f6a24c9'
- '6a51df34248c14c1a8af6aee404b6c788611da15659401867e8cea75b8d3dee2'
- '4bd3fd1f025435429d1cdb1d4d70b30b957b8b2c0993f05e7d5cd459ed698ff6'
- '675b4ed06c1f812b34cc08b50a5d4e0252e439670c600c8a7c203d04887c19f5'
- '59afea6cef75bfa06e624123b49e03fb3ae7e47c5cc14f269aed053569381105'
- '3d51b87761b2a6c8238222260cce44c3269df7d852512d58523509b10fa6e31b'
- 'fc75fc3747a4d9d87aa8db1e7adeae7980d14af96d1ea40d081994c7be981359'
- '01f0b2ebd3da6406f43ebbd775583b8b982d227e2c00eb3ce857dd101ddbbb84'
- 'fe792302abc37bcfb8c55a200e68496f848a9ffb0183a3f56acb7125a782c881'
- 'bf75dbfbfdcaef2b4732b33711ab9dcaec2533812ad8261def6594754e7b7122'
- 'a8f83077419461dcc7733e4c386f8bac5bea179f464e6ec6dc00cbf220c5ea8e'
- '9a477f560a74476d89a3e874fbddec8a1df242f5dac1e7a4f84bab2afad24789')
+ '44da7179cd7ec2eb4a5e5b170a7f68bb1508a2e2694f943bf131bbd81dfddc8c'
+ 'd6c9579937204568f3bb57b2f45c1f5aedb0596a9358a58bbbcd74dc8bad1735'
+ '23254c5dd2006cf83a605bf39d575a5ff3f3bf647dff2902b4a8ed66358b8459')
prepare() {
cd linux-${pkgver}