Skip to content
Snippets Groups Projects
Select Git revision
  • 6.6/linux default protected
  • lts-pre-prod-v5.15.161-android_u-cve-241018T060950Z
  • lts-v5.15.161-android_t-cve-241017T225452Z
  • lts-pre-prod-v5.15.161-android_u-241018T060950Z
  • lts-v5.15.161-android_t-241017T225452Z
  • lts-v6.6.53-rt44-preempt-rt-241016T031527Z
  • lts-v6.6.53-linux-241016T015643Z
  • lts-v6.6.53-linux-cve-241016T015643Z
  • lts-v6.6.52-rt43-preempt-rt-241011T142630Z
  • lts-v6.6.52-linux-241011T090312Z
  • lts-v6.6.52-linux-cve-241011T090312Z
  • lts-pre-prod-v5.15.161-android_u-cve-241009T230053Z
  • lts-v6.6.50-rt42-preempt-rt-241002T180333Z
  • lts-v5.15.161-android_t-cve-240930T120437Z
  • lts-v6.6.50-linux-240930T011355Z
  • lts-v6.6.50-linux-cve-240930T011355Z
  • lts-pre-prod-v5.15.161-android_u-241009T230053Z
  • lts-v5.15.161-android_t-240930T120437Z
  • lts-v6.6.50-rt42-preempt-rt-240925T173613Z
  • lts-v6.6.50-linux-240925T091328Z
  • lts-v6.6.50-linux-cve-240925T091328Z
21 results
Search by author
  • Any Author
  • Nicola Sparnacci Nicola Sparnacci nicola.sparnacci
1 author
  1. Nov 19, 2021
  3. Oct 25, 2021
  5. Sep 27, 2021
  7. Jun 23, 2021
  9. Jun 09, 2021
  11. Apr 27, 2021
    • Johannes Berg's avatar
      cfg80211: fix locking in netlink owner interface destruction · ea6b2098
      Johannes Berg authored 
      Harald Arnesen reported [1] a deadlock at reboot time, and after
he captured a stack trace a picture developed of what's going on:

The distribution he's using is using iwd (not wpa_supplicant) to
manage wireless. iwd will usually use the "socket owner" option
when it creates new interfaces, so that they're automatically
destroyed when it quits (unexpectedly or otherwise). This is also
done by wpa_supplicant, but it doesn't do it for the normal one,
only for additional ones, which is different with iwd.

Anyway, during shutdown, iwd quits while the netdev is still UP,
i.e. IFF_UP is set. This causes the stack trace that Linus so
nicely transcribed from the pictures:

cfg80211_destroy_iface_wk() takes wiphy_lock
 -> cfg80211_destroy_ifaces()
  ->ieee80211_del_iface
    ->ieeee80211_if_remove
      ->cfg80211_unregister_wdev
        ->unregister_netdevice_queue
          ->dev_close_many
            ->__dev_close_many
              ->raw_notifier_call_chain
                ->cfg80211_netdev_notifier_call
and that last call tries to take wiphy_lock again.

In commit a05829a7 ("cfg80211: avoid holding the RTNL when
calling the driver") I had taken into account the possibility of
recursing from cfg80211 into cfg80211_netdev_notifier_call() via
the network stack, but only for NETDEV_UNREGISTER, not for what
happens here, NETDEV_GOING_DOWN and NETDEV_DOWN notifications.

Additionally, while this worked still back in commit 78f22b6a
("cfg80211: allow userspace to take ownership of interfaces"), it
missed another corner case: unregistering a netdev will cause
dev_close() to be called, and thus stop wireless operations (e.g.
disconnecting), but there are some types of virtual interfaces in
wifi that don't have a netdev - for that we need an additional
call to cfg80211_leave().

So, to fix this mess, change cfg80211_destroy_ifaces() to not
require the wiphy_lock(), but instead make it acquire it, but
only after it has actually closed all the netdevs on the list,
and then call cfg80211_leave() as well before removing them
from the driver, to fix the second issue. The locking change in
this requires modifying the nl80211 call to not get the wiphy
lock passed in, but acquire it by itself after flushing any
potentially pending destruction requests.

[1] https://lore.kernel.org/r/09464e67-f3de-ac09-28a3-e27b7914ee7d@skogtun.org



Cc: stable@vger.kernel.org # 5.12
Reported-by: default avatarHarald Arnesen <harald@skogtun.org>
Fixes: 776a39b8 ("cfg80211: call cfg80211_destroy_ifaces() with wiphy lock held")
Fixes: 78f22b6a ("cfg80211: allow userspace to take ownership of interfaces")
Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
Tested-by: default avatarHarald Arnesen <harald@skogtun.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      ea6b2098
  13. Apr 08, 2021
  15. Apr 07, 2021
  17. Apr 05, 2021
  19. Feb 01, 2021
  21. Jan 28, 2021
  23. Jan 26, 2021
    • Johannes Berg's avatar
      cfg80211: avoid holding the RTNL when calling the driver · a05829a7
      Johannes Berg authored 
      Currently, _everything_ in cfg80211 holds the RTNL, and if you
have a slow USB device (or a few) you can get some bad lock
contention on that.

Fix that by re-adding a mutex to each wiphy/rdev as we had at
some point, so we have locking for the wireless_dev lists and
all the other things in there, and also so that drivers still
don't have to worry too much about it (they still won't get
parallel calls for a single device).

Then, we can restrict the RTNL to a few cases where we add or
remove interfaces and really need the added protection. Some
of the global list management still also uses the RTNL, since
we need to have it anyway for netdev management, but we only
hold the RTNL for very short periods of time here.

Link: https://lore.kernel.org/r/20210122161942.81df9f5e047a.I4a8e1a60b18863ea8c5e6d3a0faeafb2d45b2f40@changeid


Tested-by: Marek Szyprowski <m.szyprowski@samsung.com> [marvell driver issues]
Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      a05829a7
  25. Jan 22, 2021
    • Johannes Berg's avatar
      cfg80211: change netdev registration/unregistration semantics · 2fe8ef10
      Johannes Berg authored 
      We used to not require anything in terms of registering netdevs
with cfg80211, using a netdev notifier instead. However, in the
next patch reducing RTNL locking, this causes big problems, and
the simplest way is to just require drivers to do things better.

Change the registration/unregistration semantics to require the
drivers to call cfg80211_(un)register_netdevice() when this is
happening due to a cfg80211 request, i.e. add_virtual_intf() or
del_virtual_intf() (or if it somehow has to happen in any other
cfg80211 callback).

Otherwise, in other contexts, drivers may continue to use the
normal netdev (un)registration functions as usual.

Internally, we still use the netdev notifier and track (by the
new wdev->registered bool) if the wdev had already been added
to cfg80211 or not.

Link: https://lore.kernel.org/r/20210122161942.cf2f4b65e4e9.Ida8234e50da13eb675b557bac52a713ad4eddf71@changeid


Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      2fe8ef10
  27. Nov 11, 2020
  29. Oct 30, 2020
    • Johannes Berg's avatar
      cfg80211: initialize wdev data earlier · 9bdaf3b9
      Johannes Berg authored 
      
There's a race condition in the netdev registration in that
NETDEV_REGISTER actually happens after the netdev is available,
and so if we initialize things only there, we might get called
with an uninitialized wdev through nl80211 - not using a wdev
but using a netdev interface index.

I found this while looking into a syzbot report, but it doesn't
really seem to be related, and unfortunately there's no repro
for it (yet). I can't (yet) explain how it managed to get into
cfg80211_release_pmsr() from nl80211_netlink_notify() without
the wdev having been initialized, as the latter only iterates
the wdevs that are linked into the rdev, which even without the
change here happened after init.

However, looking at this, it seems fairly clear that the init
needs to be done earlier, otherwise we might even re-init on a
netns move, when data might still be pending.

Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
Link: https://lore.kernel.org/r/20201009135821.fdcbba3aad65.Ie9201d91dbcb7da32318812effdc1561aeaf4cdc@changeid


Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      9bdaf3b9
  31. Sep 28, 2020
  33. Aug 07, 2020
    • Waiman Long's avatar
      mm, treewide: rename kzfree() to kfree_sensitive() · 453431a5
      Waiman Long authored 
      
As said by Linus:

  A symmetric naming is only helpful if it implies symmetries in use.
  Otherwise it's actively misleading.

  In "kzalloc()", the z is meaningful and an important part of what the
  caller wants.

  In "kzfree()", the z is actively detrimental, because maybe in the
  future we really _might_ want to use that "memfill(0xdeadbeef)" or
  something. The "zero" part of the interface isn't even _relevant_.

The main reason that kzfree() exists is to clear sensitive information
that should not be leaked to other future users of the same memory
objects.

Rename kzfree() to kfree_sensitive() to follow the example of the recently
added kvfree_sensitive() and make the intention of the API more explicit.
In addition, memzero_explicit() is used to clear the memory to make sure
that it won't get optimized away by the compiler.

The renaming is done by using the command sequence:

  git grep -w --name-only kzfree |\
  xargs sed -i 's/kzfree/kfree_sensitive/'

followed by some editing of the kfree_sensitive() kerneldoc and adding
a kzfree backward compatibility macro in slab.h.

[akpm@linux-foundation.org: fs/crypto/inline_crypt.c needs linux/slab.h]
[akpm@linux-foundation.org: fix fs/crypto/inline_crypt.c some more]

Suggested-by: default avatarJoe Perches <joe@perches.com>
Signed-off-by: default avatarWaiman Long <longman@redhat.com>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Acked-by: default avatarDavid Howells <dhowells@redhat.com>
Acked-by: default avatarMichal Hocko <mhocko@suse.com>
Acked-by: default avatarJohannes Weiner <hannes@cmpxchg.org>
Cc: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Cc: James Morris <jmorris@namei.org>
Cc: "Serge E. Hallyn" <serge@hallyn.com>
Cc: Joe Perches <joe@perches.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Dan Carpenter <dan.carpenter@oracle.com>
Cc: "Jason A . Donenfeld" <Jason@zx2c4.com>
Link: http://lkml.kernel.org/r/20200616154311.12314-3-longman@redhat.com


Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      453431a5
  35. Jul 31, 2020
  37. Jun 05, 2020
  39. May 31, 2020
  41. May 25, 2020
  43. Apr 24, 2020
  45. Mar 20, 2020
  47. Dec 13, 2019
  49. Sep 11, 2019
  51. Jul 26, 2019
  53. Jun 14, 2019
  55. May 24, 2019
    • Manikanta Pubbisetty's avatar
      {nl,mac}80211: allow 4addr AP operation on crypto controlled devices · 33d915d9
      Manikanta Pubbisetty authored 
      
As per the current design, in the case of sw crypto controlled devices,
it is the device which advertises the support for AP/VLAN iftype based
on it's ability to tranmsit packets encrypted in software
(In VLAN functionality, group traffic generated for a specific
VLAN group is always encrypted in software). Commit db3bdcb9
("mac80211: allow AP_VLAN operation on crypto controlled devices")
has introduced this change.

Since 4addr AP operation also uses AP/VLAN iftype, this conditional
way of advertising AP/VLAN support has broken 4addr AP mode operation on
crypto controlled devices which do not support VLAN functionality.

In the case of ath10k driver, not all firmwares have support for VLAN
functionality but all can support 4addr AP operation. Because AP/VLAN
support is not advertised for these devices, 4addr AP operations are
also blocked.

Fix this by allowing 4addr operation on devices which do not support
AP/VLAN iftype but can support 4addr AP operation (decision is based on
the wiphy flag WIPHY_FLAG_4ADDR_AP).

Cc: stable@vger.kernel.org
Fixes: db3bdcb9 ("mac80211: allow AP_VLAN operation on crypto controlled devices")
Signed-off-by: default avatarManikanta Pubbisetty <mpubbise@codeaurora.org>
Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      33d915d9
  57. May 21, 2019
  59. Feb 06, 2019
    • Johannes Berg's avatar
      cfg80211: pmsr: fix abort locking · 73350424
      Johannes Berg authored 
      
When we destroy the interface we already hold the wdev->mtx
while calling cfg80211_pmsr_wdev_down(), which assumes this
isn't true and flushes the worker that takes the lock, thus
leading to a deadlock.

Fix this by refactoring the worker and calling its code in
cfg80211_pmsr_wdev_down() directly.

We still need to flush the work later to make sure it's not
still running and will crash, but it will not do anything.

Fixes: 9bb7e0f2 ("cfg80211: add peer measurement with FTM initiator API")
Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      73350424
  61. Nov 09, 2018
    • Martin Willi's avatar
      nl80211: announce radios/interfaces when switching namespaces · c90b670b
      Martin Willi authored 
      
When a wiphy changes its namespace, all interfaces are moved to the
new namespace as well. The network interfaces are properly announced
as leaving on the old and as appearing on the new namespace through
RTM_NEWLINK/RTM_DELLINK. On nl80211, however, these events are missing
for radios and their interfaces.

Add netlink announcements through nl80211 when switching namespaces,
so userspace can rely on these events to discover radios properly.

Signed-off-by: default avatarMartin Willi <martin@strongswan.org>
Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      c90b670b
    • Johannes Berg's avatar
      cfg80211: add peer measurement with FTM initiator API · 9bb7e0f2
      Johannes Berg authored 
      
Add a new "peer measurement" API, that can be used to measure
certain things related to a peer. Right now, only implement
FTM (flight time measurement) over it, but the idea is that
it'll be extensible to also support measuring the necessary
things to calculate e.g. angle-of-arrival for WiGig.

The API is structured to have a generic list of peers and
channels to measure with/on, and then for each of those a
set of measurements (again, only FTM right now) to perform.

Results are sent to the requesting socket, including a final
complete message.

Closing the controlling netlink socket will abort a running
measurement.

v3:
 - add a bit to report "final" for partial results
 - remove list keeping etc. and just unicast out the results
   to the requester (big code reduction ...)
 - also send complete message unicast, and as a result
   remove the multicast group
 - separate out struct cfg80211_pmsr_ftm_request_peer
   from struct cfg80211_pmsr_request_peer
 - document timeout == 0 if no timeout
 - disallow setting timeout nl80211 attribute to 0,
   must not include attribute for no timeout
 - make MAC address randomization optional
 - change num bursts exponent default to 0 (1 burst, rather
   rather than the old default of 15==don't care)

v4:
 - clarify NL80211_ATTR_TIMEOUT documentation

v5:
 - remove unnecessary nl80211 multicast/family changes
 - remove partial results bit/flag, final is sufficient
 - add max_bursts_exponent, max_ftms_per_burst to capability
 - rename "frames per burst" -> "FTMs per burst"

v6:
 - rename cfg80211_pmsr_free_wdev() to cfg80211_pmsr_wdev_down()
   and call it in leave, so the device can't go down with any
   pending measurements

v7:
 - wording fixes (Lior)
 - fix ftm.max_bursts_exponent to allow having the limit of 0 (Lior)

v8:
 - copyright statements
 - minor coding style fixes
 - fix error path leak

Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      9bb7e0f2
  63. Oct 02, 2018