Add E823 device ids and convert conditional expressions to a more
appropriate switch statement.
Signed-off-by: Bruce Allan <email address hidden>
Signed-off-by: Tony Nguyen <email address hidden>
Tested-by: Andrew Bowers <email address hidden>
Signed-off-by: Jeff Kirsher <email address hidden>
(cherry picked from commit e36aeec0f4e551a7fe01758e652d135638b4865b)
Signed-off-by: Michael Reed <email address hidden>
UBUNTU: SAUCE: io_uring/af_unix: fix memleak during unix GC
When io_uring GC skbs are removed from the hitlist, they are not free or
put back anywhere, leading to a memory leak. Put them back into the
sk_receive_queue, which means they will be processed and eventually
released.
CVE-2022-2602
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Andrea Righi <email address hidden>
8e7fcdd...
by
Pavel Begunkov <email address hidden>
UBUNTU: SAUCE: io_uring/af_unix: defer registered files gc to io_uring release
Instead of putting io_uring's registered files in unix_gc() we want it
to be done by io_uring itself. The trick here is to consider io_uring
registered files for cycle detection but not actually putting them down.
Because io_uring can't register other ring instances, this will remove
all refs to the ring file triggering the ->release path and clean up
with io_ring_ctx_free().
Cc: <email address hidden>
Fixes: 6b06314c47e1 ("io_uring: add file set registration")
Reported-and-tested-by: David Bouman <email address hidden>
Signed-off-by: Pavel Begunkov <email address hidden>
Signed-off-by: Jens Axboe <email address hidden>
CVE-2022-2602
[cascardo: small context adjustments]
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Andrea Righi <email address hidden>
UBUNTU: SAUCE: wifi: cfg80211: update hidden BSSes to avoid WARN_ON
When updating beacon elements in a non-transmitted BSS,
also update the hidden sub-entries to the same beacon
elements, so that a future update through other paths
won't trigger a WARN_ON().
The warning is triggered because the beacon elements in
the hidden BSSes that are children of the BSS should
always be the same as in the parent.
Reported-by: Sönke Huster <email address hidden>
Tested-by: Sönke Huster <email address hidden>
Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
Signed-off-by: Johannes Berg <email address hidden>
CVE-2022-41674
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Andrea Righi <email address hidden>
UBUNTU: SAUCE: wifi: mac80211_hwsim: avoid mac80211 warning on bad rate
If the tool on the other side (e.g. wmediumd) gets confused
about the rate, we hit a warning in mac80211. Silence that
by effectively duplicating the check here and dropping the
frame silently (in mac80211 it's dropped with the warning).
UBUNTU: SAUCE: wifi: cfg80211: avoid nontransmitted BSS list corruption
If a non-transmitted BSS shares enough information (both
SSID and BSSID!) with another non-transmitted BSS of a
different AP, then we can find and update it, and then
try to add it to the non-transmitted BSS list. We do a
search for it on the transmitted BSS, but if it's not
there (but belongs to another transmitted BSS), the list
gets corrupted.
Since this is an erroneous situation, simply fail the
list insertion in this case and free the non-transmitted
BSS.
This fixes CVE-2022-42721.
Reported-by: Sönke Huster <email address hidden>
Tested-by: Sönke Huster <email address hidden>
Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
Signed-off-by: Johannes Berg <email address hidden>
CVE-2022-42721
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Andrea Righi <email address hidden>
There are multiple refcounting bugs related to multi-BSSID:
- In bss_ref_get(), if the BSS has a hidden_beacon_bss, then
the bss pointer is overwritten before checking for the
transmitted BSS, which is clearly wrong. Fix this by using
the bss_from_pub() macro.
- In cfg80211_bss_update() we copy the transmitted_bss pointer
from tmp into new, but then if we release new, we'll unref
it erroneously. We already set the pointer and ref it, but
need to NULL it since it was copied from the tmp data.
- In cfg80211_inform_single_bss_data(), if adding to the non-
transmitted list fails, we unlink the BSS and yet still we
return it, but this results in returning an entry without
a reference. We shouldn't return it anyway if it was broken
enough to not get added there.
