diff -Nru backport-iwlwifi-dkms-8324/debian/changelog backport-iwlwifi-dkms-8324/debian/changelog --- backport-iwlwifi-dkms-8324/debian/changelog 2021-06-23 06:26:41.000000000 -0300 +++ backport-iwlwifi-dkms-8324/debian/changelog 2022-10-25 10:41:55.000000000 -0300 @@ -1,3 +1,10 @@ +backport-iwlwifi-dkms (8324-0ubuntu3~20.04.5) focal; urgency=medium + + * Apply fixes for CVE-2022-41674, CVE-2022-42719, CVE-2022-42720 + and CVE-2022-42721. (LP: #1994525) + + -- Thadeu Lima de Souza Cascardo Tue, 25 Oct 2022 10:41:55 -0300 + backport-iwlwifi-dkms (8324-0ubuntu3~20.04.4) focal; urgency=medium * Disable build against kernel newer than v5.4. (LP: #1932158) diff -Nru backport-iwlwifi-dkms-8324/debian/patches/0001-cfg80211-hold-bss_lock-while-updating-nontrans_list.patch backport-iwlwifi-dkms-8324/debian/patches/0001-cfg80211-hold-bss_lock-while-updating-nontrans_list.patch --- backport-iwlwifi-dkms-8324/debian/patches/0001-cfg80211-hold-bss_lock-while-updating-nontrans_list.patch 1969-12-31 21:00:00.000000000 -0300 +++ backport-iwlwifi-dkms-8324/debian/patches/0001-cfg80211-hold-bss_lock-while-updating-nontrans_list.patch 2022-10-24 15:33:25.000000000 -0300 
@@ -0,0 +1,37 @@ +From a5199b5626cd6913cf8776a835bc63d40e0686ad Mon Sep 17 00:00:00 2001 +From: Rameshkumar Sundaram +Date: Mon, 11 Apr 2022 14:37:51 +0530 +Subject: [PATCH] cfg80211: hold bss_lock while updating nontrans_list + +Synchronize additions to nontrans_list of transmitting BSS with +bss_lock to avoid races. Also when cfg80211_add_nontrans_list() fails +__cfg80211_unlink_bss() needs bss_lock to be held (has lockdep assert +on bss_lock). So protect the whole block with bss_lock to avoid +races and warnings. Found during code review. + +Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning") +Signed-off-by: Rameshkumar Sundaram +Link: https://lore.kernel.org/r/1649668071-9370-1-git-send-email-quic_ramess@quicinc.com +Signed-off-by: Johannes Berg +--- + net/wireless/scan.c | 2 ++ + 1 file changed, 2 insertions(+) + +Index: backport-iwlwifi-dkms-8324/net/wireless/scan.c +=================================================================== +--- backport-iwlwifi-dkms-8324.orig/net/wireless/scan.c ++++ backport-iwlwifi-dkms-8324/net/wireless/scan.c +@@ -1849,11 +1849,13 @@ cfg80211_inform_single_bss_data(struct w + /* this is a nontransmitting bss, we need to add it to + * transmitting bss' list if it is not there + */ ++ spin_lock_bh(&rdev->bss_lock); + if (cfg80211_add_nontrans_list(non_tx_data->tx_bss, + &res->pub)) { + if (__cfg80211_unlink_bss(rdev, res)) + rdev->bss_generation++; + } ++ spin_unlock_bh(&rdev->bss_lock); + } + + trace_cfg80211_return_bss(&res->pub); diff -Nru backport-iwlwifi-dkms-8324/debian/patches/0001-cfg80211-refactor-cfg80211_bss_update.patch backport-iwlwifi-dkms-8324/debian/patches/0001-cfg80211-refactor-cfg80211_bss_update.patch --- backport-iwlwifi-dkms-8324/debian/patches/0001-cfg80211-refactor-cfg80211_bss_update.patch 1969-12-31 21:00:00.000000000 -0300 +++ backport-iwlwifi-dkms-8324/debian/patches/0001-cfg80211-refactor-cfg80211_bss_update.patch 2022-10-25 08:29:53.000000000 -0300 
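Review bot: The new `spin_lock_bh(&rdev->bss_lock)` region carries no comment saying what it guards, and the reason is non-obvious because the list being mutated belongs to a different BSS (`non_tx_data->tx_bss->nontrans_list`) rather than to `res`. A one-liner would keep a future cleanup from narrowing the region: `/* bss_lock: tx_bss->nontrans_list is modified and __cfg80211_unlink_bss() asserts it held */`. Note that in this version `res` is still traced and returned after a successful unlink; the 0005 patch in the same series is what turns that into a NULL return, so series order matters and cannot be read from the file names (three patches here share the `0001-` prefix, and debian/patches/series is not in this chunk). cfg80211_inform_single_bss_data continues outside the hunk.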
@@ -0,0 +1,205 @@ +From 3ab8227d3e7d1d2bf1829675d3197e3cb600e9f6 Mon Sep 17 00:00:00 2001 +From: Sergey Matyukevich +Date: Fri, 26 Jul 2019 16:39:32 +0000 +Subject: [PATCH] cfg80211: refactor cfg80211_bss_update + +This patch implements minor refactoring for cfg80211_bss_update function. +Code path for updating known BSS is extracted into dedicated +cfg80211_update_known_bss function. + +Signed-off-by: Sergey Matyukevich +Link: https://lore.kernel.org/r/20190726163922.27509-2-sergey.matyukevich.os@quantenna.com +Signed-off-by: Johannes Berg +--- + net/wireless/scan.c | 171 +++++++++++++++++++++++--------------------- + 1 file changed, 89 insertions(+), 82 deletions(-) + +Index: backport-iwlwifi-dkms-8324/net/wireless/scan.c +=================================================================== +--- backport-iwlwifi-dkms-8324.orig/net/wireless/scan.c ++++ backport-iwlwifi-dkms-8324/net/wireless/scan.c +@@ -1319,6 +1319,93 @@ static bool cfg80211_bss_type_match(u16 + return ret; + } + ++static bool ++cfg80211_update_known_bss(struct cfg80211_registered_device *rdev, ++ struct cfg80211_internal_bss *known, ++ struct cfg80211_internal_bss *new, ++ bool signal_valid) ++{ ++ lockdep_assert_held(&rdev->bss_lock); ++ ++ /* Update IEs */ ++ if (rcu_access_pointer(new->pub.proberesp_ies)) { ++ const struct cfg80211_bss_ies *old; ++ ++ old = rcu_access_pointer(known->pub.proberesp_ies); ++ ++ rcu_assign_pointer(known->pub.proberesp_ies, ++ new->pub.proberesp_ies); ++ /* Override possible earlier Beacon frame IEs */ ++ rcu_assign_pointer(known->pub.ies, ++ new->pub.proberesp_ies); ++ if (old) ++ kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head); ++ } else if (rcu_access_pointer(new->pub.beacon_ies)) { ++ const struct cfg80211_bss_ies *old; ++ struct cfg80211_internal_bss *bss; ++ ++ if (known->pub.hidden_beacon_bss && ++ !list_empty(&known->hidden_list)) { ++ const struct cfg80211_bss_ies *f; ++ ++ /* The known BSS struct is one of the probe ++ * response members of a group, 
but we're ++ * receiving a beacon (beacon_ies in the new ++ * bss is used). This can only mean that the ++ * AP changed its beacon from not having an ++ * SSID to showing it, which is confusing so ++ * drop this information. ++ */ ++ ++ f = rcu_access_pointer(new->pub.beacon_ies); ++ kfree_rcu((struct cfg80211_bss_ies *)f, rcu_head); ++ return false; ++ } ++ ++ old = rcu_access_pointer(known->pub.beacon_ies); ++ ++ rcu_assign_pointer(known->pub.beacon_ies, new->pub.beacon_ies); ++ ++ /* Override IEs if they were from a beacon before */ ++ if (old == rcu_access_pointer(known->pub.ies)) ++ rcu_assign_pointer(known->pub.ies, new->pub.beacon_ies); ++ ++ /* Assign beacon IEs to all sub entries */ ++ list_for_each_entry(bss, &known->hidden_list, hidden_list) { ++ const struct cfg80211_bss_ies *ies; ++ ++ ies = rcu_access_pointer(bss->pub.beacon_ies); ++ WARN_ON(ies != old); ++ ++ rcu_assign_pointer(bss->pub.beacon_ies, ++ new->pub.beacon_ies); ++ } ++ ++ if (old) ++ kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head); ++ } ++ ++ known->pub.beacon_interval = new->pub.beacon_interval; ++ ++ /* don't update the signal if beacon was heard on ++ * adjacent channel. ++ */ ++ if (signal_valid) ++ known->pub.signal = new->pub.signal; ++ known->pub.capability = new->pub.capability; ++ known->ts = new->ts; ++ known->ts_boottime = new->ts_boottime; ++ known->parent_tsf = new->parent_tsf; ++ known->pub.chains = new->pub.chains; ++ memcpy(known->pub.chain_signal, new->pub.chain_signal, ++ IEEE80211_MAX_CHAINS); ++ ether_addr_copy(known->parent_bssid, new->parent_bssid); ++ known->pub.max_bssid_indicator = new->pub.max_bssid_indicator; ++ known->pub.bssid_index = new->pub.bssid_index; ++ ++ return true; ++} ++ + /* Returned bss is reference counted and must be cleaned up appropriately. 
*/ + struct cfg80211_bss *cfg80211_get_bss(struct wiphy *wiphy, + struct ieee80211_channel *channel, +@@ -1524,88 +1611,8 @@ cfg80211_bss_update(struct cfg80211_regi + found = rb_find_bss(rdev, tmp, BSS_CMP_REGULAR); + + if (found) { +- /* Update IEs */ +- if (rcu_access_pointer(tmp->pub.proberesp_ies)) { +- const struct cfg80211_bss_ies *old; +- +- old = rcu_access_pointer(found->pub.proberesp_ies); +- +- rcu_assign_pointer(found->pub.proberesp_ies, +- tmp->pub.proberesp_ies); +- /* Override possible earlier Beacon frame IEs */ +- rcu_assign_pointer(found->pub.ies, +- tmp->pub.proberesp_ies); +- if (old) +- kfree_rcu((struct cfg80211_bss_ies *)old, +- rcu_head); +- } else if (rcu_access_pointer(tmp->pub.beacon_ies)) { +- const struct cfg80211_bss_ies *old; +- struct cfg80211_internal_bss *bss; +- +- if (found->pub.hidden_beacon_bss && +- !list_empty(&found->hidden_list)) { +- const struct cfg80211_bss_ies *f; +- +- /* +- * The found BSS struct is one of the probe +- * response members of a group, but we're +- * receiving a beacon (beacon_ies in the tmp +- * bss is used). This can only mean that the +- * AP changed its beacon from not having an +- * SSID to showing it, which is confusing so +- * drop this information. 
+- */ +- +- f = rcu_access_pointer(tmp->pub.beacon_ies); +- kfree_rcu((struct cfg80211_bss_ies *)f, +- rcu_head); +- goto drop; +- } +- +- old = rcu_access_pointer(found->pub.beacon_ies); +- +- rcu_assign_pointer(found->pub.beacon_ies, +- tmp->pub.beacon_ies); +- +- /* Override IEs if they were from a beacon before */ +- if (old == rcu_access_pointer(found->pub.ies)) +- rcu_assign_pointer(found->pub.ies, +- tmp->pub.beacon_ies); +- +- /* Assign beacon IEs to all sub entries */ +- list_for_each_entry(bss, &found->hidden_list, +- hidden_list) { +- const struct cfg80211_bss_ies *ies; +- +- ies = rcu_access_pointer(bss->pub.beacon_ies); +- WARN_ON(ies != old); +- +- rcu_assign_pointer(bss->pub.beacon_ies, +- tmp->pub.beacon_ies); +- } +- +- if (old) +- kfree_rcu((struct cfg80211_bss_ies *)old, +- rcu_head); +- } +- +- found->pub.beacon_interval = tmp->pub.beacon_interval; +- /* +- * don't update the signal if beacon was heard on +- * adjacent channel. +- */ +- if (signal_valid) +- found->pub.signal = tmp->pub.signal; +- found->pub.capability = tmp->pub.capability; +- found->ts = tmp->ts; +- found->ts_boottime = tmp->ts_boottime; +- found->parent_tsf = tmp->parent_tsf; +- found->pub.chains = tmp->pub.chains; +- memcpy(found->pub.chain_signal, tmp->pub.chain_signal, +- IEEE80211_MAX_CHAINS); +- ether_addr_copy(found->parent_bssid, tmp->parent_bssid); +- found->pub.max_bssid_indicator = tmp->pub.max_bssid_indicator; +- found->pub.bssid_index = tmp->pub.bssid_index; ++ if (!cfg80211_update_known_bss(rdev, found, tmp, signal_valid)) ++ goto drop; + } else { + struct cfg80211_internal_bss *new; + struct cfg80211_internal_bss *hidden; diff -Nru backport-iwlwifi-dkms-8324/debian/patches/0001-mac80211-mlme-find-auth-challenge-directly.patch backport-iwlwifi-dkms-8324/debian/patches/0001-mac80211-mlme-find-auth-challenge-directly.patch --- backport-iwlwifi-dkms-8324/debian/patches/0001-mac80211-mlme-find-auth-challenge-directly.patch 1969-12-31 21:00:00.000000000 -0300 +++ 
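Review bot: `cfg80211_update_known_bss()` is introduced without a comment on its return value, and that value is not a plain success flag: `false` means the incoming beacon IEs were already released with `kfree_rcu()` and the caller must discard `tmp` (the caller does `goto drop` on L6), so any future caller that ignores the result would leak or double-free. Suggest a header comment along the lines of `/* Merge @new into @known (bss_lock held). Returns false when the update is refused because @known is a probe-response member of a hidden-SSID group; @new's beacon_ies are then already freed and the caller must drop @new. */`. This refactor is not one of the CVE fixes listed in the changelog and seems to be carried as a prerequisite; a short backport note in the patch header saying which later patch depends on it would help the next rebase. cfg80211_bss_update continues outside the hunk.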
backport-iwlwifi-dkms-8324/debian/patches/0001-mac80211-mlme-find-auth-challenge-directly.patch 2022-10-25 10:40:51.000000000 -0300 
@@ -0,0 +1,94 @@ +From df30e28a445852c4879cced498a3d76ca315775e Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Mon, 17 Oct 2022 14:46:00 +0200 +Subject: [PATCH 1/3] mac80211: mlme: find auth challenge directly + +There's no need to parse all elements etc. just to find the +authentication challenge - use cfg80211_find_elem() instead. +This also allows us to remove WLAN_EID_CHALLENGE handling +from the element parsing entirely. + +Link: https://lore.kernel.org/r/20210920154009.45f9b3a15722.Ice3159ffad03a007d6154cbf1fb3a8c48489e86f@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +CVE-2022-42719 +(cherry picked from commit 4191c3002c1ebfed473a7a2960ab0486cac64d89 linux-5.4.y-rc) +Signed-off-by: Thadeu Lima de Souza Cascardo +Acked-by: Stefan Bader +Acked-by: Cengiz Can +Signed-off-by: Stefan Bader +--- + net/mac80211/ieee80211_i.h | 2 -- + net/mac80211/mlme.c | 11 ++++++----- + net/mac80211/util.c | 4 ---- + 3 files changed, 6 insertions(+), 11 deletions(-) + +Index: backport-iwlwifi-dkms-8324/net/mac80211/ieee80211_i.h +=================================================================== +--- backport-iwlwifi-dkms-8324.orig/net/mac80211/ieee80211_i.h ++++ backport-iwlwifi-dkms-8324/net/mac80211/ieee80211_i.h +@@ -1569,7 +1569,6 @@ struct ieee802_11_elems { + const u8 *supp_rates; + const u8 *ds_params; + const struct ieee80211_tim_ie *tim; +- const u8 *challenge; + const u8 *rsn; + const u8 *erp_info; + const u8 *ext_supp_rates; +@@ -1615,7 +1614,6 @@ struct ieee802_11_elems { + u8 ssid_len; + u8 supp_rates_len; + u8 tim_len; +- u8 challenge_len; + u8 rsn_len; + u8 ext_supp_rates_len; + u8 wmm_info_len; +Index: backport-iwlwifi-dkms-8324/net/mac80211/mlme.c +=================================================================== +--- backport-iwlwifi-dkms-8324.orig/net/mac80211/mlme.c ++++ backport-iwlwifi-dkms-8324/net/mac80211/mlme.c +@@ -2962,14 +2962,14 @@ static void ieee80211_auth_challenge(str + { + struct ieee80211_local *local = 
sdata->local; + struct ieee80211_mgd_auth_data *auth_data = sdata->u.mgd.auth_data; ++ const struct element *challenge; + u8 *pos; +- struct ieee802_11_elems elems; + u32 tx_flags = 0; + + pos = mgmt->u.auth.variable; +- ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false, &elems, +- mgmt->bssid, auth_data->bss->bssid); +- if (!elems.challenge) ++ challenge = cfg80211_find_elem(WLAN_EID_CHALLENGE, pos, ++ len - (pos - (u8 *)mgmt)); ++ if (!challenge) + return; + auth_data->expected_transaction = 4; + drv_mgd_prepare_tx(sdata->local, sdata, 0); +@@ -2977,7 +2977,8 @@ static void ieee80211_auth_challenge(str + tx_flags = IEEE80211_TX_CTL_REQ_TX_STATUS | + IEEE80211_TX_INTFL_MLME_CONN_TX; + ieee80211_send_auth(sdata, 3, auth_data->algorithm, 0, +- elems.challenge - 2, elems.challenge_len + 2, ++ (void *)challenge, ++ challenge->datalen + sizeof(*challenge), + auth_data->bss->bssid, auth_data->bss->bssid, + auth_data->key, auth_data->key_len, + auth_data->key_idx, tx_flags); +Index: backport-iwlwifi-dkms-8324/net/mac80211/util.c +=================================================================== +--- backport-iwlwifi-dkms-8324.orig/net/mac80211/util.c ++++ backport-iwlwifi-dkms-8324/net/mac80211/util.c +@@ -1047,10 +1047,6 @@ _ieee802_11_parse_elems_crc(const u8 *st + } else + elem_parse_failed = true; + break; +- case WLAN_EID_CHALLENGE: +- elems->challenge = pos; +- elems->challenge_len = elen; +- break; + case WLAN_EID_VENDOR_SPECIFIC: + if (elen >= 4 && pos[0] == 0x00 && pos[1] == 0x50 && + pos[2] == 0xf2) { diff -Nru backport-iwlwifi-dkms-8324/debian/patches/0001-UBUNTU-SAUCE-wifi-cfg80211-fix-u8-overflow-in-cfg802.patch backport-iwlwifi-dkms-8324/debian/patches/0001-UBUNTU-SAUCE-wifi-cfg80211-fix-u8-overflow-in-cfg802.patch --- backport-iwlwifi-dkms-8324/debian/patches/0001-UBUNTU-SAUCE-wifi-cfg80211-fix-u8-overflow-in-cfg802.patch 1969-12-31 21:00:00.000000000 -0300 +++ 
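Review bot: The new lookup relies entirely on `cfg80211_find_elem()` for bounds checking of the challenge element, and the body is then echoed back verbatim in frame 3 as `challenge->datalen + sizeof(*challenge)` bytes; that matches the old `elems.challenge_len + 2`, so there is no regression, but nothing in the function says where the validation now happens. A comment such as `/* cfg80211_find_elem() only returns an element that fits inside the frame; no further length check needed */` would document the assumption, which I cannot verify from the hunk. The remaining-length expression `len - (pos - (u8 *)mgmt)` presumes the caller already checked `len` against the fixed auth header; that check is outside the hunk. ieee80211_auth_challenge continues outside the hunk.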
backport-iwlwifi-dkms-8324/debian/patches/0001-UBUNTU-SAUCE-wifi-cfg80211-fix-u8-overflow-in-cfg802.patch 2022-10-24 15:26:57.000000000 -0300 
@@ -0,0 +1,48 @@
+From 56bb60990443e74bc4ef92d09f910f38cfc6bb54 Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Wed, 28 Sep 2022 21:56:15 +0200
+Subject: [PATCH 01/13] UBUNTU: SAUCE: wifi: cfg80211: fix u8 overflow in
+ cfg80211_update_notlisted_nontrans()
+
+In the copy code of the elements, we do the following calculation
+to reach the end of the MBSSID element:
+
+ /* copy the IEs after MBSSID */
+ cpy_len = mbssid[1] + 2;
+
+This looks fine, however, cpy_len is a u8, the same as mbssid[1],
+so the addition of two can overflow. In this case the subsequent
+memcpy() will overflow the allocated buffer, since it copies 256
+bytes too much due to the way the allocation and memcpy() sizes
+are calculated.
+
+Fix this by using size_t for the cpy_len variable.
+
+This fixes CVE-2022-41674.
+
+Reported-by: Soenke Huster
+Tested-by: Soenke Huster
+Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
+Reviewed-by: Kees Cook
+Signed-off-by: Johannes Berg
+CVE-2022-41674
+Signed-off-by: Thadeu Lima de Souza Cascardo
+Acked-by: Kamal Mostafa
+Acked-by: Andrea Righi
+---
+ net/wireless/scan.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: backport-iwlwifi-dkms-8324/net/wireless/scan.c
+===================================================================
+--- backport-iwlwifi-dkms-8324.orig/net/wireless/scan.c
++++ backport-iwlwifi-dkms-8324/net/wireless/scan.c
+@@ -2103,7 +2103,7 @@ cfg80211_update_notlisted_nontrans(struc
+ size_t new_ie_len;
+ struct cfg80211_bss_ies *new_ies;
+ const struct cfg80211_bss_ies *old;
+- u8 cpy_len;
++ size_t cpy_len;
+
+ lockdep_assert_held(&wiphy_to_rdev(wiphy)->bss_lock);
+
diff -Nru backport-iwlwifi-dkms-8324/debian/patches/0002-UBUNTU-SAUCE-wifi-cfg80211-mac80211-reject-bad-MBSSI.patch backport-iwlwifi-dkms-8324/debian/patches/0002-UBUNTU-SAUCE-wifi-cfg80211-mac80211-reject-bad-MBSSI.patch
--- backport-iwlwifi-dkms-8324/debian/patches/0002-UBUNTU-SAUCE-wifi-cfg80211-mac80211-reject-bad-MBSSI.patch 1969-12-31 21:00:00.000000000 -0300
+++ backport-iwlwifi-dkms-8324/debian/patches/0002-UBUNTU-SAUCE-wifi-cfg80211-mac80211-reject-bad-MBSSI.patch 2022-10-24 15:26:59.000000000 -0300
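Review bot: The fix touches only the declaration, while the assignment `cpy_len = mbssid[1] + 2` and the `memcpy()` sized from it sit outside the hunk, so a reader of the file has to trust the commit message that the allocation length (`new_ie_len`) was never subject to the same truncation. Carry that knowledge into the code at the declaration: `size_t cpy_len; /* mbssid[1] + 2 can exceed U8_MAX; must not be u8 (CVE-2022-41674) */`. It is also worth confirming that no other `u8` temporary in this function is derived from an element length plus a constant, since the same promotion-then-truncation would reintroduce the overflow. cfg80211_update_notlisted_nontrans continues outside the hunk.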
@@ -0,0 +1,58 @@
+From 751dac7a0026f162f337a54ebf758af12646b02b Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Wed, 28 Sep 2022 22:01:37 +0200
+Subject: [PATCH 02/13] UBUNTU: SAUCE: wifi: cfg80211/mac80211: reject bad
+ MBSSID elements
+
+Per spec, the maximum value for the MaxBSSID ('n') indicator is 8,
+and the minimum is 1 since a multiple BSSID set with just one BSSID
+doesn't make sense (the # of BSSIDs is limited by 2^n).
+
+Limit this in the parsing in both cfg80211 and mac80211, rejecting
+any elements with an invalid value.
+
+This fixes potentially bad shifts in the processing of these inside
+the cfg80211_gen_new_bssid() function later.
+
+I found this during the investigation of CVE-2022-41674 fixed by the
+previous patch.
+
+Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
+Fixes: 78ac51f81532 ("mac80211: support multi-bssid")
+Reviewed-by: Kees Cook
+Signed-off-by: Johannes Berg
+CVE-2022-41674
+Signed-off-by: Thadeu Lima de Souza Cascardo
+Acked-by: Kamal Mostafa
+Acked-by: Andrea Righi
+---
+ net/mac80211/util.c | 2 ++
+ net/wireless/scan.c | 2 ++
+ 2 files changed, 4 insertions(+)
+
+Index: backport-iwlwifi-dkms-8324/net/mac80211/util.c
+===================================================================
+--- backport-iwlwifi-dkms-8324.orig/net/mac80211/util.c
++++ backport-iwlwifi-dkms-8324/net/mac80211/util.c
+@@ -1291,6 +1291,8 @@ static size_t ieee802_11_find_bssid_prof
+ for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, start, len) {
+ if (elem->datalen < 2)
+ continue;
++ if (elem->data[0] < 1 || elem->data[0] > 8)
++ continue;
+
+ for_each_element(sub, elem->data + 1, elem->datalen - 1) {
+ u8 new_bssid[ETH_ALEN];
+Index: backport-iwlwifi-dkms-8324/net/wireless/scan.c
+===================================================================
+--- backport-iwlwifi-dkms-8324.orig/net/wireless/scan.c
++++ backport-iwlwifi-dkms-8324/net/wireless/scan.c
+@@ -1970,6 +1970,8 @@ static void cfg80211_parse_mbssid_data(s
+ for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, ie, ielen) {
+ if (elem->datalen < 4)
+ continue;
++ if (elem->data[0] < 1 || (int)elem->data[0] > 8)
++ continue;
+ for_each_element(sub, elem->data + 1, elem->datalen - 1) {
+ u8 profile_len;
+
diff -Nru backport-iwlwifi-dkms-8324/debian/patches/0002-wifi-mac80211-don-t-parse-mbssid-in-assoc-response.patch backport-iwlwifi-dkms-8324/debian/patches/0002-wifi-mac80211-don-t-parse-mbssid-in-assoc-response.patch
--- backport-iwlwifi-dkms-8324/debian/patches/0002-wifi-mac80211-don-t-parse-mbssid-in-assoc-response.patch 1969-12-31 21:00:00.000000000 -0300
+++ backport-iwlwifi-dkms-8324/debian/patches/0002-wifi-mac80211-don-t-parse-mbssid-in-assoc-response.patch 2022-10-25 10:40:54.000000000 -0300
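Review bot: The two new guards are written differently: the mac80211 one compares `elem->data[0] > 8` while the cfg80211 one casts `(int)elem->data[0] > 8`; the cast is redundant (a `u8` is promoted to `int` for the comparison anyway) and the inconsistency makes a reader look for a reason that does not exist, so drop it and let both read `if (elem->data[0] < 1 || elem->data[0] > 8)`. Since the same spec bound now lives in two subsystems, naming it (for example a shared constant for the MaxBSSID-indicator range) would keep the two from drifting apart. Both enclosing functions continue outside the hunk.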
@@ -0,0 +1,44 @@ +From fd891483abec2ee4f4a1a3032e9d85aae4a89193 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Mon, 17 Oct 2022 14:46:00 +0200 +Subject: [PATCH 2/3] wifi: mac80211: don't parse mbssid in assoc response + +This is simply not valid and simplifies the next commit. +I'll make a separate patch for this in the current main +tree as well. + +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +CVE-2022-42719 +(cherry picked from commit b0e9ea8a40571ca0f5513adbb1c61bc95ddfbb7a linux-5.4.y-rc) +Signed-off-by: Thadeu Lima de Souza Cascardo +Acked-by: Stefan Bader +Acked-by: Cengiz Can +Signed-off-by: Stefan Bader +--- + net/mac80211/mlme.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +Index: backport-iwlwifi-dkms-8324/net/mac80211/mlme.c +=================================================================== +--- backport-iwlwifi-dkms-8324.orig/net/mac80211/mlme.c ++++ backport-iwlwifi-dkms-8324/net/mac80211/mlme.c +@@ -3349,7 +3349,7 @@ static bool ieee80211_assoc_success(stru + + pos = mgmt->u.assoc_resp.variable; + ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false, &elems, +- mgmt->bssid, assoc_data->bss->bssid); ++ mgmt->bssid, NULL); + + if (!elems.supp_rates) { + sdata_info(sdata, "no SuppRates element in AssocResp\n"); +@@ -3704,7 +3704,7 @@ static void ieee80211_rx_mgmt_assoc_resp + + pos = mgmt->u.assoc_resp.variable; + ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false, &elems, +- mgmt->bssid, assoc_data->bss->bssid); ++ mgmt->bssid, NULL); + + if (status_code == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY && + elems.timeout_int && diff -Nru backport-iwlwifi-dkms-8324/debian/patches/0003-wifi-mac80211-fix-MBSSID-parsing-use-after-free.patch backport-iwlwifi-dkms-8324/debian/patches/0003-wifi-mac80211-fix-MBSSID-parsing-use-after-free.patch --- backport-iwlwifi-dkms-8324/debian/patches/0003-wifi-mac80211-fix-MBSSID-parsing-use-after-free.patch 1969-12-31 21:00:00.000000000 -0300 +++ 
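Review bot: Passing `NULL` as the transmitter BSSID silently disables the MBSSID/non-transmitted-profile lookup for association responses, and nothing at either call site says why, so someone is likely to "restore" `assoc_data->bss->bssid` later. A comment at the first call would pin it: `/* AssocResp is addressed to us by the BSS itself: no MBSSID profile split, so no nontransmitted-profile parsing */`. The practical consequence, which the patch header could state as a backport note, is that `elems` in these two functions can no longer own a nontransmitted-profile buffer, which is why the follow-up UAF fix adds no `kfree()` on these paths. Both functions continue outside the hunk.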
backport-iwlwifi-dkms-8324/debian/patches/0003-wifi-mac80211-fix-MBSSID-parsing-use-after-free.patch 2022-10-25 10:40:58.000000000 -0300 
@@ -0,0 +1,135 @@ +From dd0aa91244a415a436e889ac0d21309bd1031a92 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Mon, 17 Oct 2022 14:46:00 +0200 +Subject: [PATCH 3/3] wifi: mac80211: fix MBSSID parsing use-after-free + +Commit ff05d4b45dd89b922578dac497dcabf57cf771c6 upstream. +This is a different version of the commit, changed to store +the non-transmitted profile in the elems, and freeing it in +the few places where it's relevant, since that is only the +case when the last argument for parsing (the non-tx BSSID) +is non-NULL. + +When we parse a multi-BSSID element, we might point some +element pointers into the allocated nontransmitted_profile. +However, we free this before returning, causing UAF when the +relevant pointers in the parsed elements are accessed. + +Fix this by not allocating the scratch buffer separately but +as part of the returned structure instead, that way, there +are no lifetime issues with it. + +The scratch buffer introduction as part of the returned data +here is taken from MLO feature work done by Ilan. + +This fixes CVE-2022-42719. 
+ +Fixes: 5023b14cf4df ("mac80211: support profile split between elements") +Co-developed-by: Ilan Peer +Signed-off-by: Ilan Peer +Reviewed-by: Kees Cook +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +CVE-2022-42719 +(cherry picked from commit 2be60da73b3f5ce25d5c4e53cb8a020727acde8c linux-5.4.y-rc) +Signed-off-by: Thadeu Lima de Souza Cascardo +Acked-by: Stefan Bader +Acked-by: Cengiz Can +Signed-off-by: Stefan Bader +--- + net/mac80211/ieee80211_i.h | 2 ++ + net/mac80211/mlme.c | 6 +++++- + net/mac80211/scan.c | 2 ++ + net/mac80211/util.c | 7 ++++++- + 4 files changed, 15 insertions(+), 2 deletions(-) + +Index: backport-iwlwifi-dkms-8324/net/mac80211/ieee80211_i.h +=================================================================== +--- backport-iwlwifi-dkms-8324.orig/net/mac80211/ieee80211_i.h ++++ backport-iwlwifi-dkms-8324/net/mac80211/ieee80211_i.h +@@ -1627,6 +1627,8 @@ struct ieee802_11_elems { + u8 country_elem_len; + u8 bssid_index_len; + ++ void *nontx_profile; ++ + /* whether a parse error occurred while retrieving these elements */ + bool parse_error; + }; +Index: backport-iwlwifi-dkms-8324/net/mac80211/mlme.c +=================================================================== +--- backport-iwlwifi-dkms-8324.orig/net/mac80211/mlme.c ++++ backport-iwlwifi-dkms-8324/net/mac80211/mlme.c +@@ -3425,6 +3425,7 @@ static bool ieee80211_assoc_success(stru + sdata_info(sdata, + "AP bug: VHT operation missing from AssocResp\n"); + } ++ kfree(bss_elems.nontx_profile); + } + + /* +@@ -4026,6 +4027,7 @@ static void ieee80211_rx_mgmt_beacon(str + ifmgd->assoc_data->timeout = jiffies; + ifmgd->assoc_data->timeout_started = true; + run_again(sdata, ifmgd->assoc_data->timeout); ++ kfree(elems.nontx_profile); + return; + } + +@@ -4191,7 +4193,7 @@ static void ieee80211_rx_mgmt_beacon(str + ieee80211_report_disconnect(sdata, deauth_buf, + sizeof(deauth_buf), true, + WLAN_REASON_DEAUTH_LEAVING); +- return; ++ goto free; + } + + if (sta && 
elems.opmode_notif) +@@ -4206,6 +4208,8 @@ static void ieee80211_rx_mgmt_beacon(str + elems.cisco_dtpc_elem); + + ieee80211_bss_info_change_notify(sdata, changed); ++free: ++ kfree(elems.nontx_profile); + } + + void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata, +Index: backport-iwlwifi-dkms-8324/net/mac80211/scan.c +=================================================================== +--- backport-iwlwifi-dkms-8324.orig/net/mac80211/scan.c ++++ backport-iwlwifi-dkms-8324/net/mac80211/scan.c +@@ -215,6 +215,8 @@ ieee80211_bss_info_update(struct ieee802 + rx_status, beacon); + } + ++ kfree(elems.nontx_profile); ++ + return bss; + } + +Index: backport-iwlwifi-dkms-8324/net/mac80211/util.c +=================================================================== +--- backport-iwlwifi-dkms-8324.orig/net/mac80211/util.c ++++ backport-iwlwifi-dkms-8324/net/mac80211/util.c +@@ -1365,6 +1365,11 @@ u32 ieee802_11_parse_elems_crc(const u8 + cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE, + nontransmitted_profile, + nontransmitted_profile_len); ++ if (!nontransmitted_profile_len) { ++ nontransmitted_profile_len = 0; ++ kfree(nontransmitted_profile); ++ nontransmitted_profile = NULL; ++ } + } + + crc = _ieee802_11_parse_elems_crc(start, len, action, elems, filter, +@@ -1394,7 +1399,7 @@ u32 ieee802_11_parse_elems_crc(const u8 + offsetofend(struct ieee80211_bssid_index, dtim_count)) + elems->dtim_count = elems->bssid_index->dtim_count; + +- kfree(nontransmitted_profile); ++ elems->nontx_profile = nontransmitted_profile; + + return crc; + } diff -Nru backport-iwlwifi-dkms-8324/debian/patches/0004-UBUNTU-SAUCE-wifi-cfg80211-ensure-length-byte-is-pre.patch backport-iwlwifi-dkms-8324/debian/patches/0004-UBUNTU-SAUCE-wifi-cfg80211-ensure-length-byte-is-pre.patch --- backport-iwlwifi-dkms-8324/debian/patches/0004-UBUNTU-SAUCE-wifi-cfg80211-ensure-length-byte-is-pre.patch 1969-12-31 21:00:00.000000000 -0300 +++ 
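Review bot: `ieee802_11_parse_elems_crc()` now transfers ownership of `nontransmitted_profile` to `elems->nontx_profile`, so every caller passing a non-NULL transmitter BSSID must free it on every exit path, yet the mlme.c hunk only redirects one `return` to `goto free` and adds one `kfree()` before another; any further early `return` in `ieee80211_rx_mgmt_beacon` between the second parse and the `free:` label (for instance a beacon-CRC-unchanged early-out, if this tree has one) would leak the buffer on every beacon from an MBSSID AP. Please audit that function end to end, and any other caller of the parse helpers that passes a BSSID (ibss/mesh) which this patch does not touch. Inside `if (!nontransmitted_profile_len)` the assignment `nontransmitted_profile_len = 0;` is a no-op and can go. The new field deserves a comment: `void *nontx_profile; /* scratch copy of the split MBSSID profile; other elems pointers may point into it, owner must kfree() */`. Both ieee80211_rx_mgmt_beacon and ieee802_11_parse_elems_crc continue outside the hunk.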
backport-iwlwifi-dkms-8324/debian/patches/0004-UBUNTU-SAUCE-wifi-cfg80211-ensure-length-byte-is-pre.patch 2022-10-24 15:33:23.000000000 -0300 
@@ -0,0 +1,48 @@ +From 8009632aba31723212236e92133302c0f16ebcbe Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Thu, 29 Sep 2022 21:50:44 +0200 +Subject: [PATCH 04/13] UBUNTU: SAUCE: wifi: cfg80211: ensure length byte is + present before access + +When iterating the elements here, ensure the length byte is +present before checking it to see if the entire element will +fit into the buffer. + +Longer term, we should rewrite this code using the type-safe +element iteration macros that check all of this. + +Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning") +Reported-by: Soenke Huster +Signed-off-by: Johannes Berg +CVE-2022-41674 +Signed-off-by: Thadeu Lima de Souza Cascardo +Acked-by: Kamal Mostafa +Acked-by: Andrea Righi +--- + net/wireless/scan.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +Index: backport-iwlwifi-dkms-8324/net/wireless/scan.c +=================================================================== +--- backport-iwlwifi-dkms-8324.orig/net/wireless/scan.c ++++ backport-iwlwifi-dkms-8324/net/wireless/scan.c +@@ -301,7 +301,8 @@ static size_t cfg80211_gen_new_ie(const + tmp_old = cfg80211_find_ie(WLAN_EID_SSID, ie, ielen); + tmp_old = (tmp_old) ? 
tmp_old + tmp_old[1] + 2 : ie; + +- while (tmp_old + tmp_old[1] + 2 - ie <= ielen) { ++ while (tmp_old + 2 - ie <= ielen && ++ tmp_old + tmp_old[1] + 2 - ie <= ielen) { + if (tmp_old[0] == 0) { + tmp_old++; + continue; +@@ -361,7 +362,8 @@ static size_t cfg80211_gen_new_ie(const + * copied to new ie, skip ssid, capability, bssid-index ie + */ + tmp_new = sub_copy; +- while (tmp_new + tmp_new[1] + 2 - sub_copy <= subie_len) { ++ while (tmp_new + 2 - sub_copy <= subie_len && ++ tmp_new + tmp_new[1] + 2 - sub_copy <= subie_len) { + if (!(tmp_new[0] == WLAN_EID_NON_TX_BSSID_CAP || + tmp_new[0] == WLAN_EID_SSID)) { + memcpy(pos, tmp_new, tmp_new[1] + 2); diff -Nru backport-iwlwifi-dkms-8324/debian/patches/0005-UBUNTU-SAUCE-wifi-cfg80211-fix-BSS-refcounting-bugs.patch backport-iwlwifi-dkms-8324/debian/patches/0005-UBUNTU-SAUCE-wifi-cfg80211-fix-BSS-refcounting-bugs.patch --- backport-iwlwifi-dkms-8324/debian/patches/0005-UBUNTU-SAUCE-wifi-cfg80211-fix-BSS-refcounting-bugs.patch 1969-12-31 21:00:00.000000000 -0300 +++ backport-iwlwifi-dkms-8324/debian/patches/0005-UBUNTU-SAUCE-wifi-cfg80211-fix-BSS-refcounting-bugs.patch 2022-10-24 15:33:27.000000000 -0300 
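Review bot: The added `tmp_old + 2 - ie <= ielen` guard does protect the read of `tmp_old[1]`, but the loop body it guards still advances by a single byte on `tmp_old[0] == 0` (`tmp_old++`) instead of skipping the whole element, so a zero-ID element with a non-zero length leaves the cursor inside that element's body; that is pre-existing, but it is exactly what the `for_each_element` rewrite promised in the message would remove, so mark it: `/* TODO: rewrite with for_each_element(); hand-rolled bounds checks here */`. The comparisons mix a pointer difference with `ielen`/`subie_len`; if those are `size_t` (their declarations are outside the hunk) the compare is unsigned, which is only safe because `tmp_old >= ie` and `tmp_new >= sub_copy` always hold here — worth a comment. cfg80211_gen_new_ie continues outside the hunk.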
@@ -0,0 +1,94 @@ +From 2dfbee70bd9f4378b811fa92e519e1e03a3e8354 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Fri, 30 Sep 2022 23:44:23 +0200 +Subject: [PATCH 05/13] UBUNTU: SAUCE: wifi: cfg80211: fix BSS refcounting bugs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +There are multiple refcounting bugs related to multi-BSSID: + - In bss_ref_get(), if the BSS has a hidden_beacon_bss, then + the bss pointer is overwritten before checking for the + transmitted BSS, which is clearly wrong. Fix this by using + the bss_from_pub() macro. + + - In cfg80211_bss_update() we copy the transmitted_bss pointer + from tmp into new, but then if we release new, we'll unref + it erroneously. We already set the pointer and ref it, but + need to NULL it since it was copied from the tmp data. + + - In cfg80211_inform_single_bss_data(), if adding to the non- + transmitted list fails, we unlink the BSS and yet still we + return it, but this results in returning an entry without + a reference. We shouldn't return it anyway if it was broken + enough to not get added there. + +This fixes CVE-2022-42720. 
+ +Reported-by: Sönke Huster +Tested-by: Sönke Huster +Fixes: a3584f56de1c ("cfg80211: Properly track transmitting and non-transmitting BSS") +Signed-off-by: Johannes Berg +CVE-2022-42720 +Signed-off-by: Thadeu Lima de Souza Cascardo +Acked-by: Kamal Mostafa +Acked-by: Andrea Righi +--- + net/wireless/scan.c | 27 ++++++++++++++------------- + 1 file changed, 14 insertions(+), 13 deletions(-) + +Index: backport-iwlwifi-dkms-8324/net/wireless/scan.c +=================================================================== +--- backport-iwlwifi-dkms-8324.orig/net/wireless/scan.c ++++ backport-iwlwifi-dkms-8324/net/wireless/scan.c +@@ -140,18 +140,12 @@ static inline void bss_ref_get(struct cf + lockdep_assert_held(&rdev->bss_lock); + + bss->refcount++; +- if (bss->pub.hidden_beacon_bss) { +- bss = container_of(bss->pub.hidden_beacon_bss, +- struct cfg80211_internal_bss, +- pub); +- bss->refcount++; +- } +- if (bss->pub.transmitted_bss) { +- bss = container_of(bss->pub.transmitted_bss, +- struct cfg80211_internal_bss, +- pub); +- bss->refcount++; +- } ++ ++ if (bss->pub.hidden_beacon_bss) ++ bss_from_pub(bss->pub.hidden_beacon_bss)->refcount++; ++ ++ if (bss->pub.transmitted_bss) ++ bss_from_pub(bss->pub.transmitted_bss)->refcount++; + } + + static inline void bss_ref_put(struct cfg80211_registered_device *rdev, +@@ -1628,6 +1622,8 @@ cfg80211_bss_update(struct cfg80211_regi + new->refcount = 1; + INIT_LIST_HEAD(&new->hidden_list); + INIT_LIST_HEAD(&new->pub.nontrans_list); ++ /* we'll set this later if it was non-NULL */ ++ new->pub.transmitted_bss = NULL; + + if (rcu_access_pointer(tmp->pub.proberesp_ies)) { + hidden = rb_find_bss(rdev, tmp, BSS_CMP_HIDE_ZLEN); +@@ -1852,10 +1848,15 @@ cfg80211_inform_single_bss_data(struct w + spin_lock_bh(&rdev->bss_lock); + if (cfg80211_add_nontrans_list(non_tx_data->tx_bss, + &res->pub)) { +- if (__cfg80211_unlink_bss(rdev, res)) ++ if (__cfg80211_unlink_bss(rdev, res)) { + rdev->bss_generation++; ++ res = NULL; ++ } + } + 
spin_unlock_bh(&rdev->bss_lock); ++ ++ if (!res) ++ return NULL; + } + + trace_cfg80211_return_bss(&res->pub); diff -Nru backport-iwlwifi-dkms-8324/debian/patches/0006-UBUNTU-SAUCE-wifi-cfg80211-avoid-nontransmitted-BSS-.patch backport-iwlwifi-dkms-8324/debian/patches/0006-UBUNTU-SAUCE-wifi-cfg80211-avoid-nontransmitted-BSS-.patch --- backport-iwlwifi-dkms-8324/debian/patches/0006-UBUNTU-SAUCE-wifi-cfg80211-avoid-nontransmitted-BSS-.patch 1969-12-31 21:00:00.000000000 -0300 +++ backport-iwlwifi-dkms-8324/debian/patches/0006-UBUNTU-SAUCE-wifi-cfg80211-avoid-nontransmitted-BSS-.patch 2022-10-24 15:33:31.000000000 -0300 
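Review bot: In the `cfg80211_inform_single_bss_data` hunk, when `cfg80211_add_nontrans_list()` fails but `__cfg80211_unlink_bss()` returns false the BSS stays linked and is still returned, even though it was never attached to its transmitting BSS; whether that branch is reachable depends on the unlink helper's hidden-list handling, which is outside the hunk, so the intent should be written down, e.g. `/* not unlinked (still part of a hidden-SSID group): keep returning it, it just has no nontrans link */`. The `new->pub.transmitted_bss = NULL` reset is correct only because the pointer is re-set with its own reference further down before `new` becomes visible, as the message says; a `/* ref taken below */` on that line would tie the two together. cfg80211_bss_update and cfg80211_inform_single_bss_data continue outside the hunk.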
@@ -0,0 +1,55 @@
+From 02c503419f6e53002ffe50220077fc0b1cc1b042 Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Sat, 1 Oct 2022 00:01:44 +0200
+Subject: [PATCH 06/13] UBUNTU: SAUCE: wifi: cfg80211: avoid nontransmitted BSS
+ list corruption
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If a non-transmitted BSS shares enough information (both
+SSID and BSSID!) with another non-transmitted BSS of a
+different AP, then we can find and update it, and then
+try to add it to the non-transmitted BSS list. We do a
+search for it on the transmitted BSS, but if it's not
+there (but belongs to another transmitted BSS), the list
+gets corrupted.
+
+Since this is an erroneous situation, simply fail the
+list insertion in this case and free the non-transmitted
+BSS.
+
+This fixes CVE-2022-42721.
+
+Reported-by: Sönke Huster
+Tested-by: Sönke Huster
+Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
+Signed-off-by: Johannes Berg
+CVE-2022-42721
+Signed-off-by: Thadeu Lima de Souza Cascardo
+Acked-by: Kamal Mostafa
+Acked-by: Andrea Righi
+---
+ net/wireless/scan.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+Index: backport-iwlwifi-dkms-8324/net/wireless/scan.c
+===================================================================
+--- backport-iwlwifi-dkms-8324.orig/net/wireless/scan.c
++++ backport-iwlwifi-dkms-8324/net/wireless/scan.c
+@@ -419,6 +419,15 @@ cfg80211_add_nontrans_list(struct cfg802
+ return 0;
+ }
+ 
++ /*
++ * This is a bit weird - it's not on the list, but already on another
++ * one! The only way that could happen is if there's some BSSID/SSID
++ * shared by multiple APs in their multi-BSSID profiles, potentially
++ * with hidden SSID mixed in ... ignore it.
++ */
++ if (!list_empty(&nontrans_bss->nontrans_list))
++ return -EINVAL;
++
+ /* add to the list */
+ list_add_tail(&nontrans_bss->nontrans_list, &trans_bss->nontrans_list);
+ return 0;
diff -Nru backport-iwlwifi-dkms-8324/debian/patches/0007-UBUNTU-SAUCE-wifi-mac80211_hwsim-avoid-mac80211-warn.patch backport-iwlwifi-dkms-8324/debian/patches/0007-UBUNTU-SAUCE-wifi-mac80211_hwsim-avoid-mac80211-warn.patch
--- backport-iwlwifi-dkms-8324/debian/patches/0007-UBUNTU-SAUCE-wifi-mac80211_hwsim-avoid-mac80211-warn.patch 1969-12-31 21:00:00.000000000 -0300
+++ backport-iwlwifi-dkms-8324/debian/patches/0007-UBUNTU-SAUCE-wifi-mac80211_hwsim-avoid-mac80211-warn.patch 2022-10-24 15:33:36.000000000 -0300
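Review bot: The new `return -EINVAL` only prevents the list corruption if every caller of cfg80211_add_nontrans_list treats a non-zero result as "not linked: unlink and drop the BSS"; the one caller visible in this series (cfg80211_inform_single_bss_data, patched under bss_lock in the 0005 hunk at the top of this chunk) does, but any other caller in scan.c is outside this hunk and should be checked for the same handling, since ignoring the error would leave the BSS registered without a transmitting-BSS link. The `list_empty()` test is only meaningful because cfg80211_bss_update initialises `pub.nontrans_list` (also visible in the 0005 hunk), which is worth recording next to the check, e.g. `/* nontrans_list is INIT_LIST_HEAD'ed in cfg80211_bss_update; non-empty here means it is already linked under another transmitting BSS */`. The enclosing cfg80211_add_nontrans_list starts before the shown inner hunk.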
@@ -0,0 +1,38 @@
+From 080d4c4914355ae854b3e5d8eea0194937fbae12 Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Wed, 5 Oct 2022 15:10:09 +0200
+Subject: [PATCH 07/13] UBUNTU: SAUCE: wifi: mac80211_hwsim: avoid mac80211
+ warning on bad rate
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If the tool on the other side (e.g. wmediumd) gets confused
+about the rate, we hit a warning in mac80211. Silence that
+by effectively duplicating the check here and dropping the
+frame silently (in mac80211 it's dropped with the warning).
+
+Reported-by: Sönke Huster
+Tested-by: Sönke Huster
+Signed-off-by: Johannes Berg
+CVE-2022-41674
+Signed-off-by: Thadeu Lima de Souza Cascardo
+Acked-by: Kamal Mostafa
+Acked-by: Andrea Righi
+---
+ drivers/net/wireless/mac80211_hwsim.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+Index: backport-iwlwifi-dkms-8324/drivers/net/wireless/mac80211_hwsim.c
+===================================================================
+--- backport-iwlwifi-dkms-8324.orig/drivers/net/wireless/mac80211_hwsim.c
++++ backport-iwlwifi-dkms-8324/drivers/net/wireless/mac80211_hwsim.c
+@@ -3433,6 +3433,8 @@ static int hwsim_cloned_frame_received_n
+ 
+ rx_status.band = data2->channel->band;
+ rx_status.rate_idx = nla_get_u32(info->attrs[HWSIM_ATTR_RX_RATE]);
++ if (rx_status.rate_idx >= data2->hw->wiphy->bands[rx_status.band]->n_bitrates)
++ goto out;
+ rx_status.signal = nla_get_u32(info->attrs[HWSIM_ATTR_SIGNAL]);
+ 
+ memcpy(IEEE80211_SKB_RXCB(skb), &rx_status, sizeof(rx_status));
diff -Nru backport-iwlwifi-dkms-8324/debian/patches/0009-UBUNTU-SAUCE-wifi-cfg80211-update-hidden-BSSes-to-av.patch backport-iwlwifi-dkms-8324/debian/patches/0009-UBUNTU-SAUCE-wifi-cfg80211-update-hidden-BSSes-to-av.patch
--- backport-iwlwifi-dkms-8324/debian/patches/0009-UBUNTU-SAUCE-wifi-cfg80211-update-hidden-BSSes-to-av.patch 1969-12-31 21:00:00.000000000 -0300
+++ 
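Review bot: The bounds check compares `rx_status.rate_idx` after the u32 netlink attribute has already been stored into it, so if that field is narrower than u32 (it is a u8 in mainline's struct ieee80211_rx_status) the comparison validates the truncated value rather than what the peer actually sent; the truncated index is still in range, so this is a robustness/style point rather than an out-of-bounds one. Validating before narrowing reads better and keeps the check honest: `u32 rate = nla_get_u32(info->attrs[HWSIM_ATTR_RX_RATE]);` / `if (rate >= data2->hw->wiphy->bands[rx_status.band]->n_bitrates) goto out;` / `rx_status.rate_idx = rate;`, with the `u32 rate` declaration placed in the function's declaration block. `wiphy->bands[rx_status.band]` is presumably non-NULL here because the band is taken from `data2->channel` two lines earlier. The `out:` label and the rest of hwsim_cloned_frame_received_nl are outside the shown hunk, so confirm that path frees skb as the commit message's "dropping the frame" implies.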
backport-iwlwifi-dkms-8324/debian/patches/0009-UBUNTU-SAUCE-wifi-cfg80211-update-hidden-BSSes-to-av.patch 2022-10-25 08:29:56.000000000 -0300 
@@ -0,0 +1,93 @@
+From 91a6dd40c6ea0905c8c571e377b1cbfb2189a646 Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Wed, 5 Oct 2022 23:11:43 +0200
+Subject: [PATCH 09/13] UBUNTU: SAUCE: wifi: cfg80211: update hidden BSSes to
+ avoid WARN_ON
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When updating beacon elements in a non-transmitted BSS,
+also update the hidden sub-entries to the same beacon
+elements, so that a future update through other paths
+won't trigger a WARN_ON().
+
+The warning is triggered because the beacon elements in
+the hidden BSSes that are children of the BSS should
+always be the same as in the parent.
+
+Reported-by: Sönke Huster
+Tested-by: Sönke Huster
+Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
+Signed-off-by: Johannes Berg
+CVE-2022-41674
+Signed-off-by: Thadeu Lima de Souza Cascardo
+Acked-by: Kamal Mostafa
+Acked-by: Andrea Righi
+---
+ net/wireless/scan.c | 31 ++++++++++++++-----------
+ 1 file changed, 20 insertions(+), 11 deletions(-)
+
+Index: backport-iwlwifi-dkms-8324/net/wireless/scan.c
+===================================================================
+--- backport-iwlwifi-dkms-8324.orig/net/wireless/scan.c
++++ backport-iwlwifi-dkms-8324/net/wireless/scan.c
+@@ -1319,6 +1319,23 @@ static bool cfg80211_bss_type_match(u16
+ return ret;
+ }
+ 
++static void cfg80211_update_hidden_bsses(struct cfg80211_internal_bss *known,
++ const struct cfg80211_bss_ies *new_ies,
++ const struct cfg80211_bss_ies *old_ies)
++{
++ struct cfg80211_internal_bss *bss;
++
++ /* Assign beacon IEs to all sub entries */
++ list_for_each_entry(bss, &known->hidden_list, hidden_list) {
++ const struct cfg80211_bss_ies *ies;
++
++ ies = rcu_access_pointer(bss->pub.beacon_ies);
++ WARN_ON(ies != old_ies);
++
++ rcu_assign_pointer(bss->pub.beacon_ies, new_ies);
++ }
++}
++
+ static bool
+ cfg80211_update_known_bss(struct cfg80211_registered_device *rdev,
+ struct 
cfg80211_internal_bss *known,
+@@ -1342,7 +1359,6 @@ cfg80211_update_known_bss(struct cfg8021
+ kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head);
+ } else if (rcu_access_pointer(new->pub.beacon_ies)) {
+ const struct cfg80211_bss_ies *old;
+- struct cfg80211_internal_bss *bss;
+ 
+ if (known->pub.hidden_beacon_bss &&
+ !list_empty(&known->hidden_list)) {
+@@ -1370,16 +1386,7 @@ cfg80211_update_known_bss(struct cfg8021
+ if (old == rcu_access_pointer(known->pub.ies))
+ rcu_assign_pointer(known->pub.ies, new->pub.beacon_ies);
+ 
+- /* Assign beacon IEs to all sub entries */
+- list_for_each_entry(bss, &known->hidden_list, hidden_list) {
+- const struct cfg80211_bss_ies *ies;
+-
+- ies = rcu_access_pointer(bss->pub.beacon_ies);
+- WARN_ON(ies != old);
+-
+- rcu_assign_pointer(bss->pub.beacon_ies,
+- new->pub.beacon_ies);
+- }
++ cfg80211_update_hidden_bsses(known, new->pub.beacon_ies, old);
+ 
+ if (old)
+ kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head);
+@@ -2193,6 +2200,8 @@ cfg80211_update_notlisted_nontrans(struc
+ } else {
+ old = rcu_access_pointer(nontrans_bss->beacon_ies);
+ rcu_assign_pointer(nontrans_bss->beacon_ies, new_ies);
++ cfg80211_update_hidden_bsses(bss_from_pub(nontrans_bss),
++ new_ies, old);
+ rcu_assign_pointer(nontrans_bss->ies, new_ies);
+ if (old)
+ kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head);
diff -Nru backport-iwlwifi-dkms-8324/debian/patches/series backport-iwlwifi-dkms-8324/debian/patches/series
--- backport-iwlwifi-dkms-8324/debian/patches/series 2021-06-23 06:26:41.000000000 -0300
+++ backport-iwlwifi-dkms-8324/debian/patches/series 2022-10-25 10:40:41.000000000 -0300
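Review bot: cfg80211_update_hidden_bsses walks `known->hidden_list` and swaps `beacon_ies` on every child with no locking assertion or comment, and because it takes no `rdev` it cannot carry the `lockdep_assert_held(&rdev->bss_lock)` that bss_ref_get uses in the 0005 hunk at the top of this chunk; a one-line precondition would help the next backport, e.g. `/* Caller must hold rdev->bss_lock: hidden_list and beacon_ies are only changed under it */` (hedged — the locking of the two call sites is outside the shown hunks). The `WARN_ON(ies != old_ies)` also deserves a word, since it compares pointers rather than contents: `/* children must carry the parent's previous beacon IEs; a mismatch means an update path skipped them */` ties it to the invariant the commit message describes. The new call in cfg80211_update_notlisted_nontrans is placed before `nontrans_bss->ies` is reassigned and before the old IEs are freed, which is the right order given the children still reference `old`. Both cfg80211_update_known_bss and cfg80211_update_notlisted_nontrans start and end outside the shown inner hunks.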
@@ -11,3 +11,15 @@
 0013-ftrace-Rework-event_create_dir.patch
 0014-nl80211-fix-NL80211_ATTR_FTM_RESPONDER-policy.patch
 0015-NOUPSTREAM-nl80211-pull-in-NLA_POLICY_EXACT_LEN_WARN.patch
+0001-UBUNTU-SAUCE-wifi-cfg80211-fix-u8-overflow-in-cfg802.patch
+0002-UBUNTU-SAUCE-wifi-cfg80211-mac80211-reject-bad-MBSSI.patch
+0004-UBUNTU-SAUCE-wifi-cfg80211-ensure-length-byte-is-pre.patch
+0001-cfg80211-hold-bss_lock-while-updating-nontrans_list.patch
+0005-UBUNTU-SAUCE-wifi-cfg80211-fix-BSS-refcounting-bugs.patch
+0006-UBUNTU-SAUCE-wifi-cfg80211-avoid-nontransmitted-BSS-.patch
+0007-UBUNTU-SAUCE-wifi-mac80211_hwsim-avoid-mac80211-warn.patch
+0001-cfg80211-refactor-cfg80211_bss_update.patch
+0009-UBUNTU-SAUCE-wifi-cfg80211-update-hidden-BSSes-to-av.patch
+0001-mac80211-mlme-find-auth-challenge-directly.patch
+0002-wifi-mac80211-don-t-parse-mbssid-in-assoc-response.patch
+0003-wifi-mac80211-fix-MBSSID-parsing-use-after-free.patch