mac80211: backport security fixes (#10324)

* mac80211: backport security fixes

This mainly affects scanning and beacon parsing, especially with MBSSID enabled

Fixes: CVE-2022-41674
Fixes: CVE-2022-42719
Fixes: CVE-2022-42720
Fixes: CVE-2022-42721
Fixes: CVE-2022-42722
Signed-off-by: Felix Fietkau <[email protected]>
(cherry-picked from commit 26f4002)

* mac80211: refresh patches

355-wifi-cfg80211-fix-BSS-refcounting-bugs.patch - gregkh/linux@5a52384

Co-authored-by: Felix Fietkau <[email protected]>
Co-authored-by: 1054009064 <[email protected]>

Author: 1054009064

package/kernel/mac80211/patches/ath10k/991-ath10k-5.19.patch

@@ -1,6 +1,6 @@
 --- a/drivers/net/wireless/ath/ath10k/core.c
 +++ b/drivers/net/wireless/ath/ath10k/core.c
-@@ -3333,7 +3333,11 @@
+@@ -3333,7 +3333,11 @@ static int ath10k_core_probe_fw(struct a
  		ath10k_debug_print_board_info(ar);
  	}
 

package/kernel/mac80211/patches/brcm/999-backport-to-linux-5.18.patch

@@ -1,8 +1,6 @@
-diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
-index 44a11b0..178e692 100644
 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
 +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
-@@ -245,7 +245,11 @@
+@@ -245,7 +245,11 @@ static int brcmf_netdev_set_mac_address(
  	} else {
  		brcmf_dbg(TRACE, "updated to %pM\n", sa->sa_data);
  		memcpy(ifp->mac_addr, sa->sa_data, ETH_ALEN);
@@ -14,53 +12,51 @@ index 44a11b0..178e692 100644
  	}
  	return err;
  }
-@@ -424,6 +428,7 @@
+@@ -424,6 +428,7 @@ void brcmf_netif_rx(struct brcmf_if *ifp
  	ifp->ndev->stats.rx_packets++;
-
+ 
  	brcmf_dbg(DATA, "rx proto=0x%X\n", ntohs(skb->protocol));
 +#if LINUX_VERSION_CODE < KERNEL_VERSION(5,18,0)
  	if (inirq) {
  		netif_rx(skb);
  	} else {
-@@ -433,6 +438,9 @@
+@@ -433,6 +438,9 @@ void brcmf_netif_rx(struct brcmf_if *ifp
  		 */
  		netif_rx_ni(skb);
  	}
 +#else
 +	netif_rx(skb);
 +#endif
  }
-
+ 
  void brcmf_netif_mon_rx(struct brcmf_if *ifp, struct sk_buff *skb)
-@@ -673,7 +681,11 @@
+@@ -673,7 +681,11 @@ int brcmf_net_attach(struct brcmf_if *if
  	ndev->ethtool_ops = &brcmf_ethtool_ops;
-
+ 
  	/* set the mac address & netns */
 +#if LINUX_VERSION_CODE < KERNEL_VERSION(5,18,0)
  	memcpy(ndev->dev_addr, ifp->mac_addr, ETH_ALEN);
 +#else
 +	eth_hw_addr_set(ifp->ndev, ifp->mac_addr);
 +#endif
  	dev_net_set(ndev, wiphy_net(cfg_to_wiphy(drvr->config)));
-
+ 
  	INIT_WORK(&ifp->multicast_work, _brcmf_set_multicast_list);
-@@ -848,7 +860,11 @@
+@@ -848,7 +860,11 @@ static int brcmf_net_p2p_attach(struct b
  	ndev->netdev_ops = &brcmf_netdev_ops_p2p;
-
+ 
  	/* set the mac address */
 +#if LINUX_VERSION_CODE < KERNEL_VERSION(5,18,0)
  	memcpy(ndev->dev_addr, ifp->mac_addr, ETH_ALEN);
 +#else
 +	eth_hw_addr_set(ndev, ifp->mac_addr);
 +#endif
-
+ 
  	if (register_netdev(ndev) != 0) {
  		bphy_err(drvr, "couldn't register the p2p net device\n");
-diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c
-index 9ac0d8c..4735063 100644
 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c
 +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c
-@@ -2125,7 +2125,7 @@ static int brcmf_p2p_disable_p2p_if(struct brcmf_cfg80211_vif *vif)
+@@ -2125,7 +2125,7 @@ static int brcmf_p2p_disable_p2p_if(stru
  	struct brcmf_cfg80211_info *cfg = wdev_to_cfg(&vif->wdev);
  	struct net_device *pri_ndev = cfg_to_ndev(cfg);
  	struct brcmf_if *ifp = netdev_priv(pri_ndev);
@@ -69,7 +65,7 @@ index 9ac0d8c..4735063 100644
 
  	return brcmf_fil_iovar_data_set(ifp, "p2p_ifdis", addr, ETH_ALEN);
  }
-@@ -2135,7 +2135,7 @@ static int brcmf_p2p_release_p2p_if(struct brcmf_cfg80211_vif *vif)
+@@ -2135,7 +2135,7 @@ static int brcmf_p2p_release_p2p_if(stru
  	struct brcmf_cfg80211_info *cfg = wdev_to_cfg(&vif->wdev);
  	struct net_device *pri_ndev = cfg_to_ndev(cfg);
  	struct brcmf_if *ifp = netdev_priv(pri_ndev);
@@ -78,11 +74,9 @@ index 9ac0d8c..4735063 100644
 
  	return brcmf_fil_iovar_data_set(ifp, "p2p_ifdel", addr, ETH_ALEN);
  }
-diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
-index 8effeb7..04362e2 100644
 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
 +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
-@@ -4164,7 +4164,11 @@
+@@ -4164,7 +4164,11 @@ static int brcmf_sdio_bus_reset(struct d
 
  	/* reset the adapter */
  	sdio_claim_host(sdiodev->func1);
@@ -94,8 +88,6 @@ index 8effeb7..04362e2 100644
  	sdio_release_host(sdiodev->func1);
 
  	brcmf_bus_change_state(sdiodev->bus_if, BRCMF_BUS_DOWN);
-diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
-index ab83553..7941d28 100644
 --- a/include/net/cfg80211.h
 +++ b/include/net/cfg80211.h
 @@ -5555,7 +5555,7 @@ struct wireless_dev {
@@ -107,11 +99,9 @@ index ab83553..7941d28 100644
  {
  	if (wdev->netdev)
  		return wdev->netdev->dev_addr;
-diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
-index 57aa863..f5ebb5a 100644
 --- a/net/mac80211/iface.c
 +++ b/net/mac80211/iface.c
-@@ -1274,9 +1274,13 @@
+@@ -1274,9 +1274,13 @@ int ieee80211_do_open(struct wireless_de
  	 * this interface, if it has the special null one.
  	 */
  	if (dev && is_zero_ether_addr(dev->dev_addr)) {
@@ -123,10 +113,10 @@ index 57aa863..f5ebb5a 100644
 +		eth_hw_addr_set(dev, local->hw.wiphy->perm_addr);
 +#endif
  		memcpy(dev->perm_addr, dev->dev_addr, ETH_ALEN);
-
+ 
  		if (!is_valid_ether_addr(dev->dev_addr)) {
-@@ -2136,9 +2140,17 @@
-
+@@ -2136,9 +2140,17 @@ int ieee80211_if_add(struct ieee80211_lo
+ 
  		ieee80211_assign_perm_addr(local, ndev->perm_addr, type);
  		if (is_valid_ether_addr(params->macaddr))
 +#if LINUX_VERSION_CODE < KERNEL_VERSION(5,18,0)
@@ -141,5 +131,5 @@ index 57aa863..f5ebb5a 100644
 +			eth_hw_addr_set(ndev, ndev->perm_addr);
 +#endif
  		SET_NETDEV_DEV(ndev, wiphy_dev(local->hw.wiphy));
-
+ 
  		/* don't use IEEE80211_DEV_TO_SUB_IF -- it checks too much */

package/kernel/mac80211/patches/build/267-rtl8723_5.18_support.patch

@@ -1,5 +1,5 @@
 --- a/drivers/staging/rtl8723bs/include/osdep_service_linux.h
-+++ a/drivers/staging/rtl8723bs/include/osdep_service_linux.h
++++ b/drivers/staging/rtl8723bs/include/osdep_service_linux.h
 @@ -45,7 +45,11 @@
  		spinlock_t	lock;
  	};

package/kernel/mac80211/patches/build/882-use-netif_rx.patch

@@ -1,6 +1,6 @@
 --- a/net/wireless/util.c
 +++ b/net/wireless/util.c
-@@ -2149,7 +2149,11 @@
+@@ -2149,7 +2149,11 @@ void cfg80211_send_layer2_update(struct
  	skb->dev = dev;
  	skb->protocol = eth_type_trans(skb, dev);
  	memset(skb->cb, 0, sizeof(skb->cb));
@@ -11,4 +11,4 @@
 +#endif
  }
  EXPORT_SYMBOL(cfg80211_send_layer2_update);
- 
+ 

package/kernel/mac80211/patches/rt2x00/999-backport-to-linux-5.18.patch

@@ -1,6 +1,6 @@
 --- a/drivers/net/wireless/ralink/rt2x00/rt2x00usb.c
 +++ b/drivers/net/wireless/ralink/rt2x00/rt2x00usb.c
-@@ -586,10 +586,18 @@ static void rt2x00usb_assign_endpoint(struct data_queue *queue,
+@@ -586,10 +586,18 @@ static void rt2x00usb_assign_endpoint(st
 
  	if (queue->qid == QID_RX) {
  		pipe = usb_rcvbulkpipe(usb_dev, queue->usb_endpoint);

package/kernel/mac80211/patches/rtl/001-rtw88-Call-rtw_fw_beacon_filter_config-with-rtwdev--mutex-held.patch

@@ -1,8 +1,6 @@
-diff --git a/drivers/net/wireless/realtek/rtw88/mac80211.c b/drivers/net/wireless/realtek/rtw88/mac80211.c
-index 5cdc54c9a9aae..3c07485d6ba47 100644
 --- a/drivers/net/wireless/realtek/rtw88/mac80211.c
 +++ b/drivers/net/wireless/realtek/rtw88/mac80211.c
-@@ -466,8 +466,8 @@ static int rtw_ops_sta_remove(struct ieee80211_hw *hw,
+@@ -455,8 +455,8 @@ static int rtw_ops_sta_remove(struct iee
  {
  	struct rtw_dev *rtwdev = hw->priv;
 

package/kernel/mac80211/patches/rtl/002-rtw88-Drop-rf_lock.patch

@@ -1,8 +1,6 @@
-diff --git a/drivers/net/wireless/realtek/rtw88/debug.c b/drivers/net/wireless/realtek/rtw88/debug.c
-index 1a52ff585fbc7..ba5ba852efb8c 100644
 --- a/drivers/net/wireless/realtek/rtw88/debug.c
 +++ b/drivers/net/wireless/realtek/rtw88/debug.c
-@@ -144,7 +144,9 @@ static int rtw_debugfs_get_rf_read(struct seq_file *m, void *v)
+@@ -143,7 +143,9 @@ static int rtw_debugfs_get_rf_read(struc
  	addr = debugfs_priv->rf_addr;
  	mask = debugfs_priv->rf_mask;
 
@@ -12,7 +10,7 @@ index 1a52ff585fbc7..ba5ba852efb8c 100644
 
  	seq_printf(m, "rf_read path:%d addr:0x%08x mask:0x%08x val=0x%08x\n",
  		   path, addr, mask, val);
-@@ -418,7 +420,9 @@ static ssize_t rtw_debugfs_set_rf_write(struct file *filp,
+@@ -401,7 +403,9 @@ static ssize_t rtw_debugfs_set_rf_write(
  		return count;
  	}
 
@@ -22,7 +20,7 @@ index 1a52ff585fbc7..ba5ba852efb8c 100644
  	rtw_dbg(rtwdev, RTW_DBG_DEBUGFS,
  		"write_rf path:%d addr:0x%08x mask:0x%08x, val:0x%08x\n",
  		path, addr, mask, val);
-@@ -523,6 +527,8 @@ static int rtw_debug_get_rf_dump(struct seq_file *m, void *v)
+@@ -481,6 +485,8 @@ static int rtw_debug_get_rf_dump(struct
  	u32 addr, offset, data;
  	u8 path;
 
@@ -31,7 +29,7 @@ index 1a52ff585fbc7..ba5ba852efb8c 100644
  	for (path = 0; path < rtwdev->hal.rf_path_num; path++) {
  		seq_printf(m, "RF path:%d\n", path);
  		for (addr = 0; addr < 0x100; addr += 4) {
-@@ -537,6 +543,8 @@ static int rtw_debug_get_rf_dump(struct seq_file *m, void *v)
+@@ -495,6 +501,8 @@ static int rtw_debug_get_rf_dump(struct
  		seq_puts(m, "\n");
  	}
 
@@ -40,7 +38,7 @@ index 1a52ff585fbc7..ba5ba852efb8c 100644
  	return 0;
  }
 
-@@ -1027,6 +1035,8 @@ static void dump_gapk_status(struct rtw_dev *rtwdev, struct seq_file *m)
+@@ -911,6 +919,8 @@ static void dump_gapk_status(struct rtw_
  		   dm_info->dm_flags & BIT(RTW_DM_CAP_TXGAPK) ? '-' : '+',
  		   rtw_dm_cap_strs[RTW_DM_CAP_TXGAPK]);
 
@@ -49,16 +47,14 @@ index 1a52ff585fbc7..ba5ba852efb8c 100644
  	for (path = 0; path < rtwdev->hal.rf_path_num; path++) {
  		val = rtw_read_rf(rtwdev, path, RF_GAINTX, RFREG_MASK);
  		seq_printf(m, "path %d:\n0x%x = 0x%x\n", path, RF_GAINTX, val);
-@@ -1036,6 +1046,7 @@ static void dump_gapk_status(struct rtw_dev *rtwdev, struct seq_file *m)
+@@ -920,6 +930,7 @@ static void dump_gapk_status(struct rtw_
  				   txgapk->rf3f_fs[path][i], i);
  		seq_puts(m, "\n");
  	}
 +	mutex_unlock(&rtwdev->mutex);
  }
 
  static int rtw_debugfs_get_dm_cap(struct seq_file *m, void *v)
-diff --git a/drivers/net/wireless/realtek/rtw88/hci.h b/drivers/net/wireless/realtek/rtw88/hci.h
-index 4c6fc6fb3f83b..830d7532f2a35 100644
 --- a/drivers/net/wireless/realtek/rtw88/hci.h
 +++ b/drivers/net/wireless/realtek/rtw88/hci.h
 @@ -166,12 +166,11 @@ static inline u32
@@ -89,23 +85,19 @@ index 4c6fc6fb3f83b..830d7532f2a35 100644
  }
 
  static inline u32
-diff --git a/drivers/net/wireless/realtek/rtw88/main.c b/drivers/net/wireless/realtek/rtw88/main.c
-index 8b9899e41b0bb..f9864840ffd9c 100644
 --- a/drivers/net/wireless/realtek/rtw88/main.c
 +++ b/drivers/net/wireless/realtek/rtw88/main.c
-@@ -1994,7 +1994,6 @@ int rtw_core_init(struct rtw_dev *rtwdev)
+@@ -1839,7 +1839,6 @@ int rtw_core_init(struct rtw_dev *rtwdev
  	skb_queue_head_init(&rtwdev->coex.queue);
  	skb_queue_head_init(&rtwdev->tx_report.queue);
 
 -	spin_lock_init(&rtwdev->rf_lock);
  	spin_lock_init(&rtwdev->h2c.lock);
  	spin_lock_init(&rtwdev->txq_lock);
  	spin_lock_init(&rtwdev->tx_report.q_lock);
-diff --git a/drivers/net/wireless/realtek/rtw88/main.h b/drivers/net/wireless/realtek/rtw88/main.h
-index 17815af9dd4ea..df6c6032bbd3b 100644
 --- a/drivers/net/wireless/realtek/rtw88/main.h
 +++ b/drivers/net/wireless/realtek/rtw88/main.h
-@@ -1994,9 +1994,6 @@ struct rtw_dev {
+@@ -1842,9 +1842,6 @@ struct rtw_dev {
  	/* ensures exclusive access from mac80211 callbacks */
  	struct mutex mutex;
 

package/kernel/mac80211/patches/rtl/003-rtw88-Drop-h2c.lock.patch

@@ -1,8 +1,6 @@
-diff --git a/drivers/net/wireless/realtek/rtw88/debug.c b/drivers/net/wireless/realtek/rtw88/debug.c
-index ba5ba852efb8c..79939aa6b752c 100644
 --- a/drivers/net/wireless/realtek/rtw88/debug.c
 +++ b/drivers/net/wireless/realtek/rtw88/debug.c
-@@ -396,7 +396,9 @@ static ssize_t rtw_debugfs_set_h2c(struct file *filp,
+@@ -379,7 +379,9 @@ static ssize_t rtw_debugfs_set_h2c(struc
  		return -EINVAL;
  	}
 
@@ -12,11 +10,9 @@ index ba5ba852efb8c..79939aa6b752c 100644
 
  	return count;
  }
-diff --git a/drivers/net/wireless/realtek/rtw88/fw.c b/drivers/net/wireless/realtek/rtw88/fw.c
-index aa2aeb5fb2ccd..c3ad2a1b47212 100644
 --- a/drivers/net/wireless/realtek/rtw88/fw.c
 +++ b/drivers/net/wireless/realtek/rtw88/fw.c
-@@ -320,7 +320,7 @@ static void rtw_fw_send_h2c_command(struct rtw_dev *rtwdev,
+@@ -285,7 +285,7 @@ static void rtw_fw_send_h2c_command(stru
  		h2c[3], h2c[2], h2c[1], h2c[0],
  		h2c[7], h2c[6], h2c[5], h2c[4]);
 
@@ -25,7 +21,7 @@ index aa2aeb5fb2ccd..c3ad2a1b47212 100644
 
  	box = rtwdev->h2c.last_box_num;
  	switch (box) {
-@@ -342,7 +342,7 @@ static void rtw_fw_send_h2c_command(struct rtw_dev *rtwdev,
+@@ -307,7 +307,7 @@ static void rtw_fw_send_h2c_command(stru
  		break;
  	default:
  		WARN(1, "invalid h2c mail box number\n");
@@ -34,7 +30,7 @@ index aa2aeb5fb2ccd..c3ad2a1b47212 100644
  	}
 
  	ret = read_poll_timeout_atomic(rtw_read8, box_state,
-@@ -351,7 +351,7 @@ static void rtw_fw_send_h2c_command(struct rtw_dev *rtwdev,
+@@ -316,7 +316,7 @@ static void rtw_fw_send_h2c_command(stru
 
  	if (ret) {
  		rtw_err(rtwdev, "failed to send h2c command\n");
@@ -43,7 +39,7 @@ index aa2aeb5fb2ccd..c3ad2a1b47212 100644
  	}
 
  	for (idx = 0; idx < 4; idx++)
-@@ -361,9 +361,6 @@ static void rtw_fw_send_h2c_command(struct rtw_dev *rtwdev,
+@@ -326,9 +326,6 @@ static void rtw_fw_send_h2c_command(stru
 
  	if (++rtwdev->h2c.last_box_num >= 4)
  		rtwdev->h2c.last_box_num = 0;
@@ -53,7 +49,7 @@ index aa2aeb5fb2ccd..c3ad2a1b47212 100644
  }
 
  void rtw_fw_h2c_cmd_dbg(struct rtw_dev *rtwdev, u8 *h2c)
-@@ -375,15 +372,13 @@ static void rtw_fw_send_h2c_packet(struct rtw_dev *rtwdev, u8 *h2c_pkt)
+@@ -340,15 +337,13 @@ static void rtw_fw_send_h2c_packet(struc
  {
  	int ret;
 
@@ -70,23 +66,19 @@ index aa2aeb5fb2ccd..c3ad2a1b47212 100644
  }
 
  void
-diff --git a/drivers/net/wireless/realtek/rtw88/main.c b/drivers/net/wireless/realtek/rtw88/main.c
-index f9864840ffd9c..baf4d29fde678 100644
 --- a/drivers/net/wireless/realtek/rtw88/main.c
 +++ b/drivers/net/wireless/realtek/rtw88/main.c
-@@ -1994,7 +1994,6 @@ int rtw_core_init(struct rtw_dev *rtwdev)
+@@ -1839,7 +1839,6 @@ int rtw_core_init(struct rtw_dev *rtwdev
  	skb_queue_head_init(&rtwdev->coex.queue);
  	skb_queue_head_init(&rtwdev->tx_report.queue);
 
 -	spin_lock_init(&rtwdev->h2c.lock);
  	spin_lock_init(&rtwdev->txq_lock);
  	spin_lock_init(&rtwdev->tx_report.q_lock);
 
-diff --git a/drivers/net/wireless/realtek/rtw88/main.h b/drivers/net/wireless/realtek/rtw88/main.h
-index df6c6032bbd3b..619ee6e8d2807 100644
 --- a/drivers/net/wireless/realtek/rtw88/main.h
 +++ b/drivers/net/wireless/realtek/rtw88/main.h
-@@ -2018,8 +2018,6 @@ struct rtw_dev {
+@@ -1865,8 +1865,6 @@ struct rtw_dev {
  	struct {
  		/* incicate the mail box to use with fw */
  		u8 last_box_num;