From patchwork Fri Jan 24 19:14:22 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Connor Kuehl <connor.kuehl@canonical.com>
X-Patchwork-Id: 1229016
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org; spf=none (no SPF record)
	smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19;
	helo=huckleberry.canonical.com;
	envelope-from=kernel-team-bounces@lists.ubuntu.com;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none)
	header.from=canonical.com
Received: from huckleberry.canonical.com (huckleberry.canonical.com
	[91.189.94.19])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 4848325h2kz9sRR;
	Sat, 25 Jan 2020 06:14:36 +1100 (AEDT)
Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com)
	by huckleberry.canonical.com with esmtp (Exim 4.86_2)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1iv4PZ-0004rN-0S; Fri, 24 Jan 2020 19:14:33 +0000
Received: from youngberry.canonical.com ([91.189.89.112])
	by huckleberry.canonical.com with esmtps
	(TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2)
	(envelope-from <connor.kuehl@canonical.com>) id 1iv4PW-0004qo-Fd
	for kernel-team@lists.ubuntu.com; Fri, 24 Jan 2020 19:14:30 +0000
Received: from mail-pg1-f197.google.com ([209.85.215.197])
	by youngberry.canonical.com with esmtps
	(TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2)
	(envelope-from <connor.kuehl@canonical.com>) id 1iv4PW-0004nf-2U
	for kernel-team@lists.ubuntu.com; Fri, 24 Jan 2020 19:14:30 +0000
Received: by mail-pg1-f197.google.com with SMTP id v30so1890957pga.22
	for <kernel-team@lists.ubuntu.com>;
	Fri, 24 Jan 2020 11:14:30 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
	:references:mime-version:content-transfer-encoding;
	bh=lP7xjy3M5it+hbe/VGLXqzkCXsWf7sc/7BjE6esjVRg=;
	b=YFszsvOh2wQ4YtfT8K4sFbD5khHO5MjSj8Rg/qr6RH/ldh3e2eAxDHozsasBfj1Uzl
	LQrSl7VImSI+2nV4I+7hPQ9WqDe6taH3fEuAOL0XTcfNFqlR/pEFEUS06yu+TjpvZb/a
	IRR4H4mfdp+PiliU5600vjv50Ic3s9qoSL20QgSRJ2RFxxA1qM64P9kwpF4FDTH1QPbG
	9a1m4ixQnx8iURlIDQ1vYxzQ5wAnGRo9dK7xJieI2LphaO/JC+PvgdSj9yYNd2GkQpru
	BklWesOids5x1fE9jpBOCgGTCU+uQ2q3j/3omsEswdjjxY4LG2mXzcZqoZ3X2skzITYd
	FBXw==
X-Gm-Message-State: APjAAAXM1KZxLjCxlBFGsi47yka0Je0GBM1kwR9asoWAY2J8auODa0Fm
	8zfbNwKQYkbjQlRqYoASlaDD+gEJL8zUSdXS0d1lGpQbVWLdC7rBVeUJSbRH5osAxAubm3aXozs
	p0LYUp+c7Bf+RHHXCblB/6KyujdopxYe00G9+34Rcfw==
X-Received: by 2002:a17:90a:b10b:: with SMTP id
	z11mr816852pjq.132.1579893268323;
	Fri, 24 Jan 2020 11:14:28 -0800 (PST)
X-Google-Smtp-Source: 
 APXvYqzfJTjDWhZsaOGkNZhOxJh8IRuZ/tsBhQ4FkGemlysaur7d2GqzMQsOhvsybIEANZTYB7bjpw==
X-Received: by 2002:a17:90a:b10b:: with SMTP id
	z11mr816826pjq.132.1579893267976;
	Fri, 24 Jan 2020 11:14:27 -0800 (PST)
Received: from localhost.localdomain (c-71-63-171-240.hsd1.or.comcast.net.
	[71.63.171.240]) by smtp.gmail.com with ESMTPSA id
	z16sm7038622pff.125.2020.01.24.11.14.26
	(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
	Fri, 24 Jan 2020 11:14:27 -0800 (PST)
From: Connor Kuehl <connor.kuehl@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [Bionic][SRU][PATCH 1/2] cfg80211/mac80211: make
	ieee80211_send_layer2_update a public function
Date: Fri, 24 Jan 2020 11:14:22 -0800
Message-Id: <20200124191424.24035-2-connor.kuehl@canonical.com>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20200124191424.24035-1-connor.kuehl@canonical.com>
References: <20200124191424.24035-1-connor.kuehl@canonical.com>
MIME-Version: 1.0
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

From: Dedy Lansky <dlansky@codeaurora.org>

CVE-2019-5108

Make ieee80211_send_layer2_update() a common function so other drivers
can re-use it.

Signed-off-by: Dedy Lansky <dlansky@codeaurora.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
(backported from commit 30ca1aa536211f5ac3de0173513a7a99a98a97f3)
[ Connor Kuehl: context adjustments ]
Signed-off-by: Connor Kuehl <connor.kuehl@canonical.com>
---
 include/net/cfg80211.h | 11 ++++++++++
 net/mac80211/cfg.c     | 48 ++----------------------------------------
 net/wireless/util.c    | 45 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 58 insertions(+), 46 deletions(-)

diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
index c45fe070e39f..f205f3af2686 100644
--- a/include/net/cfg80211.h
+++ b/include/net/cfg80211.h
@@ -4466,6 +4466,17 @@ static inline const u8 *cfg80211_find_ext_ie(u8 ext_eid, const u8 *ies, int len)
 const u8 *cfg80211_find_vendor_ie(unsigned int oui, int oui_type,
 				  const u8 *ies, int len);
 
+/**
+ * cfg80211_send_layer2_update - send layer 2 update frame
+ *
+ * @dev: network device
+ * @addr: STA MAC address
+ *
+ * Wireless drivers can use this function to update forwarding tables in bridge
+ * devices upon STA association.
+ */
+void cfg80211_send_layer2_update(struct net_device *dev, const u8 *addr);
+
 /**
  * DOC: Regulatory enforcement infrastructure
  *
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 8168c667d91d..f236a990638f 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -1089,50 +1089,6 @@ static int ieee80211_stop_ap(struct wiphy *wiphy, struct net_device *dev)
 	return 0;
 }
 
-/* Layer 2 Update frame (802.2 Type 1 LLC XID Update response) */
-struct iapp_layer2_update {
-	u8 da[ETH_ALEN];	/* broadcast */
-	u8 sa[ETH_ALEN];	/* STA addr */
-	__be16 len;		/* 6 */
-	u8 dsap;		/* 0 */
-	u8 ssap;		/* 0 */
-	u8 control;
-	u8 xid_info[3];
-} __packed;
-
-static void ieee80211_send_layer2_update(struct sta_info *sta)
-{
-	struct iapp_layer2_update *msg;
-	struct sk_buff *skb;
-
-	/* Send Level 2 Update Frame to update forwarding tables in layer 2
-	 * bridge devices */
-
-	skb = dev_alloc_skb(sizeof(*msg));
-	if (!skb)
-		return;
-	msg = skb_put(skb, sizeof(*msg));
-
-	/* 802.2 Type 1 Logical Link Control (LLC) Exchange Identifier (XID)
-	 * Update response frame; IEEE Std 802.2-1998, 5.4.1.2.1 */
-
-	eth_broadcast_addr(msg->da);
-	memcpy(msg->sa, sta->sta.addr, ETH_ALEN);
-	msg->len = htons(6);
-	msg->dsap = 0;
-	msg->ssap = 0x01;	/* NULL LSAP, CR Bit: Response */
-	msg->control = 0xaf;	/* XID response lsb.1111F101.
-				 * F=0 (no poll command; unsolicited frame) */
-	msg->xid_info[0] = 0x81;	/* XID format identifier */
-	msg->xid_info[1] = 1;	/* LLC types/classes: Type 1 LLC */
-	msg->xid_info[2] = 0;	/* XID sender's receive window size (RW) */
-
-	skb->dev = sta->sdata->dev;
-	skb->protocol = eth_type_trans(skb, sta->sdata->dev);
-	memset(skb->cb, 0, sizeof(skb->cb));
-	netif_rx_ni(skb);
-}
-
 static int sta_apply_auth_flags(struct ieee80211_local *local,
 				struct sta_info *sta,
 				u32 mask, u32 set)
@@ -1496,7 +1452,7 @@ static int ieee80211_add_station(struct wiphy *wiphy, struct net_device *dev,
 	}
 
 	if (layer2_update)
-		ieee80211_send_layer2_update(sta);
+		cfg80211_send_layer2_update(sta->sdata->dev, sta->sta.addr);
 
 	rcu_read_unlock();
 
@@ -1598,7 +1554,7 @@ static int ieee80211_change_station(struct wiphy *wiphy,
 		if (test_sta_flag(sta, WLAN_STA_AUTHORIZED))
 			ieee80211_vif_inc_num_mcast(sta->sdata);
 
-		ieee80211_send_layer2_update(sta);
+		cfg80211_send_layer2_update(sta->sdata->dev, sta->sta.addr);
 	}
 
 	err = sta_apply_parameters(local, sta, params);
diff --git a/net/wireless/util.c b/net/wireless/util.c
index 801b61ae1623..cd8a3e63fd73 100644
--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -1814,6 +1814,51 @@ const unsigned char bridge_tunnel_header[] __aligned(2) =
 	{ 0xaa, 0xaa, 0x03, 0x00, 0x00, 0xf8 };
 EXPORT_SYMBOL(bridge_tunnel_header);
 
+/* Layer 2 Update frame (802.2 Type 1 LLC XID Update response) */
+struct iapp_layer2_update {
+	u8 da[ETH_ALEN];	/* broadcast */
+	u8 sa[ETH_ALEN];	/* STA addr */
+	__be16 len;		/* 6 */
+	u8 dsap;		/* 0 */
+	u8 ssap;		/* 0 */
+	u8 control;
+	u8 xid_info[3];
+} __packed;
+
+void cfg80211_send_layer2_update(struct net_device *dev, const u8 *addr)
+{
+	struct iapp_layer2_update *msg;
+	struct sk_buff *skb;
+
+	/* Send Level 2 Update Frame to update forwarding tables in layer 2
+	 * bridge devices */
+
+	skb = dev_alloc_skb(sizeof(*msg));
+	if (!skb)
+		return;
+	msg = skb_put(skb, sizeof(*msg));
+
+	/* 802.2 Type 1 Logical Link Control (LLC) Exchange Identifier (XID)
+	 * Update response frame; IEEE Std 802.2-1998, 5.4.1.2.1 */
+
+	eth_broadcast_addr(msg->da);
+	ether_addr_copy(msg->sa, addr);
+	msg->len = htons(6);
+	msg->dsap = 0;
+	msg->ssap = 0x01;	/* NULL LSAP, CR Bit: Response */
+	msg->control = 0xaf;	/* XID response lsb.1111F101.
+				 * F=0 (no poll command; unsolicited frame) */
+	msg->xid_info[0] = 0x81;	/* XID format identifier */
+	msg->xid_info[1] = 1;	/* LLC types/classes: Type 1 LLC */
+	msg->xid_info[2] = 0;	/* XID sender's receive window size (RW) */
+
+	skb->dev = dev;
+	skb->protocol = eth_type_trans(skb, dev);
+	memset(skb->cb, 0, sizeof(skb->cb));
+	netif_rx_ni(skb);
+}
+EXPORT_SYMBOL(cfg80211_send_layer2_update);
+
 bool cfg80211_iftype_allowed(struct wiphy *wiphy, enum nl80211_iftype iftype,
 			     bool is_4addr, u8 check_swif)