diff options
4 files changed, 63 insertions, 80 deletions
diff --git a/0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch b/0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch index d881572..3d9af57 100644 --- a/0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch +++ b/0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch @@ -1,4 +1,4 @@ -From 56c7f1acc778e6e90ea7777c0d3d217ccf3e470e Mon Sep 17 00:00:00 2001 +From 9dda33cd8d3d2feb086a5cb7f7392cda483939ee Mon Sep 17 00:00:00 2001 From: "Jan Alexander Steffens (heftig)" <jan.steffens@gmail.com> Date: Mon, 16 Sep 2019 04:53:20 +0200 Subject: ZEN: Add sysctl and CONFIG to disallow unprivileged CLONE_NEWUSER @@ -62,7 +62,7 @@ index d6a0b31b13dc..2420d38cbfb9 100644 bool "PID Namespaces" default y diff --git a/kernel/fork.c b/kernel/fork.c -index da8d360fb032..e1a347df77ac 100644 +index a9ce750578ca..0da8704c3d91 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -96,6 +96,10 @@ @@ -76,7 +76,7 @@ index da8d360fb032..e1a347df77ac 100644 #include <asm/pgalloc.h> #include <linux/uaccess.h> #include <asm/mmu_context.h> -@@ -1841,6 +1845,10 @@ static __latent_entropy struct task_struct *copy_process( +@@ -1860,6 +1864,10 @@ static __latent_entropy struct task_struct *copy_process( if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS)) return ERR_PTR(-EINVAL); @@ -87,7 +87,7 @@ index da8d360fb032..e1a347df77ac 100644 /* * Thread groups must share signals as well, and detached threads * can only be started up within the thread group. -@@ -2900,6 +2908,12 @@ int ksys_unshare(unsigned long unshare_flags) +@@ -2921,6 +2929,12 @@ int ksys_unshare(unsigned long unshare_flags) if (unshare_flags & CLONE_NEWNS) unshare_flags |= CLONE_FS; diff --git a/0002-i2c-core-Restore-acpi_walk_dep_device_list-getting-called.patch b/0002-i2c-core-Restore-acpi_walk_dep_device_list-getting-called.patch deleted file mode 100644 index 076844f..0000000 --- a/0002-i2c-core-Restore-acpi_walk_dep_device_list-getting-called.patch +++ /dev/null @@ -1,70 +0,0 @@ -From 94d41d2b670111855a361a35806ebac8d2444042 Mon Sep 17 00:00:00 2001 -From: Hans de Goede <hdegoede@redhat.com> -Date: Wed, 14 Oct 2020 16:41:58 +0200 -Subject: i2c: core: Restore acpi_walk_dep_device_list() getting called after - registering the ACPI i2c devs - -Commit 21653a4181ff ("i2c: core: Call i2c_acpi_install_space_handler() -before i2c_acpi_register_devices()")'s intention was to only move the -acpi_install_address_space_handler() call to the point before where -the ACPI declared i2c-children of the adapter where instantiated by -i2c_acpi_register_devices(). - -But i2c_acpi_install_space_handler() had a call to -acpi_walk_dep_device_list() hidden (that is I missed it) at the end -of it, so as an unwanted side-effect now acpi_walk_dep_device_list() -was also being called before i2c_acpi_register_devices(). - -Move the acpi_walk_dep_device_list() call to the end of -i2c_acpi_register_devices(), so that it is once again called *after* -the i2c_client-s hanging of the adapter have been created. - -This fixes the Microsoft Surface Go 2 hanging at boot. - -Fixes: 21653a4181ff ("i2c: core: Call i2c_acpi_install_space_handler() before i2c_acpi_register_devices()") -Suggested-by: Maximilian Luz <luzmaximilian@gmail.com> -Reported-and-tested-by: Kieran Bingham <kieran.bingham@ideasonboard.com> -Signed-off-by: Hans de Goede <hdegoede@redhat.com> ---- - drivers/i2c/i2c-core-acpi.c | 11 ++++++++++- - 1 file changed, 10 insertions(+), 1 deletion(-) - -diff --git a/drivers/i2c/i2c-core-acpi.c b/drivers/i2c/i2c-core-acpi.c -index e627d7b2790f..37c510d9347a 100644 ---- a/drivers/i2c/i2c-core-acpi.c -+++ b/drivers/i2c/i2c-core-acpi.c -@@ -264,6 +264,7 @@ static acpi_status i2c_acpi_add_device(acpi_handle handle, u32 level, - void i2c_acpi_register_devices(struct i2c_adapter *adap) - { - acpi_status status; -+ acpi_handle handle; - - if (!has_acpi_companion(&adap->dev)) - return; -@@ -274,6 +275,15 @@ void i2c_acpi_register_devices(struct i2c_adapter *adap) - adap, NULL); - if (ACPI_FAILURE(status)) - dev_warn(&adap->dev, "failed to enumerate I2C slaves\n"); -+ -+ if (!adap->dev.parent) -+ return; -+ -+ handle = ACPI_HANDLE(adap->dev.parent); -+ if (!handle) -+ return; -+ -+ acpi_walk_dep_device_list(handle); - } - - static const struct acpi_device_id i2c_acpi_force_400khz_device_ids[] = { -@@ -719,7 +729,6 @@ int i2c_acpi_install_space_handler(struct i2c_adapter *adapter) - return -ENOMEM; - } - -- acpi_walk_dep_device_list(handle); - return 0; - } - --- -cgit v1.2.3-1-gf6bb5 - diff --git a/0002-mac80211-fix-regression-where-EAPOL-frames-were-sent.patch b/0002-mac80211-fix-regression-where-EAPOL-frames-were-sent.patch new file mode 100644 index 0000000..d4c5e1a --- /dev/null +++ b/0002-mac80211-fix-regression-where-EAPOL-frames-were-sent.patch @@ -0,0 +1,53 @@ +From 5fbf98ceb5b2218ec764dd0d187953393732a5ef Mon Sep 17 00:00:00 2001 +From: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be> +Date: Sat, 17 Oct 2020 23:08:18 +0400 +Subject: mac80211: fix regression where EAPOL frames were sent in plaintext + +I've managed to reproduce the issue, or at least a related issue. Can +you try the draft patch below and see if that fixes it? + +When sending EAPOL frames via NL80211 they are treated as injected +frames in mac80211. Due to commit 1df2bdba528b ("mac80211: never drop +injected frames even if normally not allowed") these injected frames +were not assigned a sta context in the function ieee80211_tx_dequeue, +causing certain wireless network cards to always send EAPOL frames in +plaintext. This may cause compatibility issues with some clients or +APs, which for instance can cause the group key handshake to fail and +in turn would cause the station to get disconnected. + +This commit fixes this regression by assigning a sta context in +ieee80211_tx_dequeue to injected frames as well. + +Note that sending EAPOL frames in plaintext is not a security issue +since they contain their own encryption and authentication protection. + +Fixes: 1df2bdba528b ("mac80211: never drop injected frames even if normally not allowed") +--- + net/mac80211/tx.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c +index dca01d7e6e3e..2a0725b548f6 100644 +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -3613,13 +3613,14 @@ begin: + tx.skb = skb; + tx.sdata = vif_to_sdata(info->control.vif); + +- if (txq->sta && !(info->flags & IEEE80211_TX_CTL_INJECTED)) { ++ if (txq->sta) { + tx.sta = container_of(txq->sta, struct sta_info, sta); + /* + * Drop unicast frames to unauthorised stations unless they are +- * EAPOL frames from the local station. ++ * injected frames or EAPOL frames from the local station. + */ +- if (unlikely(ieee80211_is_data(hdr->frame_control) && ++ if (unlikely(!(info->flags & IEEE80211_TX_CTL_INJECTED) && ++ ieee80211_is_data(hdr->frame_control) && + !ieee80211_vif_is_mesh(&tx.sdata->vif) && + tx.sdata->vif.type != NL80211_IFTYPE_OCB && + !is_multicast_ether_addr(hdr->addr1) && +-- +cgit v1.2.3-1-gf6bb5 + @@ -21,7 +21,7 @@ _custom=1 pkgbase=linux-ck _supver=5 _majver=9 -_minver=1 +_minver=2 _gccpatchver='20200615' _gccpatchger='10.1' _gccpatchker='5.8' @@ -47,7 +47,7 @@ _srcname=linux-${pkgver} source=( https://www.kernel.org/pub/linux/kernel/v${_supver}.x/${_srcname}.tar.{xz,sign} 0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch - 0002-i2c-core-Restore-acpi_walk_dep_device_list-getting-called.patch + 0002-mac80211-fix-regression-where-EAPOL-frames-were-sent.patch linux-ck-patch-${_supver}.${_majver}-${_ckpatchversion}.xz::http://ck.kolivas.org/patches/${_supver}.0/${_supver}.${_majver}/${_supver}.${_majver}-${_ckpatchversion}/patch-${_supver}.${_majver}-${_ckpatchversion}.xz kernel_gcc_patch-${_gccpatchver}.tar.gz::https://github.com/graysky2/kernel_gcc_patch/archive/${_gccpatchver}.tar.gz ath9k-regdom-hack.patch @@ -60,10 +60,10 @@ validpgpkeys=( '647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman ) # https://www.kernel.org/pub/linux/kernel/v5.x/sha256sums.asc -b2sums=('65eeccf077194ce03d5dbc1e8ea8f6022d709bc930945a49880fb87d71992e0614cf5ee92eb1b60fe2e3ed41fe17f0c176bbbad5f2cf0a2a349e1b08e6236558' +b2sums=('22ba992df3a1d73fa16efb31bb0d62eacd106fb6f4d6dd1ebe522dc09b94c8df689cdb594ed105076ab5e1be4bd00eb834019dc19b6f58f6bee04f53e5de961e' 'SKIP' - '27ba59acd154834db44166a2d4ed5e4edc335a74785bf5e4cffd30ca5f39a995dcbef960f574de48f197d77cf8d9fa2ae57c61712e494852b5c14ee6ed22d956' - '217c14db67cf20073d9aa2f60bb9c30497ff36f6d608d22ccd5e74338bba16858f0c81862bd92bda45384d06133c3540ad8703af7decb5afb0d5feda076af33e' + 'c1e9177debee553e03873dff9293e7a21a53297fc4b3df8b9f54a8839cf1c7d6803945fc7d64676fe8c04cb54ef331b59c4348fbc9915060162177be503d9e96' + '3006fa726027b57c421c959c4e6c2230cfa871df7a234d4b2061ed1db4784d0c296d90785a2c48f5c059f6e15ad58007773376440054ce6e60a00fc448b939b3' 'c19099ad66168db4608dee44e1913c07c035bc002a91267abc2e1eadf1788ddb5be3b17e3fdfeddcba96526dfa2b9fcc43a5dd0f8236d94c864e6477924a6718' 'c8d0697f99fe6105815217b8ec059d8f587415ea8dd2b88a65e1087feedf697341a64cd56810fde9e7aeada79125fc8235faccc7e7b06492c099e27a8abbe99c' 'b6ef77035611139fa9a6d5b8d30570e2781bb4da483bb569884b0bd0129b62e0b82a5a6776fefe43fee801c70d39de1ea4d4c177f7cedd5ac135e3c64f7b895a' @@ -88,7 +88,7 @@ prepare() { # Hotfixes echo "Applying hotfixes" patch -p1 -i ../0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch - patch -p1 -i ../0002-i2c-core-Restore-acpi_walk_dep_device_list-getting-called.patch + patch -p1 -i ../0002-mac80211-fix-regression-where-EAPOL-frames-were-sent.patch patch -p1 -i ../sphinx-workaround.patch |