* [PATCH 0/3] iwlwifi: more fixes for 5.3
@ 2019-07-23 14:38 Johannes Berg
2019-07-23 14:38 ` [PATCH 1/3] iwlwifi: don't unmap as page memory that was mapped as single Johannes Berg
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Johannes Berg @ 2019-07-23 14:38 UTC (permalink / raw)
To: linux-wireless
Kalle,
As discussed, I have a few more fixes, I'll include them in the pull
request that Luca had already sent a number of patches for.
johannes
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH 1/3] iwlwifi: don't unmap as page memory that was mapped as single
2019-07-23 14:38 [PATCH 0/3] iwlwifi: more fixes for 5.3 Johannes Berg
@ 2019-07-23 14:38 ` Johannes Berg
2019-07-23 14:38 ` [PATCH 2/3] iwlwifi: mvm: fix an out-of-bound access Johannes Berg
2019-07-23 14:38 ` [PATCH 3/3] iwlwifi: mvm: fix a use-after-free bug in iwl_mvm_tx_tso_segment Johannes Berg
2 siblings, 0 replies; 4+ messages in thread
From: Johannes Berg @ 2019-07-23 14:38 UTC (permalink / raw)
To: linux-wireless; +Cc: Emmanuel Grumbach
From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
In order to remember how to unmap a memory (as single or
as page), we maintain a bit per Transmit Buffer (TBs) in
the meta data (structure iwl_cmd_meta).
We maintain a bitmap: 1 bit per TB.
If the TB is set, we will free the memory as a page.
This bitmap was never cleared. Fix this.
Cc: stable@vger.kernel.org
Fixes: 3cd1980b0cdf ("iwlwifi: pcie: introduce new tfd and tb formats")
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---
drivers/net/wireless/intel/iwlwifi/pcie/tx.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/tx.c b/drivers/net/wireless/intel/iwlwifi/pcie/tx.c
index fa4245d0d4a8..2f0ba7ef53b8 100644
--- a/drivers/net/wireless/intel/iwlwifi/pcie/tx.c
+++ b/drivers/net/wireless/intel/iwlwifi/pcie/tx.c
@@ -435,6 +435,8 @@ static void iwl_pcie_tfd_unmap(struct iwl_trans *trans,
DMA_TO_DEVICE);
}
+ meta->tbs = 0;
+
if (trans->cfg->use_tfh) {
struct iwl_tfh_tfd *tfd_fh = (void *)tfd;
--
2.20.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH 2/3] iwlwifi: mvm: fix an out-of-bound access
2019-07-23 14:38 [PATCH 0/3] iwlwifi: more fixes for 5.3 Johannes Berg
2019-07-23 14:38 ` [PATCH 1/3] iwlwifi: don't unmap as page memory that was mapped as single Johannes Berg
@ 2019-07-23 14:38 ` Johannes Berg
2019-07-23 14:38 ` [PATCH 3/3] iwlwifi: mvm: fix a use-after-free bug in iwl_mvm_tx_tso_segment Johannes Berg
2 siblings, 0 replies; 4+ messages in thread
From: Johannes Berg @ 2019-07-23 14:38 UTC (permalink / raw)
To: linux-wireless; +Cc: Emmanuel Grumbach
From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
The index for the elements of the ACPI object we dereference
was static. This means that if we called the function twice
we wouldn't start from 3 again, but rather from the latest
index we reached in the previous call.
This was dutifully reported by KASAN.
Fix this.
Cc: stable@vger.kernel.org
Fixes: 6996490501ed ("iwlwifi: mvm: add support for EWRD (Dynamic SAR) ACPI table")
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---
drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
index 00c89bcfdf6a..5de54d1559dd 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
@@ -755,7 +755,7 @@ static int iwl_mvm_sar_get_ewrd_table(struct iwl_mvm *mvm)
for (i = 0; i < n_profiles; i++) {
/* the tables start at element 3 */
- static int pos = 3;
+ int pos = 3;
/* The EWRD profiles officially go from 2 to 4, but we
* save them in sar_profiles[1-3] (because we don't
--
2.20.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH 3/3] iwlwifi: mvm: fix a use-after-free bug in iwl_mvm_tx_tso_segment
2019-07-23 14:38 [PATCH 0/3] iwlwifi: more fixes for 5.3 Johannes Berg
2019-07-23 14:38 ` [PATCH 1/3] iwlwifi: don't unmap as page memory that was mapped as single Johannes Berg
2019-07-23 14:38 ` [PATCH 2/3] iwlwifi: mvm: fix an out-of-bound access Johannes Berg
@ 2019-07-23 14:38 ` Johannes Berg
2 siblings, 0 replies; 4+ messages in thread
From: Johannes Berg @ 2019-07-23 14:38 UTC (permalink / raw)
To: linux-wireless; +Cc: Emmanuel Grumbach
From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Accessing the hdr of an skb that was consumed already isn't
a good idea.
First ask if the skb is a QoS packet, then keep that data
on stack, and then consume the skb.
This was spotted by KASAN.
Fixes: 08f7d8b69aaf ("iwlwifi: mvm: bring back mvm GSO code")
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---
drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
index a3e5d88f1c07..6ac114a393cc 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
@@ -831,6 +831,7 @@ iwl_mvm_tx_tso_segment(struct sk_buff *skb, unsigned int num_subframes,
unsigned int tcp_payload_len;
unsigned int mss = skb_shinfo(skb)->gso_size;
bool ipv4 = (skb->protocol == htons(ETH_P_IP));
+ bool qos = ieee80211_is_data_qos(hdr->frame_control);
u16 ip_base_id = ipv4 ? ntohs(ip_hdr(skb)->id) : 0;
skb_shinfo(skb)->gso_size = num_subframes * mss;
@@ -864,7 +865,7 @@ iwl_mvm_tx_tso_segment(struct sk_buff *skb, unsigned int num_subframes,
if (tcp_payload_len > mss) {
skb_shinfo(tmp)->gso_size = mss;
} else {
- if (ieee80211_is_data_qos(hdr->frame_control)) {
+ if (qos) {
u8 *qc;
if (ipv4)
--
2.20.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
end of thread, other threads:[~2019-07-23 14:38 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-07-23 14:38 [PATCH 0/3] iwlwifi: more fixes for 5.3 Johannes Berg
2019-07-23 14:38 ` [PATCH 1/3] iwlwifi: don't unmap as page memory that was mapped as single Johannes Berg
2019-07-23 14:38 ` [PATCH 2/3] iwlwifi: mvm: fix an out-of-bound access Johannes Berg
2019-07-23 14:38 ` [PATCH 3/3] iwlwifi: mvm: fix a use-after-free bug in iwl_mvm_tx_tso_segment Johannes Berg
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).