* [PATCH AUTOSEL 4.9 12/91] mwifiex: fix potential NULL dereference and use after free
[not found] <20191122060129.4239-1-sashal@kernel.org>
@ 2019-11-22 6:00 ` Sasha Levin
2019-11-22 6:00 ` [PATCH AUTOSEL 4.9 13/91] mwifiex: debugfs: correct histogram spacing, formatting Sasha Levin
` (3 subsequent siblings)
4 siblings, 0 replies; 5+ messages in thread
From: Sasha Levin @ 2019-11-22 6:00 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Pan Bian, Kalle Valo, Sasha Levin, linux-wireless, netdev
From: Pan Bian <bianpan2016@163.com>
[ Upstream commit 1dcd9429212b98bea87fc6ec92fb50bf5953eb47 ]
There are two defects: (1) passing a NULL bss to
mwifiex_save_hidden_ssid_channels will result in NULL dereference,
(2) using bss after dropping the reference to it via cfg80211_put_bss.
To fix them, the patch moves the buggy code to the branch that bss is
not NULL and puts it before cfg80211_put_bss.
Signed-off-by: Pan Bian <bianpan2016@163.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/marvell/mwifiex/scan.c | 18 ++++++++++--------
1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c
index 7e96b6a37946a..828c6f5eb83c8 100644
--- a/drivers/net/wireless/marvell/mwifiex/scan.c
+++ b/drivers/net/wireless/marvell/mwifiex/scan.c
@@ -1890,15 +1890,17 @@ mwifiex_parse_single_response_buf(struct mwifiex_private *priv, u8 **bss_info,
ETH_ALEN))
mwifiex_update_curr_bss_params(priv,
bss);
- cfg80211_put_bss(priv->wdev.wiphy, bss);
- }
- if ((chan->flags & IEEE80211_CHAN_RADAR) ||
- (chan->flags & IEEE80211_CHAN_NO_IR)) {
- mwifiex_dbg(adapter, INFO,
- "radar or passive channel %d\n",
- channel);
- mwifiex_save_hidden_ssid_channels(priv, bss);
+ if ((chan->flags & IEEE80211_CHAN_RADAR) ||
+ (chan->flags & IEEE80211_CHAN_NO_IR)) {
+ mwifiex_dbg(adapter, INFO,
+ "radar or passive channel %d\n",
+ channel);
+ mwifiex_save_hidden_ssid_channels(priv,
+ bss);
+ }
+
+ cfg80211_put_bss(priv->wdev.wiphy, bss);
}
}
} else {
--
2.20.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH AUTOSEL 4.9 13/91] mwifiex: debugfs: correct histogram spacing, formatting
[not found] <20191122060129.4239-1-sashal@kernel.org>
2019-11-22 6:00 ` [PATCH AUTOSEL 4.9 12/91] mwifiex: fix potential NULL dereference and use after free Sasha Levin
@ 2019-11-22 6:00 ` Sasha Levin
2019-11-22 6:00 ` [PATCH AUTOSEL 4.9 14/91] rtl818x: fix potential use after free Sasha Levin
` (2 subsequent siblings)
4 siblings, 0 replies; 5+ messages in thread
From: Sasha Levin @ 2019-11-22 6:00 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Brian Norris, Kalle Valo, Sasha Levin, linux-wireless, netdev
From: Brian Norris <briannorris@chromium.org>
[ Upstream commit 4cb777c64e030778c569f605398d7604d8aabc0f ]
Currently, snippets of this file look like:
rx rates (in Mbps): 0=1M 1=2M2=5.5M 3=11M 4=6M 5=9M 6=12M
7=18M 8=24M 9=36M 10=48M 11=54M12-27=MCS0-15(BW20) 28-43=MCS0-15(BW40)
44-53=MCS0-9(VHT:BW20)54-63=MCS0-9(VHT:BW40)64-73=MCS0-9(VHT:BW80)
...
noise_flr[--96dBm] = 22
noise_flr[--95dBm] = 149
noise_flr[--94dBm] = 9
noise_flr[--93dBm] = 2
We're missing some spaces, and we're adding a minus sign ('-') on values
that are already negative signed integers.
Signed-off-by: Brian Norris <briannorris@chromium.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/marvell/mwifiex/debugfs.c | 14 ++++++--------
1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/drivers/net/wireless/marvell/mwifiex/debugfs.c b/drivers/net/wireless/marvell/mwifiex/debugfs.c
index ae2b69db59940..6eacea28d7ac8 100644
--- a/drivers/net/wireless/marvell/mwifiex/debugfs.c
+++ b/drivers/net/wireless/marvell/mwifiex/debugfs.c
@@ -296,15 +296,13 @@ mwifiex_histogram_read(struct file *file, char __user *ubuf,
"total samples = %d\n",
atomic_read(&phist_data->num_samples));
- p += sprintf(p, "rx rates (in Mbps): 0=1M 1=2M");
- p += sprintf(p, "2=5.5M 3=11M 4=6M 5=9M 6=12M\n");
- p += sprintf(p, "7=18M 8=24M 9=36M 10=48M 11=54M");
- p += sprintf(p, "12-27=MCS0-15(BW20) 28-43=MCS0-15(BW40)\n");
+ p += sprintf(p,
+ "rx rates (in Mbps): 0=1M 1=2M 2=5.5M 3=11M 4=6M 5=9M 6=12M\n"
+ "7=18M 8=24M 9=36M 10=48M 11=54M 12-27=MCS0-15(BW20) 28-43=MCS0-15(BW40)\n");
if (ISSUPP_11ACENABLED(priv->adapter->fw_cap_info)) {
- p += sprintf(p, "44-53=MCS0-9(VHT:BW20)");
- p += sprintf(p, "54-63=MCS0-9(VHT:BW40)");
- p += sprintf(p, "64-73=MCS0-9(VHT:BW80)\n\n");
+ p += sprintf(p,
+ "44-53=MCS0-9(VHT:BW20) 54-63=MCS0-9(VHT:BW40) 64-73=MCS0-9(VHT:BW80)\n\n");
} else {
p += sprintf(p, "\n");
}
@@ -333,7 +331,7 @@ mwifiex_histogram_read(struct file *file, char __user *ubuf,
for (i = 0; i < MWIFIEX_MAX_NOISE_FLR; i++) {
value = atomic_read(&phist_data->noise_flr[i]);
if (value)
- p += sprintf(p, "noise_flr[-%02ddBm] = %d\n",
+ p += sprintf(p, "noise_flr[%02ddBm] = %d\n",
(int)(i-128), value);
}
for (i = 0; i < MWIFIEX_MAX_SIG_STRENGTH; i++) {
--
2.20.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH AUTOSEL 4.9 14/91] rtl818x: fix potential use after free
[not found] <20191122060129.4239-1-sashal@kernel.org>
2019-11-22 6:00 ` [PATCH AUTOSEL 4.9 12/91] mwifiex: fix potential NULL dereference and use after free Sasha Levin
2019-11-22 6:00 ` [PATCH AUTOSEL 4.9 13/91] mwifiex: debugfs: correct histogram spacing, formatting Sasha Levin
@ 2019-11-22 6:00 ` Sasha Levin
2019-11-22 6:00 ` [PATCH AUTOSEL 4.9 45/91] ath6kl: Only use match sets when firmware supports it Sasha Levin
2019-11-22 6:00 ` [PATCH AUTOSEL 4.9 46/91] ath6kl: Fix off by one error in scan completion Sasha Levin
4 siblings, 0 replies; 5+ messages in thread
From: Sasha Levin @ 2019-11-22 6:00 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Pan Bian, Larry Finger, Kalle Valo, Sasha Levin, linux-wireless, netdev
From: Pan Bian <bianpan2016@163.com>
[ Upstream commit afbb1947db94eacc5a13302eee88a9772fb78935 ]
entry is released via usb_put_urb just after calling usb_submit_urb.
However, entry is used if the submission fails, resulting in a use after
free bug. The patch fixes this.
Signed-off-by: Pan Bian <bianpan2016@163.com>
ACKed-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c b/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
index 6113624ccec39..17e3d5e830626 100644
--- a/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
+++ b/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
@@ -446,12 +446,13 @@ static int rtl8187_init_urbs(struct ieee80211_hw *dev)
skb_queue_tail(&priv->rx_queue, skb);
usb_anchor_urb(entry, &priv->anchored);
ret = usb_submit_urb(entry, GFP_KERNEL);
- usb_put_urb(entry);
if (ret) {
skb_unlink(skb, &priv->rx_queue);
usb_unanchor_urb(entry);
+ usb_put_urb(entry);
goto err;
}
+ usb_put_urb(entry);
}
return ret;
--
2.20.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH AUTOSEL 4.9 45/91] ath6kl: Only use match sets when firmware supports it
[not found] <20191122060129.4239-1-sashal@kernel.org>
` (2 preceding siblings ...)
2019-11-22 6:00 ` [PATCH AUTOSEL 4.9 14/91] rtl818x: fix potential use after free Sasha Levin
@ 2019-11-22 6:00 ` Sasha Levin
2019-11-22 6:00 ` [PATCH AUTOSEL 4.9 46/91] ath6kl: Fix off by one error in scan completion Sasha Levin
4 siblings, 0 replies; 5+ messages in thread
From: Sasha Levin @ 2019-11-22 6:00 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Kyle Roeschley, Kalle Valo, Sasha Levin, linux-wireless, netdev
From: Kyle Roeschley <kyle.roeschley@ni.com>
[ Upstream commit fb376a495fbdb886f38cfaf5a3805401b9e46f13 ]
Commit dd45b7598f1c ("ath6kl: Include match ssid list in scheduled scan")
merged the probed and matched SSID lists before sending them to the
firmware. In the process, it assumed match set support is always available
in ath6kl_set_probed_ssids, which breaks scans for hidden SSIDs. Now, check
that the firmware supports matching SSIDs in scheduled scans before setting
MATCH_SSID_FLAG.
Fixes: dd45b7598f1c ("ath6kl: Include match ssid list in scheduled scan")
Signed-off-by: Kyle Roeschley <kyle.roeschley@ni.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath6kl/cfg80211.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/ath/ath6kl/cfg80211.c b/drivers/net/wireless/ath/ath6kl/cfg80211.c
index b7fe0af4cb240..0cce5a2bca161 100644
--- a/drivers/net/wireless/ath/ath6kl/cfg80211.c
+++ b/drivers/net/wireless/ath/ath6kl/cfg80211.c
@@ -934,7 +934,7 @@ static int ath6kl_set_probed_ssids(struct ath6kl *ar,
else
ssid_list[i].flag = ANY_SSID_FLAG;
- if (n_match_ssid == 0)
+ if (ar->wiphy->max_match_sets != 0 && n_match_ssid == 0)
ssid_list[i].flag |= MATCH_SSID_FLAG;
}
--
2.20.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH AUTOSEL 4.9 46/91] ath6kl: Fix off by one error in scan completion
[not found] <20191122060129.4239-1-sashal@kernel.org>
` (3 preceding siblings ...)
2019-11-22 6:00 ` [PATCH AUTOSEL 4.9 45/91] ath6kl: Only use match sets when firmware supports it Sasha Levin
@ 2019-11-22 6:00 ` Sasha Levin
4 siblings, 0 replies; 5+ messages in thread
From: Sasha Levin @ 2019-11-22 6:00 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Kyle Roeschley, Kalle Valo, Sasha Levin, linux-wireless, netdev
From: Kyle Roeschley <kyle.roeschley@ni.com>
[ Upstream commit 5803c12816c43bd09e5f4247dd9313c2d9a2c41b ]
When ath6kl was reworked to share code between regular and scheduled scans
in commit 3b8ffc6a22ba ("ath6kl: Configure probed SSID list consistently"),
probed SSID entry changed from 1-index to 0-indexed. However,
ath6kl_cfg80211_scan_complete_event() was missed in that change. Fix its
indexing so that we correctly clear out the probed SSID list.
Signed-off-by: Kyle Roeschley <kyle.roeschley@ni.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath6kl/cfg80211.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/ath/ath6kl/cfg80211.c b/drivers/net/wireless/ath/ath6kl/cfg80211.c
index 0cce5a2bca161..650d2f6446a6c 100644
--- a/drivers/net/wireless/ath/ath6kl/cfg80211.c
+++ b/drivers/net/wireless/ath/ath6kl/cfg80211.c
@@ -1088,7 +1088,7 @@ void ath6kl_cfg80211_scan_complete_event(struct ath6kl_vif *vif, bool aborted)
if (vif->scan_req->n_ssids && vif->scan_req->ssids[0].ssid_len) {
for (i = 0; i < vif->scan_req->n_ssids; i++) {
ath6kl_wmi_probedssid_cmd(ar->wmi, vif->fw_vif_idx,
- i + 1, DISABLE_SSID_FLAG,
+ i, DISABLE_SSID_FLAG,
0, NULL);
}
}
--
2.20.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
end of thread, other threads:[~2019-11-22 6:08 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <20191122060129.4239-1-sashal@kernel.org>
2019-11-22 6:00 ` [PATCH AUTOSEL 4.9 12/91] mwifiex: fix potential NULL dereference and use after free Sasha Levin
2019-11-22 6:00 ` [PATCH AUTOSEL 4.9 13/91] mwifiex: debugfs: correct histogram spacing, formatting Sasha Levin
2019-11-22 6:00 ` [PATCH AUTOSEL 4.9 14/91] rtl818x: fix potential use after free Sasha Levin
2019-11-22 6:00 ` [PATCH AUTOSEL 4.9 45/91] ath6kl: Only use match sets when firmware supports it Sasha Levin
2019-11-22 6:00 ` [PATCH AUTOSEL 4.9 46/91] ath6kl: Fix off by one error in scan completion Sasha Levin
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).