* [PATCH AUTOSEL 4.19 290/671] brcmfmac: fix leak of mypkt on error return path
[not found] <20200116170509.12787-1-sashal@kernel.org>
@ 2020-01-16 16:58 ` Sasha Levin
2020-01-16 16:59 ` [PATCH AUTOSEL 4.19 338/671] ath10k: Fix encoding for protected management frames Sasha Levin
` (12 subsequent siblings)
13 siblings, 0 replies; 14+ messages in thread
From: Sasha Levin @ 2020-01-16 16:58 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Colin Ian King, Mukesh Ojha, Kalle Valo, Sasha Levin,
linux-wireless, brcm80211-dev-list.pdl, brcm80211-dev-list,
netdev
From: Colin Ian King <colin.king@canonical.com>
[ Upstream commit a927e8d8ab57e696800e20cf09a72b7dfe3bbebb ]
Currently if the call to brcmf_sdiod_set_backplane_window fails then
error return path leaks mypkt. Fix this by returning by a new
error path labelled 'out' that calls brcmu_pkt_buf_free_skb to free
mypkt. Also remove redundant check on err before calling
brcmf_sdiod_skbuff_write.
Addresses-Coverity: ("Resource Leak")
Fixes: a7c3aa1509e2 ("brcmfmac: Remove brcmf_sdiod_addrprep()")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
index d2f788d88668..710dc59c5d34 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
@@ -617,15 +617,13 @@ int brcmf_sdiod_send_buf(struct brcmf_sdio_dev *sdiodev, u8 *buf, uint nbytes)
err = brcmf_sdiod_set_backplane_window(sdiodev, addr);
if (err)
- return err;
+ goto out;
addr &= SBSDIO_SB_OFT_ADDR_MASK;
addr |= SBSDIO_SB_ACCESS_2_4B_FLAG;
- if (!err)
- err = brcmf_sdiod_skbuff_write(sdiodev, sdiodev->func2, addr,
- mypkt);
-
+ err = brcmf_sdiod_skbuff_write(sdiodev, sdiodev->func2, addr, mypkt);
+out:
brcmu_pkt_buf_free_skb(mypkt);
return err;
--
2.20.1
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH AUTOSEL 4.19 338/671] ath10k: Fix encoding for protected management frames
[not found] <20200116170509.12787-1-sashal@kernel.org>
2020-01-16 16:58 ` [PATCH AUTOSEL 4.19 290/671] brcmfmac: fix leak of mypkt on error return path Sasha Levin
@ 2020-01-16 16:59 ` Sasha Levin
2020-01-16 17:01 ` [PATCH AUTOSEL 4.19 468/671] libertas_tf: Use correct channel range in lbtf_geo_init Sasha Levin
` (11 subsequent siblings)
13 siblings, 0 replies; 14+ messages in thread
From: Sasha Levin @ 2020-01-16 16:59 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Rakesh Pillai, Kalle Valo, Sasha Levin, ath10k, linux-wireless, netdev
From: Rakesh Pillai <pillair@codeaurora.org>
[ Upstream commit 42f1bc43e6a97b9ddbe976eba9bd05306c990c75 ]
Currently the protected management frames are
not appended with the MIC_LEN which results in
the protected management frames being encoded
incorrectly.
Add the extra space at the end of the protected
management frames to fix this encoding error for
the protected management frames.
Tested HW: WCN3990
Tested FW: WLAN.HL.3.1-00784-QCAHLSWMTPLZ-1
Fixes: 1807da49733e ("ath10k: wmi: add management tx by reference support over wmi")
Signed-off-by: Rakesh Pillai <pillair@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath10k/wmi-tlv.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/ath/ath10k/wmi-tlv.c b/drivers/net/wireless/ath/ath10k/wmi-tlv.c
index a90990b8008d..248decb494c2 100644
--- a/drivers/net/wireless/ath/ath10k/wmi-tlv.c
+++ b/drivers/net/wireless/ath/ath10k/wmi-tlv.c
@@ -2692,8 +2692,10 @@ ath10k_wmi_tlv_op_gen_mgmt_tx_send(struct ath10k *ar, struct sk_buff *msdu,
if ((ieee80211_is_action(hdr->frame_control) ||
ieee80211_is_deauth(hdr->frame_control) ||
ieee80211_is_disassoc(hdr->frame_control)) &&
- ieee80211_has_protected(hdr->frame_control))
+ ieee80211_has_protected(hdr->frame_control)) {
+ skb_put(msdu, IEEE80211_CCMP_MIC_LEN);
buf_len += IEEE80211_CCMP_MIC_LEN;
+ }
buf_len = min_t(u32, buf_len, WMI_TLV_MGMT_TX_FRAME_MAX_LEN);
buf_len = round_up(buf_len, 4);
--
2.20.1
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH AUTOSEL 4.19 468/671] libertas_tf: Use correct channel range in lbtf_geo_init
[not found] <20200116170509.12787-1-sashal@kernel.org>
2020-01-16 16:58 ` [PATCH AUTOSEL 4.19 290/671] brcmfmac: fix leak of mypkt on error return path Sasha Levin
2020-01-16 16:59 ` [PATCH AUTOSEL 4.19 338/671] ath10k: Fix encoding for protected management frames Sasha Levin
@ 2020-01-16 17:01 ` Sasha Levin
2020-01-16 17:02 ` [PATCH AUTOSEL 4.19 503/671] mac80211: minstrel_ht: fix per-group max throughput rate initialization Sasha Levin
` (10 subsequent siblings)
13 siblings, 0 replies; 14+ messages in thread
From: Sasha Levin @ 2020-01-16 17:01 UTC (permalink / raw)
To: linux-kernel, stable
Cc: YueHaibing, Hulk Robot, Kalle Valo, Sasha Levin, linux-wireless, netdev
From: YueHaibing <yuehaibing@huawei.com>
[ Upstream commit 2ec4ad49b98e4a14147d04f914717135eca7c8b1 ]
It seems we should use 'range' instead of 'priv->range'
in lbtf_geo_init(), because 'range' is the corret one
related to current regioncode.
Reported-by: Hulk Robot <hulkci@huawei.com>
Fixes: 691cdb49388b ("libertas_tf: command helper functions for libertas_tf")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/marvell/libertas_tf/cmd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/marvell/libertas_tf/cmd.c b/drivers/net/wireless/marvell/libertas_tf/cmd.c
index 909ac3685010..2b193f1257a5 100644
--- a/drivers/net/wireless/marvell/libertas_tf/cmd.c
+++ b/drivers/net/wireless/marvell/libertas_tf/cmd.c
@@ -69,7 +69,7 @@ static void lbtf_geo_init(struct lbtf_private *priv)
break;
}
- for (ch = priv->range.start; ch < priv->range.end; ch++)
+ for (ch = range->start; ch < range->end; ch++)
priv->channels[CHAN_TO_IDX(ch)].flags = 0;
}
--
2.20.1
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH AUTOSEL 4.19 503/671] mac80211: minstrel_ht: fix per-group max throughput rate initialization
[not found] <20200116170509.12787-1-sashal@kernel.org>
` (2 preceding siblings ...)
2020-01-16 17:01 ` [PATCH AUTOSEL 4.19 468/671] libertas_tf: Use correct channel range in lbtf_geo_init Sasha Levin
@ 2020-01-16 17:02 ` Sasha Levin
2020-01-16 17:02 ` [PATCH AUTOSEL 4.19 520/671] bcma: fix incorrect update of BCMA_CORE_PCI_MDIO_DATA Sasha Levin
` (9 subsequent siblings)
13 siblings, 0 replies; 14+ messages in thread
From: Sasha Levin @ 2020-01-16 17:02 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Felix Fietkau, Johannes Berg, Sasha Levin, linux-wireless, netdev
From: Felix Fietkau <nbd@nbd.name>
[ Upstream commit 56dd918ff06e3ee24d8067e93ed12b2a39e71394 ]
The group number needs to be multiplied by the number of rates per group
to get the full rate index
Fixes: 5935839ad735 ("mac80211: improve minstrel_ht rate sorting by throughput & probability")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Link: https://lore.kernel.org/r/20190820095449.45255-1-nbd@nbd.name
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mac80211/rc80211_minstrel_ht.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/mac80211/rc80211_minstrel_ht.c b/net/mac80211/rc80211_minstrel_ht.c
index 3d5520776655..0b60e330c115 100644
--- a/net/mac80211/rc80211_minstrel_ht.c
+++ b/net/mac80211/rc80211_minstrel_ht.c
@@ -529,7 +529,7 @@ minstrel_ht_update_stats(struct minstrel_priv *mp, struct minstrel_ht_sta *mi)
/* (re)Initialize group rate indexes */
for(j = 0; j < MAX_THR_RATES; j++)
- tmp_group_tp_rate[j] = group;
+ tmp_group_tp_rate[j] = MCS_GROUP_RATES * group;
for (i = 0; i < MCS_GROUP_RATES; i++) {
if (!(mi->supported[group] & BIT(i)))
--
2.20.1
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH AUTOSEL 4.19 520/671] bcma: fix incorrect update of BCMA_CORE_PCI_MDIO_DATA
[not found] <20200116170509.12787-1-sashal@kernel.org>
` (3 preceding siblings ...)
2020-01-16 17:02 ` [PATCH AUTOSEL 4.19 503/671] mac80211: minstrel_ht: fix per-group max throughput rate initialization Sasha Levin
@ 2020-01-16 17:02 ` Sasha Levin
2020-01-16 17:02 ` [PATCH AUTOSEL 4.19 525/671] ath9k: dynack: fix possible deadlock in ath_dynack_node_{de}init Sasha Levin
` (8 subsequent siblings)
13 siblings, 0 replies; 14+ messages in thread
From: Sasha Levin @ 2020-01-16 17:02 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Colin Ian King, Kalle Valo, Sasha Levin, linux-wireless
From: Colin Ian King <colin.king@canonical.com>
[ Upstream commit 420c20be08a4597404d272ae9793b642401146eb ]
An earlier commit re-worked the setting of the bitmask and is now
assigning v with some bit flags rather than bitwise or-ing them
into v, consequently the earlier bit-settings of v are being lost.
Fix this by replacing an assignment with the bitwise or instead.
Addresses-Coverity: ("Unused value")
Fixes: 2be25cac8402 ("bcma: add constants for PCI and use them")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bcma/driver_pci.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/bcma/driver_pci.c b/drivers/bcma/driver_pci.c
index f499a469e66d..12b2cc9a3fbe 100644
--- a/drivers/bcma/driver_pci.c
+++ b/drivers/bcma/driver_pci.c
@@ -78,7 +78,7 @@ static u16 bcma_pcie_mdio_read(struct bcma_drv_pci *pc, u16 device, u8 address)
v |= (address << BCMA_CORE_PCI_MDIODATA_REGADDR_SHF_OLD);
}
- v = BCMA_CORE_PCI_MDIODATA_START;
+ v |= BCMA_CORE_PCI_MDIODATA_START;
v |= BCMA_CORE_PCI_MDIODATA_READ;
v |= BCMA_CORE_PCI_MDIODATA_TA;
@@ -121,7 +121,7 @@ static void bcma_pcie_mdio_write(struct bcma_drv_pci *pc, u16 device,
v |= (address << BCMA_CORE_PCI_MDIODATA_REGADDR_SHF_OLD);
}
- v = BCMA_CORE_PCI_MDIODATA_START;
+ v |= BCMA_CORE_PCI_MDIODATA_START;
v |= BCMA_CORE_PCI_MDIODATA_WRITE;
v |= BCMA_CORE_PCI_MDIODATA_TA;
v |= data;
--
2.20.1
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH AUTOSEL 4.19 525/671] ath9k: dynack: fix possible deadlock in ath_dynack_node_{de}init
[not found] <20200116170509.12787-1-sashal@kernel.org>
` (4 preceding siblings ...)
2020-01-16 17:02 ` [PATCH AUTOSEL 4.19 520/671] bcma: fix incorrect update of BCMA_CORE_PCI_MDIO_DATA Sasha Levin
@ 2020-01-16 17:02 ` Sasha Levin
2020-01-16 17:02 ` [PATCH AUTOSEL 4.19 526/671] wcn36xx: use dynamic allocation for large variables Sasha Levin
` (7 subsequent siblings)
13 siblings, 0 replies; 14+ messages in thread
From: Sasha Levin @ 2020-01-16 17:02 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Lorenzo Bianconi, Koen Vandeputte, Kalle Valo, Sasha Levin,
linux-wireless, netdev
From: Lorenzo Bianconi <lorenzo@kernel.org>
[ Upstream commit e1aa1a1db3b01c9890e82cf065cee99962ba1ed9 ]
Fix following lockdep warning disabling bh in
ath_dynack_node_init/ath_dynack_node_deinit
[ 75.955878] --------------------------------
[ 75.955880] inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
[ 75.955884] swapper/0/0 [HC0[0]:SC1[3]:HE1:SE0] takes:
[ 75.955888] 00000000792a7ee0 (&(&da->qlock)->rlock){+.?.}, at: ath_dynack_sample_ack_ts+0x4d/0xa0 [ath9k_hw]
[ 75.955905] {SOFTIRQ-ON-W} state was registered at:
[ 75.955912] lock_acquire+0x9a/0x160
[ 75.955917] _raw_spin_lock+0x2c/0x70
[ 75.955927] ath_dynack_node_init+0x2a/0x60 [ath9k_hw]
[ 75.955934] ath9k_sta_state+0xec/0x160 [ath9k]
[ 75.955976] drv_sta_state+0xb2/0x740 [mac80211]
[ 75.956008] sta_info_insert_finish+0x21a/0x420 [mac80211]
[ 75.956039] sta_info_insert_rcu+0x12b/0x2c0 [mac80211]
[ 75.956069] sta_info_insert+0x7/0x70 [mac80211]
[ 75.956093] ieee80211_prep_connection+0x42e/0x730 [mac80211]
[ 75.956120] ieee80211_mgd_auth.cold+0xb9/0x15c [mac80211]
[ 75.956152] cfg80211_mlme_auth+0x143/0x350 [cfg80211]
[ 75.956169] nl80211_authenticate+0x25e/0x2b0 [cfg80211]
[ 75.956172] genl_family_rcv_msg+0x198/0x400
[ 75.956174] genl_rcv_msg+0x42/0x90
[ 75.956176] netlink_rcv_skb+0x35/0xf0
[ 75.956178] genl_rcv+0x1f/0x30
[ 75.956180] netlink_unicast+0x154/0x200
[ 75.956182] netlink_sendmsg+0x1bf/0x3d0
[ 75.956186] ___sys_sendmsg+0x2c2/0x2f0
[ 75.956187] __sys_sendmsg+0x44/0x80
[ 75.956190] do_syscall_64+0x55/0x1a0
[ 75.956192] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 75.956194] irq event stamp: 2357092
[ 75.956196] hardirqs last enabled at (2357092): [<ffffffff818c62de>] _raw_spin_unlock_irqrestore+0x3e/0x50
[ 75.956199] hardirqs last disabled at (2357091): [<ffffffff818c60b1>] _raw_spin_lock_irqsave+0x11/0x80
[ 75.956202] softirqs last enabled at (2357072): [<ffffffff8106dc09>] irq_enter+0x59/0x60
[ 75.956204] softirqs last disabled at (2357073): [<ffffffff8106dcbe>] irq_exit+0xae/0xc0
[ 75.956206]
other info that might help us debug this:
[ 75.956207] Possible unsafe locking scenario:
[ 75.956208] CPU0
[ 75.956209] ----
[ 75.956210] lock(&(&da->qlock)->rlock);
[ 75.956213] <Interrupt>
[ 75.956214] lock(&(&da->qlock)->rlock);
[ 75.956216]
*** DEADLOCK ***
[ 75.956217] 1 lock held by swapper/0/0:
[ 75.956219] #0: 000000003bb5675c (&(&sc->sc_pcu_lock)->rlock){+.-.}, at: ath9k_tasklet+0x55/0x240 [ath9k]
[ 75.956225]
stack backtrace:
[ 75.956228] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.3.0-rc1-wdn+ #13
[ 75.956229] Hardware name: Dell Inc. Studio XPS 1340/0K183D, BIOS A11 09/08/2009
[ 75.956231] Call Trace:
[ 75.956233] <IRQ>
[ 75.956236] dump_stack+0x67/0x90
[ 75.956239] mark_lock+0x4c1/0x640
[ 75.956242] ? check_usage_backwards+0x130/0x130
[ 75.956245] ? sched_clock_local+0x12/0x80
[ 75.956247] __lock_acquire+0x484/0x7a0
[ 75.956250] ? __lock_acquire+0x3b9/0x7a0
[ 75.956252] lock_acquire+0x9a/0x160
[ 75.956259] ? ath_dynack_sample_ack_ts+0x4d/0xa0 [ath9k_hw]
[ 75.956262] _raw_spin_lock_bh+0x34/0x80
[ 75.956268] ? ath_dynack_sample_ack_ts+0x4d/0xa0 [ath9k_hw]
[ 75.956275] ath_dynack_sample_ack_ts+0x4d/0xa0 [ath9k_hw]
[ 75.956280] ath_rx_tasklet+0xd09/0xe90 [ath9k]
[ 75.956286] ath9k_tasklet+0x102/0x240 [ath9k]
[ 75.956288] tasklet_action_common.isra.0+0x6d/0x170
[ 75.956291] __do_softirq+0xcc/0x425
[ 75.956294] irq_exit+0xae/0xc0
[ 75.956296] do_IRQ+0x8a/0x110
[ 75.956298] common_interrupt+0xf/0xf
[ 75.956300] </IRQ>
[ 75.956303] RIP: 0010:cpuidle_enter_state+0xb2/0x400
[ 75.956308] RSP: 0018:ffffffff82203e70 EFLAGS: 00000202 ORIG_RAX: ffffffffffffffd7
[ 75.956310] RAX: ffffffff82219800 RBX: ffffffff822bd0a0 RCX: 0000000000000000
[ 75.956312] RDX: 0000000000000046 RSI: 0000000000000006 RDI: ffffffff82219800
[ 75.956314] RBP: ffff888155a01c00 R08: 00000011af51aabe R09: 0000000000000000
[ 75.956315] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000002
[ 75.956317] R13: 00000011af51aabe R14: 0000000000000003 R15: ffffffff82219800
[ 75.956321] cpuidle_enter+0x24/0x40
[ 75.956323] do_idle+0x1ac/0x220
[ 75.956326] cpu_startup_entry+0x14/0x20
[ 75.956329] start_kernel+0x482/0x489
[ 75.956332] secondary_startup_64+0xa4/0xb0
Fixes: c774d57fd47c ("ath9k: add dynamic ACK timeout estimation")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Tested-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath9k/dynack.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/net/wireless/ath/ath9k/dynack.c b/drivers/net/wireless/ath/ath9k/dynack.c
index 6e236a485431..71b4888b30e7 100644
--- a/drivers/net/wireless/ath/ath9k/dynack.c
+++ b/drivers/net/wireless/ath/ath9k/dynack.c
@@ -300,9 +300,9 @@ void ath_dynack_node_init(struct ath_hw *ah, struct ath_node *an)
an->ackto = ackto;
- spin_lock(&da->qlock);
+ spin_lock_bh(&da->qlock);
list_add_tail(&an->list, &da->nodes);
- spin_unlock(&da->qlock);
+ spin_unlock_bh(&da->qlock);
}
EXPORT_SYMBOL(ath_dynack_node_init);
@@ -316,9 +316,9 @@ void ath_dynack_node_deinit(struct ath_hw *ah, struct ath_node *an)
{
struct ath_dynack *da = &ah->dynack;
- spin_lock(&da->qlock);
+ spin_lock_bh(&da->qlock);
list_del(&an->list);
- spin_unlock(&da->qlock);
+ spin_unlock_bh(&da->qlock);
}
EXPORT_SYMBOL(ath_dynack_node_deinit);
--
2.20.1
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH AUTOSEL 4.19 526/671] wcn36xx: use dynamic allocation for large variables
[not found] <20200116170509.12787-1-sashal@kernel.org>
` (5 preceding siblings ...)
2020-01-16 17:02 ` [PATCH AUTOSEL 4.19 525/671] ath9k: dynack: fix possible deadlock in ath_dynack_node_{de}init Sasha Levin
@ 2020-01-16 17:02 ` Sasha Levin
2020-01-16 17:02 ` [PATCH AUTOSEL 4.19 534/671] rtlwifi: Fix file release memory leak Sasha Levin
` (6 subsequent siblings)
13 siblings, 0 replies; 14+ messages in thread
From: Sasha Levin @ 2020-01-16 17:02 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Arnd Bergmann, Kalle Valo, Sasha Levin, wcn36xx, linux-wireless,
netdev, clang-built-linux
From: Arnd Bergmann <arnd@arndb.de>
[ Upstream commit 355cf31912014e6ff1bb1019ae4858cad12c68cf ]
clang triggers a warning about oversized stack frames that gcc does not
notice because of slightly different inlining decisions:
ath/wcn36xx/smd.c:1409:5: error: stack frame size of 1040 bytes in function 'wcn36xx_smd_config_bss' [-Werror,-Wframe-larger-than=]
ath/wcn36xx/smd.c:640:5: error: stack frame size of 1032 bytes in function 'wcn36xx_smd_start_hw_scan' [-Werror,-Wframe-larger-than=]
Basically the wcn36xx_hal_start_scan_offload_req_msg,
wcn36xx_hal_config_bss_req_msg_v1, and wcn36xx_hal_config_bss_req_msg
structures are too large to be put on the kernel stack, but small
enough that gcc does not warn about them.
Use kzalloc() to allocate them all. There are similar structures in other
parts of this driver, but they are all smaller, with the next largest
stack frame at 480 bytes for wcn36xx_smd_send_beacon.
Fixes: 8e84c2582169 ("wcn36xx: mac80211 driver for Qualcomm WCN3660/WCN3680 hardware")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/wcn36xx/smd.c | 186 ++++++++++++++-----------
1 file changed, 105 insertions(+), 81 deletions(-)
diff --git a/drivers/net/wireless/ath/wcn36xx/smd.c b/drivers/net/wireless/ath/wcn36xx/smd.c
index 00098f24116d..6cd113b3b3e4 100644
--- a/drivers/net/wireless/ath/wcn36xx/smd.c
+++ b/drivers/net/wireless/ath/wcn36xx/smd.c
@@ -641,52 +641,58 @@ int wcn36xx_smd_start_hw_scan(struct wcn36xx *wcn, struct ieee80211_vif *vif,
struct cfg80211_scan_request *req)
{
struct wcn36xx_vif *vif_priv = wcn36xx_vif_to_priv(vif);
- struct wcn36xx_hal_start_scan_offload_req_msg msg_body;
+ struct wcn36xx_hal_start_scan_offload_req_msg *msg_body;
int ret, i;
if (req->ie_len > WCN36XX_MAX_SCAN_IE_LEN)
return -EINVAL;
mutex_lock(&wcn->hal_mutex);
- INIT_HAL_MSG(msg_body, WCN36XX_HAL_START_SCAN_OFFLOAD_REQ);
+ msg_body = kzalloc(sizeof(*msg_body), GFP_KERNEL);
+ if (!msg_body) {
+ ret = -ENOMEM;
+ goto out;
+ }
- msg_body.scan_type = WCN36XX_HAL_SCAN_TYPE_ACTIVE;
- msg_body.min_ch_time = 30;
- msg_body.max_ch_time = 100;
- msg_body.scan_hidden = 1;
- memcpy(msg_body.mac, vif->addr, ETH_ALEN);
- msg_body.bss_type = vif_priv->bss_type;
- msg_body.p2p_search = vif->p2p;
+ INIT_HAL_MSG((*msg_body), WCN36XX_HAL_START_SCAN_OFFLOAD_REQ);
- msg_body.num_ssid = min_t(u8, req->n_ssids, ARRAY_SIZE(msg_body.ssids));
- for (i = 0; i < msg_body.num_ssid; i++) {
- msg_body.ssids[i].length = min_t(u8, req->ssids[i].ssid_len,
- sizeof(msg_body.ssids[i].ssid));
- memcpy(msg_body.ssids[i].ssid, req->ssids[i].ssid,
- msg_body.ssids[i].length);
+ msg_body->scan_type = WCN36XX_HAL_SCAN_TYPE_ACTIVE;
+ msg_body->min_ch_time = 30;
+ msg_body->max_ch_time = 100;
+ msg_body->scan_hidden = 1;
+ memcpy(msg_body->mac, vif->addr, ETH_ALEN);
+ msg_body->bss_type = vif_priv->bss_type;
+ msg_body->p2p_search = vif->p2p;
+
+ msg_body->num_ssid = min_t(u8, req->n_ssids, ARRAY_SIZE(msg_body->ssids));
+ for (i = 0; i < msg_body->num_ssid; i++) {
+ msg_body->ssids[i].length = min_t(u8, req->ssids[i].ssid_len,
+ sizeof(msg_body->ssids[i].ssid));
+ memcpy(msg_body->ssids[i].ssid, req->ssids[i].ssid,
+ msg_body->ssids[i].length);
}
- msg_body.num_channel = min_t(u8, req->n_channels,
- sizeof(msg_body.channels));
- for (i = 0; i < msg_body.num_channel; i++)
- msg_body.channels[i] = req->channels[i]->hw_value;
+ msg_body->num_channel = min_t(u8, req->n_channels,
+ sizeof(msg_body->channels));
+ for (i = 0; i < msg_body->num_channel; i++)
+ msg_body->channels[i] = req->channels[i]->hw_value;
- msg_body.header.len -= WCN36XX_MAX_SCAN_IE_LEN;
+ msg_body->header.len -= WCN36XX_MAX_SCAN_IE_LEN;
if (req->ie_len > 0) {
- msg_body.ie_len = req->ie_len;
- msg_body.header.len += req->ie_len;
- memcpy(msg_body.ie, req->ie, req->ie_len);
+ msg_body->ie_len = req->ie_len;
+ msg_body->header.len += req->ie_len;
+ memcpy(msg_body->ie, req->ie, req->ie_len);
}
- PREPARE_HAL_BUF(wcn->hal_buf, msg_body);
+ PREPARE_HAL_BUF(wcn->hal_buf, (*msg_body));
wcn36xx_dbg(WCN36XX_DBG_HAL,
"hal start hw-scan (channels: %u; ssids: %u; p2p: %s)\n",
- msg_body.num_channel, msg_body.num_ssid,
- msg_body.p2p_search ? "yes" : "no");
+ msg_body->num_channel, msg_body->num_ssid,
+ msg_body->p2p_search ? "yes" : "no");
- ret = wcn36xx_smd_send_and_wait(wcn, msg_body.header.len);
+ ret = wcn36xx_smd_send_and_wait(wcn, msg_body->header.len);
if (ret) {
wcn36xx_err("Sending hal_start_scan_offload failed\n");
goto out;
@@ -698,6 +704,7 @@ int wcn36xx_smd_start_hw_scan(struct wcn36xx *wcn, struct ieee80211_vif *vif,
goto out;
}
out:
+ kfree(msg_body);
mutex_unlock(&wcn->hal_mutex);
return ret;
}
@@ -1257,96 +1264,104 @@ int wcn36xx_smd_config_sta(struct wcn36xx *wcn, struct ieee80211_vif *vif,
static int wcn36xx_smd_config_bss_v1(struct wcn36xx *wcn,
const struct wcn36xx_hal_config_bss_req_msg *orig)
{
- struct wcn36xx_hal_config_bss_req_msg_v1 msg_body;
- struct wcn36xx_hal_config_bss_params_v1 *bss = &msg_body.bss_params;
- struct wcn36xx_hal_config_sta_params_v1 *sta = &bss->sta;
+ struct wcn36xx_hal_config_bss_req_msg_v1 *msg_body;
+ struct wcn36xx_hal_config_bss_params_v1 *bss;
+ struct wcn36xx_hal_config_sta_params_v1 *sta;
+ int ret;
+
+ msg_body = kzalloc(sizeof(*msg_body), GFP_KERNEL);
+ if (!msg_body)
+ return -ENOMEM;
+
+ INIT_HAL_MSG((*msg_body), WCN36XX_HAL_CONFIG_BSS_REQ);
- INIT_HAL_MSG(msg_body, WCN36XX_HAL_CONFIG_BSS_REQ);
+ bss = &msg_body->bss_params;
+ sta = &bss->sta;
/* convert orig to v1 */
- memcpy(&msg_body.bss_params.bssid,
+ memcpy(&msg_body->bss_params.bssid,
&orig->bss_params.bssid, ETH_ALEN);
- memcpy(&msg_body.bss_params.self_mac_addr,
+ memcpy(&msg_body->bss_params.self_mac_addr,
&orig->bss_params.self_mac_addr, ETH_ALEN);
- msg_body.bss_params.bss_type = orig->bss_params.bss_type;
- msg_body.bss_params.oper_mode = orig->bss_params.oper_mode;
- msg_body.bss_params.nw_type = orig->bss_params.nw_type;
+ msg_body->bss_params.bss_type = orig->bss_params.bss_type;
+ msg_body->bss_params.oper_mode = orig->bss_params.oper_mode;
+ msg_body->bss_params.nw_type = orig->bss_params.nw_type;
- msg_body.bss_params.short_slot_time_supported =
+ msg_body->bss_params.short_slot_time_supported =
orig->bss_params.short_slot_time_supported;
- msg_body.bss_params.lla_coexist = orig->bss_params.lla_coexist;
- msg_body.bss_params.llb_coexist = orig->bss_params.llb_coexist;
- msg_body.bss_params.llg_coexist = orig->bss_params.llg_coexist;
- msg_body.bss_params.ht20_coexist = orig->bss_params.ht20_coexist;
- msg_body.bss_params.lln_non_gf_coexist =
+ msg_body->bss_params.lla_coexist = orig->bss_params.lla_coexist;
+ msg_body->bss_params.llb_coexist = orig->bss_params.llb_coexist;
+ msg_body->bss_params.llg_coexist = orig->bss_params.llg_coexist;
+ msg_body->bss_params.ht20_coexist = orig->bss_params.ht20_coexist;
+ msg_body->bss_params.lln_non_gf_coexist =
orig->bss_params.lln_non_gf_coexist;
- msg_body.bss_params.lsig_tx_op_protection_full_support =
+ msg_body->bss_params.lsig_tx_op_protection_full_support =
orig->bss_params.lsig_tx_op_protection_full_support;
- msg_body.bss_params.rifs_mode = orig->bss_params.rifs_mode;
- msg_body.bss_params.beacon_interval = orig->bss_params.beacon_interval;
- msg_body.bss_params.dtim_period = orig->bss_params.dtim_period;
- msg_body.bss_params.tx_channel_width_set =
+ msg_body->bss_params.rifs_mode = orig->bss_params.rifs_mode;
+ msg_body->bss_params.beacon_interval = orig->bss_params.beacon_interval;
+ msg_body->bss_params.dtim_period = orig->bss_params.dtim_period;
+ msg_body->bss_params.tx_channel_width_set =
orig->bss_params.tx_channel_width_set;
- msg_body.bss_params.oper_channel = orig->bss_params.oper_channel;
- msg_body.bss_params.ext_channel = orig->bss_params.ext_channel;
+ msg_body->bss_params.oper_channel = orig->bss_params.oper_channel;
+ msg_body->bss_params.ext_channel = orig->bss_params.ext_channel;
- msg_body.bss_params.reserved = orig->bss_params.reserved;
+ msg_body->bss_params.reserved = orig->bss_params.reserved;
- memcpy(&msg_body.bss_params.ssid,
+ memcpy(&msg_body->bss_params.ssid,
&orig->bss_params.ssid,
sizeof(orig->bss_params.ssid));
- msg_body.bss_params.action = orig->bss_params.action;
- msg_body.bss_params.rateset = orig->bss_params.rateset;
- msg_body.bss_params.ht = orig->bss_params.ht;
- msg_body.bss_params.obss_prot_enabled =
+ msg_body->bss_params.action = orig->bss_params.action;
+ msg_body->bss_params.rateset = orig->bss_params.rateset;
+ msg_body->bss_params.ht = orig->bss_params.ht;
+ msg_body->bss_params.obss_prot_enabled =
orig->bss_params.obss_prot_enabled;
- msg_body.bss_params.rmf = orig->bss_params.rmf;
- msg_body.bss_params.ht_oper_mode = orig->bss_params.ht_oper_mode;
- msg_body.bss_params.dual_cts_protection =
+ msg_body->bss_params.rmf = orig->bss_params.rmf;
+ msg_body->bss_params.ht_oper_mode = orig->bss_params.ht_oper_mode;
+ msg_body->bss_params.dual_cts_protection =
orig->bss_params.dual_cts_protection;
- msg_body.bss_params.max_probe_resp_retry_limit =
+ msg_body->bss_params.max_probe_resp_retry_limit =
orig->bss_params.max_probe_resp_retry_limit;
- msg_body.bss_params.hidden_ssid = orig->bss_params.hidden_ssid;
- msg_body.bss_params.proxy_probe_resp =
+ msg_body->bss_params.hidden_ssid = orig->bss_params.hidden_ssid;
+ msg_body->bss_params.proxy_probe_resp =
orig->bss_params.proxy_probe_resp;
- msg_body.bss_params.edca_params_valid =
+ msg_body->bss_params.edca_params_valid =
orig->bss_params.edca_params_valid;
- memcpy(&msg_body.bss_params.acbe,
+ memcpy(&msg_body->bss_params.acbe,
&orig->bss_params.acbe,
sizeof(orig->bss_params.acbe));
- memcpy(&msg_body.bss_params.acbk,
+ memcpy(&msg_body->bss_params.acbk,
&orig->bss_params.acbk,
sizeof(orig->bss_params.acbk));
- memcpy(&msg_body.bss_params.acvi,
+ memcpy(&msg_body->bss_params.acvi,
&orig->bss_params.acvi,
sizeof(orig->bss_params.acvi));
- memcpy(&msg_body.bss_params.acvo,
+ memcpy(&msg_body->bss_params.acvo,
&orig->bss_params.acvo,
sizeof(orig->bss_params.acvo));
- msg_body.bss_params.ext_set_sta_key_param_valid =
+ msg_body->bss_params.ext_set_sta_key_param_valid =
orig->bss_params.ext_set_sta_key_param_valid;
- memcpy(&msg_body.bss_params.ext_set_sta_key_param,
+ memcpy(&msg_body->bss_params.ext_set_sta_key_param,
&orig->bss_params.ext_set_sta_key_param,
sizeof(orig->bss_params.acvo));
- msg_body.bss_params.wcn36xx_hal_persona =
+ msg_body->bss_params.wcn36xx_hal_persona =
orig->bss_params.wcn36xx_hal_persona;
- msg_body.bss_params.spectrum_mgt_enable =
+ msg_body->bss_params.spectrum_mgt_enable =
orig->bss_params.spectrum_mgt_enable;
- msg_body.bss_params.tx_mgmt_power = orig->bss_params.tx_mgmt_power;
- msg_body.bss_params.max_tx_power = orig->bss_params.max_tx_power;
+ msg_body->bss_params.tx_mgmt_power = orig->bss_params.tx_mgmt_power;
+ msg_body->bss_params.max_tx_power = orig->bss_params.max_tx_power;
wcn36xx_smd_convert_sta_to_v1(wcn, &orig->bss_params.sta,
- &msg_body.bss_params.sta);
+ &msg_body->bss_params.sta);
- PREPARE_HAL_BUF(wcn->hal_buf, msg_body);
+ PREPARE_HAL_BUF(wcn->hal_buf, (*msg_body));
wcn36xx_dbg(WCN36XX_DBG_HAL,
"hal config bss v1 bssid %pM self_mac_addr %pM bss_type %d oper_mode %d nw_type %d\n",
@@ -1358,7 +1373,10 @@ static int wcn36xx_smd_config_bss_v1(struct wcn36xx *wcn,
sta->bssid, sta->action, sta->sta_index,
sta->bssid_index, sta->aid, sta->type, sta->mac);
- return wcn36xx_smd_send_and_wait(wcn, msg_body.header.len);
+ ret = wcn36xx_smd_send_and_wait(wcn, msg_body->header.len);
+ kfree(msg_body);
+
+ return ret;
}
@@ -1410,16 +1428,21 @@ int wcn36xx_smd_config_bss(struct wcn36xx *wcn, struct ieee80211_vif *vif,
struct ieee80211_sta *sta, const u8 *bssid,
bool update)
{
- struct wcn36xx_hal_config_bss_req_msg msg;
+ struct wcn36xx_hal_config_bss_req_msg *msg;
struct wcn36xx_hal_config_bss_params *bss;
struct wcn36xx_hal_config_sta_params *sta_params;
struct wcn36xx_vif *vif_priv = wcn36xx_vif_to_priv(vif);
int ret;
mutex_lock(&wcn->hal_mutex);
- INIT_HAL_MSG(msg, WCN36XX_HAL_CONFIG_BSS_REQ);
+ msg = kzalloc(sizeof(*msg), GFP_KERNEL);
+ if (!msg) {
+ ret = -ENOMEM;
+ goto out;
+ }
+ INIT_HAL_MSG((*msg), WCN36XX_HAL_CONFIG_BSS_REQ);
- bss = &msg.bss_params;
+ bss = &msg->bss_params;
sta_params = &bss->sta;
WARN_ON(is_zero_ether_addr(bssid));
@@ -1514,11 +1537,11 @@ int wcn36xx_smd_config_bss(struct wcn36xx *wcn, struct ieee80211_vif *vif,
sta_params->mac);
if (!wcn36xx_is_fw_version(wcn, 1, 2, 2, 24)) {
- ret = wcn36xx_smd_config_bss_v1(wcn, &msg);
+ ret = wcn36xx_smd_config_bss_v1(wcn, msg);
} else {
- PREPARE_HAL_BUF(wcn->hal_buf, msg);
+ PREPARE_HAL_BUF(wcn->hal_buf, (*msg));
- ret = wcn36xx_smd_send_and_wait(wcn, msg.header.len);
+ ret = wcn36xx_smd_send_and_wait(wcn, msg->header.len);
}
if (ret) {
wcn36xx_err("Sending hal_config_bss failed\n");
@@ -1534,6 +1557,7 @@ int wcn36xx_smd_config_bss(struct wcn36xx *wcn, struct ieee80211_vif *vif,
goto out;
}
out:
+ kfree(msg);
mutex_unlock(&wcn->hal_mutex);
return ret;
}
--
2.20.1
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH AUTOSEL 4.19 534/671] rtlwifi: Fix file release memory leak
[not found] <20200116170509.12787-1-sashal@kernel.org>
` (6 preceding siblings ...)
2020-01-16 17:02 ` [PATCH AUTOSEL 4.19 526/671] wcn36xx: use dynamic allocation for large variables Sasha Levin
@ 2020-01-16 17:02 ` Sasha Levin
2020-01-16 17:03 ` [PATCH AUTOSEL 4.19 548/671] ath10k: adjust skb length in ath10k_sdio_mbox_rx_packet Sasha Levin
` (5 subsequent siblings)
13 siblings, 0 replies; 14+ messages in thread
From: Sasha Levin @ 2020-01-16 17:02 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Wei Yongjun, Kalle Valo, Sasha Levin, linux-wireless, netdev
From: Wei Yongjun <weiyongjun1@huawei.com>
[ Upstream commit 4c3e48794dec7cb568974ba3bf2ab62b9c45ca3e ]
When using single_open() for opening, single_release() should be
used instead of seq_release(), otherwise there is a memory leak.
This is detected by Coccinelle semantic patch.
Fixes: 610247f46feb ("rtlwifi: Improve debugging by using debugfs")
Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtlwifi/debug.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/realtek/rtlwifi/debug.c b/drivers/net/wireless/realtek/rtlwifi/debug.c
index d70385be9976..498994041bbc 100644
--- a/drivers/net/wireless/realtek/rtlwifi/debug.c
+++ b/drivers/net/wireless/realtek/rtlwifi/debug.c
@@ -109,7 +109,7 @@ static const struct file_operations file_ops_common = {
.open = dl_debug_open_common,
.read = seq_read,
.llseek = seq_lseek,
- .release = seq_release,
+ .release = single_release,
};
static int rtl_debug_get_mac_page(struct seq_file *m, void *v)
--
2.20.1
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH AUTOSEL 4.19 548/671] ath10k: adjust skb length in ath10k_sdio_mbox_rx_packet
[not found] <20200116170509.12787-1-sashal@kernel.org>
` (7 preceding siblings ...)
2020-01-16 17:02 ` [PATCH AUTOSEL 4.19 534/671] rtlwifi: Fix file release memory leak Sasha Levin
@ 2020-01-16 17:03 ` Sasha Levin
2020-01-16 17:03 ` [PATCH AUTOSEL 4.19 578/671] mac80211: accept deauth frames in IBSS mode Sasha Levin
` (4 subsequent siblings)
13 siblings, 0 replies; 14+ messages in thread
From: Sasha Levin @ 2020-01-16 17:03 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Nicolas Boichat, Wen Gong, Kalle Valo, Sasha Levin, ath10k,
linux-wireless, netdev
From: Nicolas Boichat <drinkcat@chromium.org>
[ Upstream commit b7139960832eb56fa15d390a4b5c8c5739bd0d1a ]
When the FW bundles multiple packets, pkt->act_len may be incorrect
as it refers to the first packet only (however, the FW will only
bundle packets that fit into the same pkt->alloc_len).
Before this patch, the skb length would be set (incorrectly) to
pkt->act_len in ath10k_sdio_mbox_rx_packet, and then later manually
adjusted in ath10k_sdio_mbox_rx_process_packet.
The first problem is that ath10k_sdio_mbox_rx_process_packet does not
use proper skb_put commands to adjust the length (it directly changes
skb->len), so we end up with a mismatch between skb->head + skb->tail
and skb->data + skb->len. This is quite serious, and causes corruptions
in the TCP stack, as the stack tries to coalesce packets, and relies
on skb->tail being correct (that is, skb_tail_pointer must point to
the first byte_after_ the data).
Instead of re-adjusting the size in ath10k_sdio_mbox_rx_process_packet,
this moves the code to ath10k_sdio_mbox_rx_packet, and also add a
bounds check, as skb_put would crash the kernel if not enough space is
available.
Tested with QCA6174 SDIO with firmware
WLAN.RMH.4.4.1-00007-QCARMSWP-1.
Fixes: 8530b4e7b22bc3b ("ath10k: sdio: set skb len for all rx packets")
Signed-off-by: Nicolas Boichat <drinkcat@chromium.org>
Signed-off-by: Wen Gong <wgong@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath10k/sdio.c | 29 +++++++++++++++++++-------
1 file changed, 21 insertions(+), 8 deletions(-)
diff --git a/drivers/net/wireless/ath/ath10k/sdio.c b/drivers/net/wireless/ath/ath10k/sdio.c
index 686759b5613f..0ecaba824fb2 100644
--- a/drivers/net/wireless/ath/ath10k/sdio.c
+++ b/drivers/net/wireless/ath/ath10k/sdio.c
@@ -392,16 +392,11 @@ static int ath10k_sdio_mbox_rx_process_packet(struct ath10k *ar,
struct ath10k_htc_hdr *htc_hdr = (struct ath10k_htc_hdr *)skb->data;
bool trailer_present = htc_hdr->flags & ATH10K_HTC_FLAG_TRAILER_PRESENT;
enum ath10k_htc_ep_id eid;
- u16 payload_len;
u8 *trailer;
int ret;
- payload_len = le16_to_cpu(htc_hdr->len);
- skb->len = payload_len + sizeof(struct ath10k_htc_hdr);
-
if (trailer_present) {
- trailer = skb->data + sizeof(*htc_hdr) +
- payload_len - htc_hdr->trailer_len;
+ trailer = skb->data + skb->len - htc_hdr->trailer_len;
eid = pipe_id_to_eid(htc_hdr->eid);
@@ -638,13 +633,31 @@ static int ath10k_sdio_mbox_rx_packet(struct ath10k *ar,
{
struct ath10k_sdio *ar_sdio = ath10k_sdio_priv(ar);
struct sk_buff *skb = pkt->skb;
+ struct ath10k_htc_hdr *htc_hdr;
int ret;
ret = ath10k_sdio_readsb(ar, ar_sdio->mbox_info.htc_addr,
skb->data, pkt->alloc_len);
+ if (ret)
+ goto out;
+
+ /* Update actual length. The original length may be incorrect,
+ * as the FW will bundle multiple packets as long as their sizes
+ * fit within the same aligned length (pkt->alloc_len).
+ */
+ htc_hdr = (struct ath10k_htc_hdr *)skb->data;
+ pkt->act_len = le16_to_cpu(htc_hdr->len) + sizeof(*htc_hdr);
+ if (pkt->act_len > pkt->alloc_len) {
+ ath10k_warn(ar, "rx packet too large (%zu > %zu)\n",
+ pkt->act_len, pkt->alloc_len);
+ ret = -EMSGSIZE;
+ goto out;
+ }
+
+ skb_put(skb, pkt->act_len);
+
+out:
pkt->status = ret;
- if (!ret)
- skb_put(skb, pkt->act_len);
return ret;
}
--
2.20.1
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH AUTOSEL 4.19 578/671] mac80211: accept deauth frames in IBSS mode
[not found] <20200116170509.12787-1-sashal@kernel.org>
` (8 preceding siblings ...)
2020-01-16 17:03 ` [PATCH AUTOSEL 4.19 548/671] ath10k: adjust skb length in ath10k_sdio_mbox_rx_packet Sasha Levin
@ 2020-01-16 17:03 ` Sasha Levin
2020-01-16 17:03 ` [PATCH AUTOSEL 4.19 582/671] iwlwifi: pcie: fix memory leaks in iwl_pcie_ctxt_info_gen3_init Sasha Levin
` (3 subsequent siblings)
13 siblings, 0 replies; 14+ messages in thread
From: Sasha Levin @ 2020-01-16 17:03 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Johannes Berg, Luca Coelho, Sasha Levin, linux-wireless, netdev
From: Johannes Berg <johannes.berg@intel.com>
[ Upstream commit 95697f9907bfe3eab0ef20265a766b22e27dde64 ]
We can process deauth frames and all, but we drop them very
early in the RX path today - this could never have worked.
Fixes: 2cc59e784b54 ("mac80211: reply to AUTH with DEAUTH if sta allocation fails in IBSS")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Link: https://lore.kernel.org/r/20191004123706.15768-2-luca@coelho.fi
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mac80211/rx.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index b12f23c996f4..02d0b22d0114 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -3391,9 +3391,18 @@ ieee80211_rx_h_mgmt(struct ieee80211_rx_data *rx)
case cpu_to_le16(IEEE80211_STYPE_PROBE_RESP):
/* process for all: mesh, mlme, ibss */
break;
+ case cpu_to_le16(IEEE80211_STYPE_DEAUTH):
+ if (is_multicast_ether_addr(mgmt->da) &&
+ !is_broadcast_ether_addr(mgmt->da))
+ return RX_DROP_MONITOR;
+
+ /* process only for station/IBSS */
+ if (sdata->vif.type != NL80211_IFTYPE_STATION &&
+ sdata->vif.type != NL80211_IFTYPE_ADHOC)
+ return RX_DROP_MONITOR;
+ break;
case cpu_to_le16(IEEE80211_STYPE_ASSOC_RESP):
case cpu_to_le16(IEEE80211_STYPE_REASSOC_RESP):
- case cpu_to_le16(IEEE80211_STYPE_DEAUTH):
case cpu_to_le16(IEEE80211_STYPE_DISASSOC):
if (is_multicast_ether_addr(mgmt->da) &&
!is_broadcast_ether_addr(mgmt->da))
--
2.20.1
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH AUTOSEL 4.19 582/671] iwlwifi: pcie: fix memory leaks in iwl_pcie_ctxt_info_gen3_init
[not found] <20200116170509.12787-1-sashal@kernel.org>
` (9 preceding siblings ...)
2020-01-16 17:03 ` [PATCH AUTOSEL 4.19 578/671] mac80211: accept deauth frames in IBSS mode Sasha Levin
@ 2020-01-16 17:03 ` Sasha Levin
2020-01-16 17:04 ` [PATCH AUTOSEL 4.19 611/671] mt7601u: fix bbp version check in mt7601u_wait_bbp_ready Sasha Levin
` (2 subsequent siblings)
13 siblings, 0 replies; 14+ messages in thread
From: Sasha Levin @ 2020-01-16 17:03 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Navid Emamdoost, Luca Coelho, Sasha Levin, linux-wireless, netdev
From: Navid Emamdoost <navid.emamdoost@gmail.com>
[ Upstream commit 0f4f199443faca715523b0659aa536251d8b978f ]
In iwl_pcie_ctxt_info_gen3_init there are cases that the allocated dma
memory is leaked in case of error.
DMA memories prph_scratch, prph_info, and ctxt_info_gen3 are allocated
and initialized to be later assigned to trans_pcie. But in any error case
before such assignment the allocated memories should be released.
First of such error cases happens when iwl_pcie_init_fw_sec fails.
Current implementation correctly releases prph_scratch. But in two
sunsequent error cases where dma_alloc_coherent may fail, such
releases are missing.
This commit adds release for prph_scratch when allocation for
prph_info fails, and adds releases for prph_scratch and prph_info when
allocation for ctxt_info_gen3 fails.
Fixes: 2ee824026288 ("iwlwifi: pcie: support context information for 22560 devices")
Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../intel/iwlwifi/pcie/ctxt-info-gen3.c | 36 +++++++++++++------
1 file changed, 25 insertions(+), 11 deletions(-)
diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c b/drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c
index 64d976d872b8..6783b20d9681 100644
--- a/drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c
+++ b/drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c
@@ -102,13 +102,9 @@ int iwl_pcie_ctxt_info_gen3_init(struct iwl_trans *trans,
/* allocate ucode sections in dram and set addresses */
ret = iwl_pcie_init_fw_sec(trans, fw, &prph_scratch->dram);
- if (ret) {
- dma_free_coherent(trans->dev,
- sizeof(*prph_scratch),
- prph_scratch,
- trans_pcie->prph_scratch_dma_addr);
- return ret;
- }
+ if (ret)
+ goto err_free_prph_scratch;
+
/* Allocate prph information
* currently we don't assign to the prph info anything, but it would get
@@ -116,16 +112,20 @@ int iwl_pcie_ctxt_info_gen3_init(struct iwl_trans *trans,
prph_info = dma_alloc_coherent(trans->dev, sizeof(*prph_info),
&trans_pcie->prph_info_dma_addr,
GFP_KERNEL);
- if (!prph_info)
- return -ENOMEM;
+ if (!prph_info) {
+ ret = -ENOMEM;
+ goto err_free_prph_scratch;
+ }
/* Allocate context info */
ctxt_info_gen3 = dma_alloc_coherent(trans->dev,
sizeof(*ctxt_info_gen3),
&trans_pcie->ctxt_info_dma_addr,
GFP_KERNEL);
- if (!ctxt_info_gen3)
- return -ENOMEM;
+ if (!ctxt_info_gen3) {
+ ret = -ENOMEM;
+ goto err_free_prph_info;
+ }
ctxt_info_gen3->prph_info_base_addr =
cpu_to_le64(trans_pcie->prph_info_dma_addr);
@@ -176,6 +176,20 @@ int iwl_pcie_ctxt_info_gen3_init(struct iwl_trans *trans,
iwl_set_bit(trans, CSR_GP_CNTRL, CSR_AUTO_FUNC_INIT);
return 0;
+
+err_free_prph_info:
+ dma_free_coherent(trans->dev,
+ sizeof(*prph_info),
+ prph_info,
+ trans_pcie->prph_info_dma_addr);
+
+err_free_prph_scratch:
+ dma_free_coherent(trans->dev,
+ sizeof(*prph_scratch),
+ prph_scratch,
+ trans_pcie->prph_scratch_dma_addr);
+ return ret;
+
}
void iwl_pcie_ctxt_info_gen3_free(struct iwl_trans *trans)
--
2.20.1
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH AUTOSEL 4.19 611/671] mt7601u: fix bbp version check in mt7601u_wait_bbp_ready
[not found] <20200116170509.12787-1-sashal@kernel.org>
` (10 preceding siblings ...)
2020-01-16 17:03 ` [PATCH AUTOSEL 4.19 582/671] iwlwifi: pcie: fix memory leaks in iwl_pcie_ctxt_info_gen3_init Sasha Levin
@ 2020-01-16 17:04 ` Sasha Levin
2020-01-16 17:04 ` [PATCH AUTOSEL 4.19 616/671] cw1200: Fix a signedness bug in cw1200_load_firmware() Sasha Levin
2020-01-16 17:04 ` [PATCH AUTOSEL 4.19 625/671] rtlwifi: Remove unnecessary NULL check in rtl_regd_init Sasha Levin
13 siblings, 0 replies; 14+ messages in thread
From: Sasha Levin @ 2020-01-16 17:04 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Lorenzo Bianconi, Jakub Kicinski, Kalle Valo, Sasha Levin,
linux-wireless, netdev, linux-arm-kernel, linux-mediatek
From: Lorenzo Bianconi <lorenzo@kernel.org>
[ Upstream commit 15e14f76f85f4f0eab3b8146e1cd3c58ce272823 ]
Fix bbp ready check in mt7601u_wait_bbp_ready. The issue is reported by
coverity with the following error:
Logical vs. bitwise operator
The expression's value does not depend on the operands; inadvertent use
of the wrong operator is a likely logic error.
Addresses-Coverity-ID: 1309441 ("Logical vs. bitwise operator")
Fixes: c869f77d6abb ("add mt7601u driver")
Acked-by: Jakub Kicinski <kubakici@wp.pl>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt7601u/phy.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/mediatek/mt7601u/phy.c b/drivers/net/wireless/mediatek/mt7601u/phy.c
index b804abd464ae..539f78149e43 100644
--- a/drivers/net/wireless/mediatek/mt7601u/phy.c
+++ b/drivers/net/wireless/mediatek/mt7601u/phy.c
@@ -221,7 +221,7 @@ int mt7601u_wait_bbp_ready(struct mt7601u_dev *dev)
do {
val = mt7601u_bbp_rr(dev, MT_BBP_REG_VERSION);
- if (val && ~val)
+ if (val && val != 0xff)
break;
} while (--i);
--
2.20.1
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH AUTOSEL 4.19 616/671] cw1200: Fix a signedness bug in cw1200_load_firmware()
[not found] <20200116170509.12787-1-sashal@kernel.org>
` (11 preceding siblings ...)
2020-01-16 17:04 ` [PATCH AUTOSEL 4.19 611/671] mt7601u: fix bbp version check in mt7601u_wait_bbp_ready Sasha Levin
@ 2020-01-16 17:04 ` Sasha Levin
2020-01-16 17:04 ` [PATCH AUTOSEL 4.19 625/671] rtlwifi: Remove unnecessary NULL check in rtl_regd_init Sasha Levin
13 siblings, 0 replies; 14+ messages in thread
From: Sasha Levin @ 2020-01-16 17:04 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Dan Carpenter, Kalle Valo, Sasha Levin, linux-wireless, netdev
From: Dan Carpenter <dan.carpenter@oracle.com>
[ Upstream commit 4a50d454502f1401171ff061a5424583f91266db ]
The "priv->hw_type" is an enum and in this context GCC will treat it
as an unsigned int so the error handling will never trigger.
Fixes: a910e4a94f69 ("cw1200: add driver for the ST-E CW1100 & CW1200 WLAN chipsets")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/st/cw1200/fwio.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/net/wireless/st/cw1200/fwio.c b/drivers/net/wireless/st/cw1200/fwio.c
index 30e7646d04af..16be7fa82a23 100644
--- a/drivers/net/wireless/st/cw1200/fwio.c
+++ b/drivers/net/wireless/st/cw1200/fwio.c
@@ -323,12 +323,12 @@ int cw1200_load_firmware(struct cw1200_common *priv)
goto out;
}
- priv->hw_type = cw1200_get_hw_type(val32, &major_revision);
- if (priv->hw_type < 0) {
+ ret = cw1200_get_hw_type(val32, &major_revision);
+ if (ret < 0) {
pr_err("Can't deduce hardware type.\n");
- ret = -ENOTSUPP;
goto out;
}
+ priv->hw_type = ret;
/* Set DPLL Reg value, and read back to confirm writes work */
ret = cw1200_reg_write_32(priv, ST90TDS_TSET_GEN_R_W_REG_ID,
--
2.20.1
^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH AUTOSEL 4.19 625/671] rtlwifi: Remove unnecessary NULL check in rtl_regd_init
[not found] <20200116170509.12787-1-sashal@kernel.org>
` (12 preceding siblings ...)
2020-01-16 17:04 ` [PATCH AUTOSEL 4.19 616/671] cw1200: Fix a signedness bug in cw1200_load_firmware() Sasha Levin
@ 2020-01-16 17:04 ` Sasha Levin
13 siblings, 0 replies; 14+ messages in thread
From: Sasha Levin @ 2020-01-16 17:04 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Nathan Chancellor, Ping-Ke Shih, Kalle Valo, Sasha Levin,
linux-wireless, netdev, clang-built-linux
From: Nathan Chancellor <natechancellor@gmail.com>
[ Upstream commit 091c6e9c083f7ebaff00b37ad13562d51464d175 ]
When building with Clang + -Wtautological-pointer-compare:
drivers/net/wireless/realtek/rtlwifi/regd.c:389:33: warning: comparison
of address of 'rtlpriv->regd' equal to a null pointer is always false
[-Wtautological-pointer-compare]
if (wiphy == NULL || &rtlpriv->regd == NULL)
~~~~~~~~~^~~~ ~~~~
1 warning generated.
The address of an array member is never NULL unless it is the first
struct member so remove the unnecessary check. This was addressed in
the staging version of the driver in commit f986978b32b3 ("Staging:
rtlwifi: remove unnecessary NULL check").
While we are here, fix the following checkpatch warning:
CHECK: Comparison to NULL could be written "!wiphy"
35: FILE: drivers/net/wireless/realtek/rtlwifi/regd.c:389:
+ if (wiphy == NULL)
Fixes: 0c8173385e54 ("rtl8192ce: Add new driver")
Link:https://github.com/ClangBuiltLinux/linux/issues/750
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Acked-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtlwifi/regd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/realtek/rtlwifi/regd.c b/drivers/net/wireless/realtek/rtlwifi/regd.c
index 1bf3eb25c1da..72ca370331fb 100644
--- a/drivers/net/wireless/realtek/rtlwifi/regd.c
+++ b/drivers/net/wireless/realtek/rtlwifi/regd.c
@@ -427,7 +427,7 @@ int rtl_regd_init(struct ieee80211_hw *hw,
struct wiphy *wiphy = hw->wiphy;
struct country_code_to_enum_rd *country = NULL;
- if (wiphy == NULL || &rtlpriv->regd == NULL)
+ if (!wiphy)
return -EINVAL;
/* init country_code from efuse channel plan */
--
2.20.1
^ permalink raw reply related [flat|nested] 14+ messages in thread
end of thread, other threads:[~2020-01-16 19:01 UTC | newest]
Thread overview: 14+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <20200116170509.12787-1-sashal@kernel.org>
2020-01-16 16:58 ` [PATCH AUTOSEL 4.19 290/671] brcmfmac: fix leak of mypkt on error return path Sasha Levin
2020-01-16 16:59 ` [PATCH AUTOSEL 4.19 338/671] ath10k: Fix encoding for protected management frames Sasha Levin
2020-01-16 17:01 ` [PATCH AUTOSEL 4.19 468/671] libertas_tf: Use correct channel range in lbtf_geo_init Sasha Levin
2020-01-16 17:02 ` [PATCH AUTOSEL 4.19 503/671] mac80211: minstrel_ht: fix per-group max throughput rate initialization Sasha Levin
2020-01-16 17:02 ` [PATCH AUTOSEL 4.19 520/671] bcma: fix incorrect update of BCMA_CORE_PCI_MDIO_DATA Sasha Levin
2020-01-16 17:02 ` [PATCH AUTOSEL 4.19 525/671] ath9k: dynack: fix possible deadlock in ath_dynack_node_{de}init Sasha Levin
2020-01-16 17:02 ` [PATCH AUTOSEL 4.19 526/671] wcn36xx: use dynamic allocation for large variables Sasha Levin
2020-01-16 17:02 ` [PATCH AUTOSEL 4.19 534/671] rtlwifi: Fix file release memory leak Sasha Levin
2020-01-16 17:03 ` [PATCH AUTOSEL 4.19 548/671] ath10k: adjust skb length in ath10k_sdio_mbox_rx_packet Sasha Levin
2020-01-16 17:03 ` [PATCH AUTOSEL 4.19 578/671] mac80211: accept deauth frames in IBSS mode Sasha Levin
2020-01-16 17:03 ` [PATCH AUTOSEL 4.19 582/671] iwlwifi: pcie: fix memory leaks in iwl_pcie_ctxt_info_gen3_init Sasha Levin
2020-01-16 17:04 ` [PATCH AUTOSEL 4.19 611/671] mt7601u: fix bbp version check in mt7601u_wait_bbp_ready Sasha Levin
2020-01-16 17:04 ` [PATCH AUTOSEL 4.19 616/671] cw1200: Fix a signedness bug in cw1200_load_firmware() Sasha Levin
2020-01-16 17:04 ` [PATCH AUTOSEL 4.19 625/671] rtlwifi: Remove unnecessary NULL check in rtl_regd_init Sasha Levin
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).