* [PATCH AUTOSEL 4.9 21/35] wlcore/wl12xx: Fix wl12xx get_mac error if device is in ELP
[not found] <20210706112848.2066036-1-sashal@kernel.org>
@ 2021-07-06 11:28 ` Sasha Levin
2021-07-06 11:28 ` [PATCH AUTOSEL 4.9 22/35] wl1251: Fix possible buffer overflow in wl1251_cmd_scan Sasha Levin
` (2 subsequent siblings)
3 siblings, 0 replies; 4+ messages in thread
From: Sasha Levin @ 2021-07-06 11:28 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Tony Lindgren, Carl Philipp Klemm, Kalle Valo, Sasha Levin,
linux-wireless, netdev
From: Tony Lindgren <tony@atomide.com>
[ Upstream commit 11ef6bc846dcdce838f0b00c5f6a562c57e5d43b ]
At least on wl12xx, reading the MAC after boot can fail with a warning
at drivers/net/wireless/ti/wlcore/sdio.c:78 wl12xx_sdio_raw_read.
The failed call comes from wl12xx_get_mac() that wlcore_nvs_cb() calls
after request_firmware_work_func().
After the error, no wireless interface is created. Reloading the wl12xx
module makes the interface work.
Turns out the wlan controller can be in a low-power ELP state after the
boot from the bootloader or kexec, and needs to be woken up first.
Let's wake the hardware and add a sleep after that similar to
wl12xx_pre_boot() is already doing.
Note that a similar issue could exist for wl18xx, but I have not seen it
so far. And a search for wl18xx_get_mac and wl12xx_sdio_raw_read did not
produce similar errors.
Cc: Carl Philipp Klemm <philipp@uvos.xyz>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20210603062814.19464-1-tony@atomide.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ti/wl12xx/main.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/net/wireless/ti/wl12xx/main.c b/drivers/net/wireless/ti/wl12xx/main.c
index 9bd635ec7827..72991d3a55f1 100644
--- a/drivers/net/wireless/ti/wl12xx/main.c
+++ b/drivers/net/wireless/ti/wl12xx/main.c
@@ -1516,6 +1516,13 @@ static int wl12xx_get_fuse_mac(struct wl1271 *wl)
u32 mac1, mac2;
int ret;
+ /* Device may be in ELP from the bootloader or kexec */
+ ret = wlcore_write32(wl, WL12XX_WELP_ARM_COMMAND, WELP_ARM_COMMAND_VAL);
+ if (ret < 0)
+ goto out;
+
+ usleep_range(500000, 700000);
+
ret = wlcore_set_partition(wl, &wl->ptable[PART_DRPW]);
if (ret < 0)
goto out;
--
2.30.2
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH AUTOSEL 4.9 22/35] wl1251: Fix possible buffer overflow in wl1251_cmd_scan
[not found] <20210706112848.2066036-1-sashal@kernel.org>
2021-07-06 11:28 ` [PATCH AUTOSEL 4.9 21/35] wlcore/wl12xx: Fix wl12xx get_mac error if device is in ELP Sasha Levin
@ 2021-07-06 11:28 ` Sasha Levin
2021-07-06 11:28 ` [PATCH AUTOSEL 4.9 23/35] cw1200: add missing MODULE_DEVICE_TABLE Sasha Levin
2021-07-06 11:28 ` [PATCH AUTOSEL 4.9 30/35] wireless: wext-spy: Fix out-of-bounds warning Sasha Levin
3 siblings, 0 replies; 4+ messages in thread
From: Sasha Levin @ 2021-07-06 11:28 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Lee Gibson, Kalle Valo, Sasha Levin, linux-wireless, netdev
From: Lee Gibson <leegib@gmail.com>
[ Upstream commit d10a87a3535cce2b890897914f5d0d83df669c63 ]
Function wl1251_cmd_scan calls memcpy without checking the length.
Harden by checking the length is within the maximum allowed size.
Signed-off-by: Lee Gibson <leegib@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20210428115508.25624-1-leegib@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ti/wl1251/cmd.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/net/wireless/ti/wl1251/cmd.c b/drivers/net/wireless/ti/wl1251/cmd.c
index ede31f048ef9..247f4310a38f 100644
--- a/drivers/net/wireless/ti/wl1251/cmd.c
+++ b/drivers/net/wireless/ti/wl1251/cmd.c
@@ -465,9 +465,12 @@ int wl1251_cmd_scan(struct wl1251 *wl, u8 *ssid, size_t ssid_len,
cmd->channels[i].channel = channels[i]->hw_value;
}
- cmd->params.ssid_len = ssid_len;
- if (ssid)
- memcpy(cmd->params.ssid, ssid, ssid_len);
+ if (ssid) {
+ int len = clamp_val(ssid_len, 0, IEEE80211_MAX_SSID_LEN);
+
+ cmd->params.ssid_len = len;
+ memcpy(cmd->params.ssid, ssid, len);
+ }
ret = wl1251_cmd_send(wl, CMD_SCAN, cmd, sizeof(*cmd));
if (ret < 0) {
--
2.30.2
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH AUTOSEL 4.9 23/35] cw1200: add missing MODULE_DEVICE_TABLE
[not found] <20210706112848.2066036-1-sashal@kernel.org>
2021-07-06 11:28 ` [PATCH AUTOSEL 4.9 21/35] wlcore/wl12xx: Fix wl12xx get_mac error if device is in ELP Sasha Levin
2021-07-06 11:28 ` [PATCH AUTOSEL 4.9 22/35] wl1251: Fix possible buffer overflow in wl1251_cmd_scan Sasha Levin
@ 2021-07-06 11:28 ` Sasha Levin
2021-07-06 11:28 ` [PATCH AUTOSEL 4.9 30/35] wireless: wext-spy: Fix out-of-bounds warning Sasha Levin
3 siblings, 0 replies; 4+ messages in thread
From: Sasha Levin @ 2021-07-06 11:28 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Zou Wei, Hulk Robot, Kalle Valo, Sasha Levin, linux-wireless, netdev
From: Zou Wei <zou_wei@huawei.com>
[ Upstream commit dd778f89225cd258e8f0fed2b7256124982c8bb5 ]
This patch adds missing MODULE_DEVICE_TABLE definition which generates
correct modalias for automatic loading of this driver when it is built
as an external module.
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Zou Wei <zou_wei@huawei.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/1620788714-14300-1-git-send-email-zou_wei@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/st/cw1200/cw1200_sdio.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/wireless/st/cw1200/cw1200_sdio.c b/drivers/net/wireless/st/cw1200/cw1200_sdio.c
index d3acc85932a5..de92107549ee 100644
--- a/drivers/net/wireless/st/cw1200/cw1200_sdio.c
+++ b/drivers/net/wireless/st/cw1200/cw1200_sdio.c
@@ -62,6 +62,7 @@ static const struct sdio_device_id cw1200_sdio_ids[] = {
{ SDIO_DEVICE(SDIO_VENDOR_ID_STE, SDIO_DEVICE_ID_STE_CW1200) },
{ /* end: all zeroes */ },
};
+MODULE_DEVICE_TABLE(sdio, cw1200_sdio_ids);
/* hwbus_ops implemetation */
--
2.30.2
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH AUTOSEL 4.9 30/35] wireless: wext-spy: Fix out-of-bounds warning
[not found] <20210706112848.2066036-1-sashal@kernel.org>
` (2 preceding siblings ...)
2021-07-06 11:28 ` [PATCH AUTOSEL 4.9 23/35] cw1200: add missing MODULE_DEVICE_TABLE Sasha Levin
@ 2021-07-06 11:28 ` Sasha Levin
3 siblings, 0 replies; 4+ messages in thread
From: Sasha Levin @ 2021-07-06 11:28 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Gustavo A. R. Silva, kernel test robot, Kees Cook, Johannes Berg,
Sasha Levin, linux-wireless, netdev
From: "Gustavo A. R. Silva" <gustavoars@kernel.org>
[ Upstream commit e93bdd78406da9ed01554c51e38b2a02c8ef8025 ]
Fix the following out-of-bounds warning:
net/wireless/wext-spy.c:178:2: warning: 'memcpy' offset [25, 28] from the object at 'threshold' is out of the bounds of referenced subobject 'low' with type 'struct iw_quality' at offset 20 [-Warray-bounds]
The problem is that the original code is trying to copy data into a
couple of struct members adjacent to each other in a single call to
memcpy(). This causes a legitimate compiler warning because memcpy()
overruns the length of &threshold.low and &spydata->spy_thr_low. As
these are just a couple of struct members, fix this by using direct
assignments, instead of memcpy().
This helps with the ongoing efforts to globally enable -Warray-bounds
and get us closer to being able to tighten the FORTIFY_SOURCE routines
on memcpy().
Link: https://github.com/KSPP/linux/issues/109
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20210422200032.GA168995@embeddedor
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/wireless/wext-spy.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/net/wireless/wext-spy.c b/net/wireless/wext-spy.c
index 33bef22e44e9..b379a0371653 100644
--- a/net/wireless/wext-spy.c
+++ b/net/wireless/wext-spy.c
@@ -120,8 +120,8 @@ int iw_handler_set_thrspy(struct net_device * dev,
return -EOPNOTSUPP;
/* Just do it */
- memcpy(&(spydata->spy_thr_low), &(threshold->low),
- 2 * sizeof(struct iw_quality));
+ spydata->spy_thr_low = threshold->low;
+ spydata->spy_thr_high = threshold->high;
/* Clear flag */
memset(spydata->spy_thr_under, '\0', sizeof(spydata->spy_thr_under));
@@ -147,8 +147,8 @@ int iw_handler_get_thrspy(struct net_device * dev,
return -EOPNOTSUPP;
/* Just do it */
- memcpy(&(threshold->low), &(spydata->spy_thr_low),
- 2 * sizeof(struct iw_quality));
+ threshold->low = spydata->spy_thr_low;
+ threshold->high = spydata->spy_thr_high;
return 0;
}
@@ -173,10 +173,10 @@ static void iw_send_thrspy_event(struct net_device * dev,
memcpy(threshold.addr.sa_data, address, ETH_ALEN);
threshold.addr.sa_family = ARPHRD_ETHER;
/* Copy stats */
- memcpy(&(threshold.qual), wstats, sizeof(struct iw_quality));
+ threshold.qual = *wstats;
/* Copy also thresholds */
- memcpy(&(threshold.low), &(spydata->spy_thr_low),
- 2 * sizeof(struct iw_quality));
+ threshold.low = spydata->spy_thr_low;
+ threshold.high = spydata->spy_thr_high;
/* Send event to user space */
wireless_send_event(dev, SIOCGIWTHRSPY, &wrqu, (char *) &threshold);
--
2.30.2
^ permalink raw reply related [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-07-06 12:29 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <20210706112848.2066036-1-sashal@kernel.org>
2021-07-06 11:28 ` [PATCH AUTOSEL 4.9 21/35] wlcore/wl12xx: Fix wl12xx get_mac error if device is in ELP Sasha Levin
2021-07-06 11:28 ` [PATCH AUTOSEL 4.9 22/35] wl1251: Fix possible buffer overflow in wl1251_cmd_scan Sasha Levin
2021-07-06 11:28 ` [PATCH AUTOSEL 4.9 23/35] cw1200: add missing MODULE_DEVICE_TABLE Sasha Levin
2021-07-06 11:28 ` [PATCH AUTOSEL 4.9 30/35] wireless: wext-spy: Fix out-of-bounds warning Sasha Levin
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).