linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Kamal Mostafa <kamal@canonical.com>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org,
	kernel-team@lists.ubuntu.com
Cc: Johannes Berg <johannes.berg@intel.com>,
	Luca Coelho <luciano.coelho@intel.com>,
	Kamal Mostafa <kamal@canonical.com>
Subject: [PATCH 3.13.y-ckt 62/96] iwlwifi: dvm: fix D3 firmware PN programming
Date: Fri, 13 Nov 2015 13:49:16 -0800	[thread overview]
Message-ID: <1447451390-16480-63-git-send-email-kamal@canonical.com> (raw)
In-Reply-To: <1447451390-16480-1-git-send-email-kamal@canonical.com>

3.13.11-ckt30 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johannes Berg <johannes.berg@intel.com>

commit 5bd166872d8f99f156fac191299d24f828bb2348 upstream.

The code to send the RX PN data (for each TID) to the firmware
has a devastating bug: it overwrites the data for TID 0 with
all the TID data, leaving the remaining TIDs zeroed. This will
allow replays to actually be accepted by the firmware, which
could allow waking up the system.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
 drivers/net/wireless/iwlwifi/dvm/lib.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/iwlwifi/dvm/lib.c b/drivers/net/wireless/iwlwifi/dvm/lib.c
index 9f2ea1e..b884fef 100644
--- a/drivers/net/wireless/iwlwifi/dvm/lib.c
+++ b/drivers/net/wireless/iwlwifi/dvm/lib.c
@@ -1023,7 +1023,7 @@ static void iwlagn_wowlan_program_keys(struct ieee80211_hw *hw,
 			u8 *pn = seq.ccmp.pn;
 
 			ieee80211_get_key_rx_seq(key, i, &seq);
-			aes_sc->pn = cpu_to_le64(
+			aes_sc[i].pn = cpu_to_le64(
 					(u64)pn[5] |
 					((u64)pn[4] << 8) |
 					((u64)pn[3] << 16) |
-- 
1.9.1


  parent reply	other threads:[~2015-11-13 21:50 UTC|newest]

Thread overview: 97+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-11-13 21:48 [3.13.y-ckt stable] Linux 3.13.11-ckt30 stable review Kamal Mostafa
2015-11-13 21:48 ` [PATCH 3.13.y-ckt 01/96] isdn_ppp: Add checks for allocation failure in isdn_ppp_open() Kamal Mostafa
2015-11-13 21:48 ` [PATCH 3.13.y-ckt 02/96] ppp, slip: Validate VJ compression slot parameters completely Kamal Mostafa
2015-11-13 21:48 ` [PATCH 3.13.y-ckt 03/96] staging/dgnc: fix info leak in ioctl Kamal Mostafa
2015-11-13 21:48 ` [PATCH 3.13.y-ckt 04/96] regmap: debugfs: Ensure we don't underflow when printing access masks Kamal Mostafa
2015-11-13 21:48 ` [PATCH 3.13.y-ckt 05/96] regmap: debugfs: Don't bother actually printing when calculating max length Kamal Mostafa
2015-11-13 21:48 ` [PATCH 3.13.y-ckt 06/96] tools lib traceevent: Fix string handling in heterogeneous arch environments Kamal Mostafa
2015-11-13 21:48 ` [PATCH 3.13.y-ckt 07/96] perf tools: Fix copying of /proc/kcore Kamal Mostafa
2015-11-13 21:48 ` [PATCH 3.13.y-ckt 08/96] ASoC: db1200: Fix DAI link format for db1300 and db1550 Kamal Mostafa
2015-11-13 21:48 ` [PATCH 3.13.y-ckt 09/96] m68k: Define asmlinkage_protect Kamal Mostafa
2015-11-13 21:48 ` [PATCH 3.13.y-ckt 10/96] x86/xen: Support kexec/kdump in HVM guests by doing a soft reset Kamal Mostafa
2015-11-13 21:48 ` [PATCH 3.13.y-ckt 11/96] x86/xen: Do not clip xen_e820_map to xen_e820_map_entries when sanitizing map Kamal Mostafa
2015-11-13 21:48 ` [PATCH 3.13.y-ckt 12/96] UBI: return ENOSPC if no enough space available Kamal Mostafa
2015-11-13 21:48 ` [PATCH 3.13.y-ckt 13/96] s390/boot: fix boot of compressed kernel built with gcc 4.9 Kamal Mostafa
2015-11-13 21:48 ` [PATCH 3.13.y-ckt 14/96] s390/boot/decompression: disable floating point in decompressor Kamal Mostafa
2015-11-13 21:48 ` [PATCH 3.13.y-ckt 15/96] MIPS: dma-default: Fix 32-bit fall back to GFP_DMA Kamal Mostafa
2015-11-13 21:48 ` [PATCH 3.13.y-ckt 16/96] Initialize msg/shm IPC objects before doing ipc_addid() Kamal Mostafa
2015-11-13 21:48 ` [PATCH 3.13.y-ckt 17/96] drm/qxl: recreate the primary surface when the bo is not primary Kamal Mostafa
2015-11-13 21:48 ` [PATCH 3.13.y-ckt 18/96] genirq: Fix race in register_irq_proc() Kamal Mostafa
2015-11-13 21:48 ` [PATCH 3.13.y-ckt 19/96] KVM: nSVM: Check for NRIPS support before updating control field Kamal Mostafa
2015-11-13 21:48 ` [PATCH 3.13.y-ckt 20/96] Use WARN_ON_ONCE for missing X86_FEATURE_NRIPS Kamal Mostafa
2015-11-13 21:48 ` [PATCH 3.13.y-ckt 21/96] dm: fix AB-BA deadlock in __dm_destroy() Kamal Mostafa
2015-11-13 21:48 ` [PATCH 3.13.y-ckt 22/96] mm: hugetlbfs: skip shared VMAs when unmapping private pages to satisfy a fault Kamal Mostafa
2015-11-13 21:48 ` [PATCH 3.13.y-ckt 23/96] [SMB3] Do not fall back to SMBWriteX in set_file_size error cases Kamal Mostafa
2015-11-13 21:48 ` [PATCH 3.13.y-ckt 24/96] x86/mm: Set NX on gap between __ex_table and rodata Kamal Mostafa
2015-11-13 21:48 ` [PATCH 3.13.y-ckt 25/96] ASoC: dwc: correct irq clear method Kamal Mostafa
2015-11-13 21:48 ` [PATCH 3.13.y-ckt 26/96] dm raid: fix round up of default region size Kamal Mostafa
2015-11-13 21:48 ` [PATCH 3.13.y-ckt 27/96] clocksource: Fix abs() usage w/ 64bit values Kamal Mostafa
2015-11-13 21:48 ` [PATCH 3.13.y-ckt 28/96] ALSA: hda - Apply SPDIF pin ctl to MacBookPro 12,1 Kamal Mostafa
2015-11-13 21:48 ` [PATCH 3.13.y-ckt 29/96] USB: Add reset-resume quirk for two Plantronics usb headphones Kamal Mostafa
2015-11-13 21:48 ` [PATCH 3.13.y-ckt 30/96] usb: Add device quirk for Logitech PTZ cameras Kamal Mostafa
2015-11-13 21:48 ` [PATCH 3.13.y-ckt 31/96] staging: speakup: fix speakup-r regression Kamal Mostafa
2015-11-13 21:48 ` [PATCH 3.13.y-ckt 32/96] ALSA: synth: Fix conflicting OSS device registration on AWE32 Kamal Mostafa
2015-11-13 21:48 ` [PATCH 3.13.y-ckt 33/96] arm64: readahead: fault retry breaks mmap file read random detection Kamal Mostafa
2015-11-13 21:48 ` [PATCH 3.13.y-ckt 34/96] dm cache: fix NULL pointer when switching from cleaner policy Kamal Mostafa
2015-11-13 21:48 ` [PATCH 3.13.y-ckt 35/96] dmaengine: dw: properly read DWC_PARAMS register Kamal Mostafa
2015-11-13 21:48 ` [PATCH 3.13.y-ckt 36/96] 3w-9xxx: don't unmap bounce buffered commands Kamal Mostafa
2015-11-13 21:48 ` [PATCH 3.13.y-ckt 37/96] mm/slab: fix unexpected index mapping result of kmalloc_size(INDEX_NODE+1) Kamal Mostafa
2015-11-13 21:48 ` [PATCH 3.13.y-ckt 38/96] workqueue: make sure delayed work run in local cpu Kamal Mostafa
2015-11-13 21:48 ` [PATCH 3.13.y-ckt 39/96] crypto: sparc - initialize blkcipher.ivsize Kamal Mostafa
2015-11-13 21:48 ` [PATCH 3.13.y-ckt 40/96] drm/nouveau/fbcon: take runpm reference when userspace has an open fd Kamal Mostafa
2015-11-13 21:48 ` [PATCH 3.13.y-ckt 41/96] arm64: errata: use KBUILD_CFLAGS_MODULE for erratum #843419 Kamal Mostafa
2015-11-13 21:48 ` [PATCH 3.13.y-ckt 42/96] crypto: ahash - ensure statesize is non-zero Kamal Mostafa
2015-11-13 21:48 ` [PATCH 3.13.y-ckt 43/96] dm thin: fix missing pool reference count decrement in pool_ctr error path Kamal Mostafa
2015-11-13 21:48 ` [PATCH 3.13.y-ckt 44/96] btrfs: fix use after free iterating extrefs Kamal Mostafa
2015-11-13 21:48 ` [PATCH 3.13.y-ckt 45/96] i2c: rcar: enable RuntimePM before registering to the core Kamal Mostafa
2015-11-13 21:49 ` [PATCH 3.13.y-ckt 46/96] i2c: s3c2410: " Kamal Mostafa
2015-11-13 21:49 ` [PATCH 3.13.y-ckt 47/96] i2c: designware-platdrv: " Kamal Mostafa
2015-11-13 21:49 ` [PATCH 3.13.y-ckt 48/96] i2c: designware: Do not use parameters from ACPI on Dell Inspiron 7348 Kamal Mostafa
2015-11-13 21:49 ` [PATCH 3.13.y-ckt 49/96] l2tp: protect tunnel->del_work by ref_count Kamal Mostafa
2015-11-13 21:49 ` [PATCH 3.13.y-ckt 50/96] af_unix: Convert the unix_sk macro to an inline function for type safety Kamal Mostafa
2015-11-13 21:49 ` [PATCH 3.13.y-ckt 51/96] af_unix: return data from multiple SKBs on recv() with MSG_PEEK flag Kamal Mostafa
2015-11-13 21:49 ` [PATCH 3.13.y-ckt 52/96] net/unix: fix logic about sk_peek_offset Kamal Mostafa
2015-11-13 21:49 ` [PATCH 3.13.y-ckt 53/96] skbuff: Fix skb checksum flag on skb pull Kamal Mostafa
2015-11-13 21:49 ` [PATCH 3.13.y-ckt 54/96] skbuff: Fix skb checksum partial check Kamal Mostafa
2015-11-13 21:49 ` [PATCH 3.13.y-ckt 55/96] net: add pfmemalloc check in sk_add_backlog() Kamal Mostafa
2015-11-13 21:49 ` [PATCH 3.13.y-ckt 56/96] ppp: don't override sk->sk_state in pppoe_flush_dev() Kamal Mostafa
2015-11-13 21:49 ` [PATCH 3.13.y-ckt 57/96] ethtool: Use kcalloc instead of kmalloc for ethtool_get_strings Kamal Mostafa
2015-11-13 21:49 ` [PATCH 3.13.y-ckt 58/96] asix: Don't reset PHY on if_up for ASIX 88772 Kamal Mostafa
2015-11-13 21:49 ` [PATCH 3.13.y-ckt 59/96] asix: Do full reset during ax88772_bind Kamal Mostafa
2015-11-13 21:49 ` [PATCH 3.13.y-ckt 60/96] ath9k: declare required extra tx headroom Kamal Mostafa
2015-11-13 21:49 ` [PATCH 3.13.y-ckt 61/96] iio: accel: sca3000: memory corruption in sca3000_read_first_n_hw_rb() Kamal Mostafa
2015-11-13 21:49 ` Kamal Mostafa [this message]
2015-11-13 21:49 ` [PATCH 3.13.y-ckt 63/96] iwlwifi: mvm: fix D3 firmware PN programming Kamal Mostafa
2015-11-13 21:49 ` [PATCH 3.13.y-ckt 64/96] iwlwifi: fix firmware filename for 3160 Kamal Mostafa
2015-11-13 21:49 ` [PATCH 3.13.y-ckt 65/96] iwlwifi: pci: add a few more PCI subvendor IDs for the 7265 series Kamal Mostafa
2015-11-13 21:49 ` [PATCH 3.13.y-ckt 66/96] ARM: orion: Fix DSA platform device after mvmdio conversion Kamal Mostafa
2015-11-13 21:49 ` [PATCH 3.13.y-ckt 67/96] xen-blkfront: check for null drvdata in blkback_changed (XenbusStateClosing) Kamal Mostafa
2015-11-13 21:49 ` [PATCH 3.13.y-ckt 68/96] ALSA: hda - Fix inverted internal mic on Lenovo G50-80 Kamal Mostafa
2015-11-13 21:49 ` [PATCH 3.13.y-ckt 69/96] ASoC: Add info callback for SX_TLV controls Kamal Mostafa
2015-11-13 21:49 ` [PATCH 3.13.y-ckt 70/96] xhci: don't finish a TD if we get a short transfer event mid TD Kamal Mostafa
2015-11-13 21:49 ` [PATCH 3.13.y-ckt 71/96] xhci: handle no ping response error properly Kamal Mostafa
2015-11-13 21:49 ` [PATCH 3.13.y-ckt 72/96] xhci: Add spurious wakeup quirk for LynxPoint-LP controllers Kamal Mostafa
2015-11-13 21:49 ` [PATCH 3.13.y-ckt 73/96] ASoC: wm8904: Correct number of EQ registers Kamal Mostafa
2015-11-13 21:49 ` [PATCH 3.13.y-ckt 74/96] drm/nouveau/gem: return only valid domain when there's only one Kamal Mostafa
2015-11-13 21:49 ` [PATCH 3.13.y-ckt 75/96] powerpc/rtas: Validate rtas.entry before calling enter_rtas() Kamal Mostafa
2015-11-13 21:49 ` [PATCH 3.13.y-ckt 76/96] mm: make sendfile(2) killable Kamal Mostafa
2015-11-13 21:49 ` [PATCH 3.13.y-ckt 77/96] rbd: fix double free on rbd_dev->header_name Kamal Mostafa
2015-11-13 21:49 ` [PATCH 3.13.y-ckt 78/96] rbd: don't leak parent_spec in rbd_dev_probe_parent() Kamal Mostafa
2015-11-13 21:49 ` [PATCH 3.13.y-ckt 79/96] rbd: prevent kernel stack blow up on rbd map Kamal Mostafa
2015-11-13 21:49 ` [PATCH 3.13.y-ckt 80/96] dm btree remove: fix a bug when rebalancing nodes after removal Kamal Mostafa
2015-11-13 21:49 ` [PATCH 3.13.y-ckt 81/96] dm btree: fix leak of bufio-backed block in btree_split_beneath error path Kamal Mostafa
2015-11-13 21:49 ` [PATCH 3.13.y-ckt 82/96] IB/cm: Fix rb-tree duplicate free and use-after-free Kamal Mostafa
2015-11-13 21:49 ` [PATCH 3.13.y-ckt 83/96] module: Fix locking in symbol_put_addr() Kamal Mostafa
2015-11-13 21:49 ` [PATCH 3.13.y-ckt 84/96] crypto: api - Only abort operations on fatal signal Kamal Mostafa
2015-11-13 21:49 ` [PATCH 3.13.y-ckt 85/96] md/raid1: submit_bio_wait() returns 0 on success Kamal Mostafa
2015-11-13 21:49 ` [PATCH 3.13.y-ckt 86/96] md/raid10: " Kamal Mostafa
2015-11-13 21:49 ` [PATCH 3.13.y-ckt 87/96] iommu/amd: Don't clear DTE flags when modifying it Kamal Mostafa
2015-11-13 21:49 ` [PATCH 3.13.y-ckt 88/96] mvsas: Fix NULL pointer dereference in mvs_slot_task_free Kamal Mostafa
2015-11-13 21:49 ` [PATCH 3.13.y-ckt 89/96] Revert "ARM64: unwind: Fix PC calculation" Kamal Mostafa
2015-11-13 21:49 ` [PATCH 3.13.y-ckt 90/96] drm/radeon: move bl encoder assignment into bl init Kamal Mostafa
2015-11-13 21:49 ` [PATCH 3.13.y-ckt 91/96] rbd: require stable pages if message data CRCs are enabled Kamal Mostafa
2015-11-13 21:49 ` [PATCH 3.13.y-ckt 92/96] md/raid5: fix locking in handle_stripe_clean_event() Kamal Mostafa
2015-11-13 21:49 ` [PATCH 3.13.y-ckt 93/96] net/mlx4: Copy/set only sizeof struct mlx4_eqe bytes Kamal Mostafa
2015-11-13 21:49 ` [PATCH 3.13.y-ckt 94/96] ipv6: Fix IPsec pre-encap fragmentation check Kamal Mostafa
2015-11-13 21:49 ` [PATCH 3.13.y-ckt 95/96] ipv6: gre: support SIT encapsulation Kamal Mostafa
2015-11-13 21:49 ` [PATCH 3.13.y-ckt 96/96] ppp: fix pppoe_dev deletion condition in pppoe_release() Kamal Mostafa

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1447451390-16480-63-git-send-email-kamal@canonical.com \
    --to=kamal@canonical.com \
    --cc=johannes.berg@intel.com \
    --cc=kernel-team@lists.ubuntu.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=luciano.coelho@intel.com \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).