* [PATCH 0/9] brcmfmac: coverity fixes
@ 2016-09-19 11:09 Arend van Spriel
2016-09-19 11:09 ` [PATCH 1/9] brcmfmac: ignore 11d configuration errors Arend van Spriel
` (9 more replies)
0 siblings, 10 replies; 12+ messages in thread
From: Arend van Spriel @ 2016-09-19 11:09 UTC (permalink / raw)
To: Kalle Valo; +Cc: linux-wireless, Arend van Spriel
This series consist of:
* fixes for several issues found by Coverity.
* ignore 802.11d configuration if not supported in firmware.
* remove worker from netdev callback.
This is intended for 4.9 and applies to the master branch of
the wireless-drivers-next repository.
Arend van Spriel (4):
brcmfmac: rework pointer trickery in brcmf_proto_bcdc_query_dcmd()
brcmfmac: fix memory leak in brcmf_flowring_add_tdls_peer()
brcmfmac: initialize variable in brcmf_sdiod_regrl()
brcmfmac: remove worker from .ndo_set_mac_address() callback
Hante Meuleman (5):
brcmfmac: ignore 11d configuration errors
brcmfmac: remove unnecessary null pointer check
brcmfmac: fix clearing entry IPv6 address
brcmfmac: fix out of bound access on clearing wowl wake indicator
brcmfmac: simplify mapping of auth type
.../wireless/broadcom/brcm80211/brcmfmac/bcdc.c | 2 +-
.../wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c | 2 +-
.../broadcom/brcm80211/brcmfmac/cfg80211.c | 41 +++++++++---------
.../wireless/broadcom/brcm80211/brcmfmac/core.c | 49 +++++++++-------------
.../wireless/broadcom/brcm80211/brcmfmac/core.h | 2 -
.../broadcom/brcm80211/brcmfmac/flowring.c | 8 +++-
6 files changed, 47 insertions(+), 57 deletions(-)
--
1.9.1
^ permalink raw reply [flat|nested] 12+ messages in thread
* [PATCH 1/9] brcmfmac: ignore 11d configuration errors
2016-09-19 11:09 [PATCH 0/9] brcmfmac: coverity fixes Arend van Spriel
@ 2016-09-19 11:09 ` Arend van Spriel
2016-09-26 17:38 ` [1/9] " Kalle Valo
2016-09-19 11:09 ` [PATCH 2/9] brcmfmac: rework pointer trickery in brcmf_proto_bcdc_query_dcmd() Arend van Spriel
` (8 subsequent siblings)
9 siblings, 1 reply; 12+ messages in thread
From: Arend van Spriel @ 2016-09-19 11:09 UTC (permalink / raw)
To: Kalle Valo; +Cc: linux-wireless, Hante Meuleman, Arend van Spriel
From: Hante Meuleman <hante.meuleman@broadcom.com>
802.11d is not always supported by firmware anymore. Currently the
AP configuration of 11d will cause an abort if the ioctl set is
failing. This behavior is not correct and the error should be
ignored.
Reviewed-by: Arend Van Spriel <arend.vanspriel@broadcom.com>
Reviewed-by: Franky Lin <franky.lin@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Signed-off-by: Hante Meuleman <hante.meuleman@broadcom.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
---
.../broadcom/brcm80211/brcmfmac/cfg80211.c | 27 ++++++++++++----------
1 file changed, 15 insertions(+), 12 deletions(-)
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
index 201a980..c3b8f59 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
@@ -4502,6 +4502,7 @@ brcmf_cfg80211_start_ap(struct wiphy *wiphy, struct net_device *ndev,
u16 chanspec = chandef_to_chanspec(&cfg->d11inf, &settings->chandef);
bool mbss;
int is_11d;
+ bool supports_11d;
brcmf_dbg(TRACE, "ctrlchn=%d, center=%d, bw=%d, beacon_interval=%d, dtim_period=%d,\n",
settings->chandef.chan->hw_value,
@@ -4514,11 +4515,16 @@ brcmf_cfg80211_start_ap(struct wiphy *wiphy, struct net_device *ndev,
mbss = ifp->vif->mbss;
/* store current 11d setting */
- brcmf_fil_cmd_int_get(ifp, BRCMF_C_GET_REGULATORY, &ifp->vif->is_11d);
- country_ie = brcmf_parse_tlvs((u8 *)settings->beacon.tail,
- settings->beacon.tail_len,
- WLAN_EID_COUNTRY);
- is_11d = country_ie ? 1 : 0;
+ if (brcmf_fil_cmd_int_get(ifp, BRCMF_C_GET_REGULATORY,
+ &ifp->vif->is_11d)) {
+ supports_11d = false;
+ } else {
+ country_ie = brcmf_parse_tlvs((u8 *)settings->beacon.tail,
+ settings->beacon.tail_len,
+ WLAN_EID_COUNTRY);
+ is_11d = country_ie ? 1 : 0;
+ supports_11d = true;
+ }
memset(&ssid_le, 0, sizeof(ssid_le));
if (settings->ssid == NULL || settings->ssid_len == 0) {
@@ -4577,7 +4583,7 @@ brcmf_cfg80211_start_ap(struct wiphy *wiphy, struct net_device *ndev,
/* Parameters shared by all radio interfaces */
if (!mbss) {
- if (is_11d != ifp->vif->is_11d) {
+ if ((supports_11d) && (is_11d != ifp->vif->is_11d)) {
err = brcmf_fil_cmd_int_set(ifp, BRCMF_C_SET_REGULATORY,
is_11d);
if (err < 0) {
@@ -4619,7 +4625,7 @@ brcmf_cfg80211_start_ap(struct wiphy *wiphy, struct net_device *ndev,
brcmf_err("SET INFRA error %d\n", err);
goto exit;
}
- } else if (WARN_ON(is_11d != ifp->vif->is_11d)) {
+ } else if (WARN_ON(supports_11d && (is_11d != ifp->vif->is_11d))) {
/* Multiple-BSS should use same 11d configuration */
err = -EINVAL;
goto exit;
@@ -4753,11 +4759,8 @@ static int brcmf_cfg80211_stop_ap(struct wiphy *wiphy, struct net_device *ndev)
brcmf_err("setting INFRA mode failed %d\n", err);
if (brcmf_feat_is_enabled(ifp, BRCMF_FEAT_MBSS))
brcmf_fil_iovar_int_set(ifp, "mbss", 0);
- err = brcmf_fil_cmd_int_set(ifp, BRCMF_C_SET_REGULATORY,
- ifp->vif->is_11d);
- if (err < 0)
- brcmf_err("restoring REGULATORY setting failed %d\n",
- err);
+ brcmf_fil_cmd_int_set(ifp, BRCMF_C_SET_REGULATORY,
+ ifp->vif->is_11d);
/* Bring device back up so it can be used again */
err = brcmf_fil_cmd_int_set(ifp, BRCMF_C_UP, 1);
if (err < 0)
--
1.9.1
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH 2/9] brcmfmac: rework pointer trickery in brcmf_proto_bcdc_query_dcmd()
2016-09-19 11:09 [PATCH 0/9] brcmfmac: coverity fixes Arend van Spriel
2016-09-19 11:09 ` [PATCH 1/9] brcmfmac: ignore 11d configuration errors Arend van Spriel
@ 2016-09-19 11:09 ` Arend van Spriel
2016-09-19 11:09 ` [PATCH 3/9] brcmfmac: fix memory leak in brcmf_flowring_add_tdls_peer() Arend van Spriel
` (7 subsequent siblings)
9 siblings, 0 replies; 12+ messages in thread
From: Arend van Spriel @ 2016-09-19 11:09 UTC (permalink / raw)
To: Kalle Valo; +Cc: linux-wireless, Arend van Spriel
The variable info is assigned to point to bcdc->msg[1], which is the
same as pointing to bcdc->buf. As that is what we want to access
make it clear by fixing the assignment. This also avoid out-of-bounds
errors from static analyzers are bcdc->msg[1] is not in the structure
definition.
Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Reviewed-by: Franky Lin <franky.lin@broadcom.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
---
drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcdc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcdc.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcdc.c
index d1bc51f..038a960 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcdc.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcdc.c
@@ -194,7 +194,7 @@ retry:
}
/* Check info buffer */
- info = (void *)&msg[1];
+ info = (void *)&bcdc->buf[0];
/* Copy info buffer */
if (buf) {
--
1.9.1
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH 3/9] brcmfmac: fix memory leak in brcmf_flowring_add_tdls_peer()
2016-09-19 11:09 [PATCH 0/9] brcmfmac: coverity fixes Arend van Spriel
2016-09-19 11:09 ` [PATCH 1/9] brcmfmac: ignore 11d configuration errors Arend van Spriel
2016-09-19 11:09 ` [PATCH 2/9] brcmfmac: rework pointer trickery in brcmf_proto_bcdc_query_dcmd() Arend van Spriel
@ 2016-09-19 11:09 ` Arend van Spriel
2016-09-19 11:09 ` [PATCH 4/9] brcmfmac: initialize variable in brcmf_sdiod_regrl() Arend van Spriel
` (6 subsequent siblings)
9 siblings, 0 replies; 12+ messages in thread
From: Arend van Spriel @ 2016-09-19 11:09 UTC (permalink / raw)
To: Kalle Valo; +Cc: linux-wireless, Arend van Spriel
In the error paths in brcmf_flowring_add_tdls_peer() the allocated
resource should be freed.
Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
---
drivers/net/wireless/broadcom/brcm80211/brcmfmac/flowring.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/flowring.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/flowring.c
index 7e269f9..b16b367 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/flowring.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/flowring.c
@@ -495,14 +495,18 @@ void brcmf_flowring_add_tdls_peer(struct brcmf_flowring *flow, int ifidx,
} else {
search = flow->tdls_entry;
if (memcmp(search->mac, peer, ETH_ALEN) == 0)
- return;
+ goto free_entry;
while (search->next) {
search = search->next;
if (memcmp(search->mac, peer, ETH_ALEN) == 0)
- return;
+ goto free_entry;
}
search->next = tdls_entry;
}
flow->tdls_active = true;
+ return;
+
+free_entry:
+ kfree(tdls_entry);
}
--
1.9.1
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH 4/9] brcmfmac: initialize variable in brcmf_sdiod_regrl()
2016-09-19 11:09 [PATCH 0/9] brcmfmac: coverity fixes Arend van Spriel
` (2 preceding siblings ...)
2016-09-19 11:09 ` [PATCH 3/9] brcmfmac: fix memory leak in brcmf_flowring_add_tdls_peer() Arend van Spriel
@ 2016-09-19 11:09 ` Arend van Spriel
2016-09-19 11:09 ` [PATCH 5/9] brcmfmac: remove worker from .ndo_set_mac_address() callback Arend van Spriel
` (5 subsequent siblings)
9 siblings, 0 replies; 12+ messages in thread
From: Arend van Spriel @ 2016-09-19 11:09 UTC (permalink / raw)
To: Kalle Valo; +Cc: linux-wireless, Arend van Spriel
In case of an error the variable returned is uninitialized. The caller
will probably check the error code before using it, but better assure
it is set to zero.
Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
---
drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
index 03404cb..72139b5 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
@@ -420,7 +420,7 @@ u8 brcmf_sdiod_regrb(struct brcmf_sdio_dev *sdiodev, u32 addr, int *ret)
u32 brcmf_sdiod_regrl(struct brcmf_sdio_dev *sdiodev, u32 addr, int *ret)
{
- u32 data;
+ u32 data = 0;
int retval;
brcmf_dbg(SDIO, "addr:0x%08x\n", addr);
--
1.9.1
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH 5/9] brcmfmac: remove worker from .ndo_set_mac_address() callback
2016-09-19 11:09 [PATCH 0/9] brcmfmac: coverity fixes Arend van Spriel
` (3 preceding siblings ...)
2016-09-19 11:09 ` [PATCH 4/9] brcmfmac: initialize variable in brcmf_sdiod_regrl() Arend van Spriel
@ 2016-09-19 11:09 ` Arend van Spriel
2016-09-19 11:09 ` [PATCH 6/9] brcmfmac: remove unnecessary null pointer check Arend van Spriel
` (4 subsequent siblings)
9 siblings, 0 replies; 12+ messages in thread
From: Arend van Spriel @ 2016-09-19 11:09 UTC (permalink / raw)
To: Kalle Valo; +Cc: linux-wireless, Arend van Spriel
As it turns out there is no need to use a worker for the callback
because it is not called from atomic context.
Reported-by: Dan Williams <dcbw@redhat.com>
Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Reviewed-by: Franky Lin <franky.lin@broadcom.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
---
.../wireless/broadcom/brcm80211/brcmfmac/core.c | 39 ++++++++--------------
.../wireless/broadcom/brcm80211/brcmfmac/core.h | 2 --
2 files changed, 13 insertions(+), 28 deletions(-)
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
index 8d16f02..77c4180 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
@@ -136,27 +136,6 @@ static void _brcmf_set_multicast_list(struct work_struct *work)
err);
}
-static void
-_brcmf_set_mac_address(struct work_struct *work)
-{
- struct brcmf_if *ifp;
- s32 err;
-
- ifp = container_of(work, struct brcmf_if, setmacaddr_work);
-
- brcmf_dbg(TRACE, "Enter, bsscfgidx=%d\n", ifp->bsscfgidx);
-
- err = brcmf_fil_iovar_data_set(ifp, "cur_etheraddr", ifp->mac_addr,
- ETH_ALEN);
- if (err < 0) {
- brcmf_err("Setting cur_etheraddr failed, %d\n", err);
- } else {
- brcmf_dbg(TRACE, "MAC address updated to %pM\n",
- ifp->mac_addr);
- memcpy(ifp->ndev->dev_addr, ifp->mac_addr, ETH_ALEN);
- }
-}
-
#if IS_ENABLED(CONFIG_IPV6)
static void _brcmf_update_ndtable(struct work_struct *work)
{
@@ -190,10 +169,20 @@ static int brcmf_netdev_set_mac_address(struct net_device *ndev, void *addr)
{
struct brcmf_if *ifp = netdev_priv(ndev);
struct sockaddr *sa = (struct sockaddr *)addr;
+ int err;
- memcpy(&ifp->mac_addr, sa->sa_data, ETH_ALEN);
- schedule_work(&ifp->setmacaddr_work);
- return 0;
+ brcmf_dbg(TRACE, "Enter, bsscfgidx=%d\n", ifp->bsscfgidx);
+
+ err = brcmf_fil_iovar_data_set(ifp, "cur_etheraddr", sa->sa_data,
+ ETH_ALEN);
+ if (err < 0) {
+ brcmf_err("Setting cur_etheraddr failed, %d\n", err);
+ } else {
+ brcmf_dbg(TRACE, "updated to %pM\n", sa->sa_data);
+ memcpy(ifp->mac_addr, sa->sa_data, ETH_ALEN);
+ memcpy(ifp->ndev->dev_addr, ifp->mac_addr, ETH_ALEN);
+ }
+ return err;
}
static void brcmf_netdev_set_multicast_list(struct net_device *ndev)
@@ -525,7 +514,6 @@ int brcmf_net_attach(struct brcmf_if *ifp, bool rtnl_locked)
/* set the mac address */
memcpy(ndev->dev_addr, ifp->mac_addr, ETH_ALEN);
- INIT_WORK(&ifp->setmacaddr_work, _brcmf_set_mac_address);
INIT_WORK(&ifp->multicast_work, _brcmf_set_multicast_list);
INIT_WORK(&ifp->ndoffload_work, _brcmf_update_ndtable);
@@ -730,7 +718,6 @@ static void brcmf_del_if(struct brcmf_pub *drvr, s32 bsscfgidx,
}
if (ifp->ndev->netdev_ops == &brcmf_netdev_ops_pri) {
- cancel_work_sync(&ifp->setmacaddr_work);
cancel_work_sync(&ifp->multicast_work);
cancel_work_sync(&ifp->ndoffload_work);
}
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.h b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.h
index 8fa34ca..8a810bb 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.h
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.h
@@ -176,7 +176,6 @@ enum brcmf_netif_stop_reason {
* @vif: points to cfg80211 specific interface information.
* @ndev: associated network device.
* @stats: interface specific network statistics.
- * @setmacaddr_work: worker object for setting mac address.
* @multicast_work: worker object for multicast provisioning.
* @ndoffload_work: worker object for neighbor discovery offload configuration.
* @fws_desc: interface specific firmware-signalling descriptor.
@@ -193,7 +192,6 @@ struct brcmf_if {
struct brcmf_cfg80211_vif *vif;
struct net_device *ndev;
struct net_device_stats stats;
- struct work_struct setmacaddr_work;
struct work_struct multicast_work;
struct work_struct ndoffload_work;
struct brcmf_fws_mac_descriptor *fws_desc;
--
1.9.1
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH 6/9] brcmfmac: remove unnecessary null pointer check
2016-09-19 11:09 [PATCH 0/9] brcmfmac: coverity fixes Arend van Spriel
` (4 preceding siblings ...)
2016-09-19 11:09 ` [PATCH 5/9] brcmfmac: remove worker from .ndo_set_mac_address() callback Arend van Spriel
@ 2016-09-19 11:09 ` Arend van Spriel
2016-09-19 11:09 ` [PATCH 7/9] brcmfmac: fix clearing entry IPv6 address Arend van Spriel
` (3 subsequent siblings)
9 siblings, 0 replies; 12+ messages in thread
From: Arend van Spriel @ 2016-09-19 11:09 UTC (permalink / raw)
To: Kalle Valo; +Cc: linux-wireless, Hante Meuleman, Arend van Spriel
From: Hante Meuleman <hante.meuleman@broadcom.com>
in the function brcmf_bus_start() in the exception handling a
check is made to dermine whether ifp is null, though this is not
possible. Removing the unnessary check.
Reviewed-by: Arend Van Spriel <arend.vanspriel@broadcom.com>
Reviewed-by: Franky Lin <franky.lin@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Signed-off-by: Hante Meuleman <hante.meuleman@broadcom.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
---
drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
index 77c4180..3394184 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
@@ -1048,8 +1048,7 @@ fail:
brcmf_fws_del_interface(ifp);
brcmf_fws_deinit(drvr);
}
- if (ifp)
- brcmf_net_detach(ifp->ndev, false);
+ brcmf_net_detach(ifp->ndev, false);
if (p2p_ifp)
brcmf_net_detach(p2p_ifp->ndev, false);
drvr->iflist[0] = NULL;
--
1.9.1
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH 7/9] brcmfmac: fix clearing entry IPv6 address
2016-09-19 11:09 [PATCH 0/9] brcmfmac: coverity fixes Arend van Spriel
` (5 preceding siblings ...)
2016-09-19 11:09 ` [PATCH 6/9] brcmfmac: remove unnecessary null pointer check Arend van Spriel
@ 2016-09-19 11:09 ` Arend van Spriel
2016-09-19 11:09 ` [PATCH 8/9] brcmfmac: fix out of bound access on clearing wowl wake indicator Arend van Spriel
` (2 subsequent siblings)
9 siblings, 0 replies; 12+ messages in thread
From: Arend van Spriel @ 2016-09-19 11:09 UTC (permalink / raw)
To: Kalle Valo; +Cc: linux-wireless, Hante Meuleman, Arend van Spriel
From: Hante Meuleman <hante.meuleman@broadcom.com>
When IPv6 address is to be cleared there is a possible out of
bound access. But also the clearing of the last entry and the
adjustment of total number of stored IPv6 addresses is not
updated. This patch fixes that bug. Bug was found using coverity.
Reviewed-by: Arend Van Spriel <arend.vanspriel@broadcom.com>
Reviewed-by: Franky Lin <franky.lin@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Signed-off-by: Hante Meuleman <hante.meuleman@broadcom.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
---
drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
index 3394184..bb71199 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
@@ -873,9 +873,12 @@ static int brcmf_inet6addr_changed(struct notifier_block *nb,
}
break;
case NETDEV_DOWN:
- if (i < NDOL_MAX_ENTRIES)
- for (; i < ifp->ipv6addr_idx; i++)
+ if (i < NDOL_MAX_ENTRIES) {
+ for (; i < ifp->ipv6addr_idx - 1; i++)
table[i] = table[i + 1];
+ memset(&table[i], 0, sizeof(table[i]));
+ ifp->ipv6addr_idx--;
+ }
break;
default:
break;
--
1.9.1
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH 8/9] brcmfmac: fix out of bound access on clearing wowl wake indicator
2016-09-19 11:09 [PATCH 0/9] brcmfmac: coverity fixes Arend van Spriel
` (6 preceding siblings ...)
2016-09-19 11:09 ` [PATCH 7/9] brcmfmac: fix clearing entry IPv6 address Arend van Spriel
@ 2016-09-19 11:09 ` Arend van Spriel
2016-09-19 11:09 ` [PATCH 9/9] brcmfmac: simplify mapping of auth type Arend van Spriel
2016-09-19 16:42 ` [PATCH 0/9] brcmfmac: coverity fixes Florian Fainelli
9 siblings, 0 replies; 12+ messages in thread
From: Arend van Spriel @ 2016-09-19 11:09 UTC (permalink / raw)
To: Kalle Valo; +Cc: linux-wireless, Hante Meuleman, Arend van Spriel
From: Hante Meuleman <hante.meuleman@broadcom.com>
Clearing the wowl wakeindicator happens with a rather odd
construction where the string "clear" is used to set the iovar
wowl_wakeind. This was implemented incorrectly as it caused an
out of bound access. Use an intermediate variable of correct
length and copy string in that. Problem was found using coverity.
Reviewed-by: Arend Van Spriel <arend.vanspriel@broadcom.com>
Reviewed-by: Franky Lin <franky.lin@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Signed-off-by: Hante Meuleman <hante.meuleman@broadcom.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
---
drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
index c3b8f59..386ad7e 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
@@ -3703,6 +3703,7 @@ static void brcmf_configure_wowl(struct brcmf_cfg80211_info *cfg,
struct cfg80211_wowlan *wowl)
{
u32 wowl_config;
+ struct brcmf_wowl_wakeind_le wowl_wakeind;
u32 i;
brcmf_dbg(TRACE, "Suspend, wowl config.\n");
@@ -3744,8 +3745,9 @@ static void brcmf_configure_wowl(struct brcmf_cfg80211_info *cfg,
if (!test_bit(BRCMF_VIF_STATUS_CONNECTED, &ifp->vif->sme_state))
wowl_config |= BRCMF_WOWL_UNASSOC;
- brcmf_fil_iovar_data_set(ifp, "wowl_wakeind", "clear",
- sizeof(struct brcmf_wowl_wakeind_le));
+ memcpy(&wowl_wakeind, "clear", 6);
+ brcmf_fil_iovar_data_set(ifp, "wowl_wakeind", &wowl_wakeind,
+ sizeof(wowl_wakeind));
brcmf_fil_iovar_int_set(ifp, "wowl", wowl_config);
brcmf_fil_iovar_int_set(ifp, "wowl_activate", 1);
brcmf_bus_wowl_config(cfg->pub->bus_if, true);
--
1.9.1
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH 9/9] brcmfmac: simplify mapping of auth type
2016-09-19 11:09 [PATCH 0/9] brcmfmac: coverity fixes Arend van Spriel
` (7 preceding siblings ...)
2016-09-19 11:09 ` [PATCH 8/9] brcmfmac: fix out of bound access on clearing wowl wake indicator Arend van Spriel
@ 2016-09-19 11:09 ` Arend van Spriel
2016-09-19 16:42 ` [PATCH 0/9] brcmfmac: coverity fixes Florian Fainelli
9 siblings, 0 replies; 12+ messages in thread
From: Arend van Spriel @ 2016-09-19 11:09 UTC (permalink / raw)
To: Kalle Valo; +Cc: linux-wireless, Hante Meuleman, Arend van Spriel
From: Hante Meuleman <hante.meuleman@broadcom.com>
The 802.11 standard only has four valid auth type configurations of which
our firmware only supports two, ie. Open System and Shared Key. Simplify
the mapping falling back to automatic for other types specified by
user-space.
Reviewed-by: Arend Van Spriel <arend.vanspriel@broadcom.com>
Reviewed-by: Franky Lin <franky.lin@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Signed-off-by: Hante Meuleman <hante.meuleman@broadcom.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
---
drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 8 +-------
1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
index 386ad7e..3b7c0f6 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
@@ -1595,15 +1595,9 @@ static s32 brcmf_set_auth_type(struct net_device *ndev,
val = 1;
brcmf_dbg(CONN, "shared key\n");
break;
- case NL80211_AUTHTYPE_AUTOMATIC:
- val = 2;
- brcmf_dbg(CONN, "automatic\n");
- break;
- case NL80211_AUTHTYPE_NETWORK_EAP:
- brcmf_dbg(CONN, "network eap\n");
default:
val = 2;
- brcmf_err("invalid auth type (%d)\n", sme->auth_type);
+ brcmf_dbg(CONN, "automatic, auth type (%d)\n", sme->auth_type);
break;
}
--
1.9.1
^ permalink raw reply related [flat|nested] 12+ messages in thread
* Re: [PATCH 0/9] brcmfmac: coverity fixes
2016-09-19 11:09 [PATCH 0/9] brcmfmac: coverity fixes Arend van Spriel
` (8 preceding siblings ...)
2016-09-19 11:09 ` [PATCH 9/9] brcmfmac: simplify mapping of auth type Arend van Spriel
@ 2016-09-19 16:42 ` Florian Fainelli
9 siblings, 0 replies; 12+ messages in thread
From: Florian Fainelli @ 2016-09-19 16:42 UTC (permalink / raw)
To: Arend van Spriel, Kalle Valo; +Cc: linux-wireless
On 09/19/2016 04:09 AM, Arend van Spriel wrote:
> This series consist of:
> * fixes for several issues found by Coverity.
> * ignore 802.11d configuration if not supported in firmware.
> * remove worker from netdev callback.
Thanks for doing this, can you also provide the coverity id when
relevant? Something like:
Reported-by: coverity (CID #12345678)
Which can help with automated tools hooking to coverity for managing the
lifecycle of the report.
Thanks!
>
> This is intended for 4.9 and applies to the master branch of
> the wireless-drivers-next repository.
>
> Arend van Spriel (4):
> brcmfmac: rework pointer trickery in brcmf_proto_bcdc_query_dcmd()
> brcmfmac: fix memory leak in brcmf_flowring_add_tdls_peer()
> brcmfmac: initialize variable in brcmf_sdiod_regrl()
> brcmfmac: remove worker from .ndo_set_mac_address() callback
>
> Hante Meuleman (5):
> brcmfmac: ignore 11d configuration errors
> brcmfmac: remove unnecessary null pointer check
> brcmfmac: fix clearing entry IPv6 address
> brcmfmac: fix out of bound access on clearing wowl wake indicator
> brcmfmac: simplify mapping of auth type
>
> .../wireless/broadcom/brcm80211/brcmfmac/bcdc.c | 2 +-
> .../wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c | 2 +-
> .../broadcom/brcm80211/brcmfmac/cfg80211.c | 41 +++++++++---------
> .../wireless/broadcom/brcm80211/brcmfmac/core.c | 49 +++++++++-------------
> .../wireless/broadcom/brcm80211/brcmfmac/core.h | 2 -
> .../broadcom/brcm80211/brcmfmac/flowring.c | 8 +++-
> 6 files changed, 47 insertions(+), 57 deletions(-)
>
--
Florian
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [1/9] brcmfmac: ignore 11d configuration errors
2016-09-19 11:09 ` [PATCH 1/9] brcmfmac: ignore 11d configuration errors Arend van Spriel
@ 2016-09-26 17:38 ` Kalle Valo
0 siblings, 0 replies; 12+ messages in thread
From: Kalle Valo @ 2016-09-26 17:38 UTC (permalink / raw)
To: Arend Van Spriel; +Cc: linux-wireless, Hante Meuleman, Arend van Spriel
Arend Van Spriel <arend.vanspriel@broadcom.com> wrote:
> From: Hante Meuleman <hante.meuleman@broadcom.com>
>
> 802.11d is not always supported by firmware anymore. Currently the
> AP configuration of 11d will cause an abort if the ioctl set is
> failing. This behavior is not correct and the error should be
> ignored.
>
> Reviewed-by: Arend Van Spriel <arend.vanspriel@broadcom.com>
> Reviewed-by: Franky Lin <franky.lin@broadcom.com>
> Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
> Signed-off-by: Hante Meuleman <hante.meuleman@broadcom.com>
> Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
9 patches applied to wireless-drivers-next.git, thanks.
b3589dfe0212 brcmfmac: ignore 11d configuration errors
704d1c6b56f4 brcmfmac: rework pointer trickery in brcmf_proto_bcdc_query_dcmd()
bc9816413601 brcmfmac: fix memory leak in brcmf_flowring_add_tdls_peer()
26305d3d7298 brcmfmac: initialize variable in brcmf_sdiod_regrl()
8fa5fdec09cd brcmfmac: remove worker from .ndo_set_mac_address() callback
835680b82f02 brcmfmac: remove unnecessary null pointer check
2b7425f3629b brcmfmac: fix clearing entry IPv6 address
a7ed7828ecda brcmfmac: fix out of bound access on clearing wowl wake indicator
92c313604711 brcmfmac: simplify mapping of auth type
--
https://patchwork.kernel.org/patch/9339033/
Documentation about submitting wireless patches and checking status
from patchwork:
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
^ permalink raw reply [flat|nested] 12+ messages in thread
end of thread, other threads:[~2016-09-26 17:38 UTC | newest]
Thread overview: 12+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-09-19 11:09 [PATCH 0/9] brcmfmac: coverity fixes Arend van Spriel
2016-09-19 11:09 ` [PATCH 1/9] brcmfmac: ignore 11d configuration errors Arend van Spriel
2016-09-26 17:38 ` [1/9] " Kalle Valo
2016-09-19 11:09 ` [PATCH 2/9] brcmfmac: rework pointer trickery in brcmf_proto_bcdc_query_dcmd() Arend van Spriel
2016-09-19 11:09 ` [PATCH 3/9] brcmfmac: fix memory leak in brcmf_flowring_add_tdls_peer() Arend van Spriel
2016-09-19 11:09 ` [PATCH 4/9] brcmfmac: initialize variable in brcmf_sdiod_regrl() Arend van Spriel
2016-09-19 11:09 ` [PATCH 5/9] brcmfmac: remove worker from .ndo_set_mac_address() callback Arend van Spriel
2016-09-19 11:09 ` [PATCH 6/9] brcmfmac: remove unnecessary null pointer check Arend van Spriel
2016-09-19 11:09 ` [PATCH 7/9] brcmfmac: fix clearing entry IPv6 address Arend van Spriel
2016-09-19 11:09 ` [PATCH 8/9] brcmfmac: fix out of bound access on clearing wowl wake indicator Arend van Spriel
2016-09-19 11:09 ` [PATCH 9/9] brcmfmac: simplify mapping of auth type Arend van Spriel
2016-09-19 16:42 ` [PATCH 0/9] brcmfmac: coverity fixes Florian Fainelli
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).