linux-wireless.vger.kernel.org archive mirror
* [PATCH AUTOSEL 6.3 01/59] wifi: ath: Silence memcpy run-time false positive warning
@ 2023-05-04 19:40 Sasha Levin
From: Sasha Levin @ 2023-05-04 19:40 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Kees Cook, Kalle Valo, David S. Miller, Eric Dumazet,
	Jakub Kicinski, Paolo Abeni, linux-wireless, netdev, Kalle Valo,
	Sasha Levin

From: Kees Cook <keescook@chromium.org>

[ Upstream commit bfcc8ba45eb87bfaaff900bbad2b87b204899d41 ]

The memcpy() in ath_key_config() was attempting to write across
neighboring struct members in struct ath_keyval. Introduce a wrapping
struct_group, kv_values, to be the addressable target of the memcpy
without overflowing an individual member. Silences the false positive
run-time warning:

  memcpy: detected field-spanning write (size 32) of single field "hk.kv_val" at drivers/net/wireless/ath/key.c:506 (size 16)

Link: https://bbs.archlinux.org/viewtopic.php?id=282254
Cc: Kalle Valo <kvalo@kernel.org>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>
Cc: linux-wireless@vger.kernel.org
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20230210054310.never.554-kees@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/ath/ath.h | 12 +++++++-----
 drivers/net/wireless/ath/key.c |  2 +-
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/drivers/net/wireless/ath/ath.h b/drivers/net/wireless/ath/ath.h
index f083fb9038c36..f02a308a9ffc5 100644
--- a/drivers/net/wireless/ath/ath.h
+++ b/drivers/net/wireless/ath/ath.h
@@ -96,11 +96,13 @@ struct ath_keyval {
 	u8 kv_type;
 	u8 kv_pad;
 	u16 kv_len;
-	u8 kv_val[16]; /* TK */
-	u8 kv_mic[8]; /* Michael MIC key */
-	u8 kv_txmic[8]; /* Michael MIC TX key (used only if the hardware
-			 * supports both MIC keys in the same key cache entry;
-			 * in that case, kv_mic is the RX key) */
+	struct_group(kv_values,
+		u8 kv_val[16]; /* TK */
+		u8 kv_mic[8]; /* Michael MIC key */
+		u8 kv_txmic[8]; /* Michael MIC TX key (used only if the hardware
+				 * supports both MIC keys in the same key cache entry;
+				 * in that case, kv_mic is the RX key) */
+	);
 };
 
 enum ath_cipher {
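Review bot: the new kv_values group carries no comment on why the three arrays are grouped, so a reader has to go to key.c to learn that a 32-byte TKIP key (TK followed by the two Michael MIC keys) is copied over the whole span in a single memcpy(). A one-line comment on the struct_group(kv_values, line, such as `/* kv_val..kv_txmic are filled by one memcpy() of the full TKIP key */`, would stop the grouping from being "simplified" back into separate fields later.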
diff --git a/drivers/net/wireless/ath/key.c b/drivers/net/wireless/ath/key.c
index 61b59a804e308..b7b61d4f02bae 100644
--- a/drivers/net/wireless/ath/key.c
+++ b/drivers/net/wireless/ath/key.c
@@ -503,7 +503,7 @@ int ath_key_config(struct ath_common *common,
 
 	hk.kv_len = key->keylen;
 	if (key->keylen)
-		memcpy(hk.kv_val, key->key, key->keylen);
+		memcpy(&hk.kv_values, key->key, key->keylen);
 
 	if (!(key->flags & IEEE80211_KEY_FLAG_PAIRWISE)) {
 		switch (vif->type) {
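Review bot: the copy into &hk.kv_values is still bounded only by key->keylen, which is caller-supplied, while the target is exactly 32 bytes (16 + 8 + 8); nothing in this hunk compares keylen against sizeof(hk.kv_values). The commit message calls the warning a false positive, which holds only as long as every cipher reaching ath_key_config() has keylen <= 32. A guard such as `if (key->keylen > sizeof(hk.kv_values))` that rejects the key ahead of the memcpy would make that assumption local to this function instead of inherited from mac80211.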
-- 
2.39.2


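The mechanism behind the ath.h hunk above, as an added user-space example that is not code from the ath driver or from the patch: it re-creates the kernel's struct_group() idiom so that kv_val/kv_mic/kv_txmic stay addressable by name while also forming one 32-byte span, and copies a constructed TKIP-style key (TK | RX MIC | TX MIC) into that span the way the fixed ath_key_config() does. The struct_group macro is a local reimplementation of the one in include/linux/stddef.h, and the explicit keylen bound in keyval_set() is this example's own addition (the patch relies on mac80211 for it).

```c
/* Added example (user-space, not code from the ath driver or the patch):
 * re-creates the struct_group() idiom from the ath.h hunk to show that the
 * three key arrays become one addressable 32-byte span that a TKIP-style
 * key (TK | RX MIC | TX MIC) can be copied into with a single memcpy(),
 * while kv_val/kv_mic/kv_txmic remain usable by their old names. The
 * keylen bound in keyval_set() is this example's own addition. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same shape as the kernel's struct_group() in include/linux/stddef.h: a
 * union of an anonymous struct (members keep their names) and a named
 * struct (the whole span is addressable as NAME). */
#define struct_group(NAME, ...)                  \
	union {                                  \
		struct { __VA_ARGS__ };          \
		struct { __VA_ARGS__ } NAME;     \
	}

struct ath_keyval {
	uint8_t  kv_type;
	uint8_t  kv_pad;
	uint16_t kv_len;
	struct_group(kv_values,
		uint8_t kv_val[16];   /* TK */
		uint8_t kv_mic[8];    /* Michael MIC RX key */
		uint8_t kv_txmic[8];  /* Michael MIC TX key */
	);
};

/* The layout facts the fix depends on: the group is exactly the three
 * arrays, contiguous, starting where kv_val starts. */
size_t keyval_group_size(void)   { return sizeof(((struct ath_keyval *)0)->kv_values); }
size_t keyval_group_offset(void) { return offsetof(struct ath_keyval, kv_values); }
size_t keyval_val_offset(void)   { return offsetof(struct ath_keyval, kv_val); }

/* Mirror of the fixed copy in ath_key_config(), plus an explicit bound on
 * the caller-supplied length. Returns bytes copied, or -1 if the key would
 * overrun the group. */
int keyval_set(struct ath_keyval *hk, const uint8_t *key, size_t keylen)
{
	if (keylen > sizeof(hk->kv_values))
		return -1;
	memset(hk, 0, sizeof(*hk));
	hk->kv_len = (uint16_t)keylen;
	if (keylen)
		memcpy(&hk->kv_values, key, keylen); /* one 32-byte target, no field-spanning write */
	return (int)keylen;
}

/* Constructed 32-byte key: bytes 0..31, so TK is 0..15, RX MIC 16..23,
 * TX MIC 24..31. Returns the first byte that landed in kv_txmic (24), or a
 * negative code if the copy did not behave as the layout promises. */
int keyval_demo(void)
{
	struct ath_keyval hk;
	uint8_t key[32];
	size_t i;

	for (i = 0; i < sizeof(key); i++)
		key[i] = (uint8_t)i;
	if (keyval_set(&hk, key, sizeof(key)) != 32)
		return -1;
	if (hk.kv_val[0] != 0 || hk.kv_mic[0] != 16)
		return -2;
	return hk.kv_txmic[0];
}

/* A 33-byte key must be refused rather than spill past kv_txmic into
 * whatever follows the struct. Returns 1 when it is refused. */
int keyval_oversize_rejected(void)
{
	struct ath_keyval hk;
	uint8_t key[33] = { 0 };

	return keyval_set(&hk, key, sizeof(key)) == -1;
}

int main(void)
{
	printf("kv_values: offset %zu, size %zu; first TX MIC byte %d; oversize rejected %d\n",
	       keyval_group_offset(), keyval_group_size(),
	       keyval_demo(), keyval_oversize_rejected());
	return 0;
}
```

The point the warning was making is visible in the offsets: kv_val and kv_values start at the same byte, but only the group is 32 bytes long, so a FORTIFY-style field-size check on the memcpy destination is satisfied by the group and violated by kv_val.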

* [PATCH AUTOSEL 6.3 02/59] wifi: ath12k: Handle lock during peer_id find
From: Sasha Levin @ 2023-05-04 19:40 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Ramya Gnanasekar, Kalle Valo, Sasha Levin, kvalo, davem, edumazet,
	kuba, pabeni, ath12k, linux-wireless, netdev

From: Ramya Gnanasekar <quic_rgnanase@quicinc.com>

[ Upstream commit 95a389e2ff3212d866cc51c77d682d2934074eb8 ]

ath12k_peer_find_by_id() requires that the caller hold the
ab->base_lock. Currently the WBM error path does not hold
the lock, and calling that function leads to the
following lockdep_assert() in QCN9274:

[105162.160893] ------------[ cut here ]------------
[105162.160916] WARNING: CPU: 3 PID: 0 at drivers/net/wireless/ath/ath12k/peer.c:71 ath12k_peer_find_by_id+0x52/0x60 [ath12k]
[105162.160933] Modules linked in: ath12k(O) qrtr_mhi qrtr mac80211 cfg80211 mhi qmi_helpers libarc4 nvme nvme_core [last unloaded: ath12k(O)]
[105162.160967] CPU: 3 PID: 0 Comm: swapper/3 Tainted: G        W  O       6.1.0-rc2+ #3
[105162.160972] Hardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS HNKBLi70.86A.0056.2019.0506.1527 05/06/2019
[105162.160977] RIP: 0010:ath12k_peer_find_by_id+0x52/0x60 [ath12k]
[105162.160990] Code: 07 eb 0f 39 68 24 74 0a 48 8b 00 48 39 f8 75 f3 31 c0 5b 5d c3 48 8d bf b0 f2 00 00 be ff ff ff ff e8 22 20 c4 e2 85 c0 75 bf <0f> 0b eb bb 66 2e 0f 1f 84 00 00 00 00 00 41 54 4c 8d a7 98 f2 00
[105162.160996] RSP: 0018:ffffa223001acc60 EFLAGS: 00010246
[105162.161003] RAX: 0000000000000000 RBX: ffff9f0573940000 RCX: 0000000000000000
[105162.161008] RDX: 0000000000000001 RSI: ffffffffa3951c8e RDI: ffffffffa39a96d7
[105162.161013] RBP: 000000000000000a R08: 0000000000000000 R09: 0000000000000000
[105162.161017] R10: ffffa223001acb40 R11: ffffffffa3d57c60 R12: ffff9f057394f2e0
[105162.161022] R13: ffff9f0573940000 R14: ffff9f04ecd659c0 R15: ffff9f04d5a9b040
[105162.161026] FS:  0000000000000000(0000) GS:ffff9f0575600000(0000) knlGS:0000000000000000
[105162.161031] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[105162.161036] CR2: 00001d5c8277a008 CR3: 00000001e6224006 CR4: 00000000003706e0
[105162.161041] Call Trace:
[105162.161046]  <IRQ>
[105162.161051]  ath12k_dp_rx_process_wbm_err+0x6da/0xaf0 [ath12k]
[105162.161072]  ? ath12k_dp_rx_process_err+0x80e/0x15a0 [ath12k]
[105162.161084]  ? __lock_acquire+0x4ca/0x1a60
[105162.161104]  ath12k_dp_service_srng+0x263/0x310 [ath12k]
[105162.161120]  ath12k_pci_ext_grp_napi_poll+0x1c/0x70 [ath12k]
[105162.161133]  __napi_poll+0x22/0x260
[105162.161141]  net_rx_action+0x2f8/0x380
[105162.161153]  __do_softirq+0xd0/0x4c9
[105162.161162]  irq_exit_rcu+0x88/0xe0
[105162.161169]  common_interrupt+0xa5/0xc0
[105162.161174]  </IRQ>
[105162.161179]  <TASK>
[105162.161184]  asm_common_interrupt+0x22/0x40

Handle spin lock/unlock in WBM error path to hold the necessary lock
expected by ath12k_peer_find_by_id().

Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0-03171-QCAHKSWPL_SILICONZ-1

Signed-off-by: Ramya Gnanasekar <quic_rgnanase@quicinc.com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20230122014936.3594-1-quic_rgnanase@quicinc.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/ath/ath12k/dp_rx.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/net/wireless/ath/ath12k/dp_rx.c b/drivers/net/wireless/ath/ath12k/dp_rx.c
index 83a43ad48c512..de9a4ca66c664 100644
--- a/drivers/net/wireless/ath/ath12k/dp_rx.c
+++ b/drivers/net/wireless/ath/ath12k/dp_rx.c
@@ -3494,11 +3494,14 @@ static int ath12k_dp_rx_h_null_q_desc(struct ath12k *ar, struct sk_buff *msdu,
 	msdu_len = ath12k_dp_rx_h_msdu_len(ab, desc);
 	peer_id = ath12k_dp_rx_h_peer_id(ab, desc);
 
+	spin_lock(&ab->base_lock);
 	if (!ath12k_peer_find_by_id(ab, peer_id)) {
+		spin_unlock(&ab->base_lock);
 		ath12k_dbg(ab, ATH12K_DBG_DATA, "invalid peer id received in wbm err pkt%d\n",
 			   peer_id);
 		return -EINVAL;
 	}
+	spin_unlock(&ab->base_lock);
 
 	if (!rxcb->is_frag && ((msdu_len + hal_rx_desc_sz) > DP_RX_BUFFER_SIZE)) {
 		/* First buffer will be freed by the caller, so deduct it's length */
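Review bot: the lock is dropped as soon as ath12k_peer_find_by_id() returns and the peer pointer is discarded, so this only establishes that the id existed at that instant; by the time the frame is processed further down the peer may already be gone. That is fine if nothing later in this path dereferences a peer for this msdu, but a comment saying so would help. The duplicated spin_unlock() can also be avoided by keeping the result: `peer = ath12k_peer_find_by_id(ab, peer_id); spin_unlock(&ab->base_lock); if (!peer) { ... }`. Plain spin_lock() rather than spin_lock_bh() is correct here because, as the trace shows, this runs from NAPI poll in softirq context.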
-- 
2.39.2



* [PATCH AUTOSEL 6.3 03/59] wifi: ath12k: PCI ops for wakeup/release MHI
From: Sasha Levin @ 2023-05-04 19:40 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Ramya Gnanasekar, Kalle Valo, Sasha Levin, kvalo, davem, edumazet,
	kuba, pabeni, ath12k, linux-wireless, netdev

From: Ramya Gnanasekar <quic_rgnanase@quicinc.com>

[ Upstream commit 80e396586d0a94c42015dd9472176d89a3b0e4ca ]

Wakeup/release MHI is not needed before pci_read/write for QCN9274.
Since MHI wakeup & release is enabled for both QCN9274 and
WCN7850, the MHI assert below is seen on QCN9274:

[  784.906613] BUG: sleeping function called from invalid context at drivers/bus/mhi/host/pm.c:989
[  784.906633] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 0, name: swapper/3
[  784.906637] preempt_count: 503, expected: 0
[  784.906641] RCU nest depth: 0, expected: 0
[  784.906644] 2 locks held by swapper/3/0:
[  784.906646]  #0: ffff8ed348e429e0 (&ab->ce.ce_lock){+.-.}-{2:2}, at: ath12k_ce_recv_process_cb+0xb3/0x2f0 [ath12k]
[  784.906664]  #1: ffff8ed348e491f0 (&srng->lock_key#3){+.-.}-{2:2}, at: ath12k_ce_recv_process_cb+0xfb/0x2f0 [ath12k]
[  784.906678] Preemption disabled at:
[  784.906680] [<0000000000000000>] 0x0
[  784.906686] CPU: 3 PID: 0 Comm: swapper/3 Tainted: G        W  O       6.1.0-rc2+ #3
[  784.906688] Hardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS HNKBLi70.86A.0056.2019.0506.1527 05/06/2019
[  784.906690] Call Trace:
[  784.906691]  <IRQ>
[  784.906693]  dump_stack_lvl+0x56/0x7b
[  784.906698]  __might_resched+0x21c/0x270
[  784.906704]  __mhi_device_get_sync+0x7d/0x1c0 [mhi]
[  784.906714]  mhi_device_get_sync+0xd/0x20 [mhi]
[  784.906719]  ath12k_pci_write32+0x75/0x170 [ath12k]
[  784.906729]  ath12k_hal_srng_access_end+0x55/0xc0 [ath12k]
[  784.906737]  ath12k_ce_recv_process_cb+0x1f3/0x2f0 [ath12k]
[  784.906776]  ? ath12k_pci_ce_tasklet+0x11/0x30 [ath12k]
[  784.906788]  ath12k_pci_ce_tasklet+0x11/0x30 [ath12k]
[  784.906813]  tasklet_action_common.isra.18+0xb7/0xe0
[  784.906820]  __do_softirq+0xd0/0x4c9
[  784.906826]  irq_exit_rcu+0x88/0xe0
[  784.906828]  common_interrupt+0xa5/0xc0
[  784.906831]  </IRQ>
[  784.906832]  <TASK>

Add function callbacks for MHI wakeup and release operations.
QCN9274 does not need wakeup/release, so its function callbacks are
initialized to NULL. In the case of WCN7850, shadow registers are used to
access rings. Since the shadow registers' offsets are less than
ACCESS_ALWAYS_OFF, mhi_device_get_sync() or mhi_device_put() to wake up
and release MHI will not be called during service ring accesses.

Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0-03171-QCAHKSWPL_SILICONZ-1
Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0-03427-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.15378.4

Signed-off-by: Ramya Gnanasekar <quic_rgnanase@quicinc.com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20230123095141.5310-1-quic_rgnanase@quicinc.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/ath/ath12k/pci.c | 47 ++++++++++++++++++++++-----
 drivers/net/wireless/ath/ath12k/pci.h |  6 ++++
 2 files changed, 44 insertions(+), 9 deletions(-)

diff --git a/drivers/net/wireless/ath/ath12k/pci.c b/drivers/net/wireless/ath/ath12k/pci.c
index ae7f6083c9fc2..d32637b0113db 100644
--- a/drivers/net/wireless/ath/ath12k/pci.c
+++ b/drivers/net/wireless/ath/ath12k/pci.c
@@ -119,6 +119,30 @@ static const char *irq_name[ATH12K_IRQ_NUM_MAX] = {
 	"tcl2host-status-ring",
 };
 
+static int ath12k_pci_bus_wake_up(struct ath12k_base *ab)
+{
+	struct ath12k_pci *ab_pci = ath12k_pci_priv(ab);
+
+	return mhi_device_get_sync(ab_pci->mhi_ctrl->mhi_dev);
+}
+
+static void ath12k_pci_bus_release(struct ath12k_base *ab)
+{
+	struct ath12k_pci *ab_pci = ath12k_pci_priv(ab);
+
+	mhi_device_put(ab_pci->mhi_ctrl->mhi_dev);
+}
+
+static const struct ath12k_pci_ops ath12k_pci_ops_qcn9274 = {
+	.wakeup = NULL,
+	.release = NULL,
+};
+
+static const struct ath12k_pci_ops ath12k_pci_ops_wcn7850 = {
+	.wakeup = ath12k_pci_bus_wake_up,
+	.release = ath12k_pci_bus_release,
+};
+
 static void ath12k_pci_select_window(struct ath12k_pci *ab_pci, u32 offset)
 {
 	struct ath12k_base *ab = ab_pci->ab;
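Review bot: ath12k_pci_ops_qcn9274 is a table of two NULLs with no comment explaining the convention. A line above it stating that a NULL callback means "no MHI wake needed, register access is always permitted" would also explain why an all-NULL table is used rather than leaving pci_ops itself NULL, which ath12k_pci_read32()/write32() below dereference unconditionally once ATH12K_PCI_FLAG_INIT_DONE is set.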
@@ -989,13 +1013,14 @@ u32 ath12k_pci_read32(struct ath12k_base *ab, u32 offset)
 {
 	struct ath12k_pci *ab_pci = ath12k_pci_priv(ab);
 	u32 val, window_start;
+	int ret = 0;
 
 	/* for offset beyond BAR + 4K - 32, may
 	 * need to wakeup MHI to access.
 	 */
 	if (test_bit(ATH12K_PCI_FLAG_INIT_DONE, &ab_pci->flags) &&
-	    offset >= ACCESS_ALWAYS_OFF)
-		mhi_device_get_sync(ab_pci->mhi_ctrl->mhi_dev);
+	    offset >= ACCESS_ALWAYS_OFF && ab_pci->pci_ops->wakeup)
+		ret = ab_pci->pci_ops->wakeup(ab);
 
 	if (offset < WINDOW_START) {
 		val = ioread32(ab->mem + offset);
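Review bot: when pci_ops->wakeup fails, ret is non-zero but the read still proceeds to the window select and ioread32() for an offset the comment says may need MHI awake; the only consequence of the failure is that the release is skipped. Since ath12k_pci_read32() returns u32 and cannot propagate an error, at least a rate-limited ath12k_warn() on a non-zero ret would make a stalled MHI visible instead of handing back a silently stale value.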
@@ -1023,9 +1048,9 @@ u32 ath12k_pci_read32(struct ath12k_base *ab, u32 offset)
 	}
 
 	if (test_bit(ATH12K_PCI_FLAG_INIT_DONE, &ab_pci->flags) &&
-	    offset >= ACCESS_ALWAYS_OFF)
-		mhi_device_put(ab_pci->mhi_ctrl->mhi_dev);
-
+	    offset >= ACCESS_ALWAYS_OFF && ab_pci->pci_ops->release &&
+	    !ret)
+		ab_pci->pci_ops->release(ab);
 	return val;
 }
 
@@ -1033,13 +1058,14 @@ void ath12k_pci_write32(struct ath12k_base *ab, u32 offset, u32 value)
 {
 	struct ath12k_pci *ab_pci = ath12k_pci_priv(ab);
 	u32 window_start;
+	int ret = 0;
 
 	/* for offset beyond BAR + 4K - 32, may
 	 * need to wakeup MHI to access.
 	 */
 	if (test_bit(ATH12K_PCI_FLAG_INIT_DONE, &ab_pci->flags) &&
-	    offset >= ACCESS_ALWAYS_OFF)
-		mhi_device_get_sync(ab_pci->mhi_ctrl->mhi_dev);
+	    offset >= ACCESS_ALWAYS_OFF && ab_pci->pci_ops->wakeup)
+		ret = ab_pci->pci_ops->wakeup(ab);
 
 	if (offset < WINDOW_START) {
 		iowrite32(value, ab->mem + offset);
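Review bot: this wakeup prologue is a verbatim copy of the one in ath12k_pci_read32(), and the release epilogue further down is duplicated the same way. A pair of small helpers, say `ath12k_pci_wake_for_access(ab_pci, offset)` and `ath12k_pci_release_after_access(ab_pci, offset, ret)` (names hypothetical), would keep the two accessors from drifting apart the next time the condition changes, as it just did in this patch.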
@@ -1067,8 +1093,9 @@ void ath12k_pci_write32(struct ath12k_base *ab, u32 offset, u32 value)
 	}
 
 	if (test_bit(ATH12K_PCI_FLAG_INIT_DONE, &ab_pci->flags) &&
-	    offset >= ACCESS_ALWAYS_OFF)
-		mhi_device_put(ab_pci->mhi_ctrl->mhi_dev);
+	    offset >= ACCESS_ALWAYS_OFF && ab_pci->pci_ops->release &&
+	    !ret)
+		ab_pci->pci_ops->release(ab);
 }
 
 int ath12k_pci_power_up(struct ath12k_base *ab)
@@ -1182,6 +1209,7 @@ static int ath12k_pci_probe(struct pci_dev *pdev,
 	case QCN9274_DEVICE_ID:
 		ab_pci->msi_config = &ath12k_msi_config[0];
 		ab->static_window_map = true;
+		ab_pci->pci_ops = &ath12k_pci_ops_qcn9274;
 		ath12k_pci_read_hw_version(ab, &soc_hw_version_major,
 					   &soc_hw_version_minor);
 		switch (soc_hw_version_major) {
@@ -1202,6 +1230,7 @@ static int ath12k_pci_probe(struct pci_dev *pdev,
 		ab_pci->msi_config = &ath12k_msi_config[0];
 		ab->static_window_map = false;
 		ab->hw_rev = ATH12K_HW_WCN7850_HW20;
+		ab_pci->pci_ops = &ath12k_pci_ops_wcn7850;
 		break;
 
 	default:
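Review bot: pci_ops is assigned only in the two matched device-ID cases; any case added later that reaches hardware setup without setting it will dereference NULL in ath12k_pci_read32()/write32() as soon as ATH12K_PCI_FLAG_INIT_DONE is set and an offset >= ACCESS_ALWAYS_OFF is accessed. A `WARN_ON(!ab_pci->pci_ops)` after the switch, or initialising pci_ops to the QCN9274 table before it, would make that failure mode loud rather than a late NULL dereference.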
diff --git a/drivers/net/wireless/ath/ath12k/pci.h b/drivers/net/wireless/ath/ath12k/pci.h
index 0d9e40ab31f26..0f24fd9395cd9 100644
--- a/drivers/net/wireless/ath/ath12k/pci.h
+++ b/drivers/net/wireless/ath/ath12k/pci.h
@@ -86,6 +86,11 @@ enum ath12k_pci_flags {
 	ATH12K_PCI_ASPM_RESTORE,
 };
 
+struct ath12k_pci_ops {
+	int (*wakeup)(struct ath12k_base *ab);
+	void (*release)(struct ath12k_base *ab);
+};
+
 struct ath12k_pci {
 	struct pci_dev *pdev;
 	struct ath12k_base *ab;
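Review bot: struct ath12k_pci_ops has no kernel-doc. Document that both callbacks may be NULL (the device needs no MHI wake for register access), that wakeup returns 0 on success, and that a non-zero return suppresses the matching release call, since that contract is currently only visible from the call sites in pci.c.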
@@ -103,6 +108,7 @@ struct ath12k_pci {
 	/* enum ath12k_pci_flags */
 	unsigned long flags;
 	u16 link_ctl;
+	const struct ath12k_pci_ops *pci_ops;
 };
 
 static inline struct ath12k_pci *ath12k_pci_priv(struct ath12k_base *ab)
-- 
2.39.2



* [PATCH AUTOSEL 6.3 05/59] wifi: brcmfmac: pcie: Provide a buffer of random bytes to the device
From: Sasha Levin @ 2023-05-04 19:40 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Hector Martin, Linus Walleij, Julian Calaby, Kalle Valo,
	Sasha Levin, aspriel, franky.lin, hante.meuleman, davem, edumazet,
	kuba, pabeni, rmk+kernel, wright.feng, linux-wireless,
	brcm80211-dev-list.pdl, SHA-cyfmac-dev-list, netdev

From: Hector Martin <marcan@marcan.st>

[ Upstream commit 91918ce88d9fef408bb12c46a27c73d79b604c20 ]

Newer Apple firmwares on chipsets without a hardware RNG require the
host to provide a buffer of 256 random bytes to the device on
initialization. This buffer is present immediately before NVRAM,
suffixed by a footer containing a magic number and the buffer length.

This won't affect chips/firmwares that do not use this feature, so do it
unconditionally for all Apple platforms (those with an Apple OTP).

Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Hector Martin <marcan@marcan.st>
Reviewed-by: Julian Calaby <julian.calaby@gmail.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20230214080034.3828-3-marcan@marcan.st
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 .../broadcom/brcm80211/brcmfmac/pcie.c        | 32 +++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
index a9b9b2dc62d4f..2835ef4edb18f 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
@@ -15,6 +15,7 @@
 #include <linux/sched/signal.h>
 #include <linux/kthread.h>
 #include <linux/io.h>
+#include <linux/random.h>
 #include <asm/unaligned.h>
 
 #include <soc.h>
@@ -1653,6 +1654,13 @@ brcmf_pcie_init_share_ram_info(struct brcmf_pciedev_info *devinfo,
 	return 0;
 }
 
+struct brcmf_random_seed_footer {
+	__le32 length;
+	__le32 magic;
+};
+
+#define BRCMF_RANDOM_SEED_MAGIC		0xfeedc0de
+#define BRCMF_RANDOM_SEED_LENGTH	0x100
 
 static int brcmf_pcie_download_fw_nvram(struct brcmf_pciedev_info *devinfo,
 					const struct firmware *fw, void *nvram,
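Review bot: the footer struct and the two defines are dropped between functions with no description of the layout they define. A comment stating that the device expects `[BRCMF_RANDOM_SEED_LENGTH random bytes][footer {length, magic}]` immediately below the NVRAM image, both footer fields little-endian, would document the contract that the hunk in brcmf_pcie_download_fw_nvram() below relies on.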
@@ -1689,6 +1697,30 @@ static int brcmf_pcie_download_fw_nvram(struct brcmf_pciedev_info *devinfo,
 			  nvram_len;
 		memcpy_toio(devinfo->tcm + address, nvram, nvram_len);
 		brcmf_fw_nvram_free(nvram);
+
+		if (devinfo->otp.valid) {
+			size_t rand_len = BRCMF_RANDOM_SEED_LENGTH;
+			struct brcmf_random_seed_footer footer = {
+				.length = cpu_to_le32(rand_len),
+				.magic = cpu_to_le32(BRCMF_RANDOM_SEED_MAGIC),
+			};
+			void *randbuf;
+
+			/* Some Apple chips/firmwares expect a buffer of random
+			 * data to be present before NVRAM
+			 */
+			brcmf_dbg(PCIE, "Download random seed\n");
+
+			address -= sizeof(footer);
+			memcpy_toio(devinfo->tcm + address, &footer,
+				    sizeof(footer));
+
+			address -= rand_len;
+			randbuf = kzalloc(rand_len, GFP_KERNEL);
+			get_random_bytes(randbuf, rand_len);
+			memcpy_toio(devinfo->tcm + address, randbuf, rand_len);
+			kfree(randbuf);
+		}
 	} else {
 		brcmf_dbg(PCIE, "No matching NVRAM file found %s\n",
 			  devinfo->nvram_name);
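Review bot: kzalloc() can return NULL and the result is passed straight to get_random_bytes() and memcpy_toio(); either check it, or use a 256-byte stack buffer, which is acceptable in this context and removes the allocation entirely (the zeroing is redundant anyway since get_random_bytes() overwrites the whole buffer). Separately, nothing checks that `address - sizeof(footer) - rand_len` is still above the end of the firmware image that was just copied, so a firmware/NVRAM pair with a gap smaller than 0x108 bytes would have its tail silently overwritten; a check against the firmware end, with a brcmf_err() and skip, would be safer.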
-- 
2.39.2


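The region layout described in the patch above ("a buffer of 256 random bytes ... immediately before NVRAM, suffixed by a footer containing a magic number and the buffer length"), as an added user-space example that is not brcmfmac code: it writes the seed and footer below a chosen NVRAM address in a buffer standing in for the device's TCM, then parses the region back the way a consumer of that layout would. The consumer-side parser is an assumption (the page only shows the host writing the region), the checks against the end of the firmware image and the little-endian helpers are this example's own, and the seed bytes are a constructed pattern standing in for get_random_bytes() so the results are deterministic.

```c
/* Added example (user-space, not brcmfmac code): lays out the
 * "[random seed][footer][NVRAM]" region from the pcie.c hunk in a buffer
 * standing in for device TCM and parses it back. The consumer-side parser,
 * the firmware-end bound and the LE helpers are this example's own; the
 * seed is a constructed byte pattern standing in for get_random_bytes(). */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BRCMF_RANDOM_SEED_MAGIC   0xfeedc0deu
#define BRCMF_RANDOM_SEED_LENGTH  0x100u
#define SEED_FOOTER_LEN           8u   /* __le32 length, __le32 magic */

static void put_le32(uint8_t *p, uint32_t v)
{
	p[0] = (uint8_t)v;          p[1] = (uint8_t)(v >> 8);
	p[2] = (uint8_t)(v >> 16);  p[3] = (uint8_t)(v >> 24);
}

static uint32_t get_le32(const uint8_t *p)
{
	return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
	       (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Host side, mirroring the hunk: footer directly below nvram_addr, seed
 * directly below the footer. fw_end is the first byte after the firmware
 * image; the region must fit between it and NVRAM (a check the driver does
 * not make). Returns the seed address, or 0 on a layout error. */
uint32_t seed_region_write(uint8_t *tcm, size_t tcm_len, uint32_t fw_end,
			   uint32_t nvram_addr, const uint8_t *seed, uint32_t seed_len)
{
	uint32_t need = seed_len + SEED_FOOTER_LEN;
	uint32_t addr;

	if (nvram_addr > tcm_len || need > nvram_addr || nvram_addr - need < fw_end)
		return 0;
	addr = nvram_addr - SEED_FOOTER_LEN;
	put_le32(tcm + addr, seed_len);                    /* footer.length */
	put_le32(tcm + addr + 4, BRCMF_RANDOM_SEED_MAGIC); /* footer.magic  */
	addr -= seed_len;
	memcpy(tcm + addr, seed, seed_len);
	return addr;
}

/* Consumer side (assumed behaviour): walk back from nvram_addr, check the
 * magic before trusting the length, and refuse a length that would reach
 * below the firmware image. Returns the seed address and length, or 0. */
uint32_t seed_region_find(const uint8_t *tcm, size_t tcm_len, uint32_t fw_end,
			  uint32_t nvram_addr, uint32_t *seed_len)
{
	uint32_t faddr, len;

	if (nvram_addr < SEED_FOOTER_LEN || nvram_addr > tcm_len)
		return 0;
	faddr = nvram_addr - SEED_FOOTER_LEN;
	if (get_le32(tcm + faddr + 4) != BRCMF_RANDOM_SEED_MAGIC)
		return 0;
	len = get_le32(tcm + faddr);
	if (len == 0 || len > faddr || faddr - len < fw_end)
		return 0;
	*seed_len = len;
	return faddr - len;
}

/* Constructed 4 KiB "TCM": firmware ends at 0x400, NVRAM starts at 0x800. */
static uint8_t demo_tcm[4096];

/* Write then read back; returns the seed address (0x800 - 8 - 0x100 = 0x6f8)
 * when the round trip is consistent, 0 otherwise. */
uint32_t seed_demo_roundtrip(void)
{
	uint8_t seed[BRCMF_RANDOM_SEED_LENGTH];
	uint32_t i, len = 0, wrote, found;

	for (i = 0; i < sizeof(seed); i++)
		seed[i] = (uint8_t)(i * 7 + 3);   /* constructed, not random */
	memset(demo_tcm, 0, sizeof(demo_tcm));
	wrote = seed_region_write(demo_tcm, sizeof(demo_tcm), 0x400, 0x800, seed, sizeof(seed));
	found = seed_region_find(demo_tcm, sizeof(demo_tcm), 0x400, 0x800, &len);
	if (!wrote || wrote != found || len != sizeof(seed) ||
	    memcmp(demo_tcm + found, seed, len) != 0)
		return 0;
	return found;
}

/* Firmware ending at 0x700 leaves only 0x100 bytes below NVRAM, not enough
 * for seed + footer: the write must be refused (returns 0). */
uint32_t seed_demo_overlap_rejected(void)
{
	uint8_t seed[BRCMF_RANDOM_SEED_LENGTH] = { 0 };

	return seed_region_write(demo_tcm, sizeof(demo_tcm), 0x700, 0x800, seed, sizeof(seed));
}

/* Flip a byte of the magic: the consumer must ignore the length field and
 * report no seed (returns 0). */
uint32_t seed_demo_bad_magic_rejected(void)
{
	uint32_t len = 0;

	if (!seed_demo_roundtrip())
		return 1;
	demo_tcm[0x800 - 1] ^= 0xff;
	return seed_region_find(demo_tcm, sizeof(demo_tcm), 0x400, 0x800, &len);
}
```

The two rejection cases are the ones the kernel hunk leaves to luck: the host-side write refuses a gap that would overwrite the tail of the firmware image, and the consumer-side parse checks the magic before it believes the length field.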

* [PATCH AUTOSEL 6.3 06/59] wifi: brcmfmac: cfg80211: Pass the PMK in binary instead of hex
From: Sasha Levin @ 2023-05-04 19:40 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Hector Martin, Linus Walleij, Arend van Spriel, Kalle Valo,
	Sasha Levin, aspriel, franky.lin, hante.meuleman, davem, edumazet,
	kuba, pabeni, ian.lin, chi-hsien.lin, wright.feng, wataru.gohda,
	prasanna.kerekoppa, ramesh.rangavittal, linux-wireless,
	brcm80211-dev-list.pdl, SHA-cyfmac-dev-list, netdev

From: Hector Martin <marcan@marcan.st>

[ Upstream commit 89b89e52153fda2733562776c7c9d9d3ebf8dd6d ]

Apparently the hex passphrase mechanism does not work on newer
chips/firmware (e.g. BCM4387). It seems there was a simple way of
passing it in binary all along, so use that and avoid the hexification.

OpenBSD has been doing it like this from the beginning, so this should
work on all chips.

Also clear the structure before setting the PMK. This was leaking
uninitialized stack contents to the device.

Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Hector Martin <marcan@marcan.st>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20230214092423.15175-6-marcan@marcan.st
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 .../wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
index a9690ec4c850c..044dca23744e9 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
@@ -1617,13 +1617,14 @@ static int brcmf_set_pmk(struct brcmf_if *ifp, const u8 *pmk_data, u16 pmk_len)
 {
 	struct brcmf_pub *drvr = ifp->drvr;
 	struct brcmf_wsec_pmk_le pmk;
-	int i, err;
+	int err;
+
+	memset(&pmk, 0, sizeof(pmk));
 
-	/* convert to firmware key format */
-	pmk.key_len = cpu_to_le16(pmk_len << 1);
-	pmk.flags = cpu_to_le16(BRCMF_WSEC_PASSPHRASE);
-	for (i = 0; i < pmk_len; i++)
-		snprintf(&pmk.key[2 * i], 3, "%02x", pmk_data[i]);
+	/* pass pmk directly */
+	pmk.key_len = cpu_to_le16(pmk_len);
+	pmk.flags = cpu_to_le16(0);
+	memcpy(pmk.key, pmk_data, pmk_len);
 
 	/* store psk in firmware */
 	err = brcmf_fil_cmd_data_set(ifp, BRCMF_C_SET_WSEC_PMK,
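Review bot: memcpy(pmk.key, pmk_data, pmk_len) has no check in this hunk that pmk_len <= sizeof(pmk.key); the old hex path wrote 2 * pmk_len so the new copy is strictly tighter, but since key_len is now passed straight to the firmware, an explicit `if (pmk_len > sizeof(pmk.key)) return -EINVAL;` before the copy would document the bound. The memset() is the right fix for the uninitialised stack bytes the old code shipped to the device; a short comment that the whole structure goes to the firmware verbatim, padding included, would explain why it is needed.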
-- 
2.39.2



* [PATCH AUTOSEL 6.3 07/59] wifi: brcmfmac: pcie: Add IDs/properties for BCM4387
From: Sasha Levin @ 2023-05-04 19:40 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Hector Martin, Linus Walleij, Arend van Spriel, Kalle Valo,
	Sasha Levin, aspriel, franky.lin, hante.meuleman, davem, edumazet,
	kuba, pabeni, ian.lin, alep, marex, rmk+kernel, wright.feng,
	linux-wireless, brcm80211-dev-list.pdl, SHA-cyfmac-dev-list,
	netdev

From: Hector Martin <marcan@marcan.st>

[ Upstream commit 117ace4014cce3fb78b40eb8028bb0f4fc37dd6f ]

This chip is present on Apple M1 Pro/Max (t600x) platforms:

* maldives   (apple,j314s): MacBook Pro (14-inch, M1 Pro, 2021)
* maldives   (apple,j314c): MacBook Pro (14-inch, M1 Max, 2021)
* madagascar (apple,j316s): MacBook Pro (16-inch, M1 Pro, 2021)
* madagascar (apple,j316c): MacBook Pro (16-inch, M1 Max, 2021)

Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Hector Martin <marcan@marcan.st>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20230214092423.15175-7-marcan@marcan.st
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c   | 2 ++
 drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c   | 8 ++++++++
 .../net/wireless/broadcom/brcm80211/include/brcm_hw_ids.h | 2 ++
 3 files changed, 12 insertions(+)

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c
index 8073f31be27d9..9cdbd8d438439 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c
@@ -737,6 +737,8 @@ static u32 brcmf_chip_tcm_rambase(struct brcmf_chip_priv *ci)
 		return 0x170000;
 	case BRCM_CC_4378_CHIP_ID:
 		return 0x352000;
+	case BRCM_CC_4387_CHIP_ID:
+		return 0x740000;
 	default:
 		brcmf_err("unknown chip: %s\n", ci->pub.name);
 		break;
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
index 2835ef4edb18f..d2dad5414f396 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
@@ -67,6 +67,7 @@ BRCMF_FW_DEF(4366C, "brcmfmac4366c-pcie");
 BRCMF_FW_DEF(4371, "brcmfmac4371-pcie");
 BRCMF_FW_CLM_DEF(4377B3, "brcmfmac4377b3-pcie");
 BRCMF_FW_CLM_DEF(4378B1, "brcmfmac4378b1-pcie");
+BRCMF_FW_CLM_DEF(4387C2, "brcmfmac4387c2-pcie");
 
 /* firmware config files */
 MODULE_FIRMWARE(BRCMF_FW_DEFAULT_PATH "brcmfmac*-pcie.txt");
@@ -101,6 +102,7 @@ static const struct brcmf_firmware_mapping brcmf_pcie_fwnames[] = {
 	BRCMF_FW_ENTRY(BRCM_CC_4371_CHIP_ID, 0xFFFFFFFF, 4371),
 	BRCMF_FW_ENTRY(BRCM_CC_4377_CHIP_ID, 0xFFFFFFFF, 4377B3), /* revision ID 4 */
 	BRCMF_FW_ENTRY(BRCM_CC_4378_CHIP_ID, 0xFFFFFFFF, 4378B1), /* revision ID 3 */
+	BRCMF_FW_ENTRY(BRCM_CC_4387_CHIP_ID, 0xFFFFFFFF, 4387C2), /* revision ID 7 */
 };
 
 #define BRCMF_PCIE_FW_UP_TIMEOUT		5000 /* msec */
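Review bot: the comment says "revision ID 7" but the mask is 0xFFFFFFFF, so every 4387 revision is mapped to the 4387c2 firmware; that matches the 4377/4378 entries above it, but if other revisions exist and need different firmware the comment should say this is the only revision currently supported rather than implying a match on it.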
@@ -2048,6 +2050,11 @@ static int brcmf_pcie_read_otp(struct brcmf_pciedev_info *devinfo)
 		base = 0x1120;
 		words = 0x170;
 		break;
+	case BRCM_CC_4387_CHIP_ID:
+		coreid = BCMA_CORE_GCI;
+		base = 0x113c;
+		words = 0x170;
+		break;
 	default:
 		/* OTP not supported on this chip */
 		return 0;
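Review bot: base 0x113c and words 0x170 are bare magic numbers, like the 4378 entry above them; a comment on how the GCI OTP window for this chip was determined would let the next chip addition be verified instead of copied.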
@@ -2662,6 +2669,7 @@ static const struct pci_device_id brcmf_pcie_devid_table[] = {
 	BRCMF_PCIE_DEVICE(BRCM_PCIE_43596_DEVICE_ID, CYW),
 	BRCMF_PCIE_DEVICE(BRCM_PCIE_4377_DEVICE_ID, WCC),
 	BRCMF_PCIE_DEVICE(BRCM_PCIE_4378_DEVICE_ID, WCC),
+	BRCMF_PCIE_DEVICE(BRCM_PCIE_4387_DEVICE_ID, WCC),
 
 	{ /* end: all zeroes */ }
 };
diff --git a/drivers/net/wireless/broadcom/brcm80211/include/brcm_hw_ids.h b/drivers/net/wireless/broadcom/brcm80211/include/brcm_hw_ids.h
index 896615f579522..44684bf1b9acc 100644
--- a/drivers/net/wireless/broadcom/brcm80211/include/brcm_hw_ids.h
+++ b/drivers/net/wireless/broadcom/brcm80211/include/brcm_hw_ids.h
@@ -54,6 +54,7 @@
 #define BRCM_CC_4371_CHIP_ID		0x4371
 #define BRCM_CC_4377_CHIP_ID		0x4377
 #define BRCM_CC_4378_CHIP_ID		0x4378
+#define BRCM_CC_4387_CHIP_ID		0x4387
 #define CY_CC_4373_CHIP_ID		0x4373
 #define CY_CC_43012_CHIP_ID		43012
 #define CY_CC_43439_CHIP_ID		43439
@@ -95,6 +96,7 @@
 #define BRCM_PCIE_43596_DEVICE_ID	0x4415
 #define BRCM_PCIE_4377_DEVICE_ID	0x4488
 #define BRCM_PCIE_4378_DEVICE_ID	0x4425
+#define BRCM_PCIE_4387_DEVICE_ID	0x4433
 
 /* brcmsmac IDs */
 #define BCM4313_D11N2G_ID	0x4727	/* 4313 802.11n 2.4G device */
-- 
2.39.2



* [PATCH AUTOSEL 6.3 12/59] wifi: rtw88: fix memory leak in rtw_usb_probe()
From: Sasha Levin @ 2023-05-04 19:40 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Dongliang Mu, Ping-Ke Shih, Kalle Valo, Sasha Levin, tony0620emma,
	davem, edumazet, kuba, pabeni, linux-wireless, netdev

From: Dongliang Mu <dzm91@hust.edu.cn>

[ Upstream commit 48181d285623198c33bb9698992502687b258efa ]

drivers/net/wireless/realtek/rtw88/usb.c:876 rtw_usb_probe()
warn: 'hw' from ieee80211_alloc_hw() not released on lines: 811

Fix this by modifying return to a goto statement.

Signed-off-by: Dongliang Mu <dzm91@hust.edu.cn>
Reviewed-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20230309021636.528601-1-dzm91@hust.edu.cn
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/realtek/rtw88/usb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/realtek/rtw88/usb.c b/drivers/net/wireless/realtek/rtw88/usb.c
index 2a8336b1847a5..68e1b782d1992 100644
--- a/drivers/net/wireless/realtek/rtw88/usb.c
+++ b/drivers/net/wireless/realtek/rtw88/usb.c
@@ -808,7 +808,7 @@ int rtw_usb_probe(struct usb_interface *intf, const struct usb_device_id *id)
 
 	ret = rtw_usb_alloc_rx_bufs(rtwusb);
 	if (ret)
-		return ret;
+		goto err_release_hw;
 
 	ret = rtw_core_init(rtwdev);
 	if (ret)
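Review bot: the hunk shows only the jump; the err_release_hw label and what it frees are outside it, so the reviewer has to confirm that (a) it calls ieee80211_free_hw() on the hw from ieee80211_alloc_hw(), as the smatch report asks, and (b) rtw_usb_alloc_rx_bufs() cleans up after itself on failure, since nothing here frees partially allocated rx buffers. A sentence in the commit message naming the label's cleanup would make the fix self-evident.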
-- 
2.39.2



* [PATCH AUTOSEL 6.3 13/59] wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies()
From: Sasha Levin @ 2023-05-04 19:40 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Jisoo Jang, Arend van Spriel, Kalle Valo, Sasha Levin, aspriel,
	franky.lin, hante.meuleman, davem, edumazet, kuba, pabeni,
	chi-hsien.lin, ian.lin, johannes.berg, wright.feng, marcan,
	ramesh.rangavittal, hdegoede, prasanna.kerekoppa, linux-wireless,
	brcm80211-dev-list.pdl, SHA-cyfmac-dev-list, netdev

From: Jisoo Jang <jisoo.jang@yonsei.ac.kr>

[ Upstream commit 0da40e018fd034d87c9460123fa7f897b69fdee7 ]

Fix a slab-out-of-bounds read that occurs in kmemdup() called from
brcmf_get_assoc_ies().
The bug could occur when assoc_info->req_len, data from a URB provided
by a USB device, is bigger than the size of the buffer, which is defined as
WL_EXTRA_BUF_MAX.

Add a size check for req_len/resp_len of assoc_info.

Found by a modified version of syzkaller.

[   46.592467][    T7] ==================================================================
[   46.594687][    T7] BUG: KASAN: slab-out-of-bounds in kmemdup+0x3e/0x50
[   46.596572][    T7] Read of size 3014656 at addr ffff888019442000 by task kworker/0:1/7
[   46.598575][    T7]
[   46.599157][    T7] CPU: 0 PID: 7 Comm: kworker/0:1 Tainted: G           O      5.14.0+ #145
[   46.601333][    T7] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
[   46.604360][    T7] Workqueue: events brcmf_fweh_event_worker
[   46.605943][    T7] Call Trace:
[   46.606584][    T7]  dump_stack_lvl+0x8e/0xd1
[   46.607446][    T7]  print_address_description.constprop.0.cold+0x93/0x334
[   46.608610][    T7]  ? kmemdup+0x3e/0x50
[   46.609341][    T7]  kasan_report.cold+0x79/0xd5
[   46.610151][    T7]  ? kmemdup+0x3e/0x50
[   46.610796][    T7]  kasan_check_range+0x14e/0x1b0
[   46.611691][    T7]  memcpy+0x20/0x60
[   46.612323][    T7]  kmemdup+0x3e/0x50
[   46.612987][    T7]  brcmf_get_assoc_ies+0x967/0xf60
[   46.613904][    T7]  ? brcmf_notify_vif_event+0x3d0/0x3d0
[   46.614831][    T7]  ? lock_chain_count+0x20/0x20
[   46.615683][    T7]  ? mark_lock.part.0+0xfc/0x2770
[   46.616552][    T7]  ? lock_chain_count+0x20/0x20
[   46.617409][    T7]  ? mark_lock.part.0+0xfc/0x2770
[   46.618244][    T7]  ? lock_chain_count+0x20/0x20
[   46.619024][    T7]  brcmf_bss_connect_done.constprop.0+0x241/0x2e0
[   46.620019][    T7]  ? brcmf_parse_configure_security.isra.0+0x2a0/0x2a0
[   46.620818][    T7]  ? __lock_acquire+0x181f/0x5790
[   46.621462][    T7]  brcmf_notify_connect_status+0x448/0x1950
[   46.622134][    T7]  ? rcu_read_lock_bh_held+0xb0/0xb0
[   46.622736][    T7]  ? brcmf_cfg80211_join_ibss+0x7b0/0x7b0
[   46.623390][    T7]  ? find_held_lock+0x2d/0x110
[   46.623962][    T7]  ? brcmf_fweh_event_worker+0x19f/0xc60
[   46.624603][    T7]  ? mark_held_locks+0x9f/0xe0
[   46.625145][    T7]  ? lockdep_hardirqs_on_prepare+0x3e0/0x3e0
[   46.625871][    T7]  ? brcmf_cfg80211_join_ibss+0x7b0/0x7b0
[   46.626545][    T7]  brcmf_fweh_call_event_handler.isra.0+0x90/0x100
[   46.627338][    T7]  brcmf_fweh_event_worker+0x557/0xc60
[   46.627962][    T7]  ? brcmf_fweh_call_event_handler.isra.0+0x100/0x100
[   46.628736][    T7]  ? rcu_read_lock_sched_held+0xa1/0xd0
[   46.629396][    T7]  ? rcu_read_lock_bh_held+0xb0/0xb0
[   46.629970][    T7]  ? lockdep_hardirqs_on_prepare+0x273/0x3e0
[   46.630649][    T7]  process_one_work+0x92b/0x1460
[   46.631205][    T7]  ? pwq_dec_nr_in_flight+0x330/0x330
[   46.631821][    T7]  ? rwlock_bug.part.0+0x90/0x90
[   46.632347][    T7]  worker_thread+0x95/0xe00
[   46.632832][    T7]  ? __kthread_parkme+0x115/0x1e0
[   46.633393][    T7]  ? process_one_work+0x1460/0x1460
[   46.633957][    T7]  kthread+0x3a1/0x480
[   46.634369][    T7]  ? set_kthread_struct+0x120/0x120
[   46.634933][    T7]  ret_from_fork+0x1f/0x30
[   46.635431][    T7]
[   46.635687][    T7] Allocated by task 7:
[   46.636151][    T7]  kasan_save_stack+0x1b/0x40
[   46.636628][    T7]  __kasan_kmalloc+0x7c/0x90
[   46.637108][    T7]  kmem_cache_alloc_trace+0x19e/0x330
[   46.637696][    T7]  brcmf_cfg80211_attach+0x4a0/0x4040
[   46.638275][    T7]  brcmf_attach+0x389/0xd40
[   46.638739][    T7]  brcmf_usb_probe+0x12de/0x1690
[   46.639279][    T7]  usb_probe_interface+0x2aa/0x760
[   46.639820][    T7]  really_probe+0x205/0xb70
[   46.640342][    T7]  __driver_probe_device+0x311/0x4b0
[   46.640876][    T7]  driver_probe_device+0x4e/0x150
[   46.641445][    T7]  __device_attach_driver+0x1cc/0x2a0
[   46.642000][    T7]  bus_for_each_drv+0x156/0x1d0
[   46.642543][    T7]  __device_attach+0x23f/0x3a0
[   46.643065][    T7]  bus_probe_device+0x1da/0x290
[   46.643644][    T7]  device_add+0xb7b/0x1eb0
[   46.644130][    T7]  usb_set_configuration+0xf59/0x16f0
[   46.644720][    T7]  usb_generic_driver_probe+0x82/0xa0
[   46.645295][    T7]  usb_probe_device+0xbb/0x250
[   46.645786][    T7]  really_probe+0x205/0xb70
[   46.646258][    T7]  __driver_probe_device+0x311/0x4b0
[   46.646804][    T7]  driver_probe_device+0x4e/0x150
[   46.647387][    T7]  __device_attach_driver+0x1cc/0x2a0
[   46.647926][    T7]  bus_for_each_drv+0x156/0x1d0
[   46.648454][    T7]  __device_attach+0x23f/0x3a0
[   46.648939][    T7]  bus_probe_device+0x1da/0x290
[   46.649478][    T7]  device_add+0xb7b/0x1eb0
[   46.649936][    T7]  usb_new_device.cold+0x49c/0x1029
[   46.650526][    T7]  hub_event+0x1c98/0x3950
[   46.650975][    T7]  process_one_work+0x92b/0x1460
[   46.651535][    T7]  worker_thread+0x95/0xe00
[   46.651991][    T7]  kthread+0x3a1/0x480
[   46.652413][    T7]  ret_from_fork+0x1f/0x30
[   46.652885][    T7]
[   46.653131][    T7] The buggy address belongs to the object at ffff888019442000
[   46.653131][    T7]  which belongs to the cache kmalloc-2k of size 2048
[   46.654669][    T7] The buggy address is located 0 bytes inside of
[   46.654669][    T7]  2048-byte region [ffff888019442000, ffff888019442800)
[   46.656137][    T7] The buggy address belongs to the page:
[   46.656720][    T7] page:ffffea0000651000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x19440
[   46.657792][    T7] head:ffffea0000651000 order:3 compound_mapcount:0 compound_pincount:0
[   46.658673][    T7] flags: 0x100000000010200(slab|head|node=0|zone=1)
[   46.659422][    T7] raw: 0100000000010200 0000000000000000 dead000000000122 ffff888100042000
[   46.660363][    T7] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[   46.661236][    T7] page dumped because: kasan: bad access detected
[   46.661956][    T7] page_owner tracks the page as allocated
[   46.662588][    T7] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 7, ts 31136961085, free_ts 0
[   46.664271][    T7]  prep_new_page+0x1aa/0x240
[   46.664763][    T7]  get_page_from_freelist+0x159a/0x27c0
[   46.665340][    T7]  __alloc_pages+0x2da/0x6a0
[   46.665847][    T7]  alloc_pages+0xec/0x1e0
[   46.666308][    T7]  allocate_slab+0x380/0x4e0
[   46.666770][    T7]  ___slab_alloc+0x5bc/0x940
[   46.667264][    T7]  __slab_alloc+0x6d/0x80
[   46.667712][    T7]  kmem_cache_alloc_trace+0x30a/0x330
[   46.668299][    T7]  brcmf_usbdev_qinit.constprop.0+0x50/0x470
[   46.668885][    T7]  brcmf_usb_probe+0xc97/0x1690
[   46.669438][    T7]  usb_probe_interface+0x2aa/0x760
[   46.669988][    T7]  really_probe+0x205/0xb70
[   46.670487][    T7]  __driver_probe_device+0x311/0x4b0
[   46.671031][    T7]  driver_probe_device+0x4e/0x150
[   46.671604][    T7]  __device_attach_driver+0x1cc/0x2a0
[   46.672192][    T7]  bus_for_each_drv+0x156/0x1d0
[   46.672739][    T7] page_owner free stack trace missing
[   46.673335][    T7]
[   46.673620][    T7] Memory state around the buggy address:
[   46.674213][    T7]  ffff888019442700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   46.675083][    T7]  ffff888019442780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   46.675994][    T7] >ffff888019442800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   46.676875][    T7]                    ^
[   46.677323][    T7]  ffff888019442880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   46.678190][    T7]  ffff888019442900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   46.679052][    T7] ==================================================================
[   46.679945][    T7] Disabling lock debugging due to kernel taint
[   46.680725][    T7] Kernel panic - not syncing:

Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Jisoo Jang <jisoo.jang@yonsei.ac.kr>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20230309104457.22628-1-jisoo.jang@yonsei.ac.kr
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
index 044dca23744e9..af97449734a5f 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
@@ -6165,6 +6165,11 @@ static s32 brcmf_get_assoc_ies(struct brcmf_cfg80211_info *cfg,
 		(struct brcmf_cfg80211_assoc_ielen_le *)cfg->extra_buf;
 	req_len = le32_to_cpu(assoc_info->req_len);
 	resp_len = le32_to_cpu(assoc_info->resp_len);
+	if (req_len > WL_EXTRA_BUF_MAX || resp_len > WL_EXTRA_BUF_MAX) {
+		bphy_err(drvr, "invalid lengths in assoc info: req %u resp %u\n",
+			 req_len, resp_len);
+		return -EINVAL;
+	}
 	if (req_len) {
 		err = brcmf_fil_iovar_data_get(ifp, "assoc_req_ies",
 					       cfg->extra_buf,
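Review bot: the bound check sits after both device-supplied lengths are read and before either is used as a size, which is the right place for it; the bphy_err text would be more useful for triage if it also printed the limit they were compared against, e.g. "invalid lengths in assoc info: req %u resp %u (max %u)\n" with WL_EXTRA_BUF_MAX as the extra argument, since %u for the u32 lengths is already correct and the message otherwise gives no hint of what "invalid" means.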
-- 
2.39.2



* [PATCH AUTOSEL 6.3 16/59] wifi: ath12k: fix memory leak in ath12k_qmi_driver_event_work()
From: Sasha Levin @ 2023-05-04 19:40 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Rajat Soni, Kalle Valo, Sasha Levin, kvalo, davem, edumazet, kuba,
	pabeni, ath12k, linux-wireless, netdev

From: Rajat Soni <quic_rajson@quicinc.com>

[ Upstream commit 960412bee0ea75f6b3c2dca4a3535795ee84c47a ]

Currently the buffer pointed to by event is not freed in case the
ATH12K_FLAG_UNREGISTERING bit is set; this causes a memory leak.

Add a goto skip instead of return, to ensure event and all the
list entries are freed properly.

Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1

Signed-off-by: Rajat Soni <quic_rajson@quicinc.com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20230315090632.15065-1-quic_rajson@quicinc.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/ath/ath12k/qmi.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/ath/ath12k/qmi.c b/drivers/net/wireless/ath/ath12k/qmi.c
index 979a63f2e2ab8..03ba245fbee92 100644
--- a/drivers/net/wireless/ath/ath12k/qmi.c
+++ b/drivers/net/wireless/ath/ath12k/qmi.c
@@ -2991,7 +2991,7 @@ static void ath12k_qmi_driver_event_work(struct work_struct *work)
 		spin_unlock(&qmi->event_lock);
 
 		if (test_bit(ATH12K_FLAG_UNREGISTERING, &ab->dev_flags))
-			return;
+			goto skip;
 
 		switch (event->type) {
 		case ATH12K_QMI_EVENT_SERVER_ARRIVE:
@@ -3032,6 +3032,8 @@ static void ath12k_qmi_driver_event_work(struct work_struct *work)
 			ath12k_warn(ab, "invalid event type: %d", event->type);
 			break;
 		}
+
+skip:
 		kfree(event);
 		spin_lock(&qmi->event_lock);
 	}
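Review bot: the skip: label lands before kfree(event) and the re-lock, so the unregistering path now frees the current event and keeps draining the list instead of leaving entries behind, which matches the commit message; a short comment at the label (e.g. "/* drop events while unregistering */") would make the intentional skip clear to future readers, since an unlabeled goto target next to kfree() reads like an error path.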
-- 
2.39.2



* [PATCH AUTOSEL 6.3 35/59] wifi: iwlwifi: pcie: fix possible NULL pointer dereference
From: Sasha Levin @ 2023-05-04 19:41 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Daniel Gabay, Gregory Greenman, Johannes Berg, Sasha Levin, kvalo,
	davem, edumazet, kuba, pabeni, mukesh.sisodiya, golan.ben.ami,
	yaara.baruch, linux-wireless, netdev

From: Daniel Gabay <daniel.gabay@intel.com>

[ Upstream commit b655b9a9f8467684cfa8906713d33b71ea8c8f54 ]

It is possible that iwl_pci_probe() will fail and free the trans,
and then afterwards iwl_pci_remove() will be called and crash by trying
to access trans, which is already freed. Fix it.

iwlwifi 0000:01:00.0: Detected crf-id 0xa5a5a5a2, cnv-id 0xa5a5a5a2
		      wfpm id 0xa5a5a5a2
iwlwifi 0000:01:00.0: Can't find a correct rfid for crf id 0x5a2
...
BUG: kernel NULL pointer dereference, address: 0000000000000028
...
RIP: 0010:iwl_pci_remove+0x12/0x30 [iwlwifi]
pci_device_remove+0x3e/0xb0
device_release_driver_internal+0x103/0x1f0
driver_detach+0x4c/0x90
bus_remove_driver+0x5c/0xd0
driver_unregister+0x31/0x50
pci_unregister_driver+0x40/0x90
iwl_pci_unregister_driver+0x15/0x20 [iwlwifi]
__exit_compat+0x9/0x98 [iwlwifi]
__x64_sys_delete_module+0x147/0x260

Signed-off-by: Daniel Gabay <daniel.gabay@intel.com>
Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20230413213309.082f6e21341b.I0db21d7fa9a828d571ca886713bd0b5d0b6e1e5c@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
index 99768d6a60322..49e8a27ecce54 100644
--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
+++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
@@ -1699,6 +1699,9 @@ static void iwl_pci_remove(struct pci_dev *pdev)
 {
 	struct iwl_trans *trans = pci_get_drvdata(pdev);
 
+	if (!trans)
+		return;
+
 	iwl_drv_stop(trans->drv);
 
 	iwl_trans_pcie_free(trans);
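Review bot: the NULL test only helps if iwl_pci_probe()'s failure path actually resets the device's drvdata to NULL after freeing the trans; the lines here show the check but not that reset, and if probe leaves the stale pointer in place pci_get_drvdata() returns the freed trans and the use-after-free described in the commit message persists. The commit message should name where drvdata is cleared (or the same series should add a pci_set_drvdata(pdev, NULL) on the probe error path) so the two halves can be reviewed together.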
-- 
2.39.2



* [PATCH AUTOSEL 6.3 36/59] wifi: iwlwifi: add a new PCI device ID for BZ device
From: Sasha Levin @ 2023-05-04 19:41 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Mukesh Sisodiya, Gregory Greenman, Johannes Berg, Sasha Levin,
	kvalo, davem, edumazet, kuba, pabeni, daniel.gabay, yaara.baruch,
	golan.ben.ami, linux-wireless, netdev

From: Mukesh Sisodiya <mukesh.sisodiya@intel.com>

[ Upstream commit c30a2a64788b3d617a9c5d96adb76c68b0862e5f ]

Add support for a new PCI device ID 0x272b once registering with PCIe.

Signed-off-by: Mukesh Sisodiya <mukesh.sisodiya@intel.com>
Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20230414130637.56342664110d.I5aa6f2858fdcf69fdea4f1a873115a48bd43764e@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
index 49e8a27ecce54..26e5ef944ecb9 100644
--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
+++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
@@ -504,6 +504,7 @@ static const struct pci_device_id iwl_hw_card_ids[] = {
 
 /* Bz devices */
 	{IWL_PCI_DEVICE(0x2727, PCI_ANY_ID, iwl_bz_trans_cfg)},
+	{IWL_PCI_DEVICE(0x272b, PCI_ANY_ID, iwl_bz_trans_cfg)},
 	{IWL_PCI_DEVICE(0xA840, PCI_ANY_ID, iwl_bz_trans_cfg)},
 	{IWL_PCI_DEVICE(0x7740, PCI_ANY_ID, iwl_bz_trans_cfg)},
 #endif /* CONFIG_IWLMVM */
-- 
2.39.2



* [PATCH AUTOSEL 6.3 37/59] wifi: iwlwifi: pcie: Fix integer overflow in iwl_write_to_user_buf
From: Sasha Levin @ 2023-05-04 19:41 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Hyunwoo Kim, Gregory Greenman, Johannes Berg, Sasha Levin, kvalo,
	davem, edumazet, kuba, pabeni, avraham.stern, emmanuel.grumbach,
	linux-wireless, netdev

From: Hyunwoo Kim <imv4bel@gmail.com>

[ Upstream commit 58d1b717879bfeabe09b35e41ad667c79933eb2e ]

An integer overflow occurs in the iwl_write_to_user_buf() function,
which is called by the iwl_dbgfs_monitor_data_read() function.

static bool iwl_write_to_user_buf(char __user *user_buf, ssize_t count,
				  void *buf, ssize_t *size,
				  ssize_t *bytes_copied)
{
	int buf_size_left = count - *bytes_copied;

	buf_size_left = buf_size_left - (buf_size_left % sizeof(u32));
	if (*size > buf_size_left)
		*size = buf_size_left;

If the user passes a SIZE_MAX value to the "ssize_t count" parameter,
the ssize_t count parameter is assigned to "int buf_size_left".
Then compare "*size" with "buf_size_left". Here, "buf_size_left" is a
negative number, so "*size" is assigned "buf_size_left" and goes into
the third argument of the copy_to_user function, causing a heap overflow.

This is not a security vulnerability because iwl_dbgfs_monitor_data_read()
is a debugfs operation with 0400 privileges.

Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20230414130637.2d80ace81532.Iecfba549e0e0be21bbb0324675392e42e75bd5ad@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
index 0a9af1ad1f206..6d5d0d40477a6 100644
--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
+++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
@@ -2863,7 +2863,7 @@ static bool iwl_write_to_user_buf(char __user *user_buf, ssize_t count,
 				  void *buf, ssize_t *size,
 				  ssize_t *bytes_copied)
 {
-	int buf_size_left = count - *bytes_copied;
+	ssize_t buf_size_left = count - *bytes_copied;
 
 	buf_size_left = buf_size_left - (buf_size_left % sizeof(u32));
 	if (*size > buf_size_left)
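Review bot: widening buf_size_left to ssize_t stops the truncation of count, but the next line's `buf_size_left % sizeof(u32)` still mixes a signed ssize_t with an unsigned size_t, so a negative remainder (count smaller than *bytes_copied, or a count of SIZE_MAX that becomes -1 as ssize_t) is converted to unsigned for the modulo and comes back negative, and `if (*size > buf_size_left)` then assigns that negative value to *size. Consider rejecting buf_size_left <= 0 up front (returning false, or zero bytes) rather than relying on the comparison alone.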
-- 
2.39.2
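
The truncation the commit message above describes, as an added user-space model rather than code from the iwlwifi patch: it reproduces the size clamp of iwl_write_to_user_buf() with the pre-fix int remainder, with the patched ssize_t remainder, and with a guarded variant that is this example's own suggestion, and it assumes a 64-bit build where ssize_t is wider than int.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>

typedef uint32_t u32;   /* kernel spelling, to keep the expression verbatim */

/* Pre-fix clamp (the '-' line of the hunk): the remaining space is stored in
 * an int. Once count - bytes_copied reaches 2^31 it no longer fits, the int
 * goes negative, and the "clamped" size that is returned is negative too. */
static ssize_t clamp_int(ssize_t count, ssize_t bytes_copied, ssize_t size)
{
	int buf_size_left = count - bytes_copied;

	buf_size_left = buf_size_left - (buf_size_left % sizeof(u32));
	if (size > buf_size_left)
		size = buf_size_left;
	return size;
}

/* Patched clamp (the '+' line of the hunk): ssize_t keeps a large count
 * intact. It still returns a negative size when bytes_copied exceeds count,
 * or when count is SIZE_MAX (which reads as -1 once it is an ssize_t). */
static ssize_t clamp_ssize(ssize_t count, ssize_t bytes_copied, ssize_t size)
{
	ssize_t buf_size_left = count - bytes_copied;

	buf_size_left = buf_size_left - (buf_size_left % sizeof(u32));
	if (size > buf_size_left)
		size = buf_size_left;
	return size;
}

/* Guarded clamp (this example's suggestion, not the driver's code): refuse a
 * non-positive remainder before it can become a copy length, do the modulo
 * in signed arithmetic, and never hand back a negative size. */
static ssize_t clamp_guarded(ssize_t count, ssize_t bytes_copied, ssize_t size)
{
	ssize_t buf_size_left;

	if (count <= 0 || bytes_copied < 0 || bytes_copied >= count)
		return 0;
	buf_size_left = count - bytes_copied;
	buf_size_left -= buf_size_left % (ssize_t)sizeof(u32);
	if (size > buf_size_left)
		size = buf_size_left;
	return size < 0 ? 0 : size;
}

/* Stand-in for the copy_to_user() sink: a negative size would be passed as a
 * huge size_t, so report whether the clamp output is a usable length. */
static int size_is_copyable(ssize_t size, size_t user_len)
{
	return size >= 0 && (size_t)size <= user_len;
}

int main(void)
{
	/* Constructed inputs: a 2 GiB count, SIZE_MAX read as ssize_t, a
	 * bytes_copied that has already run past count, and a normal case. */
	const ssize_t cases[][3] = {
		{ (ssize_t)0x80000000LL, 0, 16 },
		{ (ssize_t)-1,           0, 16 },
		{ 8,                    12, 16 },
		{ 30,                    0, 64 },
	};
	size_t i;

	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		ssize_t c = cases[i][0], b = cases[i][1], s = cases[i][2];

		printf("count=%zd copied=%zd size=%zd -> int:%zd ssize_t:%zd guarded:%zd\n",
		       c, b, s, clamp_int(c, b, s), clamp_ssize(c, b, s),
		       clamp_guarded(c, b, s));
	}
	return 0;
}
```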



* [PATCH AUTOSEL 6.3 38/59] wifi: iwlwifi: mvm: fix ptk_pn memory leak
From: Sasha Levin @ 2023-05-04 19:41 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Johannes Berg, Gregory Greenman, Sasha Levin, kvalo, davem,
	edumazet, kuba, pabeni, miriam.rachel.korenblit, linux-wireless,
	netdev

From: Johannes Berg <johannes.berg@intel.com>

[ Upstream commit d066a530af8e1833c7ea2cef7784004700c85f79 ]

If adding a key to firmware fails we leak the allocated ptk_pn.
This shouldn't happen in practice, but we should still fix it.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20230414130637.99446ffd02bc.I82a2ad6ec1395f188e0a1677cc619e3fcb1feac9@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
index b55b1b17f4d19..c0b5dc7bd76b1 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
@@ -3587,7 +3587,7 @@ static int __iwl_mvm_mac_set_key(struct ieee80211_hw *hw,
 	struct iwl_mvm_vif *mvmvif = iwl_mvm_vif_from_mac80211(vif);
 	struct iwl_mvm *mvm = IWL_MAC80211_GET_MVM(hw);
 	struct iwl_mvm_sta *mvmsta = NULL;
-	struct iwl_mvm_key_pn *ptk_pn;
+	struct iwl_mvm_key_pn *ptk_pn = NULL;
 	int keyidx = key->keyidx;
 	u32 sec_key_id = WIDE_ID(DATA_PATH_GROUP, SEC_KEY_CMD);
 	u8 sec_key_ver = iwl_fw_lookup_cmd_ver(mvm->fw, sec_key_id, 0);
@@ -3739,6 +3739,10 @@ static int __iwl_mvm_mac_set_key(struct ieee80211_hw *hw,
 		if (ret) {
 			IWL_WARN(mvm, "set key failed\n");
 			key->hw_key_idx = STA_KEY_IDX_INVALID;
+			if (ptk_pn) {
+				RCU_INIT_POINTER(mvmsta->ptk_pn[keyidx], NULL);
+				kfree(ptk_pn);
+			}
 			/*
 			 * can't add key for RX, but we don't need it
 			 * in the device for TX so still return 0,
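Review bot: kfree(ptk_pn) immediately after RCU_INIT_POINTER(mvmsta->ptk_pn[keyidx], NULL) is only safe if no RCU reader can have picked up the old pointer between the earlier publication of ptk_pn and this failure path; if the RX path may already be dereferencing mvmsta->ptk_pn[keyidx] for this station, this needs kfree_rcu() or a synchronize_rcu() before the kfree(). If the key is guaranteed not yet visible to RX at this point, a comment saying so would save the next reader the same question.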
-- 
2.39.2



* [PATCH AUTOSEL 6.3 40/59] wifi: ath11k: Ignore frags from uninitialized peer in dp.
From: Sasha Levin @ 2023-05-04 19:41 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Harshitha Prem, Nagarajan Maran, Kalle Valo, Sasha Levin, kvalo,
	davem, edumazet, kuba, pabeni, ath11k, linux-wireless, netdev

From: Harshitha Prem <quic_hprem@quicinc.com>

[ Upstream commit a06bfb3c9f69f303692cdae87bc0899d2ae8b2a6 ]

When max virtual ap interfaces are configured in all the bands with
ACS and hostapd restart is done every 60s, a crash is observed at
random times.
In this certain scenario, a fragmented packet is received for the
self peer, for which rx_tid and rx_frags are not initialized in the
datapath. While handling this fragment, a crash is observed because the
rx_frag list is uninitialised, and when we walk it in
ath11k_dp_rx_h_sort_frags, a NULL skb leads to an exception.

To address this, before processing received fragments we check
dp_setup_done flag is set to ensure that peer has completed its
dp peer setup for fragment queue, else ignore processing the
fragments.

Call trace:
  ath11k_dp_process_rx_err+0x550/0x1084 [ath11k]
  ath11k_dp_service_srng+0x70/0x370 [ath11k]
  0xffffffc009693a04
  __napi_poll+0x30/0xa4
  net_rx_action+0x118/0x270
  __do_softirq+0x10c/0x244
  irq_exit+0x64/0xb4
  __handle_domain_irq+0x88/0xac
  gic_handle_irq+0x74/0xbc
  el1_irq+0xf0/0x1c0
  arch_cpu_idle+0x10/0x18
  do_idle+0x104/0x248
  cpu_startup_entry+0x20/0x64
  rest_init+0xd0/0xdc
  arch_call_rest_init+0xc/0x14
  start_kernel+0x480/0x4b8
  Code: f9400281 f94066a2 91405021 b94a0023 (f9406401)

Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1

Signed-off-by: Harshitha Prem <quic_hprem@quicinc.com>
Signed-off-by: Nagarajan Maran <quic_nmaran@quicinc.com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20230403184155.8670-2-quic_nmaran@quicinc.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/ath/ath11k/dp.c    | 4 +++-
 drivers/net/wireless/ath/ath11k/dp_rx.c | 8 ++++++++
 drivers/net/wireless/ath/ath11k/peer.h  | 1 +
 3 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/ath/ath11k/dp.c b/drivers/net/wireless/ath/ath11k/dp.c
index f5156a7fbdd7a..d070bcb3fe247 100644
--- a/drivers/net/wireless/ath/ath11k/dp.c
+++ b/drivers/net/wireless/ath/ath11k/dp.c
@@ -36,6 +36,7 @@ void ath11k_dp_peer_cleanup(struct ath11k *ar, int vdev_id, const u8 *addr)
 	}
 
 	ath11k_peer_rx_tid_cleanup(ar, peer);
+	peer->dp_setup_done = false;
 	crypto_free_shash(peer->tfm_mmic);
 	spin_unlock_bh(&ab->base_lock);
 }
@@ -72,7 +73,8 @@ int ath11k_dp_peer_setup(struct ath11k *ar, int vdev_id, const u8 *addr)
 	ret = ath11k_peer_rx_frag_setup(ar, addr, vdev_id);
 	if (ret) {
 		ath11k_warn(ab, "failed to setup rx defrag context\n");
-		return ret;
+		tid--;
+		goto peer_clean;
 	}
 
 	/* TODO: Setup other peer specific resource used in data path */
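Review bot: the `tid--` before `goto peer_clean` is the subtle part of this hunk and deserves a one-line comment: it presumably steps back past the TID whose rx_frag setup failed so the cleanup loop at peer_clean does not tear down a TID that was never fully set up, but neither the hunk nor the commit message says so, and an off-by-one here would leak or double-free a TID context.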
diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c
index b65a84a882641..294c6fcfa1aa8 100644
--- a/drivers/net/wireless/ath/ath11k/dp_rx.c
+++ b/drivers/net/wireless/ath/ath11k/dp_rx.c
@@ -3138,6 +3138,7 @@ int ath11k_peer_rx_frag_setup(struct ath11k *ar, const u8 *peer_mac, int vdev_id
 	}
 
 	peer->tfm_mmic = tfm;
+	peer->dp_setup_done = true;
 	spin_unlock_bh(&ab->base_lock);
 
 	return 0;
@@ -3583,6 +3584,13 @@ static int ath11k_dp_rx_frag_h_mpdu(struct ath11k *ar,
 		ret = -ENOENT;
 		goto out_unlock;
 	}
+	if (!peer->dp_setup_done) {
+		ath11k_warn(ab, "The peer %pM [%d] has uninitialized datapath\n",
+			    peer->addr, peer_id);
+		ret = -ENOENT;
+		goto out_unlock;
+	}
+
 	rx_tid = &peer->rx_tid[tid];
 
 	if ((!skb_queue_empty(&rx_tid->rx_frags) && seqno != rx_tid->cur_sn) ||
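Review bot: the new dp_setup_done test is made under the same base_lock the setter in ath11k_peer_rx_frag_setup() uses, so the flag read is consistent; but ath11k_warn() here fires for every fragment that arrives before the peer's datapath setup completes, and a burst of such fragments from one peer would flood the log. A rate-limited or ath11k_dbg() message would be safer for a condition the commit describes as occurring during routine hostapd restarts.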
diff --git a/drivers/net/wireless/ath/ath11k/peer.h b/drivers/net/wireless/ath/ath11k/peer.h
index 6dd17bafe3a0c..9bd385d0a38c9 100644
--- a/drivers/net/wireless/ath/ath11k/peer.h
+++ b/drivers/net/wireless/ath/ath11k/peer.h
@@ -35,6 +35,7 @@ struct ath11k_peer {
 	u16 sec_type;
 	u16 sec_type_grp;
 	bool is_authorized;
+	bool dp_setup_done;
 };
 
 void ath11k_peer_unmap_event(struct ath11k_base *ab, u16 peer_id);
-- 
2.39.2



* [PATCH AUTOSEL 6.3 41/59] wifi: mt76: mt7921: add Netgear AXE3000 (A8000) support
From: Sasha Levin @ 2023-05-04 19:41 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Reese Russell, Felix Fietkau, Sasha Levin, lorenzo, ryder.lee,
	kvalo, davem, edumazet, kuba, pabeni, matthias.bgg, sean.wang,
	deren.wu, sridhar.samudrala, gch981213, greearb, linux-wireless,
	netdev, linux-arm-kernel, linux-mediatek

From: Reese Russell <git@qrsnap.io>

[ Upstream commit 03eb52dd78cab08f13925aeec8315fbdbcba3253 ]

Issue: Though the Netgear AXE3000 (A8000) is based on the mt7921
chipset, because of the unique USB VID:PID combination this device
does not initialize/register, thus making it not plug and play.

Fix: Adds support for the Netgear AXE3000 (A8000) based on the Mediatek
mt7921au chipset. The method of action is adding the USB VID/PID
pair to the mt7921u_device_table[] array.

Notes: A retail sample of the Netgear AXE3000 (A8000) yields the following
from lsusb: D 0846:9060 NetGear, Inc. Wireless_Device. This pair
0846:9060 VID:PID has been reported by other users on Github.

Signed-off-by: Reese Russell <git@qrsnap.io>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/mediatek/mt76/mt7921/usb.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/usb.c b/drivers/net/wireless/mediatek/mt76/mt7921/usb.c
index 8fef09ed29c91..a95ec388653c5 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7921/usb.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7921/usb.c
@@ -18,6 +18,9 @@ static const struct usb_device_id mt7921u_device_table[] = {
 	/* Comfast CF-952AX */
 	{ USB_DEVICE_AND_INTERFACE_INFO(0x3574, 0x6211, 0xff, 0xff, 0xff),
 		.driver_info = (kernel_ulong_t)MT7921_FIRMWARE_WM },
+	/* Netgear, Inc. [A8000,AXE3000] */
+	{ USB_DEVICE_AND_INTERFACE_INFO(0x0846, 0x9060, 0xff, 0xff, 0xff),
+		.driver_info = (kernel_ulong_t)MT7921_FIRMWARE_WM },
 	{ },
 };
 
-- 
2.39.2



* [PATCH AUTOSEL 6.3 42/59] wifi: iwlwifi: fix iwl_mvm_max_amsdu_size() for MLO
From: Sasha Levin @ 2023-05-04 19:41 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Johannes Berg, Gregory Greenman, Sasha Levin, kvalo, davem,
	edumazet, kuba, pabeni, ilan.peer, avraham.stern, shaul.triebitz,
	greearb, mordechay.goodstein, linux-wireless, netdev

From: Johannes Berg <johannes.berg@intel.com>

[ Upstream commit b2bc600cced23762d4e97db8989b18772145604f ]

For MLO, we cannot use vif->bss_conf.chandef.chan->band, since
that will lead to a NULL-ptr dereference as bss_conf isn't used.
However, in case of real MLO, we also need to take both LMACs
into account if they exist, since the station might be active
on both LMACs at the same time.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20230417113648.3588afc85d79.I11592893bbc191b9548518b8bd782de568a9f848@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 37 +++++++++++++++++++--
 1 file changed, 34 insertions(+), 3 deletions(-)

diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
index 9813d7fa18007..1c454392de0be 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
@@ -791,10 +791,11 @@ unsigned int iwl_mvm_max_amsdu_size(struct iwl_mvm *mvm,
 				    struct ieee80211_sta *sta, unsigned int tid)
 {
 	struct iwl_mvm_sta *mvmsta = iwl_mvm_sta_from_mac80211(sta);
-	enum nl80211_band band = mvmsta->vif->bss_conf.chandef.chan->band;
 	u8 ac = tid_to_mac80211_ac[tid];
+	enum nl80211_band band;
 	unsigned int txf;
-	int lmac = iwl_mvm_get_lmac_id(mvm->fw, band);
+	unsigned int val;
+	int lmac;
 
 	/* For HE redirect to trigger based fifos */
 	if (sta->deflink.he_cap.has_he && !WARN_ON(!iwl_mvm_has_new_tx_api(mvm)))
@@ -808,7 +809,37 @@ unsigned int iwl_mvm_max_amsdu_size(struct iwl_mvm *mvm,
 	 * We also want to have the start of the next packet inside the
 	 * fifo to be able to send bursts.
 	 */
-	return min_t(unsigned int, mvmsta->max_amsdu_len,
+	val = mvmsta->max_amsdu_len;
+
+	if (hweight16(sta->valid_links) <= 1) {
+		if (sta->valid_links) {
+			struct ieee80211_bss_conf *link_conf;
+			unsigned int link = ffs(sta->valid_links) - 1;
+
+			rcu_read_lock();
+			link_conf = rcu_dereference(mvmsta->vif->link_conf[link]);
+			if (WARN_ON(!link_conf))
+				band = NL80211_BAND_2GHZ;
+			else
+				band = link_conf->chandef.chan->band;
+			rcu_read_unlock();
+		} else {
+			band = mvmsta->vif->bss_conf.chandef.chan->band;
+		}
+
+		lmac = iwl_mvm_get_lmac_id(mvm->fw, band);
+	} else if (fw_has_capa(&mvm->fw->ucode_capa,
+			       IWL_UCODE_TLV_CAPA_CDB_SUPPORT)) {
+		/* for real MLO restrict to both LMACs if they exist */
+		lmac = IWL_LMAC_5G_INDEX;
+		val = min_t(unsigned int, val,
+			    mvm->fwrt.smem_cfg.lmac[lmac].txfifo_size[txf] - 256);
+		lmac = IWL_LMAC_24G_INDEX;
+	} else {
+		lmac = IWL_LMAC_24G_INDEX;
+	}
+
+	return min_t(unsigned int, val,
 		     mvm->fwrt.smem_cfg.lmac[lmac].txfifo_size[txf] - 256);
 }
 
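Review bot: two points on the multi-link path. First, the `WARN_ON(!link_conf)` fallback picks `NL80211_BAND_2GHZ`, which silently sizes the A-MSDU against the 2.4 GHz FIFO; that is a safe (smaller) choice but the reason should be stated in a comment next to the fallback. Second, the CDB branch reuses `lmac` as a scratch variable, setting it to `IWL_LMAC_5G_INDEX` to clamp `val` and then to `IWL_LMAC_24G_INDEX` so the final `return` clamps again, with the `txfifo_size[txf] - 256` expression duplicated; the intent (minimum over both LMACs) is easy to miss. Indexing the 5 GHz clamp directly, e.g. `mvm->fwrt.smem_cfg.lmac[IWL_LMAC_5G_INDEX].txfifo_size[txf] - 256`, and leaving `lmac` for the 2.4 GHz index only would read more plainly, and the `- 256` slack deserves a named constant since it now appears twice.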
-- 
2.39.2



* [PATCH AUTOSEL 6.3 45/59] wifi: iwlwifi: dvm: Fix memcpy: detected field-spanning write backtrace
From: Sasha Levin @ 2023-05-04 19:41 UTC
  To: linux-kernel, stable
  Cc: Hans de Goede, Kees Cook, Johannes Berg, Johannes Berg,
	Sasha Levin, gregory.greenman, kvalo, davem, edumazet, kuba,
	pabeni, benjamin.berg, linux-wireless, netdev

From: Hans de Goede <hdegoede@redhat.com>

[ Upstream commit ef16799640865f937719f0771c93be5dca18adc6 ]

A received TKIP key may be up to 32 bytes because it may contain
MIC rx/tx keys too. These are not used by iwl and copying these
over overflows the iwl_keyinfo.key field.

Add a check to not copy more data to iwl_keyinfo.key than will fit.

This fixes backtraces like this one:

 memcpy: detected field-spanning write (size 32) of single field "sta_cmd.key.key" at drivers/net/wireless/intel/iwlwifi/dvm/sta.c:1103 (size 16)
 WARNING: CPU: 1 PID: 946 at drivers/net/wireless/intel/iwlwifi/dvm/sta.c:1103 iwlagn_send_sta_key+0x375/0x390 [iwldvm]
 <snip>
 Hardware name: Dell Inc. Latitude E6430/0H3MT5, BIOS A21 05/08/2017
 RIP: 0010:iwlagn_send_sta_key+0x375/0x390 [iwldvm]
 <snip>
 Call Trace:
  <TASK>
  iwl_set_dynamic_key+0x1f0/0x220 [iwldvm]
  iwlagn_mac_set_key+0x1e4/0x280 [iwldvm]
  drv_set_key+0xa4/0x1b0 [mac80211]
  ieee80211_key_enable_hw_accel+0xa8/0x2d0 [mac80211]
  ieee80211_key_replace+0x22d/0x8e0 [mac80211]
 <snip>

Link: https://www.alionet.org/index.php?topic=1469.0
Link: https://lore.kernel.org/linux-wireless/20230218191056.never.374-kees@kernel.org/
Link: https://lore.kernel.org/linux-wireless/68760035-7f75-1b23-e355-bfb758a87d83@redhat.com/
Cc: Kees Cook <keescook@chromium.org>
Suggested-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/intel/iwlwifi/dvm/sta.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/sta.c b/drivers/net/wireless/intel/iwlwifi/dvm/sta.c
index cef43cf80620a..8b01ab986cb13 100644
--- a/drivers/net/wireless/intel/iwlwifi/dvm/sta.c
+++ b/drivers/net/wireless/intel/iwlwifi/dvm/sta.c
@@ -1081,6 +1081,7 @@ static int iwlagn_send_sta_key(struct iwl_priv *priv,
 {
 	__le16 key_flags;
 	struct iwl_addsta_cmd sta_cmd;
+	size_t to_copy;
 	int i;
 
 	spin_lock_bh(&priv->sta_lock);
@@ -1100,7 +1101,9 @@ static int iwlagn_send_sta_key(struct iwl_priv *priv,
 		sta_cmd.key.tkip_rx_tsc_byte2 = tkip_iv32;
 		for (i = 0; i < 5; i++)
 			sta_cmd.key.tkip_rx_ttak[i] = cpu_to_le16(tkip_p1k[i]);
-		memcpy(sta_cmd.key.key, keyconf->key, keyconf->keylen);
+		/* keyconf may contain MIC rx/tx keys which iwl does not use */
+		to_copy = min_t(size_t, sizeof(sta_cmd.key.key), keyconf->keylen);
+		memcpy(sta_cmd.key.key, keyconf->key, to_copy);
 		break;
 	case WLAN_CIPHER_SUITE_WEP104:
 		key_flags |= STA_KEY_FLG_KEY_SIZE_MSK;
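Review bot: clamping the copy to `sizeof(sta_cmd.key.key)` removes the overflow, but the correctness of the truncation depends on the TKIP temporal key occupying the first bytes of `keyconf->key` with the MIC rx/tx keys after it; the new comment says the extra bytes are unused, and it should also say that they come after the part that is kept, so nobody later "restores" the full copy. Separately, only the TKIP case is bounded here; the other cipher cases in this switch (the `WLAN_CIPHER_SUITE_WEP104` label is the only one visible) should be checked for the same `memcpy(sta_cmd.key.key, keyconf->key, keyconf->keylen)` pattern into the same fixed-size field, and given the same `min_t()` bound where they have it.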
-- 
2.39.2



* [PATCH AUTOSEL 6.3 46/59] wifi: ath11k: Fix SKB corruption in REO destination ring
From: Sasha Levin @ 2023-05-04 19:41 UTC
  To: linux-kernel, stable
  Cc: Nagarajan Maran, Kalle Valo, Sasha Levin, kvalo, davem, edumazet,
	kuba, pabeni, ath11k, linux-wireless, netdev

From: Nagarajan Maran <quic_nmaran@quicinc.com>

[ Upstream commit f9fff67d2d7ca6fa8066132003a3deef654c55b1 ]

While running traffic for a long time, an RX descriptor filled with
the value "0" from the REO destination ring is randomly received.
This invalid descriptor causes the wrong SKB (the SKB stored in
the IDR lookup with buffer id "0") to be fetched, which in turn
causes SKB memory corruption that leads to a crash after some time.

Changed the start id for idr allocation to "1"; buffer id "0" is
reserved for error validation. Introduced a sanity check to validate
the descriptor before processing the SKB.

Crash signature:

Unable to handle kernel paging request at virtual address 3f004900
PC points to "b15_dma_inv_range+0x30/0x50"
LR points to "dma_cache_maint_page+0x8c/0x128".
The backtrace obtained is as follows:
[<8031716c>] (b15_dma_inv_range) from [<80313a4c>] (dma_cache_maint_page+0x8c/0x128)
[<80313a4c>] (dma_cache_maint_page) from [<80313b90>] (__dma_page_dev_to_cpu+0x28/0xcc)
[<80313b90>] (__dma_page_dev_to_cpu) from [<7fb5dd68>] (ath11k_dp_process_rx+0x1e8/0x4a4 [ath11k])
[<7fb5dd68>] (ath11k_dp_process_rx [ath11k]) from [<7fb53c20>] (ath11k_dp_service_srng+0xb0/0x2ac [ath11k])
[<7fb53c20>] (ath11k_dp_service_srng [ath11k]) from [<7f67bba4>] (ath11k_pci_ext_grp_napi_poll+0x1c/0x78 [ath11k_pci])
[<7f67bba4>] (ath11k_pci_ext_grp_napi_poll [ath11k_pci]) from [<807d5cf4>] (__napi_poll+0x28/0xb8)
[<807d5cf4>] (__napi_poll) from [<807d5f28>] (net_rx_action+0xf0/0x280)
[<807d5f28>] (net_rx_action) from [<80302148>] (__do_softirq+0xd0/0x280)
[<80302148>] (__do_softirq) from [<80320408>] (irq_exit+0x74/0xd4)
[<80320408>] (irq_exit) from [<803638a4>] (__handle_domain_irq+0x90/0xb4)
[<803638a4>] (__handle_domain_irq) from [<805bedec>] (gic_handle_irq+0x58/0x90)
[<805bedec>] (gic_handle_irq) from [<80301a78>] (__irq_svc+0x58/0x8c)

Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1

Signed-off-by: Nagarajan Maran <quic_nmaran@quicinc.com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20230403191533.28114-1-quic_nmaran@quicinc.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/ath/ath11k/dp_rx.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c
index 294c6fcfa1aa8..32a4f88861d58 100644
--- a/drivers/net/wireless/ath/ath11k/dp_rx.c
+++ b/drivers/net/wireless/ath/ath11k/dp_rx.c
@@ -389,10 +389,10 @@ int ath11k_dp_rxbufs_replenish(struct ath11k_base *ab, int mac_id,
 			goto fail_free_skb;
 
 		spin_lock_bh(&rx_ring->idr_lock);
-		buf_id = idr_alloc(&rx_ring->bufs_idr, skb, 0,
-				   rx_ring->bufs_max * 3, GFP_ATOMIC);
+		buf_id = idr_alloc(&rx_ring->bufs_idr, skb, 1,
+				   (rx_ring->bufs_max * 3) + 1, GFP_ATOMIC);
 		spin_unlock_bh(&rx_ring->idr_lock);
-		if (buf_id < 0)
+		if (buf_id <= 0)
 			goto fail_dma_unmap;
 
 		desc = ath11k_hal_srng_src_get_next_entry(ab, srng);
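Review bot: with `idr_alloc()` now starting at 1 it can no longer return 0, so changing the check to `buf_id <= 0` is defensive rather than functional, which is fine but worth a word in a comment. The new upper bound `(rx_ring->bufs_max * 3) + 1` also deserves a comment: `idr_alloc()` treats the end as exclusive, so the +1 keeps the number of usable ids at `bufs_max * 3` after id 0 is reserved. One thing to confirm outside this hunk is that the cookie field that carries `buf_id` (the one decoded with `FIELD_GET()` in the second hunk) still has room for the new top value of the range, since the range has shifted up by one.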
@@ -2665,6 +2665,9 @@ int ath11k_dp_process_rx(struct ath11k_base *ab, int ring_id,
 				   cookie);
 		mac_id = FIELD_GET(DP_RXDMA_BUF_COOKIE_PDEV_ID, cookie);
 
+		if (unlikely(buf_id == 0))
+			continue;
+
 		ar = ab->pdevs[mac_id].ar;
 		rx_ring = &ar->dp.rx_refill_buf_ring;
 		spin_lock_bh(&rx_ring->idr_lock);
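Review bot: the zero check is placed correctly, after `mac_id` is decoded from the cookie but before `ab->pdevs[mac_id].ar` is touched (a zeroed descriptor yields `mac_id == 0` too, so nothing is dereferenced from bad data), but the bare `continue` makes the event invisible. A descriptor of all zeros coming out of the REO ring is a hardware or DMA-coherency symptom that an operator would want to see; consider bumping a debug counter or emitting a rate-limited warning at this point so the condition can be correlated with the original corruption reports rather than being silently absorbed.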
-- 
2.39.2



* [PATCH AUTOSEL 6.3 47/59] wifi: rtw88: Fix memory leak in rtw88_usb
From: Sasha Levin @ 2023-05-04 19:41 UTC
  To: linux-kernel, stable
  Cc: Larry Finger, Sascha Hauer, Ping-Ke Shih, Kalle Valo, Sasha Levin,
	tony0620emma, davem, edumazet, kuba, pabeni, linux-wireless,
	netdev

From: Larry Finger <Larry.Finger@lwfinger.net>

[ Upstream commit 59a3a312009723e3e5082899655fdcc420e2b47a ]

Kmemleak shows the following leak arising from the usb probe routine:

unreferenced object 0xffff895cb29bba00 (size 512):
  comm "(udev-worker)", pid 534, jiffies 4294903932 (age 102751.088s)
  hex dump (first 32 bytes):
    77 30 30 30 00 00 00 00 02 2f 2d 2b 30 00 00 00  w000...../-+0...
    02 00 2a 28 00 00 00 00 ff 55 ff ff ff 00 00 00  ..*(.....U......
  backtrace:
    [<ffffffff9265fa36>] kmalloc_trace+0x26/0x90
    [<ffffffffc17eec41>] rtw_usb_probe+0x2f1/0x680 [rtw_usb]
    [<ffffffffc03e19fd>] usb_probe_interface+0xdd/0x2e0 [usbcore]
    [<ffffffff92b4f2fe>] really_probe+0x18e/0x3d0
    [<ffffffff92b4f5b8>] __driver_probe_device+0x78/0x160
    [<ffffffff92b4f6bf>] driver_probe_device+0x1f/0x90
    [<ffffffff92b4f8df>] __driver_attach+0xbf/0x1b0
    [<ffffffff92b4d350>] bus_for_each_dev+0x70/0xc0
    [<ffffffff92b4e51e>] bus_add_driver+0x10e/0x210
    [<ffffffff92b50935>] driver_register+0x55/0xf0
    [<ffffffffc03e0708>] usb_register_driver+0x88/0x140 [usbcore]
    [<ffffffff92401153>] do_one_initcall+0x43/0x210
    [<ffffffff9254f42a>] do_init_module+0x4a/0x200
    [<ffffffff92551d1c>] __do_sys_finit_module+0xac/0x120
    [<ffffffff92ee6626>] do_syscall_64+0x56/0x80
    [<ffffffff9300006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0

The leak was verified to be real by unloading the driver, which resulted
in a dangling pointer to the allocation.

The allocated memory is freed in rtw_usb_intf_deinit().

Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Cc: Sascha Hauer <s.hauer@pengutronix.de>
Cc: Ping-Ke Shih <pkshih@realtek.com>
Reviewed-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20230417160331.23071-1-Larry.Finger@lwfinger.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/realtek/rtw88/usb.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/wireless/realtek/rtw88/usb.c b/drivers/net/wireless/realtek/rtw88/usb.c
index 68e1b782d1992..05c7326443614 100644
--- a/drivers/net/wireless/realtek/rtw88/usb.c
+++ b/drivers/net/wireless/realtek/rtw88/usb.c
@@ -780,6 +780,7 @@ static void rtw_usb_intf_deinit(struct rtw_dev *rtwdev,
 	struct rtw_usb *rtwusb = rtw_get_usb_priv(rtwdev);
 
 	usb_put_dev(rtwusb->udev);
+	kfree(rtwusb->usb_data);
 	usb_set_intfdata(intf, NULL);
 }
 
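Review bot: the `kfree(rtwusb->usb_data)` in the deinit path pairs with the allocation in `rtw_usb_probe()` shown in the kmemleak backtrace, but the probe error path is not in this hunk; if probe can fail after `usb_data` is allocated and before the point where `rtw_usb_intf_deinit()` becomes reachable, that path needs its own `kfree()`, and the series' 12/59 "fix memory leak in rtw_usb_probe()" should be read together with this one to confirm the two do not double-free. Ordering the free before `usb_set_intfdata(intf, NULL)` is fine, since `rtwusb` itself is not released here.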
-- 
2.39.2

