* [PATCH AUTOSEL 4.19 06/22] wifi: ath9k: Fix potential array-index-out-of-bounds read in ath9k_htc_txstatus()
[not found] <20240116200432.260016-1-sashal@kernel.org>
@ 2024-01-16 20:04 ` Sasha Levin
2024-01-16 20:04 ` [PATCH AUTOSEL 4.19 19/22] wifi: rtl8xxxu: Add additional USB IDs for RTL8192EU devices Sasha Levin
` (3 subsequent siblings)
4 siblings, 0 replies; 5+ messages in thread
From: Sasha Levin @ 2024-01-16 20:04 UTC
To: linux-kernel, stable
Cc: Minsuk Kang, Toke Høiland-Jørgensen, Kalle Valo,
Sasha Levin, kvalo, linux-wireless
From: Minsuk Kang <linuxlovemin@yonsei.ac.kr>
[ Upstream commit 2adc886244dff60f948497b59affb6c6ebb3c348 ]
Fix an array-index-out-of-bounds read in ath9k_htc_txstatus(). The bug
occurs when txs->cnt, data from a URB provided by a USB device, is
bigger than the size of the array txs->txstatus, which is
HTC_MAX_TX_STATUS. WARN_ON() already checks it, but there is no bug
handling code after the check. Make the function return if that is the
case.
Found by a modified version of syzkaller.
UBSAN: array-index-out-of-bounds in htc_drv_txrx.c
index 13 is out of range for type '__wmi_event_txstatus [12]'
Call Trace:
ath9k_htc_txstatus
ath9k_wmi_event_tasklet
tasklet_action_common
__do_softirq
irq_exit_rxu
sysvec_apic_timer_interrupt
Signed-off-by: Minsuk Kang <linuxlovemin@yonsei.ac.kr>
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20231113065756.1491991-1-linuxlovemin@yonsei.ac.kr
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath9k/htc_drv_txrx.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
index 979ac31a77a0..527bca8f7deb 100644
--- a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
+++ b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
@@ -647,9 +647,10 @@ void ath9k_htc_txstatus(struct ath9k_htc_priv *priv, void *wmi_event)
struct ath9k_htc_tx_event *tx_pend;
int i;
- for (i = 0; i < txs->cnt; i++) {
- WARN_ON(txs->cnt > HTC_MAX_TX_STATUS);
+ if (WARN_ON_ONCE(txs->cnt > HTC_MAX_TX_STATUS))
+ return;
+ for (i = 0; i < txs->cnt; i++) {
__txs = &txs->txstatus[i];
skb = ath9k_htc_tx_get_packet(priv, __txs);
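Review bot: the new guard ahead of the loop in ath9k_htc_txstatus() uses WARN_ON_ONCE() on txs->cnt, which the commit message says comes from a URB supplied by the USB device, so a misbehaving device can trigger a kernel warning on demand and bring down hosts that run with panic_on_warn. Consider a plain `if (txs->cnt > HTC_MAX_TX_STATUS) return;` with a rate-limited or debug-level log message instead. The early return also discards every status entry in the event; if dropping the whole event is preferred over clamping the count to HTC_MAX_TX_STATUS, a one-line comment saying so would help the next reader.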
--
2.43.0
* [PATCH AUTOSEL 4.19 19/22] wifi: rtl8xxxu: Add additional USB IDs for RTL8192EU devices
From: Sasha Levin @ 2024-01-16 20:04 UTC
To: linux-kernel, stable
Cc: Zenm Chen, Ping-Ke Shih, Kalle Valo, Sasha Levin, Jes.Sorensen,
linux-wireless
From: Zenm Chen <zenmchen@gmail.com>
[ Upstream commit 4e87ca403e2008b9e182239e1abbf6876a55eb33 ]
Add additional USB IDs found in the vendor driver from
https://github.com/Mange/rtl8192eu-linux-driver to support more
RTL8192EU devices.
Signed-off-by: Zenm Chen <zenmchen@gmail.com>
Reviewed-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://msgid.link/20231217123017.1982-1-zenmchen@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
index 780dab276829..9c5a7ea1479e 100644
--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
@@ -6366,6 +6366,18 @@ static const struct usb_device_id dev_table[] = {
.driver_info = (unsigned long)&rtl8192eu_fops},
{USB_DEVICE_AND_INTERFACE_INFO(USB_VENDOR_ID_REALTEK, 0x818c, 0xff, 0xff, 0xff),
.driver_info = (unsigned long)&rtl8192eu_fops},
+/* D-Link DWA-131 rev C1 */
+{USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x3312, 0xff, 0xff, 0xff),
+ .driver_info = (unsigned long)&rtl8192eu_fops},
+/* TP-Link TL-WN8200ND V2 */
+{USB_DEVICE_AND_INTERFACE_INFO(0x2357, 0x0126, 0xff, 0xff, 0xff),
+ .driver_info = (unsigned long)&rtl8192eu_fops},
+/* Mercusys MW300UM */
+{USB_DEVICE_AND_INTERFACE_INFO(0x2c4e, 0x0100, 0xff, 0xff, 0xff),
+ .driver_info = (unsigned long)&rtl8192eu_fops},
+/* Mercusys MW300UH */
+{USB_DEVICE_AND_INTERFACE_INFO(0x2c4e, 0x0104, 0xff, 0xff, 0xff),
+ .driver_info = (unsigned long)&rtl8192eu_fops},
#endif
{ }
};
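Review bot: nothing in the commit message or in the four added dev_table[] entries says that any of these adapters was actually exercised with rtl8xxxu; the IDs are described only as found in the vendor driver. A Tested-by tag, or a sentence stating which of the D-Link, TP-Link and Mercusys devices were tried, would help reviewers of a stable backport. The entries are also added above the `#endif`, so they are built only under that guard's config option; please confirm that is intended for all four.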
--
2.43.0
* [PATCH AUTOSEL 4.19 20/22] wifi: rtlwifi: add calculate_bit_shift()
From: Sasha Levin @ 2024-01-16 20:04 UTC
To: linux-kernel, stable
Cc: Su Hui, Ping-Ke Shih, Kalle Valo, Sasha Levin, linux-wireless
From: Su Hui <suhui@nfschina.com>
[ Upstream commit 52221dfddbbfb5b4e029bb2efe9bb7da33ec1e46 ]
There are many same functions like _rtl88e_phy_calculate_bit_shift(),
_rtl92c_phy_calculate_bit_shift() and so on. And these functions can
cause undefined bitwise shift behavior. Add calculate_bit_shift() to
replace them and fix undefined behavior in subsequent patches.
Signed-off-by: Su Hui <suhui@nfschina.com>
Acked-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://msgid.link/20231219065739.1895666-2-suhui@nfschina.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtlwifi/wifi.h | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/net/wireless/realtek/rtlwifi/wifi.h b/drivers/net/wireless/realtek/rtlwifi/wifi.h
index 0f3b98c5227f..0287cbb9a719 100644
--- a/drivers/net/wireless/realtek/rtlwifi/wifi.h
+++ b/drivers/net/wireless/realtek/rtlwifi/wifi.h
@@ -3251,4 +3251,11 @@ static inline struct ieee80211_sta *rtl_find_sta(struct ieee80211_hw *hw,
return ieee80211_find_sta(mac->vif, mac_addr);
}
+static inline u32 calculate_bit_shift(u32 bitmask)
+{
+ if (WARN_ON_ONCE(!bitmask))
+ return 0;
+
+ return __ffs(bitmask);
+}
#endif
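Review bot: calculate_bit_shift() carries no comment explaining the zero-mask guard, and its fallback value is ambiguous. The `WARN_ON_ONCE(!bitmask)` branch returns 0, which is also the legitimate shift for any mask with bit 0 set, so a caller cannot distinguish the error case and will carry on with a zero mask. A short comment stating that __ffs() is undefined for 0 and that callers must pass a non-zero mask would document the contract. The helper also narrows the result of __ffs() to u32, which is harmless for a 32-bit mask but worth a word in the same comment.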
--
2.43.0
* [PATCH AUTOSEL 4.19 21/22] wifi: rtlwifi: rtl8723{be,ae}: using calculate_bit_shift()
From: Sasha Levin @ 2024-01-16 20:04 UTC
To: linux-kernel, stable
Cc: Su Hui, Kalle Valo, Sasha Levin, pkshih, linux-wireless
From: Su Hui <suhui@nfschina.com>
[ Upstream commit 5c16618bc06a41ad68fd8499a21d35ef57ca06c2 ]
Using calculate_bit_shift() to replace rtl8723_phy_calculate_bit_shift().
And fix an undefined bitwise shift behavior problem.
Signed-off-by: Su Hui <suhui@nfschina.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://msgid.link/20231219065739.1895666-12-suhui@nfschina.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtlwifi/rtl8723ae/phy.c | 6 +++---
drivers/net/wireless/realtek/rtlwifi/rtl8723be/phy.c | 4 ++--
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/phy.c b/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/phy.c
index 5cf29f5a4b54..e6ac496e898e 100644
--- a/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/phy.c
+++ b/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/phy.c
@@ -72,7 +72,7 @@ u32 rtl8723e_phy_query_rf_reg(struct ieee80211_hw *hw,
rfpath, regaddr);
}
- bitshift = rtl8723_phy_calculate_bit_shift(bitmask);
+ bitshift = calculate_bit_shift(bitmask);
readback_value = (original_value & bitmask) >> bitshift;
spin_unlock_irqrestore(&rtlpriv->locks.rf_lock, flags);
@@ -104,7 +104,7 @@ void rtl8723e_phy_set_rf_reg(struct ieee80211_hw *hw,
original_value = rtl8723_phy_rf_serial_read(hw,
rfpath,
regaddr);
- bitshift = rtl8723_phy_calculate_bit_shift(bitmask);
+ bitshift = calculate_bit_shift(bitmask);
data =
((original_value & (~bitmask)) |
(data << bitshift));
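Review bot: in rtl8723e_phy_set_rf_reg() the value written back is not limited to the field. `(data << bitshift)` is OR-ed in without being masked by bitmask, so any bits of data wider than the field land in neighbouring register bits. That predates this change, but since the line sits next to the shift being hardened, `((data << bitshift) & bitmask)` is worth considering as a follow-up.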
@@ -113,7 +113,7 @@ void rtl8723e_phy_set_rf_reg(struct ieee80211_hw *hw,
rtl8723_phy_rf_serial_write(hw, rfpath, regaddr, data);
} else {
if (bitmask != RFREG_OFFSET_MASK) {
- bitshift = rtl8723_phy_calculate_bit_shift(bitmask);
+ bitshift = calculate_bit_shift(bitmask);
data =
((original_value & (~bitmask)) |
(data << bitshift));
diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8723be/phy.c b/drivers/net/wireless/realtek/rtlwifi/rtl8723be/phy.c
index 1263b12db5dc..bbbbf61d7bcf 100644
--- a/drivers/net/wireless/realtek/rtlwifi/rtl8723be/phy.c
+++ b/drivers/net/wireless/realtek/rtlwifi/rtl8723be/phy.c
@@ -64,7 +64,7 @@ u32 rtl8723be_phy_query_rf_reg(struct ieee80211_hw *hw, enum radio_path rfpath,
spin_lock_irqsave(&rtlpriv->locks.rf_lock, flags);
original_value = rtl8723_phy_rf_serial_read(hw, rfpath, regaddr);
- bitshift = rtl8723_phy_calculate_bit_shift(bitmask);
+ bitshift = calculate_bit_shift(bitmask);
readback_value = (original_value & bitmask) >> bitshift;
spin_unlock_irqrestore(&rtlpriv->locks.rf_lock, flags);
@@ -92,7 +92,7 @@ void rtl8723be_phy_set_rf_reg(struct ieee80211_hw *hw, enum radio_path path,
if (bitmask != RFREG_OFFSET_MASK) {
original_value = rtl8723_phy_rf_serial_read(hw, path,
regaddr);
- bitshift = rtl8723_phy_calculate_bit_shift(bitmask);
+ bitshift = calculate_bit_shift(bitmask);
data = ((original_value & (~bitmask)) |
(data << bitshift));
}
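Review bot: with the call in rtl8723be_phy_set_rf_reg() converted, the diffstat still touches only the two phy.c files, so rtl8723_phy_calculate_bit_shift() itself remains defined. If these were its last users, its definition and prototype should be removed in this patch or an explicitly named follow-up, so the old helper with the undefined shift is not left available to new callers. The commit message should say which.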
--
2.43.0
* [PATCH AUTOSEL 4.19 22/22] wifi: cfg80211: free beacon_ies when overridden from hidden BSS
From: Sasha Levin @ 2024-01-16 20:04 UTC
To: linux-kernel, stable
Cc: Benjamin Berg, Johannes Berg, Miri Korenblit, Sasha Levin,
johannes, davem, edumazet, kuba, pabeni, linux-wireless, netdev
From: Benjamin Berg <benjamin.berg@intel.com>
[ Upstream commit 32af9a9e1069e55bc02741fb00ac9d0ca1a2eaef ]
This is more of a cosmetic fix. The branch will only be taken if
proberesp_ies is set, which implies that beacon_ies is not set unless we
are connected to an AP that just did a channel switch. And, in that case
we should have found the BSS in the internal storage to begin with.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Reviewed-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://msgid.link/20231220133549.b898e22dadff.Id8c4c10aedd176ef2e18a4cad747b299f150f9df@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/wireless/scan.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index d871349036a5..7f1a4ba975dd 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -1018,8 +1018,12 @@ cfg80211_bss_update(struct cfg80211_registered_device *rdev,
list_add(&new->hidden_list,
&hidden->hidden_list);
hidden->refcount++;
+
+ ies = (void *)rcu_dereference(new->pub.beacon_ies);
rcu_assign_pointer(new->pub.beacon_ies,
hidden->pub.beacon_ies);
+ if (ies)
+ kfree_rcu(ies, rcu_head);
}
} else {
/*
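Review bot: the added `ies = (void *)rcu_dereference(new->pub.beacon_ies);` in cfg80211_bss_update() reads the pointer on the update side with the reader primitive, and nothing in the hunk shows an rcu_read_lock() section around it. Since ies is only tested for NULL and handed to kfree_rcu(), never dereferenced, rcu_access_pointer() expresses that better, or rcu_dereference_protected() with the lock that serialises this update. The `(void *)` cast also hides the pointer's qualifiers; a comment on why it is needed, or dropping it, would make the ownership of the old beacon_ies clearer.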
--
2.43.0