From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Daniel Gabay <daniel.gabay@intel.com>,
Miri Korenblit <miriam.rachel.korenblit@intel.com>,
Johannes Berg <johannes.berg@intel.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.10 068/110] wifi: iwlwifi: mvm: Fix response handling in iwl_mvm_send_recovery_cmd()
Date: Wed, 6 Nov 2024 13:04:34 +0100 [thread overview]
Message-ID: <20241106120305.067593767@linuxfoundation.org> (raw)
In-Reply-To: <20241106120303.135636370@linuxfoundation.org>
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Gabay <daniel.gabay@intel.com>
[ Upstream commit 07a6e3b78a65f4b2796a8d0d4adb1a15a81edead ]
1. The size of the response packet is not validated.
2. The response buffer is not freed.
Resolve these issues by switching to iwl_mvm_send_cmd_status(),
which handles both size validation and frees the buffer.
Fixes: f130bb75d881 ("iwlwifi: add FW recovery flow")
Signed-off-by: Daniel Gabay <daniel.gabay@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20241010140328.76c73185951e.Id3b6ca82ced2081f5ee4f33c997491d0ebda83f7@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
index 594c88a9ac496..553117e8fdd90 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
@@ -1261,8 +1261,8 @@ static void iwl_mvm_disconnect_iterator(void *data, u8 *mac,
void iwl_mvm_send_recovery_cmd(struct iwl_mvm *mvm, u32 flags)
{
u32 error_log_size = mvm->fw->ucode_capa.error_log_size;
+ u32 status = 0;
int ret;
- u32 resp;
struct iwl_fw_error_recovery_cmd recovery_cmd = {
.flags = cpu_to_le32(flags),
@@ -1270,7 +1270,6 @@ void iwl_mvm_send_recovery_cmd(struct iwl_mvm *mvm, u32 flags)
};
struct iwl_host_cmd host_cmd = {
.id = WIDE_ID(SYSTEM_GROUP, FW_ERROR_RECOVERY_CMD),
- .flags = CMD_WANT_SKB,
.data = {&recovery_cmd, },
.len = {sizeof(recovery_cmd), },
};
@@ -1290,7 +1289,7 @@ void iwl_mvm_send_recovery_cmd(struct iwl_mvm *mvm, u32 flags)
recovery_cmd.buf_size = cpu_to_le32(error_log_size);
}
- ret = iwl_mvm_send_cmd(mvm, &host_cmd);
+ ret = iwl_mvm_send_cmd_status(mvm, &host_cmd, &status);
kfree(mvm->error_recovery_buf);
mvm->error_recovery_buf = NULL;
@@ -1301,11 +1300,10 @@ void iwl_mvm_send_recovery_cmd(struct iwl_mvm *mvm, u32 flags)
/* skb respond is only relevant in ERROR_RECOVERY_UPDATE_DB */
if (flags & ERROR_RECOVERY_UPDATE_DB) {
- resp = le32_to_cpu(*(__le32 *)host_cmd.resp_pkt->data);
- if (resp) {
+ if (status) {
IWL_ERR(mvm,
"Failed to send recovery cmd blob was invalid %d\n",
- resp);
+ status);
ieee80211_iterate_interfaces(mvm->hw, 0,
iwl_mvm_disconnect_iterator,
--
2.43.0
next prev parent reply other threads:[~2024-11-06 12:40 UTC|newest]
Thread overview: 118+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-06 12:03 [PATCH 5.10 000/110] 5.10.229-rc1 review Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 001/110] RDMA/bnxt_re: Fix incorrect AVID type in WQE structure Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 002/110] RDMA/bnxt_re: Add a check for memory allocation Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 003/110] ARM: dts: bcm2837-rpi-cm3-io3: Fix HDMI hpd-gpio pin Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 004/110] RDMA/cxgb4: Fix RDMA_CM_EVENT_UNREACHABLE error for iWARP Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 005/110] ipv4: give an IPv4 dev to blackhole_netdev Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 006/110] RDMA/bnxt_re: Return more meaningful error Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 007/110] RDMA/bnxt_re: Fix a bug while setting up Level-2 PBL pages Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 008/110] drm/msm/dsi: fix 32-bit signed integer extension in pclk_rate calculation Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 009/110] macsec: dont increment counters for an unrelated SA Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 010/110] net: ethernet: aeroflex: fix potential memory leak in greth_start_xmit_gbit() Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 011/110] net/smc: Fix searching in list of known pnetids in smc_pnet_add_pnetid Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 012/110] net: systemport: fix potential memory leak in bcm_sysport_xmit() Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 013/110] genetlink: hold RCU in genlmsg_mcast() Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 014/110] scsi: target: core: Fix null-ptr-deref in target_alloc_device() Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 015/110] smb: client: fix OOBs when building SMB2_IOCTL request Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 016/110] usb: typec: altmode should keep reference to parent Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 017/110] s390: Initialize psw mask in perf_arch_fetch_caller_regs() Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 018/110] Bluetooth: bnep: fix wild-memory-access in proto_unregister Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 019/110] arm64:uprobe fix the uprobe SWBP_INSN in big-endian Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 020/110] arm64: probes: Fix uprobes for big-endian kernels Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 021/110] KVM: s390: gaccess: Refactor gpa and length calculation Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 022/110] KVM: s390: gaccess: Refactor access address range check Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 023/110] KVM: s390: gaccess: Cleanup access to guest pages Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 024/110] KVM: s390: gaccess: Check if guest address is in memslot Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 025/110] block, bfq: fix procress reference leakage for bfqq in merge chain Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 026/110] exec: dont WARN for racy path_noexec check Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 027/110] iomap: update ki_pos a little later in iomap_dio_complete Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 028/110] drm/vboxvideo: Replace fake VLA at end of vbva_mouse_pointer_shape with real VLA Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 029/110] ASoC: fsl_sai: Enable FIFO continue on error FCONT bit Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 030/110] arm64: Force position-independent veneers Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 031/110] jfs: Fix sanity check in dbMount Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 032/110] tracing: Consider the NULL character when validating the event length Greg Kroah-Hartman
2024-11-06 12:03 ` [PATCH 5.10 033/110] xfrm: extract dst lookup parameters into a struct Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 034/110] xfrm: respect ip protocols rules criteria when performing dst lookups Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 035/110] net/sun3_82586: fix potential memory leak in sun3_82586_send_packet() Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 036/110] be2net: fix potential memory leak in be_xmit() Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 037/110] net: usb: usbnet: fix name regression Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 038/110] net: sched: fix use-after-free in taprio_change() Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 039/110] r8169: avoid unsolicited interrupts Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 040/110] posix-clock: posix-clock: Fix unbalanced locking in pc_clock_settime() Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 041/110] ALSA: firewire-lib: Avoid division by zero in apply_constraint_to_size() Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 042/110] ALSA: hda/realtek: Update default depop procedure Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 043/110] drm/amd: Guard against bad data for ATIF ACPI method Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 044/110] ACPI: resource: Add LG 16T90SP to irq1_level_low_skip_override[] Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 045/110] ACPI: button: Add DMI quirk for Samsung Galaxy Book2 to fix initial lid detection issue Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 046/110] nilfs2: fix kernel bug due to missing clearing of buffer delay flag Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 047/110] openat2: explicitly return -E2BIG for (usize > PAGE_SIZE) Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 048/110] KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 049/110] ALSA: hda/realtek: Add subwoofer quirk for Acer Predator G9-593 Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 050/110] hv_netvsc: Fix VF namespace also in synthetic NIC NETDEV_REGISTER event Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 051/110] selinux: improve error checking in sel_write_load() Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 052/110] serial: protect uart_port_dtr_rts() in uart_shutdown() too Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 053/110] net: phy: dp83822: Fix reset pin definitions Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 054/110] ASoC: qcom: Fix NULL Dereference in asoc_qcom_lpass_cpu_platform_probe() Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 055/110] arm64/uprobes: change the uprobe_opcode_t typedef to fix the sparse warning Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 056/110] xfrm: validate new SAs prefixlen using SA family when sel.family is unset Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 057/110] selftests/mm: fix incorrect buffer->mirror size in hmm2 double_map test Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 058/110] cgroup: Fix potential overflow issue when checking max_depth Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 059/110] mac80211: MAC80211_MESSAGE_TRACING should depend on TRACING Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 060/110] wifi: mac80211: skip non-uploaded keys in ieee80211_iter_keys Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 061/110] wifi: brcm80211: BRCM_TRACING should depend on TRACING Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 062/110] RDMA/cxgb4: Dump vendor specific QP details Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 063/110] RDMA/mlx5: Round max_rd_atomic/max_dest_rd_atomic up instead of down Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 064/110] RDMA/bnxt_re: synchronize the qp-handle table array Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 065/110] mac80211: do drv_reconfig_complete() before restarting all Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 066/110] mac80211: Add support to trigger sta disconnect on hardware restart Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 067/110] wifi: iwlwifi: mvm: disconnect station vifs if recovery failed Greg Kroah-Hartman
2024-11-06 12:04 ` Greg Kroah-Hartman [this message]
2024-11-06 12:04 ` [PATCH 5.10 069/110] ASoC: cs42l51: Fix some error handling paths in cs42l51_probe() Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 070/110] igb: Disable threaded IRQ for igb_msix_other Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 071/110] ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_init_flow() Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 072/110] gtp: allow -1 to be specified as file description from userspace Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 073/110] net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 074/110] bpf: Fix out-of-bounds write in trie_get_next_key() Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 075/110] net: support ip generic csum processing in skb_csum_hwoffload_help Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 076/110] net: skip offload for NETIF_F_IPV6_CSUM if ipv6 header contains extension Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 077/110] netfilter: nft_payload: sanitize offset and length before calling skb_checksum() Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 078/110] compiler-gcc: be consistent with underscores use for `no_sanitize` Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 079/110] compiler-gcc: remove attribute support check for `__no_sanitize_address__` Greg Kroah-Hartman
2024-11-06 18:59 ` Miguel Ojeda
2024-11-06 12:04 ` [PATCH 5.10 080/110] kasan: Fix Software Tag-Based KASAN with GCC Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 081/110] firmware: arm_sdei: Fix the input parameter of cpuhp_remove_state() Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 082/110] net: amd: mvme147: Fix probe banner message Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 083/110] NFS: remove revoked delegation from servers delegation list Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 084/110] misc: sgi-gru: Dont disable preemption in GRU driver Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 085/110] usbip: tools: Fix detach_port() invalid port error path Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 086/110] usb: phy: Fix API devm_usb_put_phy() can not release the phy Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 087/110] xhci: Fix Link TRB DMA in command ring stopped completion event Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 088/110] xhci: Use pm_runtime_get to prevent RPM on unsupported systems Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 089/110] Revert "driver core: Fix uevent_show() vs driver detach race" Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 090/110] wifi: mac80211: do not pass a stopped vif to the driver in .get_txpower Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 091/110] wifi: ath10k: Fix memory leak in management tx Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 092/110] wifi: iwlegacy: Clear stale interrupts before resuming device Greg Kroah-Hartman
2024-11-06 12:04 ` [PATCH 5.10 093/110] staging: iio: frequency: ad9832: fix division by zero in ad9832_calc_freqreg() Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.10 094/110] iio: light: veml6030: fix microlux value calculation Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.10 095/110] nilfs2: fix potential deadlock with newly created symlinks Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.10 096/110] mm: add remap_pfn_range_notrack Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.10 097/110] mm: avoid leaving partial pfn mappings around in error case Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.10 098/110] riscv: vdso: Prevent the compiler from inserting calls to memset() Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.10 099/110] riscv: efi: Set NX compat flag in PE/COFF header Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.10 100/110] riscv: Use %u to format the output of cpu Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.10 101/110] riscv: Remove unused GENERATING_ASM_OFFSETS Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.10 102/110] riscv: Remove duplicated GET_RM Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.10 103/110] ocfs2: pass u64 to ocfs2_truncate_inline maybe overflow Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.10 104/110] x86/bugs: Use code segment selector for VERW operand Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.10 105/110] nilfs2: fix kernel bug due to missing clearing of checked flag Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.10 106/110] mm: shmem: fix data-race in shmem_getattr() Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.10 107/110] Revert "drm/mipi-dsi: Set the fwnode for mipi_dsi_device" Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.10 108/110] drm/shmem-helper: Fix BUG_ON() on mmap(PROT_WRITE, MAP_PRIVATE) Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.10 109/110] vt: prevent kernel-infoleak in con_font_get() Greg Kroah-Hartman
2024-11-06 12:05 ` [PATCH 5.10 110/110] mac80211: always have ieee80211_sta_restart() Greg Kroah-Hartman
2024-11-06 17:29 ` [PATCH 5.10 000/110] 5.10.229-rc1 review Pavel Machek
2024-11-07 13:42 ` Jon Hunter
2024-11-07 19:10 ` Florian Fainelli
2024-11-08 9:09 ` Naresh Kamboju
2024-11-08 15:47 ` Mark Brown
2024-11-28 17:51 ` Pavel Machek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241106120305.067593767@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=daniel.gabay@intel.com \
--cc=johannes.berg@intel.com \
--cc=miriam.rachel.korenblit@intel.com \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).