1. 06 9月, 2017 1 次提交
  2. 05 9月, 2017 1 次提交
  3. 07 7月, 2017 4 次提交
  4. 30 6月, 2017 1 次提交
  5. 16 6月, 2017 1 次提交
    • J
      networking: make skb_push & __skb_push return void pointers · d58ff351
      Johannes Berg 提交于
      It seems like a historic accident that these return unsigned char *,
      and in many places that means casts are required, more often than not.
      
      Make these functions return void * and remove all the casts across
      the tree, adding a (u8 *) cast only where the unsigned char pointer
      was used directly, all done with the following spatch:
      
          @@
          expression SKB, LEN;
          typedef u8;
          identifier fn = { skb_push, __skb_push, skb_push_rcsum };
          @@
          - *(fn(SKB, LEN))
          + *(u8 *)fn(SKB, LEN)
      
          @@
          expression E, SKB, LEN;
          identifier fn = { skb_push, __skb_push, skb_push_rcsum };
          type T;
          @@
          - E = ((T *)(fn(SKB, LEN)))
          + E = fn(SKB, LEN)
      
          @@
          expression SKB, LEN;
          identifier fn = { skb_push, __skb_push, skb_push_rcsum };
          @@
          - fn(SKB, LEN)[0]
          + *(u8 *)fn(SKB, LEN)
      
      Note that the last part there converts from push(...)[0] to the
      more idiomatic *(u8 *)push(...).
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      d58ff351
  6. 14 6月, 2017 3 次提交
  7. 13 6月, 2017 3 次提交
  8. 23 5月, 2017 1 次提交
    • A
      cfg80211: make cfg80211_sched_scan_results() work from atomic context · 1b57b621
      Arend Van Spriel 提交于
      Drivers should be able to call cfg80211_sched_scan_results() from atomic
      context. However, with the introduction of multiple scheduled scan feature
      this requirement was not taken into account resulting in regression shown
      below.
      
      [  119.021594] BUG: scheduling while atomic: irq/47-iwlwifi/517/0x00000200
      [  119.021604] Modules linked in: [...]
      [  119.021759] CPU: 1 PID: 517 Comm: irq/47-iwlwifi Not tainted 4.12.0-rc2-t440s-20170522+ #1
      [  119.021763] Hardware name: LENOVO 20AQS03H00/20AQS03H00, BIOS GJET91WW (2.41 ) 09/21/2016
      [  119.021766] Call Trace:
      [  119.021778]  ? dump_stack+0x5c/0x84
      [  119.021784]  ? __schedule_bug+0x4c/0x70
      [  119.021792]  ? __schedule+0x496/0x5c0
      [  119.021798]  ? schedule+0x2d/0x80
      [  119.021804]  ? schedule_preempt_disabled+0x5/0x10
      [  119.021810]  ? __mutex_lock.isra.0+0x18e/0x4c0
      [  119.021817]  ? __wake_up+0x2f/0x50
      [  119.021833]  ? cfg80211_sched_scan_results+0x19/0x60 [cfg80211]
      [  119.021844]  ? cfg80211_sched_scan_results+0x19/0x60 [cfg80211]
      [  119.021859]  ? iwl_mvm_rx_lmac_scan_iter_complete_notif+0x17/0x30 [iwlmvm]
      [  119.021869]  ? iwl_pcie_rx_handle+0x2a9/0x7e0 [iwlwifi]
      [  119.021878]  ? iwl_pcie_irq_handler+0x17c/0x730 [iwlwifi]
      [  119.021884]  ? irq_forced_thread_fn+0x60/0x60
      [  119.021887]  ? irq_thread_fn+0x16/0x40
      [  119.021892]  ? irq_thread+0x109/0x180
      [  119.021896]  ? wake_threads_waitq+0x30/0x30
      [  119.021901]  ? kthread+0xf2/0x130
      [  119.021905]  ? irq_thread_dtor+0x90/0x90
      [  119.021910]  ? kthread_create_on_node+0x40/0x40
      [  119.021915]  ? ret_from_fork+0x26/0x40
      
      Fixes: b34939b9 ("cfg80211: add request id to cfg80211_sched_scan_*() api")
      Reported-by: NSander Eikelenboom <linux@eikelenboom.it>
      Signed-off-by: NArend van Spriel <arend.vanspriel@broadcom.com>
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      1b57b621
  9. 19 5月, 2017 2 次提交
  10. 17 5月, 2017 2 次提交
  11. 08 5月, 2017 1 次提交
  12. 28 4月, 2017 2 次提交
  13. 27 4月, 2017 4 次提交
  14. 26 4月, 2017 1 次提交
  15. 18 4月, 2017 3 次提交
  16. 14 4月, 2017 2 次提交
    • J
      netlink: pass extended ACK struct where available · fe52145f
      Johannes Berg 提交于
      This is an add-on to the previous patch that passes the extended ACK
      structure where it's already available by existing genl_info or extack
      function arguments.
      
      This was done with this spatch (with some manual adjustment of
      indentation):
      
      @@
      expression A, B, C, D, E;
      identifier fn, info;
      @@
      fn(..., struct genl_info *info, ...) {
      ...
      -nlmsg_parse(A, B, C, D, E, NULL)
      +nlmsg_parse(A, B, C, D, E, info->extack)
      ...
      }
      
      @@
      expression A, B, C, D, E;
      identifier fn, info;
      @@
      fn(..., struct genl_info *info, ...) {
      <...
      -nla_parse_nested(A, B, C, D, NULL)
      +nla_parse_nested(A, B, C, D, info->extack)
      ...>
      }
      
      @@
      expression A, B, C, D, E;
      identifier fn, extack;
      @@
      fn(..., struct netlink_ext_ack *extack, ...) {
      <...
      -nlmsg_parse(A, B, C, D, E, NULL)
      +nlmsg_parse(A, B, C, D, E, extack)
      ...>
      }
      
      @@
      expression A, B, C, D, E;
      identifier fn, extack;
      @@
      fn(..., struct netlink_ext_ack *extack, ...) {
      <...
      -nla_parse(A, B, C, D, E, NULL)
      +nla_parse(A, B, C, D, E, extack)
      ...>
      }
      
      @@
      expression A, B, C, D, E;
      identifier fn, extack;
      @@
      fn(..., struct netlink_ext_ack *extack, ...) {
      ...
      -nlmsg_parse(A, B, C, D, E, NULL)
      +nlmsg_parse(A, B, C, D, E, extack)
      ...
      }
      
      @@
      expression A, B, C, D;
      identifier fn, extack;
      @@
      fn(..., struct netlink_ext_ack *extack, ...) {
      <...
      -nla_parse_nested(A, B, C, D, NULL)
      +nla_parse_nested(A, B, C, D, extack)
      ...>
      }
      
      @@
      expression A, B, C, D;
      identifier fn, extack;
      @@
      fn(..., struct netlink_ext_ack *extack, ...) {
      <...
      -nlmsg_validate(A, B, C, D, NULL)
      +nlmsg_validate(A, B, C, D, extack)
      ...>
      }
      
      @@
      expression A, B, C, D;
      identifier fn, extack;
      @@
      fn(..., struct netlink_ext_ack *extack, ...) {
      <...
      -nla_validate(A, B, C, D, NULL)
      +nla_validate(A, B, C, D, extack)
      ...>
      }
      
      @@
      expression A, B, C;
      identifier fn, extack;
      @@
      fn(..., struct netlink_ext_ack *extack, ...) {
      <...
      -nla_validate_nested(A, B, C, NULL)
      +nla_validate_nested(A, B, C, extack)
      ...>
      }
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      Reviewed-by: NJiri Pirko <jiri@mellanox.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      fe52145f
    • J
      netlink: pass extended ACK struct to parsing functions · fceb6435
      Johannes Berg 提交于
      Pass the new extended ACK reporting struct to all of the generic
      netlink parsing functions. For now, pass NULL in almost all callers
      (except for some in the core.)
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      fceb6435
  17. 13 4月, 2017 3 次提交
  18. 31 3月, 2017 2 次提交
  19. 29 3月, 2017 1 次提交
    • A
      cfg80211: check rdev resume callback only for registered wiphy · b3ef5520
      Arend Van Spriel 提交于
      We got the following use-after-free KASAN report:
      
       BUG: KASAN: use-after-free in wiphy_resume+0x591/0x5a0 [cfg80211]
      	 at addr ffff8803fc244090
       Read of size 8 by task kworker/u16:24/2587
       CPU: 6 PID: 2587 Comm: kworker/u16:24 Tainted: G    B 4.9.13-debug+
       Hardware name: Dell Inc. XPS 15 9550/0N7TVV, BIOS 1.2.19 12/22/2016
       Workqueue: events_unbound async_run_entry_fn
        ffff880425d4f9d8 ffffffffaeedb541 ffff88042b80ef00 ffff8803fc244088
        ffff880425d4fa00 ffffffffae84d7a1 ffff880425d4fa98 ffff8803fc244080
        ffff88042b80ef00 ffff880425d4fa88 ffffffffae84da3a ffffffffc141f7d9
       Call Trace:
        [<ffffffffaeedb541>] dump_stack+0x85/0xc4
        [<ffffffffae84d7a1>] kasan_object_err+0x21/0x70
        [<ffffffffae84da3a>] kasan_report_error+0x1fa/0x500
        [<ffffffffc141f7d9>] ? cfg80211_bss_age+0x39/0xc0 [cfg80211]
        [<ffffffffc141f83a>] ? cfg80211_bss_age+0x9a/0xc0 [cfg80211]
        [<ffffffffae48d46d>] ? trace_hardirqs_on+0xd/0x10
        [<ffffffffc13fb1c0>] ? wiphy_suspend+0xc70/0xc70 [cfg80211]
        [<ffffffffae84def1>] __asan_report_load8_noabort+0x61/0x70
        [<ffffffffc13fb100>] ? wiphy_suspend+0xbb0/0xc70 [cfg80211]
        [<ffffffffc13fb751>] ? wiphy_resume+0x591/0x5a0 [cfg80211]
        [<ffffffffc13fb751>] wiphy_resume+0x591/0x5a0 [cfg80211]
        [<ffffffffc13fb1c0>] ? wiphy_suspend+0xc70/0xc70 [cfg80211]
        [<ffffffffaf3b206e>] dpm_run_callback+0x6e/0x4f0
        [<ffffffffaf3b31b2>] device_resume+0x1c2/0x670
        [<ffffffffaf3b367d>] async_resume+0x1d/0x50
        [<ffffffffae3ee84e>] async_run_entry_fn+0xfe/0x610
        [<ffffffffae3d0666>] process_one_work+0x716/0x1a50
        [<ffffffffae3d05c9>] ? process_one_work+0x679/0x1a50
        [<ffffffffafdd7b6d>] ? _raw_spin_unlock_irq+0x3d/0x60
        [<ffffffffae3cff50>] ? pwq_dec_nr_in_flight+0x2b0/0x2b0
        [<ffffffffae3d1a80>] worker_thread+0xe0/0x1460
        [<ffffffffae3d19a0>] ? process_one_work+0x1a50/0x1a50
        [<ffffffffae3e54c2>] kthread+0x222/0x2e0
        [<ffffffffae3e52a0>] ? kthread_park+0x80/0x80
        [<ffffffffae3e52a0>] ? kthread_park+0x80/0x80
        [<ffffffffae3e52a0>] ? kthread_park+0x80/0x80
        [<ffffffffafdd86aa>] ret_from_fork+0x2a/0x40
       Object at ffff8803fc244088, in cache kmalloc-1024 size: 1024
       Allocated:
       PID = 71
        save_stack_trace+0x1b/0x20
        save_stack+0x46/0xd0
        kasan_kmalloc+0xad/0xe0
        kasan_slab_alloc+0x12/0x20
        __kmalloc_track_caller+0x134/0x360
        kmemdup+0x20/0x50
        brcmf_cfg80211_attach+0x10b/0x3a90 [brcmfmac]
        brcmf_bus_start+0x19a/0x9a0 [brcmfmac]
        brcmf_pcie_setup+0x1f1a/0x3680 [brcmfmac]
        brcmf_fw_request_nvram_done+0x44c/0x11b0 [brcmfmac]
        request_firmware_work_func+0x135/0x280
        process_one_work+0x716/0x1a50
        worker_thread+0xe0/0x1460
        kthread+0x222/0x2e0
        ret_from_fork+0x2a/0x40
       Freed:
       PID = 2568
        save_stack_trace+0x1b/0x20
        save_stack+0x46/0xd0
        kasan_slab_free+0x71/0xb0
        kfree+0xe8/0x2e0
        brcmf_cfg80211_detach+0x62/0xf0 [brcmfmac]
        brcmf_detach+0x14a/0x2b0 [brcmfmac]
        brcmf_pcie_remove+0x140/0x5d0 [brcmfmac]
        brcmf_pcie_pm_leave_D3+0x198/0x2e0 [brcmfmac]
        pci_pm_resume+0x186/0x220
        dpm_run_callback+0x6e/0x4f0
        device_resume+0x1c2/0x670
        async_resume+0x1d/0x50
        async_run_entry_fn+0xfe/0x610
        process_one_work+0x716/0x1a50
        worker_thread+0xe0/0x1460
        kthread+0x222/0x2e0
        ret_from_fork+0x2a/0x40
       Memory state around the buggy address:
        ffff8803fc243f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
        ffff8803fc244000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
       >ffff8803fc244080: fc fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                ^
        ffff8803fc244100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
        ffff8803fc244180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      
      What is happening is that brcmf_pcie_resume() detects a device that
      is no longer responsive and it decides to unbind resulting in a
      wiphy_unregister() and wiphy_free() call. Now the wiphy instance
      remains allocated, because PM needs to call wiphy_resume() for it.
      However, brcmfmac already does a kfree() for the struct
      cfg80211_registered_device::ops field. Change the checks in
      wiphy_resume() to only access the struct cfg80211_registered_device::ops
      if the wiphy instance is still registered at this time.
      
      Cc: stable@vger.kernel.org # 4.10.x, 4.9.x
      Reported-by: NDaniel J Blueman <daniel@quora.org>
      Reviewed-by: NHante Meuleman <hante.meuleman@broadcom.com>
      Reviewed-by: NPieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
      Reviewed-by: NFranky Lin <franky.lin@broadcom.com>
      Signed-off-by: NArend van Spriel <arend.vanspriel@broadcom.com>
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      b3ef5520
  20. 17 3月, 2017 1 次提交
  21. 16 3月, 2017 1 次提交