1. 26 7月, 2019 10 次提交
    • W
      ath10k: add peer id check in ath10k_peer_find_by_id · a4bf4fec
      Wen Gong 提交于
      [ Upstream commit 49ed34b835e231aa941257394716bc689bc98d9f ]
      
      For some SDIO chip, the peer id is 65535 for MPDU with error status,
      then test_bit will trigger buffer overflow for peer's memory, if kasan
      enabled, it will report error.
      
      Reason is when station is in disconnecting status, firmware do not delete
      the peer info since it not disconnected completely, meanwhile some AP will
      still send data packet to station, then hardware will receive the packet
      and send to firmware, firmware's logic will report peer id of 65535 for
      MPDU with error status.
      
      Add check for overflow the size of peer's peer_ids will avoid the buffer
      overflow access.
      
      Call trace of kasan:
      dump_backtrace+0x0/0x2ec
      show_stack+0x20/0x2c
      __dump_stack+0x20/0x28
      dump_stack+0xc8/0xec
      print_address_description+0x74/0x240
      kasan_report+0x250/0x26c
      __asan_report_load8_noabort+0x20/0x2c
      ath10k_peer_find_by_id+0x180/0x1e4 [ath10k_core]
      ath10k_htt_t2h_msg_handler+0x100c/0x2fd4 [ath10k_core]
      ath10k_htt_htc_t2h_msg_handler+0x20/0x34 [ath10k_core]
      ath10k_sdio_irq_handler+0xcc8/0x1678 [ath10k_sdio]
      process_sdio_pending_irqs+0xec/0x370
      sdio_run_irqs+0x68/0xe4
      sdio_irq_work+0x1c/0x28
      process_one_work+0x3d8/0x8b0
      worker_thread+0x508/0x7cc
      kthread+0x24c/0x264
      ret_from_fork+0x10/0x18
      
      Tested with QCA6174 SDIO with firmware
      WLAN.RMH.4.4.1-00007-QCARMSWP-1.
      Signed-off-by: NWen Gong <wgong@codeaurora.org>
      Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      a4bf4fec
    • D
      ath6kl: add some bounds checking · 83c911f4
      Dan Carpenter 提交于
      [ Upstream commit 5d6751eaff672ea77642e74e92e6c0ac7f9709ab ]
      
      The "ev->traffic_class" and "reply->ac" variables come from the network
      and they're used as an offset into the wmi->stream_exist_for_ac[] array.
      Those variables are u8 so they can be 0-255 but the stream_exist_for_ac[]
      array only has WMM_NUM_AC (4) elements.  We need to add a couple bounds
      checks to prevent array overflows.
      
      I also modified one existing check from "if (traffic_class > 3) {" to
      "if (traffic_class >= WMM_NUM_AC) {" just to make them all consistent.
      
      Fixes: bdcd8170 (" Add ath6kl cleaned up driver")
      Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      83c911f4
    • T
      ath9k: Check for errors when reading SREV register · 42dcbf20
      Tim Schumacher 提交于
      [ Upstream commit 2f90c7e5d09437a4d8d5546feaae9f1cf48cfbe1 ]
      
      Right now, if an error is encountered during the SREV register
      read (i.e. an EIO in ath9k_regread()), that error code gets
      passed all the way to __ath9k_hw_init(), where it is visible
      during the "Chip rev not supported" message.
      
          ath9k_htc 1-1.4:1.0: ath9k_htc: HTC initialized with 33 credits
          ath: phy2: Mac Chip Rev 0x0f.3 is not supported by this driver
          ath: phy2: Unable to initialize hardware; initialization status: -95
          ath: phy2: Unable to initialize hardware; initialization status: -95
          ath9k_htc: Failed to initialize the device
      
      Check for -EIO explicitly in ath9k_hw_read_revisions() and return
      a boolean based on the success of the operation. Check for that in
      __ath9k_hw_init() and abort with a more debugging-friendly message
      if reading the revisions wasn't successful.
      
          ath9k_htc 1-1.4:1.0: ath9k_htc: HTC initialized with 33 credits
          ath: phy2: Failed to read SREV register
          ath: phy2: Could not read hardware revision
          ath: phy2: Unable to initialize hardware; initialization status: -95
          ath: phy2: Unable to initialize hardware; initialization status: -95
          ath9k_htc: Failed to initialize the device
      
      This helps when debugging by directly showing the first point of
      failure and it could prevent possible errors if a 0x0f.3 revision
      is ever supported.
      Signed-off-by: NTim Schumacher <timschumi@gmx.de>
      Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      42dcbf20
    • S
      ath10k: Do not send probe response template for mesh · 7e19e658
      Surabhi Vishnoi 提交于
      [ Upstream commit 97354f2c432788e3163134df6bb144f4b6289d87 ]
      
      Currently mac80211 do not support probe response template for
      mesh point. When WMI_SERVICE_BEACON_OFFLOAD is enabled, host
      driver tries to configure probe response template for mesh, but
      it fails because the interface type is not NL80211_IFTYPE_AP but
      NL80211_IFTYPE_MESH_POINT.
      
      To avoid this failure, skip sending probe response template to
      firmware for mesh point.
      
      Tested HW: WCN3990/QCA6174/QCA9984
      Signed-off-by: NSurabhi Vishnoi <svishnoi@codeaurora.org>
      Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      7e19e658
    • G
      wil6210: fix potential out-of-bounds read · 009edc62
      Gustavo A. R. Silva 提交于
      [ Upstream commit bfabdd6997323adbedccb13a3fed1967fb8cf8f5 ]
      
      Notice that *rc* can evaluate to up to 5, include/linux/netdevice.h:
      
      enum gro_result {
              GRO_MERGED,
              GRO_MERGED_FREE,
              GRO_HELD,
              GRO_NORMAL,
              GRO_DROP,
              GRO_CONSUMED,
      };
      typedef enum gro_result gro_result_t;
      
      In case *rc* evaluates to 5, we end up having an out-of-bounds read
      at drivers/net/wireless/ath/wil6210/txrx.c:821:
      
      	wil_dbg_txrx(wil, "Rx complete %d bytes => %s\n",
      		     len, gro_res_str[rc]);
      
      Fix this by adding element "GRO_CONSUMED" to array gro_res_str.
      
      Addresses-Coverity-ID: 1444666 ("Out-of-bounds read")
      Fixes: 194b482b ("wil6210: Debug print GRO Rx result")
      Signed-off-by: NGustavo A. R. Silva <gustavo@embeddedor.com>
      Reviewed-by: NMaya Erez <merez@codeaurora.org>
      Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      009edc62
    • S
      dmaengine: imx-sdma: fix use-after-free on probe error path · 09593c25
      Sven Van Asbroeck 提交于
      [ Upstream commit 2b8066c3deb9140fdf258417a51479b2aeaa7622 ]
      
      If probe() fails anywhere beyond the point where
      sdma_get_firmware() is called, then a kernel oops may occur.
      
      Problematic sequence of events:
      1. probe() calls sdma_get_firmware(), which schedules the
         firmware callback to run when firmware becomes available,
         using the sdma instance structure as the context
      2. probe() encounters an error, which deallocates the
         sdma instance structure
      3. firmware becomes available, firmware callback is
         called with deallocated sdma instance structure
      4. use after free - kernel oops !
      
      Solution: only attempt to load firmware when we're certain
      that probe() will succeed. This guarantees that the firmware
      callback's context will remain valid.
      
      Note that the remove() path is unaffected by this issue: the
      firmware loader will increment the driver module's use count,
      ensuring that the module cannot be unloaded while the
      firmware callback is pending or running.
      Signed-off-by: NSven Van Asbroeck <TheSven73@gmail.com>
      Reviewed-by: NRobin Gong <yibin.gong@nxp.com>
      [vkoul: fixed braces for if condition]
      Signed-off-by: NVinod Koul <vkoul@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      09593c25
    • M
      scsi: iscsi: set auth_protocol back to NULL if CHAP_A value is not supported · 06e15cf5
      Maurizio Lombardi 提交于
      [ Upstream commit 5dd6c49339126c2c8df2179041373222362d6e49 ]
      
      If the CHAP_A value is not supported, the chap_server_open() function
      should free the auth_protocol pointer and set it to NULL, or we will leave
      a dangling pointer around.
      
      [   66.010905] Unsupported CHAP_A value
      [   66.011660] Security negotiation failed.
      [   66.012443] iSCSI Login negotiation failed.
      [   68.413924] general protection fault: 0000 [#1] SMP PTI
      [   68.414962] CPU: 0 PID: 1562 Comm: targetcli Kdump: loaded Not tainted 4.18.0-80.el8.x86_64 #1
      [   68.416589] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
      [   68.417677] RIP: 0010:__kmalloc_track_caller+0xc2/0x210
      Signed-off-by: NMaurizio Lombardi <mlombard@redhat.com>
      Reviewed-by: NChris Leech <cleech@redhat.com>
      Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      06e15cf5
    • N
      arm64/efi: Mark __efistub_stext_offset as an absolute symbol explicitly · 37cb02da
      Nathan Chancellor 提交于
      [ Upstream commit aa69fb62bea15126e744af2e02acc0d6cf3ed4da ]
      
      After r363059 and r363928 in LLVM, a build using ld.lld as the linker
      with CONFIG_RANDOMIZE_BASE enabled fails like so:
      
      ld.lld: error: relocation R_AARCH64_ABS32 cannot be used against symbol
      __efistub_stext_offset; recompile with -fPIC
      
      Fangrui and Peter figured out that ld.lld is incorrectly considering
      __efistub_stext_offset as a relative symbol because of the order in
      which symbols are evaluated. _text is treated as an absolute symbol
      and stext is a relative symbol, making __efistub_stext_offset a
      relative symbol.
      
      Adding ABSOLUTE will force ld.lld to evalute this expression in the
      right context and does not change ld.bfd's behavior. ld.lld will
      need to be fixed but the developers do not see a quick or simple fix
      without some research (see the linked issue for further explanation).
      Add this simple workaround so that ld.lld can continue to link kernels.
      
      Link: https://github.com/ClangBuiltLinux/linux/issues/561
      Link: https://github.com/llvm/llvm-project/commit/025a815d75d2356f2944136269aa5874721ec236
      Link: https://github.com/llvm/llvm-project/commit/249fde85832c33f8b06c6b4ac65d1c4b96d23b83Acked-by: NArd Biesheuvel <ard.biesheuvel@linaro.org>
      Debugged-by: NFangrui Song <maskray@google.com>
      Debugged-by: NPeter Smith <peter.smith@linaro.org>
      Suggested-by: NFangrui Song <maskray@google.com>
      Signed-off-by: NNathan Chancellor <natechancellor@gmail.com>
      [will: add comment]
      Signed-off-by: NWill Deacon <will@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      37cb02da
    • K
      MIPS: fix build on non-linux hosts · 73ebefc8
      Kevin Darbyshire-Bryant 提交于
      [ Upstream commit 1196364f21ffe5d1e6d83cafd6a2edb89404a3ae ]
      
      calc_vmlinuz_load_addr.c requires SZ_64K to be defined for alignment
      purposes.  It included "../../../../include/linux/sizes.h" to define
      that size, however "sizes.h" tries to include <linux/const.h> which
      assumes linux system headers.  These may not exist eg. the following
      error was encountered when building Linux for OpenWrt under macOS:
      
      In file included from arch/mips/boot/compressed/calc_vmlinuz_load_addr.c:16:
      arch/mips/boot/compressed/../../../../include/linux/sizes.h:11:10: fatal error: 'linux/const.h' file not found
               ^~~~~~~~~~
      
      Change makefile to force building on local linux headers instead of
      system headers.  Also change eye-watering relative reference in include
      file spec.
      
      Thanks to Jo-Philip Wich & Petr Štetiar for assistance in tracking this
      down & fixing.
      Suggested-by: NJo-Philipp Wich <jo@mein.io>
      Signed-off-by: NPetr Štetiar <ynezz@true.cz>
      Signed-off-by: NKevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
      Signed-off-by: NPaul Burton <paul.burton@mips.com>
      Cc: linux-mips@vger.kernel.org
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      73ebefc8
    • S
      MIPS: ath79: fix ar933x uart parity mode · 7202df6b
      Stefan Hellermann 提交于
      [ Upstream commit db13a5ba2732755cf13320f3987b77cf2a71e790 ]
      
      While trying to get the uart with parity working I found setting even
      parity enabled odd parity insted. Fix the register settings to match
      the datasheet of AR9331.
      
      A similar patch was created by 8devices, but not sent upstream.
      https://github.com/8devices/openwrt-8devices/commit/77c5586ade3bb72cda010afad3f209ed0c98ea7cSigned-off-by: NStefan Hellermann <stefan@the2masters.de>
      Signed-off-by: NPaul Burton <paul.burton@mips.com>
      Cc: linux-mips@vger.kernel.org
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      7202df6b
  2. 21 7月, 2019 30 次提交