1. 26 4月, 2019 10 次提交
    • A
      rsi: Fix NULL pointer dereference in kmalloc · d5414c23
      Aditya Pakki 提交于
      kmalloc can fail in rsi_register_rates_channels but memcpy still attempts
      to write to channels. The patch replaces these calls with kmemdup and
      passes the error upstream.
      Signed-off-by: NAditya Pakki <pakki001@umn.edu>
      Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
      d5414c23
    • T
      rt2x00: code-style fix in rt2800usb.c · 9490c560
      Tomislav Požega 提交于
      Remove space leftovers.
      Signed-off-by: NTomislav Požega <pozega.tomislav@gmail.com>
      Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
      9490c560
    • S
      rt2x00: do not print error when queue is full · 61a4e5ff
      Stanislaw Gruszka 提交于
      For unknown reasons printk() on some context can cause CPU hung on
      embedded MT7620 AP/router MIPS platforms. What can result on wifi
      disconnects.
      
      This patch move queue full messages to debug level what is consistent
      with other mac80211 drivers which drop packet silently if tx queue is
      full. This make MT7620 OpenWRT routers more stable, what was reported
      by various users.
      Signed-off-by: NStanislaw Gruszka <sgruszka@redhat.com>
      Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
      61a4e5ff
    • S
      rt2x00: check number of EPROTO errors · e383c704
      Stanislaw Gruszka 提交于
      Some USB host devices/drivers on some conditions can always return
      EPROTO error on submitted URBs. That can cause infinity loop in the
      rt2x00 driver.
      
      Since we can have single EPROTO errors we can not mark as device as
      removed to avoid infinity loop. However we can count consecutive
      EPROTO errors and mark device as removed if get lot of it.
      I choose number 10 as threshold.
      Reported-and-tested-by: NRandy Oostdyk <linux-kernel@oostdyk.com>
      Signed-off-by: NStanislaw Gruszka <sgruszka@redhat.com>
      Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
      e383c704
    • S
      rt2x00: use ratelimited variants dev_warn/dev_err · bb3b18c9
      Stanislaw Gruszka 提交于
      As reported by Randy we can overwhelm logs on some USB error conditions.
      To avoid that use dev_warn_ratelimited() and dev_err_ratelimitd().
      Reported-and-tested-by: NRandy Oostdyk <linux-kernel@oostdyk.com>
      Signed-off-by: NStanislaw Gruszka <sgruszka@redhat.com>
      Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
      bb3b18c9
    • K
      net: cw1200: fix a NULL pointer dereference · 0ed2a005
      Kangjie Lu 提交于
      In case create_singlethread_workqueue fails, the fix free the
      hardware and returns NULL to avoid NULL pointer dereference.
      Signed-off-by: NKangjie Lu <kjlu@umn.edu>
      Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
      0ed2a005
    • Y
      ssb: Fix possible NULL pointer dereference in ssb_host_pcmcia_exit · b2c01aab
      YueHaibing 提交于
      Syzkaller report this:
      
      kasan: GPF could be caused by NULL-ptr deref or user memory access
      general protection fault: 0000 [#1] SMP KASAN PTI
      CPU: 0 PID: 4492 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #45
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
      RIP: 0010:sysfs_remove_file_ns+0x27/0x70 fs/sysfs/file.c:468
      Code: 00 00 00 41 54 55 48 89 fd 53 49 89 d4 48 89 f3 e8 ee 76 9c ff 48 8d 7d 30 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 75 2d 48 89 da 48 b8 00 00 00 00 00 fc ff df 48 8b 6d
      RSP: 0018:ffff8881e9d9fc00 EFLAGS: 00010206
      RAX: dffffc0000000000 RBX: ffffffff900367e0 RCX: ffffffff81a95952
      RDX: 0000000000000006 RSI: ffffc90001405000 RDI: 0000000000000030
      RBP: 0000000000000000 R08: fffffbfff1fa22ed R09: fffffbfff1fa22ed
      R10: 0000000000000001 R11: fffffbfff1fa22ec R12: 0000000000000000
      R13: ffffffffc1abdac0 R14: 1ffff1103d3b3f8b R15: 0000000000000000
      FS:  00007fe409dc1700(0000) GS:ffff8881f1200000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000001b2d721000 CR3: 00000001e98b6005 CR4: 00000000007606f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      PKRU: 55555554
      Call Trace:
       sysfs_remove_file include/linux/sysfs.h:519 [inline]
       driver_remove_file+0x40/0x50 drivers/base/driver.c:122
       pcmcia_remove_newid_file drivers/pcmcia/ds.c:163 [inline]
       pcmcia_unregister_driver+0x7d/0x2b0 drivers/pcmcia/ds.c:209
       ssb_modexit+0xa/0x1b [ssb]
       __do_sys_delete_module kernel/module.c:1018 [inline]
       __se_sys_delete_module kernel/module.c:961 [inline]
       __x64_sys_delete_module+0x3dc/0x5e0 kernel/module.c:961
       do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x462e99
      Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
      RSP: 002b:00007fe409dc0c58 EFLAGS: 00000246 ORIG_RAX: 00000000000000b0
      RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
      RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000200000c0
      RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe409dc16bc
      R13: 00000000004bccaa R14: 00000000006f6bc8 R15: 00000000ffffffff
      Modules linked in: ssb(-) 3c59x nvme_core macvlan tap pata_hpt3x3 rt2x00pci null_blk tsc40 pm_notifier_error_inject notifier_error_inject mdio cdc_wdm nf_reject_ipv4 ath9k_common ath9k_hw ath pppox ppp_generic slhc ehci_platform wl12xx wlcore tps6507x_ts ioc4 nf_synproxy_core ide_gd_mod ax25 can_dev iwlwifi can_raw atm tm2_touchkey can_gw can sundance adp5588_keys rt2800mmio rt2800lib rt2x00mmio rt2x00lib eeprom_93cx6 pn533 lru_cache elants_i2c ip_set nfnetlink gameport tipc hampshire nhc_ipv6 nhc_hop nhc_udp nhc_fragment nhc_routing nhc_mobility nhc_dest 6lowpan silead brcmutil nfc mt76_usb mt76 mac80211 iptable_security iptable_raw iptable_mangle iptable_nat nf_nat_ipv4 nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter bpfilter ip6_vti ip_gre sit hsr veth vxcan batman_adv cfg80211 rfkill chnl_net caif nlmon vcan bridge stp llc ip6_gre ip6_tunnel tunnel6 tun joydev mousedev serio_raw ide_pci_generic piix floppy ide_core sch_fq_codel ip_tables x_tables ipv6
       [last unloaded: 3c59x]
      Dumping ftrace buffer:
         (ftrace buffer empty)
      ---[ end trace 3913cbf8011e1c05 ]---
      
      In ssb_modinit, it does not fail SSB init when ssb_host_pcmcia_init failed,
      however in ssb_modexit, ssb_host_pcmcia_exit calls pcmcia_unregister_driver
      unconditionally, which may tigger a NULL pointer dereference issue as above.
      Reported-by: NHulk Robot <hulkci@huawei.com>
      Fixes: 399500da ("ssb: pick PCMCIA host code support from b43 driver")
      Signed-off-by: NYueHaibing <yuehaibing@huawei.com>
      Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
      b2c01aab
    • Y
      ray_cs: use remove_proc_subtree to simplify procfs code · 3b6edcb3
      YueHaibing 提交于
      Use remove_proc_subtree to remove the whole subtree
      Signed-off-by: NYueHaibing <yuehaibing@huawei.com>
      Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
      3b6edcb3
    • Y
      ray_cs: Check return value of pcmcia_register_driver · 444efbde
      YueHaibing 提交于
      init_ray_cs does not check value of pcmcia_register_driver,
      if it fails, there maybe cause a NULL pointer dereference in
      exit_ray_cs.
      Signed-off-by: NYueHaibing <yuehaibing@huawei.com>
      Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
      444efbde
    • G
      rndis_wlan: use struct_size() helper · d442af2e
      Gustavo A. R. Silva 提交于
      Make use of the struct_size() helper instead of an open-coded version
      in order to avoid any potential type mistakes, in particular in the
      context in which this code is being used.
      
      So, replace code of the following form:
      
      sizeof(*pmkids) + max_pmkids * sizeof(pmkids->bssid_info[0])
      
      with:
      
      struct_size(pmkids, bssid_info, num_pmkids)
      
      This code was detected with the help of Coccinelle.
      Signed-off-by: NGustavo A. R. Silva <gustavo@embeddedor.com>
      Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
      d442af2e
  2. 25 4月, 2019 1 次提交
  3. 19 4月, 2019 29 次提交