linux/drivers/net/wireless/microchip, branch v6.3Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
https://git.shady.money/linux/atom?h=v6.32023-01-17T11:36:25ZMerge wireless into wireless-next2023-01-17T11:36:25ZKalle Valokvalo@kernel.org2023-01-17T11:36:25Zurn:sha1:d0e99511834b6828c960e978d9a8cb6e5731250d
Due to the two cherry picked commits from wireless to wireless-next we have
several conflicts in mt76. To avoid any bugs with conflicts merge wireless into
wireless-next.
96f134dc1964 wifi: mt76: handle possible mt76_rx_token_consume failures
fe13dad8992b wifi: mt76: dma: do not increment queue head if mt76_dma_add_buf fails
treewide: Convert del_timer*() to timer_shutdown*()2022-12-25T21:38:09ZSteven Rostedt (Google)rostedt@goodmis.org2022-12-20T18:45:19Zurn:sha1:292a089d78d3e2f7944e60bb897c977785a321e3
Due to several bugs caused by timers being re-armed after they are
shutdown and just before they are freed, a new state of timers was added
called "shutdown". After a timer is set to this state, then it can no
longer be re-armed.
The following script was run to find all the trivial locations where
del_timer() or del_timer_sync() is called in the same function that the
object holding the timer is freed. It also ignores any locations where
the timer->function is modified between the del_timer*() and the free(),
as that is not considered a "trivial" case.
This was created by using a coccinelle script and the following
commands:
$ cat timer.cocci
@@
expression ptr, slab;
identifier timer, rfield;
@@
(
- del_timer(&ptr->timer);
+ timer_shutdown(&ptr->timer);
|
- del_timer_sync(&ptr->timer);
+ timer_shutdown_sync(&ptr->timer);
)
... when strict
when != ptr->timer
(
kfree_rcu(ptr, rfield);
|
kmem_cache_free(slab, ptr);
|
kfree(ptr);
)
$ spatch timer.cocci . > /tmp/t.patch
$ patch -p1 < /tmp/t.patch
Link: https://lore.kernel.org/lkml/20221123201306.823305113@linutronix.de/
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Acked-by: Pavel Machek <pavel@ucw.cz> [ LED ]
Acked-by: Kalle Valo <kvalo@kernel.org> [ wireless ]
Acked-by: Paolo Abeni <pabeni@redhat.com> [ networking ]
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
wifi: wilc1000: add missing unregister_netdev() in wilc_netdev_ifc_init()2022-12-22T16:06:26ZWang Yufenwangyufen@huawei.com2022-11-24T11:38:22Zurn:sha1:2b88974ecb358990e1c33fabcd0b9e142bab7f21
Fault injection test reports this issue:
kernel BUG at net/core/dev.c:10731!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
Call Trace:
<TASK>
wilc_netdev_ifc_init+0x19f/0x220 [wilc1000 884bf126e9e98af6a708f266a8dffd53f99e4bf5]
wilc_cfg80211_init+0x30c/0x380 [wilc1000 884bf126e9e98af6a708f266a8dffd53f99e4bf5]
wilc_bus_probe+0xad/0x2b0 [wilc1000_spi 1520a7539b6589cc6cde2ae826a523a33f8bacff]
spi_probe+0xe4/0x140
really_probe+0x17e/0x3f0
__driver_probe_device+0xe3/0x170
driver_probe_device+0x49/0x120
The root case here is alloc_ordered_workqueue() fails, but
cfg80211_unregister_netdevice() or unregister_netdev() not be called in
error handling path. To fix add unregister_netdev goto lable to add the
unregister operation in error handling path.
Fixes: 09ed8bfc5215 ("wilc1000: Rename workqueue from "WILC_wq" to "NETDEV-wq"")
Signed-off-by: Wang Yufen <wangyufen@huawei.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/1669289902-23639-1-git-send-email-wangyufen@huawei.com
wifi: wilc1000: fix potential memory leak in wilc_mac_xmit()2022-12-22T16:05:57ZZhang Changzhongzhangchangzhong@huawei.com2022-11-17T11:36:03Zurn:sha1:deb962ec9e1c9a81babd3d37542ad4bd6ac3396e
The wilc_mac_xmit() returns NETDEV_TX_OK without freeing skb, add
dev_kfree_skb() to fix it. Compile tested only.
Fixes: c5c77ba18ea6 ("staging: wilc1000: Add SDIO/SPI 802.11 driver")
Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/1668684964-48622-1-git-send-email-zhangchangzhong@huawei.com
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net2022-11-29T21:04:52ZJakub Kicinskikuba@kernel.org2022-11-29T21:04:52Zurn:sha1:f2bb566f5c977ff010baaa9e5e14d9a75b06e5f2
tools/lib/bpf/ringbuf.c
927cbb478adf ("libbpf: Handle size overflow for ringbuf mmap")
b486d19a0ab0 ("libbpf: checkpatch: Fixed code alignments in ringbuf.c")
https://lore.kernel.org/all/20221121122707.44d1446a@canb.auug.org.au/
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
wifi: wilc1000: validate number of channels2022-11-24T16:11:23ZPhil Turnbullphilipturnbull@github.com2022-11-23T15:35:43Zurn:sha1:0cdfa9e6f0915e3d243e2393bfa8a22e12d553b0
There is no validation of 'e->no_of_channels' which can trigger an
out-of-bounds write in the following 'memset' call. Validate that the
number of channels does not extends beyond the size of the channel list
element.
Signed-off-by: Phil Turnbull <philipturnbull@github.com>
Tested-by: Ajay Kathat <ajay.kathat@microchip.com>
Acked-by: Ajay Kathat <ajay.kathat@microchip.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20221123153543.8568-5-philipturnbull@github.com
wifi: wilc1000: validate length of IEEE80211_P2P_ATTR_CHANNEL_LIST attribute2022-11-24T16:11:23ZPhil Turnbullphilipturnbull@github.com2022-11-23T15:35:42Zurn:sha1:f9b62f9843c7b0afdaecabbcebf1dbba18599408
Validate that the IEEE80211_P2P_ATTR_CHANNEL_LIST attribute contains
enough space for a 'struct wilc_attr_oper_ch'. If the attribute is too
small then it can trigger an out-of-bounds write later in the function.
'struct wilc_attr_oper_ch' is variable sized so also check 'attr_len'
does not extend beyond the end of 'buf'.
Signed-off-by: Phil Turnbull <philipturnbull@github.com>
Tested-by: Ajay Kathat <ajay.kathat@microchip.com>
Acked-by: Ajay Kathat <ajay.kathat@microchip.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20221123153543.8568-4-philipturnbull@github.com
wifi: wilc1000: validate length of IEEE80211_P2P_ATTR_OPER_CHANNEL attribute2022-11-24T16:11:23ZPhil Turnbullphilipturnbull@github.com2022-11-23T15:35:41Zurn:sha1:051ae669e4505abbe05165bebf6be7922de11f41
Validate that the IEEE80211_P2P_ATTR_OPER_CHANNEL attribute contains
enough space for a 'struct struct wilc_attr_oper_ch'. If the attribute is
too small then it triggers an out-of-bounds write later in the function.
Signed-off-by: Phil Turnbull <philipturnbull@github.com>
Tested-by: Ajay Kathat <ajay.kathat@microchip.com>
Acked-by: Ajay Kathat <ajay.kathat@microchip.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20221123153543.8568-3-philipturnbull@github.com
wifi: wilc1000: validate pairwise and authentication suite offsets2022-11-24T16:11:23ZPhil Turnbullphilipturnbull@github.com2022-11-23T15:35:40Zurn:sha1:cd21d99e595ec1d8721e1058dcdd4f1f7de1d793
There is no validation of 'offset' which can trigger an out-of-bounds
read when extracting RSN capabilities.
Signed-off-by: Phil Turnbull <philipturnbull@github.com>
Tested-by: Ajay Kathat <ajay.kathat@microchip.com>
Acked-by: Ajay Kathat <ajay.kathat@microchip.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20221123153543.8568-2-philipturnbull@github.com
wifi: wilc1000: sdio: fix module autoloading2022-11-01T11:07:34ZMichael Wallemichael@walle.cc2022-10-27T17:12:21Zurn:sha1:57d545b5a3d6ce3a8fb6b093f02bfcbb908973f3
There are no SDIO module aliases included in the driver, therefore,
module autoloading isn't working. Add the proper MODULE_DEVICE_TABLE().
Cc: stable@vger.kernel.org
Signed-off-by: Michael Walle <michael@walle.cc>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20221027171221.491937-1-michael@walle.cc