linux-stable.git/drivers/net/wireless/quantenna, branch linux-5.4.y Linux kernel stable tree qtnfmac: Fix possible buffer overflow in qtnf_event_handle_external_auth 2021-05-19T08:08:24+00:00 Lee Gibson leegib@gmail.com 2021-04-19T14:58:42+00:00 d26436a3b913a5a25db29c460d27e6c9673cf741 [ Upstream commit 130f634da1af649205f4a3dd86cbe5c126b57914 ] Function qtnf_event_handle_external_auth calls memcpy without checking the length. A user could control that length and trigger a buffer overflow. Fix by checking the length is within the maximum allowed size. Signed-off-by: Lee Gibson <leegib@gmail.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20210419145842.345787-1-leegib@gmail.com Signed-off-by: Sasha Levin <sashal@kernel.org> 
[ Upstream commit 130f634da1af649205f4a3dd86cbe5c126b57914 ]

Function qtnf_event_handle_external_auth calls memcpy without
checking the length.
A user could control that length and trigger a buffer overflow.
Fix by checking the length is within the maximum allowed size.

Signed-off-by: Lee Gibson <leegib@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20210419145842.345787-1-leegib@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
qtnfmac: fix error return code in qtnf_pcie_probe() 2020-12-30T10:51:11+00:00 Wang Hai wanghai38@huawei.com 2020-11-14T12:33:47+00:00 f7a6e378fc175734de2a087c4bd94b6fe9ff4833 [ Upstream commit 31e07aa33fa7cdc93fa91c3f78f031e8d38862c2 ] Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function. Fixes: b7da53cd6cd1 ("qtnfmac_pcie: use single PCIe driver for all platforms") Reported-by: Hulk Robot <hulkci@huawei.com> Signed-off-by: Wang Hai <wanghai38@huawei.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20201114123347.29632-1-wanghai38@huawei.com Signed-off-by: Sasha Levin <sashal@kernel.org> 
[ Upstream commit 31e07aa33fa7cdc93fa91c3f78f031e8d38862c2 ]

Fix to return a negative error code from the error handling
case instead of 0, as done elsewhere in this function.

Fixes: b7da53cd6cd1 ("qtnfmac_pcie: use single PCIe driver for all platforms")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Wang Hai <wanghai38@huawei.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20201114123347.29632-1-wanghai38@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
qtnfmac: fix resource leaks on unsupported iftype error return path 2020-10-29T08:57:43+00:00 Colin Ian King colin.king@canonical.com 2020-09-25T13:22:24+00:00 cbe5109aa47be52e96f596deff45a5881d5b2214 [ Upstream commit 63f6982075d890d7563e2469643f05a37d193f01 ] Currently if an unsupported iftype is detected the error return path does not free the cmd_skb leading to a resource leak. Fix this by free'ing cmd_skb. Addresses-Coverity: ("Resource leak") Fixes: 805b28c05c8e ("qtnfmac: prepare for AP_VLAN interface type support") Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20200925132224.21638-1-colin.king@canonical.com Signed-off-by: Sasha Levin <sashal@kernel.org> 
[ Upstream commit 63f6982075d890d7563e2469643f05a37d193f01 ]

Currently if an unsupported iftype is detected the error return path
does not free the cmd_skb leading to a resource leak. Fix this by
free'ing cmd_skb.

Addresses-Coverity: ("Resource leak")
Fixes: 805b28c05c8e ("qtnfmac: prepare for AP_VLAN interface type support")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20200925132224.21638-1-colin.king@canonical.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
qtnfmac: fix using skb after free 2019-12-31T15:45:28+00:00 Sergey Matyukevich sergey.matyukevich.os@quantenna.com 2019-11-13T11:06:47+00:00 a9f6525550644a29306facdfa23b4ee4bc05cc89 [ Upstream commit 4a33f21cef84b1b933958c99ed5dac1726214b35 ] KASAN reported use-after-free error: [ 995.220767] BUG: KASAN: use-after-free in qtnf_cmd_send_with_reply+0x169/0x3e0 [qtnfmac] [ 995.221098] Read of size 2 at addr ffff888213d1ded0 by task kworker/1:1/71 The issue in qtnf_cmd_send_with_reply impacts all the commands that do not need response other then return code. For such commands, consume_skb is used for response skb and right after that return code in response skb is accessed. Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 
[ Upstream commit 4a33f21cef84b1b933958c99ed5dac1726214b35 ]

KASAN reported use-after-free error:

[  995.220767] BUG: KASAN: use-after-free in qtnf_cmd_send_with_reply+0x169/0x3e0 [qtnfmac]
[  995.221098] Read of size 2 at addr ffff888213d1ded0 by task kworker/1:1/71

The issue in qtnf_cmd_send_with_reply impacts all the commands that do
not need response other then return code. For such commands, consume_skb
is used for response skb and right after that return code in response
skb is accessed.

Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
qtnfmac: fix invalid channel information output 2019-12-31T15:45:27+00:00 Sergey Matyukevich sergey.matyukevich.os@quantenna.com 2019-11-13T11:06:51+00:00 a9a6a4e3708d1d167fb868783a5a16dc7268817f [ Upstream commit 24227a9e956a7c9913a7e6e7199a9ae3f540fe88 ] Do not attempt to print frequency for an invalid channel provided by firmware. That channel may simply not exist. Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 
[ Upstream commit 24227a9e956a7c9913a7e6e7199a9ae3f540fe88 ]

Do not attempt to print frequency for an invalid channel
provided by firmware. That channel may simply not exist.

Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
qtnfmac: fix debugfs support for multiple cards 2019-12-31T15:45:27+00:00 Sergey Matyukevich sergey.matyukevich.os@quantenna.com 2019-11-13T11:06:49+00:00 9348d03492f5602b9d139c9a01ba87f17826caad [ Upstream commit dd4c2260dab04f5ae7bdb79b9470e7da56f48145 ] Fix merge artifact for commit 0b68fe10b8e8 ("qtnfmac: modify debugfs to support multiple cards") and finally add debugfs support for multiple qtnfmac wireless cards. Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 
[ Upstream commit dd4c2260dab04f5ae7bdb79b9470e7da56f48145 ]

Fix merge artifact for commit 0b68fe10b8e8 ("qtnfmac: modify debugfs
to support multiple cards") and finally add debugfs support
for multiple qtnfmac wireless cards.

Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
qtnfmac_pcie: Use dev_get_drvdata 2019-08-06T12:33:52+00:00 Chuhong Yuan hslester96@gmail.com 2019-07-24T11:27:53+00:00 1f5f5ea72fc993a1ffdc8f7c16430c921cc16e16 Instead of using to_pci_dev + pci_get_drvdata, use dev_get_drvdata to make code simpler. Signed-off-by: Chuhong Yuan <hslester96@gmail.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> 
Instead of using to_pci_dev + pci_get_drvdata,
use dev_get_drvdata to make code simpler.

Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
qtnfmac: Use struct_size() in kzalloc() 2019-06-25T05:01:32+00:00 Gustavo A. R. Silva gustavo@embeddedor.com 2019-06-07T19:17:45+00:00 9a1ace64ca3b713e1029fed83dc22d8740b20aba One of the more common cases of allocation size calculations is finding the size of a structure that has a zero-sized array at the end, along with memory for some number of elements for that array. For example: struct ieee80211_regdomain { ... struct ieee80211_reg_rule reg_rules[]; }; instance = kzalloc(sizeof(*mac->rd) + sizeof(struct ieee80211_reg_rule) * count, GFP_KERNEL); Instead of leaving these open-coded and prone to type mistakes, we can now use the new struct_size() helper: instance = kzalloc(struct_size(instance, reg_rules, count), GFP_KERNEL); This code was detected with the help of Coccinelle. Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> Reviewed-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> 
One of the more common cases of allocation size calculations is finding
the size of a structure that has a zero-sized array at the end, along
with memory for some number of elements for that array. For example:

struct ieee80211_regdomain {
	...
        struct ieee80211_reg_rule reg_rules[];
};

instance = kzalloc(sizeof(*mac->rd) +
                          sizeof(struct ieee80211_reg_rule) *
                          count, GFP_KERNEL);

Instead of leaving these open-coded and prone to type mistakes, we can
now use the new struct_size() helper:

instance = kzalloc(struct_size(instance, reg_rules, count), GFP_KERNEL);

This code was detected with the help of Coccinelle.

Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Reviewed-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21T08:50:46+00:00 Thomas Gleixner tglx@linutronix.de 2019-05-19T12:07:45+00:00 ec8f24b7faaf3d4799a7c3f4c1b87f6b02778ad1 Add SPDX license identifiers to all Make/Kconfig files which: - Have no license information of any form These files fall under the project license, GPL v2 only. The resulting SPDX license identifier is: GPL-2.0-only Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
Add SPDX license identifiers to all Make/Kconfig files which:

 - Have no license information of any form

These files fall under the project license, GPL v2 only. The resulting SPDX
license identifier is:

  GPL-2.0-only

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
qtnfmac: modify debugfs to support multiple cards 2019-04-26T11:53:13+00:00 Sergey Matyukevich sergey.matyukevich.os@quantenna.com 2019-04-09T07:35:12+00:00 0b68fe10b8e8c1a31c23c58d32e60637fb486b1e This patch modifies location of debugfs entries and their naming conventions to support multiple wireless cards on pcie host. Selected approach is to use separate directories for different wireless cards in top-level qtnfmac debugfs directory. Here is an example that clarifies the chosen naming conventions: $ sudo ls /sys/kernel/debug/qtnfmac/ qtnfmac_pcie:0000:01:00.0 Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> 
This patch modifies location of debugfs entries and their naming
conventions to support multiple wireless cards on pcie host.
Selected approach is to use separate directories for different
wireless cards in top-level qtnfmac debugfs directory.

Here is an example that clarifies the chosen naming conventions:

 $ sudo ls /sys/kernel/debug/qtnfmac/
   qtnfmac_pcie:0000:01:00.0

Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>