<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/net/wireless/rsi, branch linux-5.2.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>rsi: fix a double free bug in rsi_91x_deinit()</title>
<updated>2019-09-19T07:11:08+00:00</updated>
<author>
<name>Hui Peng</name>
<email>benquike@gmail.com</email>
</author>
<published>2019-08-19T22:02:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=8803770b85d32505a71dd623a5483b8fe2b50e31'/>
<id>8803770b85d32505a71dd623a5483b8fe2b50e31</id>
<content type='text'>
commit 8b51dc7291473093c821195c4b6af85fadedbc2f upstream.

`dev` (struct rsi_91x_usbdev *) field of adapter
(struct rsi_91x_usbdev *) is allocated  and initialized in
`rsi_init_usb_interface`. If any error is detected in information
read from the device side,  `rsi_init_usb_interface` will be
freed. However, in the higher level error handling code in
`rsi_probe`, if error is detected, `rsi_91x_deinit` is called
again, in which `dev` will be freed again, resulting double free.

This patch fixes the double free by removing the free operation on
`dev` in `rsi_init_usb_interface`, because `rsi_91x_deinit` is also
used in `rsi_disconnect`, in that code path, the `dev` field is not
 (and thus needs to be) freed.

This bug was found in v4.19, but is also present in the latest version
of kernel. Fixes CVE-2019-15504.

Reported-by: Hui Peng &lt;benquike@gmail.com&gt;
Reported-by: Mathias Payer &lt;mathias.payer@nebelwelt.net&gt;
Signed-off-by: Hui Peng &lt;benquike@gmail.com&gt;
Reviewed-by: Guenter Roeck &lt;linux@roeck-us.net&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 8b51dc7291473093c821195c4b6af85fadedbc2f upstream.

`dev` (struct rsi_91x_usbdev *) field of adapter
(struct rsi_91x_usbdev *) is allocated  and initialized in
`rsi_init_usb_interface`. If any error is detected in information
read from the device side,  `rsi_init_usb_interface` will be
freed. However, in the higher level error handling code in
`rsi_probe`, if error is detected, `rsi_91x_deinit` is called
again, in which `dev` will be freed again, resulting double free.

This patch fixes the double free by removing the free operation on
`dev` in `rsi_init_usb_interface`, because `rsi_91x_deinit` is also
used in `rsi_disconnect`, in that code path, the `dev` field is not
 (and thus needs to be) freed.

This bug was found in v4.19, but is also present in the latest version
of kernel. Fixes CVE-2019-15504.

Reported-by: Hui Peng &lt;benquike@gmail.com&gt;
Reported-by: Mathias Payer &lt;mathias.payer@nebelwelt.net&gt;
Signed-off-by: Hui Peng &lt;benquike@gmail.com&gt;
Reviewed-by: Guenter Roeck &lt;linux@roeck-us.net&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>rsi: Properly initialize data in rsi_sdio_ta_reset</title>
<updated>2019-05-28T11:31:36+00:00</updated>
<author>
<name>Nathan Chancellor</name>
<email>natechancellor@gmail.com</email>
</author>
<published>2019-05-23T15:30:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=f57b5d85ed5865f0cd0a6dc4726c995b9e57e28a'/>
<id>f57b5d85ed5865f0cd0a6dc4726c995b9e57e28a</id>
<content type='text'>
When building with -Wuninitialized, Clang warns:

drivers/net/wireless/rsi/rsi_91x_sdio.c:940:43: warning: variable 'data'
is uninitialized when used here [-Wuninitialized]
        put_unaligned_le32(TA_HOLD_THREAD_VALUE, data);
                                                 ^~~~
drivers/net/wireless/rsi/rsi_91x_sdio.c:930:10: note: initialize the
variable 'data' to silence this warning
        u8 *data;
                ^
                 = NULL
1 warning generated.

Using Clang's suggestion of initializing data to NULL wouldn't work out
because data will be dereferenced by put_unaligned_le32. Use kzalloc to
properly initialize data, which matches a couple of other places in this
driver.

Fixes: e5a1ecc97e5f ("rsi: add firmware loading for 9116 device")
Link: https://github.com/ClangBuiltLinux/linux/issues/464
Signed-off-by: Nathan Chancellor &lt;natechancellor@gmail.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When building with -Wuninitialized, Clang warns:

drivers/net/wireless/rsi/rsi_91x_sdio.c:940:43: warning: variable 'data'
is uninitialized when used here [-Wuninitialized]
        put_unaligned_le32(TA_HOLD_THREAD_VALUE, data);
                                                 ^~~~
drivers/net/wireless/rsi/rsi_91x_sdio.c:930:10: note: initialize the
variable 'data' to silence this warning
        u8 *data;
                ^
                 = NULL
1 warning generated.

Using Clang's suggestion of initializing data to NULL wouldn't work out
because data will be dereferenced by put_unaligned_le32. Use kzalloc to
properly initialize data, which matches a couple of other places in this
driver.

Fixes: e5a1ecc97e5f ("rsi: add firmware loading for 9116 device")
Link: https://github.com/ClangBuiltLinux/linux/issues/464
Signed-off-by: Nathan Chancellor &lt;natechancellor@gmail.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>treewide: Add SPDX license identifier - Makefile/Kconfig</title>
<updated>2019-05-21T08:50:46+00:00</updated>
<author>
<name>Thomas Gleixner</name>
<email>tglx@linutronix.de</email>
</author>
<published>2019-05-19T12:07:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ec8f24b7faaf3d4799a7c3f4c1b87f6b02778ad1'/>
<id>ec8f24b7faaf3d4799a7c3f4c1b87f6b02778ad1</id>
<content type='text'>
Add SPDX license identifiers to all Make/Kconfig files which:

 - Have no license information of any form

These files fall under the project license, GPL v2 only. The resulting SPDX
license identifier is:

  GPL-2.0-only

Signed-off-by: Thomas Gleixner &lt;tglx@linutronix.de&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Add SPDX license identifiers to all Make/Kconfig files which:

 - Have no license information of any form

These files fall under the project license, GPL v2 only. The resulting SPDX
license identifier is:

  GPL-2.0-only

Signed-off-by: Thomas Gleixner &lt;tglx@linutronix.de&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>rsi: miscallaneous changes for 9116 and common</title>
<updated>2019-04-25T16:44:29+00:00</updated>
<author>
<name>Siva Rebbagondla</name>
<email>siva8118@gmail.com</email>
</author>
<published>2019-04-03T04:13:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=0a60014b76f512f18e48cfb4efc71e07c6791996'/>
<id>0a60014b76f512f18e48cfb4efc71e07c6791996</id>
<content type='text'>
Below changes are done:
* Device 80MHz clock should be disabled for 9116 in 20MHz band.
* Default edca parameters should be used initially before
  connection.
* Default TA aggregation is 3 for 9116.
* Bootup parameters should be loaded first when channel is
  changed.
* 4 byte register writes are possible for 9116.

Signed-off-by: Siva Rebbagondla &lt;siva8118@gmail.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Below changes are done:
* Device 80MHz clock should be disabled for 9116 in 20MHz band.
* Default edca parameters should be used initially before
  connection.
* Default TA aggregation is 3 for 9116.
* Bootup parameters should be loaded first when channel is
  changed.
* 4 byte register writes are possible for 9116.

Signed-off-by: Siva Rebbagondla &lt;siva8118@gmail.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>rsi: reset device changes for 9116</title>
<updated>2019-04-25T16:44:29+00:00</updated>
<author>
<name>Siva Rebbagondla</name>
<email>siva8118@gmail.com</email>
</author>
<published>2019-04-03T04:13:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=17ff2c794f39f8c1bc7119e5fd9957efc69c3c72'/>
<id>17ff2c794f39f8c1bc7119e5fd9957efc69c3c72</id>
<content type='text'>
Device reset register(watchdog timer related) addresses and
values are different for 9116.

Signed-off-by: Siva Rebbagondla &lt;siva8118@gmail.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Device reset register(watchdog timer related) addresses and
values are different for 9116.

Signed-off-by: Siva Rebbagondla &lt;siva8118@gmail.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>rsi: send new tx command frame wlan9116 features</title>
<updated>2019-04-25T16:44:28+00:00</updated>
<author>
<name>Siva Rebbagondla</name>
<email>siva8118@gmail.com</email>
</author>
<published>2019-04-03T04:13:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=1533f976c66896cc3454e48ed48f84addcd740d1'/>
<id>1533f976c66896cc3454e48ed48f84addcd740d1</id>
<content type='text'>
For 9116 device, we have introduced w9116 features frame, which shall be
send when radio capabilities confirm is received.

Signed-off-by: Siva Rebbagondla &lt;siva8118@gmail.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
For 9116 device, we have introduced w9116 features frame, which shall be
send when radio capabilities confirm is received.

Signed-off-by: Siva Rebbagondla &lt;siva8118@gmail.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>rsi: new bootup parameters for 9116</title>
<updated>2019-04-25T16:44:27+00:00</updated>
<author>
<name>Siva Rebbagondla</name>
<email>siva8118@gmail.com</email>
</author>
<published>2019-04-03T04:13:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=f911c86166d5022da15451a95de34cffaf95516c'/>
<id>f911c86166d5022da15451a95de34cffaf95516c</id>
<content type='text'>
Bootup parameters are different for 9116 device. Check added for device
model where-ever bootup parameters are being send.

Signed-off-by: Siva Rebbagondla &lt;siva8118@gmail.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Bootup parameters are different for 9116 device. Check added for device
model where-ever bootup parameters are being send.

Signed-off-by: Siva Rebbagondla &lt;siva8118@gmail.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>rsi: change in device init frame sequence for 9116</title>
<updated>2019-04-25T16:44:26+00:00</updated>
<author>
<name>Siva Rebbagondla</name>
<email>siva8118@gmail.com</email>
</author>
<published>2019-04-03T04:13:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=9ba4562ac195f8b9ceca47e7ff3aab046e9e542a'/>
<id>9ba4562ac195f8b9ceca47e7ff3aab046e9e542a</id>
<content type='text'>
Initial frame exchange sequence has been changed for 9116 chip. Getting MAC
address using EEPROM read frame will be once common device configuration is
done and RESET_MAC frame is sending after bootup parameters confirmation is
received, which are different from RS9113 device

Signed-off-by: Siva Rebbagondla &lt;siva8118@gmail.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Initial frame exchange sequence has been changed for 9116 chip. Getting MAC
address using EEPROM read frame will be once common device configuration is
done and RESET_MAC frame is sending after bootup parameters confirmation is
received, which are different from RS9113 device

Signed-off-by: Siva Rebbagondla &lt;siva8118@gmail.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>rsi: add firmware loading for 9116 device</title>
<updated>2019-04-25T16:44:25+00:00</updated>
<author>
<name>Siva Rebbagondla</name>
<email>siva8118@gmail.com</email>
</author>
<published>2019-04-03T04:13:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=e5a1ecc97e5f717934685bf62a4d398df331459e'/>
<id>e5a1ecc97e5f717934685bf62a4d398df331459e</id>
<content type='text'>
New firmware files and firmware loading method are added for 9116.

Signed-off-by: Siva Rebbagondla &lt;siva8118@gmail.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
New firmware files and firmware loading method are added for 9116.

Signed-off-by: Siva Rebbagondla &lt;siva8118@gmail.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>rsi: move common part of firmware load to separate function</title>
<updated>2019-04-25T16:44:24+00:00</updated>
<author>
<name>Siva Rebbagondla</name>
<email>siva8118@gmail.com</email>
</author>
<published>2019-04-03T04:13:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=3ac61578fbd49dd13c62f11c94aa0044b6daa682'/>
<id>3ac61578fbd49dd13c62f11c94aa0044b6daa682</id>
<content type='text'>
Till software bootloader ready state, communication with device is common
for 9113 and 9116. Hence moved that part of firmware loading to separate
function rsi_prepare_fw_load(). Also LMAC_VER_OFFSET is different for 9113
and 9116, so renamed existing macro to LMAC_VER_OFFSET_9113

Signed-off-by: Siva Rebbagondla &lt;siva8118@gmail.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Till software bootloader ready state, communication with device is common
for 9113 and 9116. Hence moved that part of firmware loading to separate
function rsi_prepare_fw_load(). Also LMAC_VER_OFFSET is different for 9113
and 9116, so renamed existing macro to LMAC_VER_OFFSET_9113

Signed-off-by: Siva Rebbagondla &lt;siva8118@gmail.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
