linux-stable.git/drivers/net/wireless, branch v4.5.2 Linux kernel stable tree ath9k: fix buffer overrun for ar9287 2016-04-20T06:45:13+00:00 Arnd Bergmann arnd@arndb.de 2016-03-14T14:18:36+00:00 03cbd08593beff8d7d3e51c68079e4414e50fcca [ Upstream commit 83d6f1f15f8cce844b0a131cbc63e444620e48b5 ] Code that was added back in 2.6.38 has an obvious overflow when accessing a static array, and at the time it was added only a code comment was put in front of it as a reminder to have it reviewed properly. This has not happened, but gcc-6 now points to the specific overflow: drivers/net/wireless/ath/ath9k/eeprom.c: In function 'ath9k_hw_get_gain_boundaries_pdadcs': drivers/net/wireless/ath/ath9k/eeprom.c:483:44: error: array subscript is above array bounds [-Werror=array-bounds] maxPwrT4[i] = data_9287[idxL].pwrPdg[i][4]; ~~~~~~~~~~~~~~~~~~~~~~~~~^~~ It turns out that the correct array length exists in the local 'intercepts' variable of this function, so we can just use that instead of hardcoding '4', so this patch changes all three instances to use that variable. The other two instances were already correct, but it's more consistent this way. Signed-off-by: Arnd Bergmann <arnd@arndb.de> Fixes: 940cd2c12ebf ("ath9k_hw: merge the ar9287 version of ath9k_hw_get_gain_boundaries_pdadcs") Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
[ Upstream commit 83d6f1f15f8cce844b0a131cbc63e444620e48b5 ]

Code that was added back in 2.6.38 has an obvious overflow
when accessing a static array, and at the time it was added
only a code comment was put in front of it as a reminder
to have it reviewed properly.

This has not happened, but gcc-6 now points to the specific
overflow:

drivers/net/wireless/ath/ath9k/eeprom.c: In function 'ath9k_hw_get_gain_boundaries_pdadcs':
drivers/net/wireless/ath/ath9k/eeprom.c:483:44: error: array subscript is above array bounds [-Werror=array-bounds]
     maxPwrT4[i] = data_9287[idxL].pwrPdg[i][4];
                   ~~~~~~~~~~~~~~~~~~~~~~~~~^~~

It turns out that the correct array length exists in the local
'intercepts' variable of this function, so we can just use that
instead of hardcoding '4', so this patch changes all three
instances to use that variable. The other two instances were
already correct, but it's more consistent this way.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Fixes: 940cd2c12ebf ("ath9k_hw: merge the ar9287 version of ath9k_hw_get_gain_boundaries_pdadcs")
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
brcmfmac: Increase nr of supported flowrings. 2016-04-12T14:33:37+00:00 Hante Meuleman meuleman@broadcom.com 2016-02-07T23:00:30+00:00 32f90caa7debdf12a4b582aafef8767254fbe372 commit 19c8f421a61947116898c9f8a28823b9d988df74 upstream. New generation devices have firmware which has more than 256 flowrings. E.g. following debugging message comes from 14e4:4365 BCM4366: [ 194.606245] brcmfmac: brcmf_pcie_init_ringbuffers Nr of flowrings is 264 At various code places (related to flowrings) we were using u8 which could lead to storing wrong number or infinite loops when indexing with this type. This issue was quite easy to spot in brcmf_flowring_detach where it led to infinite loop e.g. on failed initialization. This patch switches code to proper types and increases the maximum number of supported flowrings to 512. Originally this change was sent in September 2015, but back it was causing a regression on BCM43602 resulting in: Unable to handle kernel NULL pointer dereference at virtual address ... The reason for this regression was missing update (s/u8/u16) of struct brcmf_flowring_ring. This problem was handled in 9f64df9 ("brcmfmac: Fix bug in flowring management."). Starting with that it's safe to apply this original patch as it doesn't cause a regression anymore. This patch fixes an infinite loop on BCM4366 which is supported since 4.4 so it makes sense to apply it to stable 4.4+. Reviewed-by: Arend Van Spriel <arend@broadcom.com> Reviewed-by: Franky (Zhenhui) Lin <frankyl@broadcom.com> Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com> Signed-off-by: Hante Meuleman <meuleman@broadcom.com> Signed-off-by: Arend van Spriel <arend@broadcom.com> Signed-off-by: Rafał Miłecki <zajec5@gmail.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 19c8f421a61947116898c9f8a28823b9d988df74 upstream.

New generation devices have firmware which has more than 256 flowrings.
E.g. following debugging message comes from 14e4:4365 BCM4366:
[  194.606245] brcmfmac: brcmf_pcie_init_ringbuffers Nr of flowrings is 264

At various code places (related to flowrings) we were using u8 which
could lead to storing wrong number or infinite loops when indexing with
this type. This issue was quite easy to spot in brcmf_flowring_detach
where it led to infinite loop e.g. on failed initialization.

This patch switches code to proper types and increases the maximum
number of supported flowrings to 512.

Originally this change was sent in September 2015, but back it was
causing a regression on BCM43602 resulting in:
Unable to handle kernel NULL pointer dereference at virtual address ...

The reason for this regression was missing update (s/u8/u16) of struct
brcmf_flowring_ring. This problem was handled in 9f64df9 ("brcmfmac: Fix
bug in flowring management."). Starting with that it's safe to apply
this original patch as it doesn't cause a regression anymore.

This patch fixes an infinite loop on BCM4366 which is supported since
4.4 so it makes sense to apply it to stable 4.4+.

Reviewed-by: Arend Van Spriel <arend@broadcom.com>
Reviewed-by: Franky (Zhenhui) Lin <frankyl@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
Signed-off-by: Hante Meuleman <meuleman@broadcom.com>
Signed-off-by: Arend van Spriel <arend@broadcom.com>
Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
rt2x00: add new rt2800usb device Buffalo WLI-UC-G450 2016-04-12T14:33:22+00:00 Anthony Wong anthony.wong@ubuntu.com 2016-02-23T15:09:22+00:00 0e7ed31563913a559c090c252c42608744788926 commit f36f299068794ffc5026f25b6a1b3ed615ea832d upstream. Add USB ID 0411:01fd for Buffalo WLI-UC-G450 wireless adapter, RT chipset 3593 Signed-off-by: Anthony Wong <anthony.wong@ubuntu.com> Acked-by: Stanislaw Gruszka <sgruszka@redhat.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit f36f299068794ffc5026f25b6a1b3ed615ea832d upstream.

Add USB ID 0411:01fd for Buffalo WLI-UC-G450 wireless adapter,
RT chipset 3593

Signed-off-by: Anthony Wong <anthony.wong@ubuntu.com>
Acked-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Merge tag 'wireless-drivers-for-davem-2016-03-04' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers 2016-03-07T19:58:11+00:00 David S. Miller davem@davemloft.net 2016-03-07T19:58:11+00:00 7024b68ef1310a9dd3b2b40b082588a9826f05f5 Kalle Valo says: ==================== wireless-drivers fixes for 4.5 iwlwifi * free firmware paging memory when the module is unloaded or device removed * fix pending frames counter to fix an issue when removing stations ssb * fix a build problem related to ssb_fill_sprom_with_fallback() ==================== Signed-off-by: David S. Miller <davem@davemloft.net> 
Kalle Valo says:

====================
wireless-drivers fixes for 4.5

iwlwifi

* free firmware paging memory when the module is unloaded or device removed
* fix pending frames counter to fix an issue when removing stations

ssb

* fix a build problem related to ssb_fill_sprom_with_fallback()
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
Merge tag 'iwlwifi-for-kalle-2016-02-25' of https://git.kernel.org/pub/scm/linux/kernel/git/iwlwifi/iwlwifi-fixes 2016-02-26T10:43:40+00:00 Kalle Valo kvalo@codeaurora.org 2016-02-26T10:43:40+00:00 1a4f6557dd7c7f0eba18aadbc72e3cf09dae496d Two fixes for 4.5: * We forgot to free the paging memory (Matti) * Fix the frames in flight accounting (Liad) 
Two fixes for 4.5:
* We forgot to free the paging memory (Matti)
* Fix the frames in flight accounting (Liad)
iwlwifi: mvm: Fix paging memory leak 2016-02-23T19:51:30+00:00 Matti Gottlieb matti.gottlieb@intel.com 2016-02-14T15:05:39+00:00 905e36ae172c83a30894a3adefab7d4f850fcf54 If the opmode is stopped and started again we did not free the paging buffers. Fix that. In addition when freeing the firmware's paging download buffer, set the pointer to NULL. Signed-off-by: Matti Gottlieb <matti.gottlieb@intel.com> Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com> 
If the opmode is stopped and started again we did not free
the paging buffers. Fix that.
In addition when freeing the firmware's paging download
buffer, set the pointer to NULL.

Signed-off-by: Matti Gottlieb <matti.gottlieb@intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Merge tag 'wireless-drivers-for-davem-2016-02-18' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers 2016-02-19T20:51:18+00:00 David S. Miller davem@davemloft.net 2016-02-19T20:51:18+00:00 0b7662cf97ee41af03bc8d4498ff4100d0843338 Kalle Valo says: ==================== rtlwifi * fix broken VHT (802.11ac) support, reported by Linus wlcore * fix firmware initialisation regression on wl1271 iwlwifi * fix a race that users reported when we try to load the firmware and the hardware rfkill interrupt triggers at the same time * fix a very visible bug in scheduled scan: the firmware doesn't support scheduled scan with no profile configured and the supplicant sometimes requests such scheduled scans * build system fix to be able to link iwlwifi statically into kernel * firmware name update for 8265 * typo fix in return value ==================== Signed-off-by: David S. Miller <davem@davemloft.net> 
Kalle Valo says:

====================
rtlwifi

* fix broken VHT (802.11ac) support, reported by Linus

wlcore

* fix firmware initialisation regression on wl1271

iwlwifi

* fix a race that users reported when we try to load the firmware
  and the hardware rfkill interrupt triggers at the same time
* fix a very visible bug in scheduled scan: the firmware
  doesn't support scheduled scan with no profile configured and
  the supplicant sometimes requests such scheduled scans
* build system fix to be able to link iwlwifi statically into kernel
* firmware name update for 8265
* typo fix in return value
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
Merge tag 'iwlwifi-for-kalle-2016-02-15' of https://git.kernel.org/pub/scm/linux/kernel/git/iwlwifi/iwlwifi-fixes 2016-02-16T15:58:30+00:00 Kalle Valo kvalo@codeaurora.org 2016-02-16T15:58:30+00:00 c699404db182836498bd9d9a36ef044de2cab4fd These are a few fixes for the current cycle. 3 out of the 5 patches fix a bugzilla. * fix a race that users reported when we try to load the firmware and the hardware rfkill interrupt triggers at the same time. * Luca fixes a very visible bug in scheduled scan: our firmware doesn't support scheduled scan with no profile configured and the supplicant sometimes requests such scheduled scans. * build system fix * firmware name update for 8265 * typo fix in return value 
These are a few fixes for the current cycle.
3 out of the 5 patches fix a bugzilla.

* fix a race that users reported when we try to load the firmware
  and the hardware rfkill interrupt triggers at the same time.
* Luca fixes a very visible bug in scheduled scan: our firmware
  doesn't support scheduled scan with no profile configured and
  the supplicant sometimes requests such scheduled scans.
* build system fix
* firmware name update for 8265
* typo fix in return value
iwlwifi: mvm: inc pending frames counter also when txing non-sta 2016-02-16T09:19:43+00:00 Liad Kaufman liad.kaufman@intel.com 2016-02-14T13:32:58+00:00 fb896c44f88a75843a072cd6961b1615732f7811 Until this patch, when TXing non-sta the pending_frames counter wasn't increased, but it WAS decreased in iwl_mvm_rx_tx_cmd_single(), what makes it negative in certain conditions. This in turn caused much trouble when we need to remove the station since we won't be waiting forever until pending_frames gets 0. In certain cases, we were exhausting the station table even in BSS mode, because we had a lot of stale stations. Increase the counter also in iwl_mvm_tx_skb_non_sta() after a successful TX to avoid this outcome. CC: <stable@vger.kernel.org> [3.18+] Signed-off-by: Liad Kaufman <liad.kaufman@intel.com> Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com> 
Until this patch, when TXing non-sta the pending_frames counter
wasn't increased, but it WAS decreased in
iwl_mvm_rx_tx_cmd_single(), what makes it negative in certain
conditions. This in turn caused much trouble when we need to
remove the station since we won't be waiting forever until
pending_frames gets 0. In certain cases, we were exhausting
the station table even in BSS mode, because we had a lot of
stale stations.

Increase the counter also in iwl_mvm_tx_skb_non_sta() after a
successful TX to avoid this outcome.

CC: <stable@vger.kernel.org> [3.18+]
Signed-off-by: Liad Kaufman <liad.kaufman@intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
iwlwifi: pcie: fix erroneous return value 2016-02-15T11:38:31+00:00 Anton Protopopov a.s.protopopov@gmail.com 2016-02-11T06:35:15+00:00 20aa99bbddae74bded68338f9ba200ccae02858b The iwl_trans_pcie_start_fw() function may return the positive value EIO instead of -EIO in case of error. Signed-off-by: Anton Protopopov <a.s.protopopov@gmail.com> Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com> 
The iwl_trans_pcie_start_fw() function may return the positive value EIO
instead of -EIO in case of error.

Signed-off-by: Anton Protopopov <a.s.protopopov@gmail.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>