<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/net/wireless, branch v4.9.52</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>mwifiex: correct channel stat buffer overflows</title>
<updated>2017-09-09T15:39:40+00:00</updated>
<author>
<name>Brian Norris</name>
<email>briannorris@chromium.org</email>
</author>
<published>2017-06-30T01:23:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=0e720cd70631968e506e13fa366da77d4cf770e1'/>
<id>0e720cd70631968e506e13fa366da77d4cf770e1</id>
<content type='text'>
commit 4b5dde2d6234ff5bc68e97e6901d1f2a0a7f3749 upstream.

mwifiex records information about various channels as it receives scan
information. It does this by appending to a buffer that was sized
to the max number of supported channels on any band, but there are
numerous problems:

(a) scans can return info from more than one band (e.g., both 2.4 and 5
    GHz), so the determined "max" is not large enough
(b) some firmware appears to return multiple results for a given
    channel, so the max *really* isn't large enough
(c) there is no bounds checking when stashing these stats, so problems
    (a) and (b) can easily lead to buffer overflows

Let's patch this by setting a slightly-more-correct max (that accounts
for a combination of both 2.4G and 5G bands) and adding a bounds check
when writing to our statistics buffer.

Due to problem (b), we still might not properly report all known survey
information (e.g., with "iw &lt;dev&gt; survey dump"), since duplicate results
(or otherwise "larger than expected" results) will cause some
truncation. But that's a problem for a future bugfix.

(And because of this known deficiency, only log the excess at the WARN
level, since that isn't visible by default in this driver and would
otherwise be a bit too noisy.)

Fixes: bf35443314ac ("mwifiex: channel statistics support for mwifiex")
Cc: Avinash Patil &lt;patila@marvell.com&gt;
Cc: Xinming Hu &lt;huxm@marvell.com&gt;
Signed-off-by: Brian Norris &lt;briannorris@chromium.org&gt;
Reviewed-by: Dmitry Torokhov &lt;dmitry.torokhov@gmail.com&gt;
Reviewed-by: Ganapathi Bhat &lt;gbhat@marvell.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 4b5dde2d6234ff5bc68e97e6901d1f2a0a7f3749 upstream.

mwifiex records information about various channels as it receives scan
information. It does this by appending to a buffer that was sized
to the max number of supported channels on any band, but there are
numerous problems:

(a) scans can return info from more than one band (e.g., both 2.4 and 5
    GHz), so the determined "max" is not large enough
(b) some firmware appears to return multiple results for a given
    channel, so the max *really* isn't large enough
(c) there is no bounds checking when stashing these stats, so problems
    (a) and (b) can easily lead to buffer overflows

Let's patch this by setting a slightly-more-correct max (that accounts
for a combination of both 2.4G and 5G bands) and adding a bounds check
when writing to our statistics buffer.

Due to problem (b), we still might not properly report all known survey
information (e.g., with "iw &lt;dev&gt; survey dump"), since duplicate results
(or otherwise "larger than expected" results) will cause some
truncation. But that's a problem for a future bugfix.

(And because of this known deficiency, only log the excess at the WARN
level, since that isn't visible by default in this driver and would
otherwise be a bit too noisy.)

Fixes: bf35443314ac ("mwifiex: channel statistics support for mwifiex")
Cc: Avinash Patil &lt;patila@marvell.com&gt;
Cc: Xinming Hu &lt;huxm@marvell.com&gt;
Signed-off-by: Brian Norris &lt;briannorris@chromium.org&gt;
Reviewed-by: Dmitry Torokhov &lt;dmitry.torokhov@gmail.com&gt;
Reviewed-by: Ganapathi Bhat &lt;gbhat@marvell.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>iwlwifi: pci: add new PCI ID for 7265D</title>
<updated>2017-09-09T15:39:40+00:00</updated>
<author>
<name>Luca Coelho</name>
<email>luciano.coelho@intel.com</email>
</author>
<published>2017-08-16T05:47:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=23b7d4f52b694a0d25ad1f619e90a482898efc85'/>
<id>23b7d4f52b694a0d25ad1f619e90a482898efc85</id>
<content type='text'>
commit 3f7a5e13e85026b6e460bbd6e87f87379421d272 upstream.

We have a new PCI subsystem ID for 7265D.  Add it to the list.

Signed-off-by: Luca Coelho &lt;luciano.coelho@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 3f7a5e13e85026b6e460bbd6e87f87379421d272 upstream.

We have a new PCI subsystem ID for 7265D.  Add it to the list.

Signed-off-by: Luca Coelho &lt;luciano.coelho@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>rtlwifi: rtl_pci_probe: Fix fail path of _rtl_pci_find_adapter</title>
<updated>2017-09-09T15:39:40+00:00</updated>
<author>
<name>Malcolm Priestley</name>
<email>tvboxspy@gmail.com</email>
</author>
<published>2017-07-30T08:02:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b48f7183c64cd12b7451ea677f964e10acd6a52b'/>
<id>b48f7183c64cd12b7451ea677f964e10acd6a52b</id>
<content type='text'>
commit fc81bab5eeb103711925d7510157cf5cd2b153f4 upstream.

_rtl_pci_find_adapter fail path will jump to label fail3 for
unsupported adapter types.

However, on course for fail3 there will be call rtl_deinit_core
before rtl_init_core.

For the inclusion of checking pci_iounmap this fail can be moved to
fail2.

Fixes
[    4.492963] BUG: unable to handle kernel NULL pointer dereference at           (null)
[    4.493067] IP: rtl_deinit_core+0x31/0x90 [rtlwifi]

Signed-off-by: Malcolm Priestley &lt;tvboxspy@gmail.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit fc81bab5eeb103711925d7510157cf5cd2b153f4 upstream.

_rtl_pci_find_adapter fail path will jump to label fail3 for
unsupported adapter types.

However, on course for fail3 there will be call rtl_deinit_core
before rtl_init_core.

For the inclusion of checking pci_iounmap this fail can be moved to
fail2.

Fixes
[    4.492963] BUG: unable to handle kernel NULL pointer dereference at           (null)
[    4.493067] IP: rtl_deinit_core+0x31/0x90 [rtlwifi]

Signed-off-by: Malcolm Priestley &lt;tvboxspy@gmail.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>ath10k: fix memory leak in rx ring buffer allocation</title>
<updated>2017-09-09T15:39:39+00:00</updated>
<author>
<name>Rakesh Pillai</name>
<email>pillair@qti.qualcomm.com</email>
</author>
<published>2017-08-02T10:33:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=90a1e2e19ed731d66f95f5471c99d0e16a92021d'/>
<id>90a1e2e19ed731d66f95f5471c99d0e16a92021d</id>
<content type='text'>
commit f35a7f91f66af528b3ee1921de16bea31d347ab0 upstream.

The rx ring buffers are added to a hash table if
firmware support full rx reorder. If the full rx
reorder support flag is not set before allocating
the rx ring buffers, none of the buffers are added
to the hash table.

There is a race condition between rx ring refill and
rx buffer replenish from napi poll. The interrupts are
enabled in hif start, before the rx ring is refilled during init.
We replenish buffers from napi poll due to the interrupts which
get enabled after hif start. Hence before the entire rx ring is
refilled during the init, the napi poll replenishes a few buffers
in steps of 100 buffers per attempt. During this rx ring replenish
from napi poll, the rx reorder flag has not been set due to which
the replenished buffers are not added to the hash table

Set the rx full reorder support flag before we allocate
the rx ring buffer to avoid the memory leak.

Signed-off-by: Rakesh Pillai &lt;pillair@qti.qualcomm.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@qca.qualcomm.com&gt;
Cc: Christian Lamparter &lt;chunkeey@googlemail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit f35a7f91f66af528b3ee1921de16bea31d347ab0 upstream.

The rx ring buffers are added to a hash table if
firmware support full rx reorder. If the full rx
reorder support flag is not set before allocating
the rx ring buffers, none of the buffers are added
to the hash table.

There is a race condition between rx ring refill and
rx buffer replenish from napi poll. The interrupts are
enabled in hif start, before the rx ring is refilled during init.
We replenish buffers from napi poll due to the interrupts which
get enabled after hif start. Hence before the entire rx ring is
refilled during the init, the napi poll replenishes a few buffers
in steps of 100 buffers per attempt. During this rx ring replenish
from napi poll, the rx reorder flag has not been set due to which
the replenished buffers are not added to the hash table

Set the rx full reorder support flag before we allocate
the rx ring buffer to avoid the memory leak.

Signed-off-by: Rakesh Pillai &lt;pillair@qti.qualcomm.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@qca.qualcomm.com&gt;
Cc: Christian Lamparter &lt;chunkeey@googlemail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>wl1251: add a missing spin_lock_init()</title>
<updated>2017-09-07T06:35:40+00:00</updated>
<author>
<name>Cong Wang</name>
<email>xiyou.wangcong@gmail.com</email>
</author>
<published>2017-08-31T14:47:43+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=9e2788ce8f17485ddd506b639eeea38b729baf2e'/>
<id>9e2788ce8f17485ddd506b639eeea38b729baf2e</id>
<content type='text'>
commit f581a0dd744fe32b0a8805e279c59ec1ac676d60 upstream.

wl1251: add a missing spin_lock_init()

This fixes the following kernel warning:

 [ 5668.771453] BUG: spinlock bad magic on CPU#0, kworker/u2:3/9745
 [ 5668.771850]  lock: 0xce63ef20, .magic: 00000000, .owner: &lt;none&gt;/-1,
 .owner_cpu: 0
 [ 5668.772277] CPU: 0 PID: 9745 Comm: kworker/u2:3 Tainted: G        W
 4.12.0-03002-gec979a4-dirty #40
 [ 5668.772796] Hardware name: Nokia RX-51 board
 [ 5668.773071] Workqueue: phy1 wl1251_irq_work
 [ 5668.773345] [&lt;c010c9e4&gt;] (unwind_backtrace) from [&lt;c010a274&gt;]
 (show_stack+0x10/0x14)
 [ 5668.773803] [&lt;c010a274&gt;] (show_stack) from [&lt;c01545a4&gt;]
 (do_raw_spin_lock+0x6c/0xa0)
 [ 5668.774230] [&lt;c01545a4&gt;] (do_raw_spin_lock) from [&lt;c06ca578&gt;]
 (_raw_spin_lock_irqsave+0x10/0x18)
 [ 5668.774658] [&lt;c06ca578&gt;] (_raw_spin_lock_irqsave) from [&lt;c048c010&gt;]
 (wl1251_op_tx+0x38/0x5c)
 [ 5668.775115] [&lt;c048c010&gt;] (wl1251_op_tx) from [&lt;c06a12e8&gt;]
 (ieee80211_tx_frags+0x188/0x1c0)
 [ 5668.775543] [&lt;c06a12e8&gt;] (ieee80211_tx_frags) from [&lt;c06a138c&gt;]
 (__ieee80211_tx+0x6c/0x130)
 [ 5668.775970] [&lt;c06a138c&gt;] (__ieee80211_tx) from [&lt;c06a3dbc&gt;]
 (ieee80211_tx+0xdc/0x104)
 [ 5668.776367] [&lt;c06a3dbc&gt;] (ieee80211_tx) from [&lt;c06a4af0&gt;]
 (__ieee80211_subif_start_xmit+0x454/0x8c8)
 [ 5668.776824] [&lt;c06a4af0&gt;] (__ieee80211_subif_start_xmit) from
 [&lt;c06a4f94&gt;] (ieee80211_subif_start_xmit+0x30/0x2fc)
 [ 5668.777343] [&lt;c06a4f94&gt;] (ieee80211_subif_start_xmit) from
 [&lt;c0578848&gt;] (dev_hard_start_xmit+0x80/0x118)
...

    by adding the missing spin_lock_init().

Reported-by: Pavel Machek &lt;pavel@ucw.cz&gt;
Cc: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Cong Wang &lt;xiyou.wangcong@gmail.com&gt;
Acked-by: Pavel Machek &lt;pavel@ucw.cz&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Pavel Machek &lt;pavel@ucw.cz&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit f581a0dd744fe32b0a8805e279c59ec1ac676d60 upstream.

wl1251: add a missing spin_lock_init()

This fixes the following kernel warning:

 [ 5668.771453] BUG: spinlock bad magic on CPU#0, kworker/u2:3/9745
 [ 5668.771850]  lock: 0xce63ef20, .magic: 00000000, .owner: &lt;none&gt;/-1,
 .owner_cpu: 0
 [ 5668.772277] CPU: 0 PID: 9745 Comm: kworker/u2:3 Tainted: G        W
 4.12.0-03002-gec979a4-dirty #40
 [ 5668.772796] Hardware name: Nokia RX-51 board
 [ 5668.773071] Workqueue: phy1 wl1251_irq_work
 [ 5668.773345] [&lt;c010c9e4&gt;] (unwind_backtrace) from [&lt;c010a274&gt;]
 (show_stack+0x10/0x14)
 [ 5668.773803] [&lt;c010a274&gt;] (show_stack) from [&lt;c01545a4&gt;]
 (do_raw_spin_lock+0x6c/0xa0)
 [ 5668.774230] [&lt;c01545a4&gt;] (do_raw_spin_lock) from [&lt;c06ca578&gt;]
 (_raw_spin_lock_irqsave+0x10/0x18)
 [ 5668.774658] [&lt;c06ca578&gt;] (_raw_spin_lock_irqsave) from [&lt;c048c010&gt;]
 (wl1251_op_tx+0x38/0x5c)
 [ 5668.775115] [&lt;c048c010&gt;] (wl1251_op_tx) from [&lt;c06a12e8&gt;]
 (ieee80211_tx_frags+0x188/0x1c0)
 [ 5668.775543] [&lt;c06a12e8&gt;] (ieee80211_tx_frags) from [&lt;c06a138c&gt;]
 (__ieee80211_tx+0x6c/0x130)
 [ 5668.775970] [&lt;c06a138c&gt;] (__ieee80211_tx) from [&lt;c06a3dbc&gt;]
 (ieee80211_tx+0xdc/0x104)
 [ 5668.776367] [&lt;c06a3dbc&gt;] (ieee80211_tx) from [&lt;c06a4af0&gt;]
 (__ieee80211_subif_start_xmit+0x454/0x8c8)
 [ 5668.776824] [&lt;c06a4af0&gt;] (__ieee80211_subif_start_xmit) from
 [&lt;c06a4f94&gt;] (ieee80211_subif_start_xmit+0x30/0x2fc)
 [ 5668.777343] [&lt;c06a4f94&gt;] (ieee80211_subif_start_xmit) from
 [&lt;c0578848&gt;] (dev_hard_start_xmit+0x80/0x118)
...

    by adding the missing spin_lock_init().

Reported-by: Pavel Machek &lt;pavel@ucw.cz&gt;
Cc: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Cong Wang &lt;xiyou.wangcong@gmail.com&gt;
Acked-by: Pavel Machek &lt;pavel@ucw.cz&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Pavel Machek &lt;pavel@ucw.cz&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>p54: memset(0) whole array</title>
<updated>2017-09-02T05:07:53+00:00</updated>
<author>
<name>Jiri Slaby</name>
<email>jslaby@suse.cz</email>
</author>
<published>2016-10-14T09:23:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=f71996c3ce5d3b7ee0f581f6c2c37a19d50d72e8'/>
<id>f71996c3ce5d3b7ee0f581f6c2c37a19d50d72e8</id>
<content type='text'>
commit 6f17581788206444cbbcdbc107498f85e9765e3d upstream.

gcc 7 complains:
drivers/net/wireless/intersil/p54/fwio.c: In function 'p54_scan':
drivers/net/wireless/intersil/p54/fwio.c:491:4: warning: 'memset' used with length equal to number of elements without multiplication by element size [-Wmemset-elt-size]

Fix that by passing the correct size to memset.

Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
Cc: Christian Lamparter &lt;chunkeey@googlemail.com&gt;
Cc: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Acked-by: Christian Lamparter &lt;chunkeey@googlemail.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 6f17581788206444cbbcdbc107498f85e9765e3d upstream.

gcc 7 complains:
drivers/net/wireless/intersil/p54/fwio.c: In function 'p54_scan':
drivers/net/wireless/intersil/p54/fwio.c:491:4: warning: 'memset' used with length equal to number of elements without multiplication by element size [-Wmemset-elt-size]

Fix that by passing the correct size to memset.

Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
Cc: Christian Lamparter &lt;chunkeey@googlemail.com&gt;
Cc: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Acked-by: Christian Lamparter &lt;chunkeey@googlemail.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>brcmfmac: fix memleak due to calling brcmf_sdiod_sgtable_alloc() twice</title>
<updated>2017-08-11T15:49:28+00:00</updated>
<author>
<name>Arend Van Spriel</name>
<email>arend.vanspriel@broadcom.com</email>
</author>
<published>2017-07-26T12:09:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=f5214eb4baf87b0134acf98c29150071fa3b815c'/>
<id>f5214eb4baf87b0134acf98c29150071fa3b815c</id>
<content type='text'>
commit 5f5d03143de5e0c593da4ab18fc6393c2815e108 upstream.

Due to a bugfix in wireless tree and the commit mentioned below a merge
was needed which went haywire. So the submitted change resulted in the
function brcmf_sdiod_sgtable_alloc() being called twice during the probe
thus leaking the memory of the first call.

Fixes: 4d7928959832 ("brcmfmac: switch to new platform data")
Reported-by: Stefan Wahren &lt;stefan.wahren@i2se.com&gt;
Tested-by: Stefan Wahren &lt;stefan.wahren@i2se.com&gt;
Reviewed-by: Hante Meuleman &lt;hante.meuleman@broadcom.com&gt;
Signed-off-by: Arend van Spriel &lt;arend.vanspriel@broadcom.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 5f5d03143de5e0c593da4ab18fc6393c2815e108 upstream.

Due to a bugfix in wireless tree and the commit mentioned below a merge
was needed which went haywire. So the submitted change resulted in the
function brcmf_sdiod_sgtable_alloc() being called twice during the probe
thus leaking the memory of the first call.

Fixes: 4d7928959832 ("brcmfmac: switch to new platform data")
Reported-by: Stefan Wahren &lt;stefan.wahren@i2se.com&gt;
Tested-by: Stefan Wahren &lt;stefan.wahren@i2se.com&gt;
Reviewed-by: Hante Meuleman &lt;hante.meuleman@broadcom.com&gt;
Signed-off-by: Arend van Spriel &lt;arend.vanspriel@broadcom.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>iwlwifi: dvm: prevent an out of bounds access</title>
<updated>2017-08-11T15:49:28+00:00</updated>
<author>
<name>Emmanuel Grumbach</name>
<email>emmanuel.grumbach@intel.com</email>
</author>
<published>2017-06-08T07:55:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=de8c33290f1c8fdd037b6e3d43ea888928f21e8c'/>
<id>de8c33290f1c8fdd037b6e3d43ea888928f21e8c</id>
<content type='text'>
commit 0b0f934e92a8eaed2e6c48a50eae6f84661f74f3 upstream.

iwlagn_check_ratid_empty takes the tid as a parameter, but
it doesn't check that it is not IWL_TID_NON_QOS.
Since IWL_TID_NON_QOS = 8 and iwl_priv::tid_data is an array
with 8 entries, accessing iwl_priv::tid_data[IWL_TID_NON_QOS]
is a bad idea.
This happened in iwlagn_rx_reply_tx. Since
iwlagn_check_ratid_empty is relevant only to check whether
we can open A-MPDU, this flow is irrelevant if tid is
IWL_TID_NON_QOS. Call iwlagn_check_ratid_empty only inside
the
	if (tid != IWL_TID_NON_QOS)

a few lines earlier in the function.

Reported-by: Seraphime Kirkovski &lt;kirkseraph@gmail.com&gt;
Tested-by: Seraphime Kirkovski &lt;kirkseraph@gmail.com&gt;
Signed-off-by: Emmanuel Grumbach &lt;emmanuel.grumbach@intel.com&gt;
Signed-off-by: Luca Coelho &lt;luciano.coelho@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 0b0f934e92a8eaed2e6c48a50eae6f84661f74f3 upstream.

iwlagn_check_ratid_empty takes the tid as a parameter, but
it doesn't check that it is not IWL_TID_NON_QOS.
Since IWL_TID_NON_QOS = 8 and iwl_priv::tid_data is an array
with 8 entries, accessing iwl_priv::tid_data[IWL_TID_NON_QOS]
is a bad idea.
This happened in iwlagn_rx_reply_tx. Since
iwlagn_check_ratid_empty is relevant only to check whether
we can open A-MPDU, this flow is irrelevant if tid is
IWL_TID_NON_QOS. Call iwlagn_check_ratid_empty only inside
the
	if (tid != IWL_TID_NON_QOS)

a few lines earlier in the function.

Reported-by: Seraphime Kirkovski &lt;kirkseraph@gmail.com&gt;
Tested-by: Seraphime Kirkovski &lt;kirkseraph@gmail.com&gt;
Signed-off-by: Emmanuel Grumbach &lt;emmanuel.grumbach@intel.com&gt;
Signed-off-by: Luca Coelho &lt;luciano.coelho@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>wil6210: fix deadlock when using fw_no_recovery option</title>
<updated>2017-08-07T01:59:42+00:00</updated>
<author>
<name>Lior David</name>
<email>qca_liord@qca.qualcomm.com</email>
</author>
<published>2016-11-23T14:06:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=2f16bcd4dba9980a1d237b0fa0c697aa7547c2d6'/>
<id>2f16bcd4dba9980a1d237b0fa0c697aa7547c2d6</id>
<content type='text'>
commit dfb5b098e0f40b68aa07f2ec55f4dd762efefbfa upstream.

When FW crashes with no_fw_recovery option, driver
waits for manual recovery with wil-&gt;mutex held, this
can easily create deadlocks.
Fix the problem by moving the wait outside the lock.

Signed-off-by: Lior David &lt;qca_liord@qca.qualcomm.com&gt;
Signed-off-by: Maya Erez &lt;qca_merez@qca.qualcomm.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@qca.qualcomm.com&gt;
Signed-off-by: Amit Pundir &lt;amit.pundir@linaro.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit dfb5b098e0f40b68aa07f2ec55f4dd762efefbfa upstream.

When FW crashes with no_fw_recovery option, driver
waits for manual recovery with wil-&gt;mutex held, this
can easily create deadlocks.
Fix the problem by moving the wait outside the lock.

Signed-off-by: Lior David &lt;qca_liord@qca.qualcomm.com&gt;
Signed-off-by: Maya Erez &lt;qca_merez@qca.qualcomm.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@qca.qualcomm.com&gt;
Signed-off-by: Amit Pundir &lt;amit.pundir@linaro.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>ath10k: fix null deref on wmi-tlv when trying spectral scan</title>
<updated>2017-08-07T01:59:42+00:00</updated>
<author>
<name>Michal Kazior</name>
<email>michal.kazior@tieto.com</email>
</author>
<published>2016-11-14T13:25:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=59153e6589366f09eb42b92c8bc8c2fce72fe8fe'/>
<id>59153e6589366f09eb42b92c8bc8c2fce72fe8fe</id>
<content type='text'>
commit 18ae68fff392e445af3c2d8be9bef8a16e1c72a7 upstream.

WMI ops wrappers did not properly check for null
function pointers for spectral scan. This caused
null dereference crash with WMI-TLV based firmware
which doesn't implement spectral scan.

The crash could be triggered with:

  ip link set dev wlan0 up
  echo background &gt; /sys/kernel/debug/ieee80211/phy0/ath10k/spectral_scan_ctl

The crash looked like this:

  [  168.031989] BUG: unable to handle kernel NULL pointer dereference at           (null)
  [  168.037406] IP: [&lt;          (null)&gt;]           (null)
  [  168.040395] PGD cdd4067 PUD fa0f067 PMD 0
  [  168.043303] Oops: 0010 [#1] SMP
  [  168.045377] Modules linked in: ath10k_pci(O) ath10k_core(O) ath mac80211 cfg80211 [last unloaded: cfg80211]
  [  168.051560] CPU: 1 PID: 1380 Comm: bash Tainted: G        W  O    4.8.0 #78
  [  168.054336] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
  [  168.059183] task: ffff88000c460c00 task.stack: ffff88000d4bc000
  [  168.061736] RIP: 0010:[&lt;0000000000000000&gt;]  [&lt;          (null)&gt;]           (null)
  ...
  [  168.100620] Call Trace:
  [  168.101910]  [&lt;ffffffffa03b9566&gt;] ? ath10k_spectral_scan_config+0x96/0x200 [ath10k_core]
  [  168.104871]  [&lt;ffffffff811386e2&gt;] ? filemap_fault+0xb2/0x4a0
  [  168.106696]  [&lt;ffffffffa03b97e6&gt;] write_file_spec_scan_ctl+0x116/0x280 [ath10k_core]
  [  168.109618]  [&lt;ffffffff812da3a1&gt;] full_proxy_write+0x51/0x80
  [  168.111443]  [&lt;ffffffff811957b8&gt;] __vfs_write+0x28/0x120
  [  168.113090]  [&lt;ffffffff812f1a2d&gt;] ? security_file_permission+0x3d/0xc0
  [  168.114932]  [&lt;ffffffff8109b912&gt;] ? percpu_down_read+0x12/0x60
  [  168.116680]  [&lt;ffffffff811965f8&gt;] vfs_write+0xb8/0x1a0
  [  168.118293]  [&lt;ffffffff81197966&gt;] SyS_write+0x46/0xa0
  [  168.119912]  [&lt;ffffffff818f2972&gt;] entry_SYSCALL_64_fastpath+0x1a/0xa4
  [  168.121737] Code:  Bad RIP value.
  [  168.123318] RIP  [&lt;          (null)&gt;]           (null)

Signed-off-by: Michal Kazior &lt;michal.kazior@tieto.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@qca.qualcomm.com&gt;
Signed-off-by: Amit Pundir &lt;amit.pundir@linaro.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 18ae68fff392e445af3c2d8be9bef8a16e1c72a7 upstream.

WMI ops wrappers did not properly check for null
function pointers for spectral scan. This caused
null dereference crash with WMI-TLV based firmware
which doesn't implement spectral scan.

The crash could be triggered with:

  ip link set dev wlan0 up
  echo background &gt; /sys/kernel/debug/ieee80211/phy0/ath10k/spectral_scan_ctl

The crash looked like this:

  [  168.031989] BUG: unable to handle kernel NULL pointer dereference at           (null)
  [  168.037406] IP: [&lt;          (null)&gt;]           (null)
  [  168.040395] PGD cdd4067 PUD fa0f067 PMD 0
  [  168.043303] Oops: 0010 [#1] SMP
  [  168.045377] Modules linked in: ath10k_pci(O) ath10k_core(O) ath mac80211 cfg80211 [last unloaded: cfg80211]
  [  168.051560] CPU: 1 PID: 1380 Comm: bash Tainted: G        W  O    4.8.0 #78
  [  168.054336] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
  [  168.059183] task: ffff88000c460c00 task.stack: ffff88000d4bc000
  [  168.061736] RIP: 0010:[&lt;0000000000000000&gt;]  [&lt;          (null)&gt;]           (null)
  ...
  [  168.100620] Call Trace:
  [  168.101910]  [&lt;ffffffffa03b9566&gt;] ? ath10k_spectral_scan_config+0x96/0x200 [ath10k_core]
  [  168.104871]  [&lt;ffffffff811386e2&gt;] ? filemap_fault+0xb2/0x4a0
  [  168.106696]  [&lt;ffffffffa03b97e6&gt;] write_file_spec_scan_ctl+0x116/0x280 [ath10k_core]
  [  168.109618]  [&lt;ffffffff812da3a1&gt;] full_proxy_write+0x51/0x80
  [  168.111443]  [&lt;ffffffff811957b8&gt;] __vfs_write+0x28/0x120
  [  168.113090]  [&lt;ffffffff812f1a2d&gt;] ? security_file_permission+0x3d/0xc0
  [  168.114932]  [&lt;ffffffff8109b912&gt;] ? percpu_down_read+0x12/0x60
  [  168.116680]  [&lt;ffffffff811965f8&gt;] vfs_write+0xb8/0x1a0
  [  168.118293]  [&lt;ffffffff81197966&gt;] SyS_write+0x46/0xa0
  [  168.119912]  [&lt;ffffffff818f2972&gt;] entry_SYSCALL_64_fastpath+0x1a/0xa4
  [  168.121737] Code:  Bad RIP value.
  [  168.123318] RIP  [&lt;          (null)&gt;]           (null)

Signed-off-by: Michal Kazior &lt;michal.kazior@tieto.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@qca.qualcomm.com&gt;
Signed-off-by: Amit Pundir &lt;amit.pundir@linaro.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
</feed>
