<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux.git/drivers/net/wireless/marvell, branch v5.6</title>
<subtitle>Linux kernel source tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/'/>
<entry>
<title>libertas: make lbs_ibss_join_existing() return error code on rates overflow</title>
<updated>2020-01-27T14:36:33+00:00</updated>
<author>
<name>Nicolai Stange</name>
<email>nstange@suse.de</email>
</author>
<published>2020-01-14T10:39:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=1754c4f60aaf1e17d886afefee97e94d7f27b4cb'/>
<id>1754c4f60aaf1e17d886afefee97e94d7f27b4cb</id>
<content type='text'>
Commit e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss
descriptor") introduced a bounds check on the number of supplied rates to
lbs_ibss_join_existing() and made it to return on overflow.

However, the aforementioned commit doesn't set the return value accordingly
and thus, lbs_ibss_join_existing() would return with zero even though it
failed.

Make lbs_ibss_join_existing return -EINVAL in case the bounds check on the
number of supplied rates fails.

Fixes: e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss descriptor")
Signed-off-by: Nicolai Stange &lt;nstange@suse.de&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Commit e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss
descriptor") introduced a bounds check on the number of supplied rates to
lbs_ibss_join_existing() and made it to return on overflow.

However, the aforementioned commit doesn't set the return value accordingly
and thus, lbs_ibss_join_existing() would return with zero even though it
failed.

Make lbs_ibss_join_existing return -EINVAL in case the bounds check on the
number of supplied rates fails.

Fixes: e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss descriptor")
Signed-off-by: Nicolai Stange &lt;nstange@suse.de&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>libertas: don't exit from lbs_ibss_join_existing() with RCU read lock held</title>
<updated>2020-01-27T14:35:55+00:00</updated>
<author>
<name>Nicolai Stange</name>
<email>nstange@suse.de</email>
</author>
<published>2020-01-14T10:39:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=c7bf1fb7ddca331780b9a733ae308737b39f1ad4'/>
<id>c7bf1fb7ddca331780b9a733ae308737b39f1ad4</id>
<content type='text'>
Commit e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss
descriptor") introduced a bounds check on the number of supplied rates to
lbs_ibss_join_existing().

Unfortunately, it introduced a return path from within a RCU read side
critical section without a corresponding rcu_read_unlock(). Fix this.

Fixes: e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss descriptor")
Signed-off-by: Nicolai Stange &lt;nstange@suse.de&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Commit e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss
descriptor") introduced a bounds check on the number of supplied rates to
lbs_ibss_join_existing().

Unfortunately, it introduced a return path from within a RCU read side
critical section without a corresponding rcu_read_unlock(). Fix this.

Fixes: e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss descriptor")
Signed-off-by: Nicolai Stange &lt;nstange@suse.de&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>mwifiex: Fix possible buffer overflows in mwifiex_cmd_append_vsie_tlv()</title>
<updated>2020-01-27T14:34:34+00:00</updated>
<author>
<name>Qing Xu</name>
<email>m1s5p6688@gmail.com</email>
</author>
<published>2020-01-02T02:39:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=b70261a288ea4d2f4ac7cd04be08a9f0f2de4f4d'/>
<id>b70261a288ea4d2f4ac7cd04be08a9f0f2de4f4d</id>
<content type='text'>
mwifiex_cmd_append_vsie_tlv() calls memcpy() without checking
the destination size may trigger a buffer overflower,
which a local user could use to cause denial of service
or the execution of arbitrary code.
Fix it by putting the length check before calling memcpy().

Signed-off-by: Qing Xu &lt;m1s5p6688@gmail.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
mwifiex_cmd_append_vsie_tlv() calls memcpy() without checking
the destination size may trigger a buffer overflower,
which a local user could use to cause denial of service
or the execution of arbitrary code.
Fix it by putting the length check before calling memcpy().

Signed-off-by: Qing Xu &lt;m1s5p6688@gmail.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>mwifiex: Fix possible buffer overflows in mwifiex_ret_wmm_get_status()</title>
<updated>2020-01-27T14:34:33+00:00</updated>
<author>
<name>Qing Xu</name>
<email>m1s5p6688@gmail.com</email>
</author>
<published>2020-01-02T02:39:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=3a9b153c5591548612c3955c9600a98150c81875'/>
<id>3a9b153c5591548612c3955c9600a98150c81875</id>
<content type='text'>
mwifiex_ret_wmm_get_status() calls memcpy() without checking the
destination size.Since the source is given from remote AP which
contains illegal wmm elements , this may trigger a heap buffer
overflow.
Fix it by putting the length check before calling memcpy().

Signed-off-by: Qing Xu &lt;m1s5p6688@gmail.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
mwifiex_ret_wmm_get_status() calls memcpy() without checking the
destination size.Since the source is given from remote AP which
contains illegal wmm elements , this may trigger a heap buffer
overflow.
Fix it by putting the length check before calling memcpy().

Signed-off-by: Qing Xu &lt;m1s5p6688@gmail.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>mwifiex: fix unbalanced locking in mwifiex_process_country_ie()</title>
<updated>2020-01-27T14:33:14+00:00</updated>
<author>
<name>Brian Norris</name>
<email>briannorris@chromium.org</email>
</author>
<published>2020-01-06T22:42:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=65b1aae0d9d5962faccc06bdb8e91a2a0b09451c'/>
<id>65b1aae0d9d5962faccc06bdb8e91a2a0b09451c</id>
<content type='text'>
We called rcu_read_lock(), so we need to call rcu_read_unlock() before
we return.

Fixes: 3d94a4a8373b ("mwifiex: fix possible heap overflow in mwifiex_process_country_ie()")
Cc: stable@vger.kernel.org
Cc: huangwen &lt;huangwenabc@gmail.com&gt;
Cc: Ganapathi Bhat &lt;ganapathi.bhat@nxp.com&gt;
Signed-off-by: Brian Norris &lt;briannorris@chromium.org&gt;
Acked-by: Ganapathi Bhat &lt;ganapathi.bhat@nxp.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
We called rcu_read_lock(), so we need to call rcu_read_unlock() before
we return.

Fixes: 3d94a4a8373b ("mwifiex: fix possible heap overflow in mwifiex_process_country_ie()")
Cc: stable@vger.kernel.org
Cc: huangwen &lt;huangwenabc@gmail.com&gt;
Cc: Ganapathi Bhat &lt;ganapathi.bhat@nxp.com&gt;
Signed-off-by: Brian Norris &lt;briannorris@chromium.org&gt;
Acked-by: Ganapathi Bhat &lt;ganapathi.bhat@nxp.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge tag 'wireless-drivers-next-2020-01-26' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers-next</title>
<updated>2020-01-27T10:25:36+00:00</updated>
<author>
<name>David S. Miller</name>
<email>davem@davemloft.net</email>
</author>
<published>2020-01-27T10:25:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=82bc2e4a26a65e8b23590565b89115f8634d4fe6'/>
<id>82bc2e4a26a65e8b23590565b89115f8634d4fe6</id>
<content type='text'>
Kalle Valo says:

====================
wireless-drivers-next patches for v5.6

Second set of patches for v5.6. Nothing special standing out, smaller
new features and fixes allover.

Major changes:

ar5523

* add support for SMCWUSBT-G2 USB device

iwlwifi

* support new versions of the FTM FW APIs

* support new version of the beacon template FW API

* print some extra information when the driver is loaded

rtw88

* support wowlan feature for 8822c

* add support for WIPHY_WOWLAN_NET_DETECT

brcmfmac

* add initial support for monitor mode

qtnfmac

* add module parameter to enable DFS offloading in firmware

* add support for STA HE rates

* add support for TWT responder and spatial reuse
====================

Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Kalle Valo says:

====================
wireless-drivers-next patches for v5.6

Second set of patches for v5.6. Nothing special standing out, smaller
new features and fixes allover.

Major changes:

ar5523

* add support for SMCWUSBT-G2 USB device

iwlwifi

* support new versions of the FTM FW APIs

* support new version of the beacon template FW API

* print some extra information when the driver is loaded

rtw88

* support wowlan feature for 8822c

* add support for WIPHY_WOWLAN_NET_DETECT

brcmfmac

* add initial support for monitor mode

qtnfmac

* add module parameter to enable DFS offloading in firmware

* add support for STA HE rates

* add support for TWT responder and spatial reuse
====================

Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>mwifiex: drop most magic numbers from mwifiex_process_tdls_action_frame()</title>
<updated>2020-01-26T11:34:57+00:00</updated>
<author>
<name>Brian Norris</name>
<email>briannorris@chromium.org</email>
</author>
<published>2019-12-06T19:45:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=70e5b8f445fd27fde0c5583460e82539a7242424'/>
<id>70e5b8f445fd27fde0c5583460e82539a7242424</id>
<content type='text'>
Before commit 1e58252e334d ("mwifiex: Fix heap overflow in
mmwifiex_process_tdls_action_frame()"),
mwifiex_process_tdls_action_frame() already had too many magic numbers.
But this commit just added a ton more, in the name of checking for
buffer overflows. That seems like a really bad idea.

Let's make these magic numbers a little less magic, by
(a) factoring out 'pos[1]' as 'ie_len'
(b) using 'sizeof' on the appropriate source or destination fields where
    possible, instead of bare numbers
(c) dropping redundant checks, per below.

Regarding redundant checks: the beginning of the loop has this:

                if (pos + 2 + pos[1] &gt; end)
                        break;

but then individual 'case's include stuff like this:

 			if (pos &gt; end - 3)
 				return;
 			if (pos[1] != 1)
				return;

Note that the second 'return' (validating the length, pos[1]) combined
with the above condition (ensuring 'pos + 2 + length' doesn't exceed
'end'), makes the first 'return' (whose 'if' can be reworded as 'pos &gt;
end - pos[1] - 2') redundant. Rather than unwind the magic numbers
there, just drop those conditions.

Fixes: 1e58252e334d ("mwifiex: Fix heap overflow in mmwifiex_process_tdls_action_frame()")
Signed-off-by: Brian Norris &lt;briannorris@chromium.org&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Before commit 1e58252e334d ("mwifiex: Fix heap overflow in
mmwifiex_process_tdls_action_frame()"),
mwifiex_process_tdls_action_frame() already had too many magic numbers.
But this commit just added a ton more, in the name of checking for
buffer overflows. That seems like a really bad idea.

Let's make these magic numbers a little less magic, by
(a) factoring out 'pos[1]' as 'ie_len'
(b) using 'sizeof' on the appropriate source or destination fields where
    possible, instead of bare numbers
(c) dropping redundant checks, per below.

Regarding redundant checks: the beginning of the loop has this:

                if (pos + 2 + pos[1] &gt; end)
                        break;

but then individual 'case's include stuff like this:

 			if (pos &gt; end - 3)
 				return;
 			if (pos[1] != 1)
				return;

Note that the second 'return' (validating the length, pos[1]) combined
with the above condition (ensuring 'pos + 2 + length' doesn't exceed
'end'), makes the first 'return' (whose 'if' can be reworded as 'pos &gt;
end - pos[1] - 2') redundant. Rather than unwind the magic numbers
there, just drop those conditions.

Fixes: 1e58252e334d ("mwifiex: Fix heap overflow in mmwifiex_process_tdls_action_frame()")
Signed-off-by: Brian Norris &lt;briannorris@chromium.org&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net</title>
<updated>2020-01-26T09:40:21+00:00</updated>
<author>
<name>David S. Miller</name>
<email>davem@davemloft.net</email>
</author>
<published>2020-01-26T09:40:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=4d8773b68e83558025303f266070b31bc4101e73'/>
<id>4d8773b68e83558025303f266070b31bc4101e73</id>
<content type='text'>
Minor conflict in mlx5 because changes happened to code that has
moved meanwhile.

Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Minor conflict in mlx5 because changes happened to code that has
moved meanwhile.

Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge tag 'wireless-drivers-2020-01-23' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers</title>
<updated>2020-01-23T13:30:20+00:00</updated>
<author>
<name>David S. Miller</name>
<email>davem@davemloft.net</email>
</author>
<published>2020-01-23T13:30:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=5169adbc982400f214bc0bcad1fcc076bd342987'/>
<id>5169adbc982400f214bc0bcad1fcc076bd342987</id>
<content type='text'>
Kalle Valo says:

====================
wireless-drivers fixes for v5.5

Second set of fixes for v5.5. There are quite a few patches,
especially on iwlwifi, due to me being on a long break. Libertas also
has a security fix and mt76 a build fix.

iwlwifi

* don't send the PPAG command when PPAG is disabled, since it can cause problems

* a few fixes for a HW bug

* a fix for RS offload;

* a fix for 3168 devices where the NVM tables where the wrong tables were being read

* fix a couple of potential memory leaks in TXQ code

* disable L0S states in all hardware since our hardware doesn't
 officially support them anymore (and older versions of the hardware
 had instability in these states)

* remove lar_disable parameter since it has been causing issues for
  some people who erroneously disable it

* force the debug monitor HW to stop also when debug is disabled,
  since it sometimes stays on and prevents low system power states

* don't send IWL_MVM_RXQ_NSSN_SYNC notification due to DMA problems

libertas

* fix two buffer overflows

mt76

* build fix related to CONFIG_MT76_LEDS

* fix off by one in bitrates handling
====================

Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Kalle Valo says:

====================
wireless-drivers fixes for v5.5

Second set of fixes for v5.5. There are quite a few patches,
especially on iwlwifi, due to me being on a long break. Libertas also
has a security fix and mt76 a build fix.

iwlwifi

* don't send the PPAG command when PPAG is disabled, since it can cause problems

* a few fixes for a HW bug

* a fix for RS offload;

* a fix for 3168 devices where the NVM tables where the wrong tables were being read

* fix a couple of potential memory leaks in TXQ code

* disable L0S states in all hardware since our hardware doesn't
 officially support them anymore (and older versions of the hardware
 had instability in these states)

* remove lar_disable parameter since it has been causing issues for
  some people who erroneously disable it

* force the debug monitor HW to stop also when debug is disabled,
  since it sometimes stays on and prevents low system power states

* don't send IWL_MVM_RXQ_NSSN_SYNC notification due to DMA problems

libertas

* fix two buffer overflows

mt76

* build fix related to CONFIG_MT76_LEDS

* fix off by one in bitrates handling
====================

Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net</title>
<updated>2019-12-22T23:15:05+00:00</updated>
<author>
<name>David S. Miller</name>
<email>davem@davemloft.net</email>
</author>
<published>2019-12-22T23:15:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=ac80010fc94eb0680d9a432b639583bd7ac29066'/>
<id>ac80010fc94eb0680d9a432b639583bd7ac29066</id>
<content type='text'>
Mere overlapping changes in the conflicts here.

Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Mere overlapping changes in the conflicts here.

Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
</feed>
