linux.git/net/wireless/scan.c, branch v2.6.31 Linux kernel source tree cfg80211: add two missing NULL pointer checks 2009-08-03T20:31:21+00:00 Johannes Berg johannes@sipsolutions.net 2009-07-29T20:07:44+00:00 cd3468bad96c00b5a512f551674f36776129520e These pointers can be NULL, the is_mesh() case isn't ever hit in the current kernel, but cmp_ies() can be hit under certain conditions. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Cc: stable@kernel.org [2.6.29, 2.6.30] Signed-off-by: John W. Linville <linville@tuxdriver.com> 
These pointers can be NULL, the is_mesh() case isn't
ever hit in the current kernel, but cmp_ies() can be
hit under certain conditions.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Cc: stable@kernel.org [2.6.29, 2.6.30]
Signed-off-by: John W. Linville <linville@tuxdriver.com>
cfg80211: double free in __cfg80211_scan_done 2009-07-21T16:07:44+00:00 Christian Lamparter chunkeey@web.de 2009-07-19T03:05:37+00:00 9e81eccf199d910e5ea8db377a43478e4eccd033 This patch fixes a double free corruption in __cfg80211_scan_done: ================================================ BUG kmalloc-512: Object already free ------------------------------------------------ INFO: Allocated in load_elf_binary+0x18b/0x19af age=6 INFO: Freed in load_elf_binary+0x104e/0x19af age=5 INFO: Slab 0xffffea0001bae4c0 objects=14 used=7 INFO: Object 0xffff88007e8a9918 @offset=6424 fp=0xffff88007e8a9488 Bytes b4 0xffff88007e8a9908: 00 00 00 00 00 00 00 00 5a 5a [...] Pid: 28705, comm: rmmod Tainted: P C 2.6.31-rc2-wl #1 Call Trace: [<ffffffff810da9f4>] print_trailer+0x14e/0x16e [<ffffffff810daa56>] object_err+0x42/0x61 [<ffffffff810dbcd9>] __slab_free+0x2af/0x396 [<ffffffffa0ec9694>] ? wiphy_unregister+0x92/0x142 [cfg80211] [<ffffffff810dd5e3>] kfree+0x13c/0x17a [<ffffffffa0ec9694>] ? wiphy_unregister+0x92/0x142 [cfg80211] [<ffffffffa0ec9694>] wiphy_unregister+0x92/0x142 [cfg80211] [<ffffffffa0eed163>] ieee80211_unregister_hw+0xc8/0xff [mac80211] [<ffffffffa0f3fbc8>] p54_unregister_common+0x31/0x66 [p54common] [...] FIX kmalloc-512: Object at 0xffff88007e8a9918 not freed The code path which leads to the *funny* double free: request = rdev->scan_req; dev = dev_get_by_index(&init_net, request->ifidx); /* * the driver was unloaded recently and * therefore dev_get_by_index will return NULL! */ if (!dev) goto out; [...] rdev->scan_req = NULL; /* not executed... */ [...] out: kfree(request); Signed-off-by: Christian Lamparter <chunkeey@web.de> Signed-off-by: John W. Linville <linville@tuxdriver.com> 
This patch fixes a double free corruption in __cfg80211_scan_done:

 ================================================
 BUG kmalloc-512: Object already free
 ------------------------------------------------

 INFO: Allocated in load_elf_binary+0x18b/0x19af age=6
 INFO: Freed in load_elf_binary+0x104e/0x19af age=5
 INFO: Slab 0xffffea0001bae4c0 objects=14 used=7
 INFO: Object 0xffff88007e8a9918 @offset=6424 fp=0xffff88007e8a9488

 Bytes b4 0xffff88007e8a9908:  00 00 00 00 00 00 00 00 5a 5a
 [...]
 Pid: 28705, comm: rmmod Tainted: P         C 2.6.31-rc2-wl #1
 Call Trace:
  [<ffffffff810da9f4>] print_trailer+0x14e/0x16e
  [<ffffffff810daa56>] object_err+0x42/0x61
  [<ffffffff810dbcd9>] __slab_free+0x2af/0x396
  [<ffffffffa0ec9694>] ? wiphy_unregister+0x92/0x142 [cfg80211]
  [<ffffffff810dd5e3>] kfree+0x13c/0x17a
  [<ffffffffa0ec9694>] ? wiphy_unregister+0x92/0x142 [cfg80211]
  [<ffffffffa0ec9694>] wiphy_unregister+0x92/0x142 [cfg80211]
  [<ffffffffa0eed163>] ieee80211_unregister_hw+0xc8/0xff [mac80211]
  [<ffffffffa0f3fbc8>] p54_unregister_common+0x31/0x66 [p54common]
  [...]
 FIX kmalloc-512: Object at 0xffff88007e8a9918 not freed

The code path which leads to the *funny* double free:

       request = rdev->scan_req;
       dev = dev_get_by_index(&init_net, request->ifidx);
	/*
	 * the driver was unloaded recently and
	 * therefore dev_get_by_index will return NULL!
	 */
        if (!dev)
                goto out;
	[...]
	rdev->scan_req = NULL; /* not executed... */
	[...]
 out:
        kfree(request);

Signed-off-by: Christian Lamparter <chunkeey@web.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
cfg80211: fix refcount leak 2009-07-07T16:55:28+00:00 Johannes Berg johannes@sipsolutions.net 2009-07-02T13:46:41+00:00 2dce4c2b5f0b43bd25bf9ea6ded06b7f8a54c91f The code in cfg80211's cfg80211_bss_update erroneously grabs a reference to the BSS, which means that it will never be freed. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Cc: stable@kernel.org [2.6.29, 2.6.30] Signed-off-by: John W. Linville <linville@tuxdriver.com> 
The code in cfg80211's cfg80211_bss_update erroneously
grabs a reference to the BSS, which means that it will
never be freed.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Cc: stable@kernel.org [2.6.29, 2.6.30]
Signed-off-by: John W. Linville <linville@tuxdriver.com>
nl80211: bounce scan request back to userspace 2009-06-03T18:05:10+00:00 Johannes Berg johannes@sipsolutions.net 2009-05-24T14:43:15+00:00 362a415dce2130b0e4cebfc8f8fbd8128baff308 When a scan finishes only the program that asked for it knows what kind of scan it was; let's tell everybody else about the scan parameters as well so they can evaluate the result of the scan better. Also helps with debugging. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com> 
When a scan finishes only the program that asked for it
knows what kind of scan it was; let's tell everybody else
about the scan parameters as well so they can evaluate
the result of the scan better. Also helps with debugging.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next-2.6 2009-05-08T19:46:17+00:00 David S. Miller davem@davemloft.net 2009-05-08T19:46:17+00:00 a8679be2073392cf22a910bc25da0c7d36459845 






Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6
2009-05-08T09:48:30+00:00

David S. Miller
davem@davemloft.net

2009-05-08T09:48:30+00:00

22f6dacdfcfdc792d068e9c41234808860498d04

Conflicts:
	include/net/tcp.h





Conflicts:
	include/net/tcp.h







cfg80211: Use the correct IE buffer pointer
2009-05-06T19:14:44+00:00

Michael Buesch
mb@bu3sch.de

2009-04-26T09:27:33+00:00

44e1b98f733e48bb781e4229120e1de5e0c9fdbb

If the IE buffer was allocated, the pub.information_elements pointer
was also changed to the allocated space. So we must not assume anymore
that the pointer points at the "found" tail.

So if it was allocated previously, take the codebranch that grows the
buffer size (if necessary) and put the data into the allocated buffer.

Signed-off-by: Michael Buesch <mb@bu3sch.de>
Acked-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>





If the IE buffer was allocated, the pub.information_elements pointer
was also changed to the allocated space. So we must not assume anymore
that the pointer points at the "found" tail.

So if it was allocated previously, take the codebranch that grows the
buffer size (if necessary) and put the data into the allocated buffer.

Signed-off-by: Michael Buesch <mb@bu3sch.de>
Acked-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>







cfg80211: Remove unnecessary ksize() call
2009-05-06T19:14:42+00:00

Michael Buesch
mb@bu3sch.de

2009-04-25T20:28:55+00:00

273de92c8461776aaac7b32f8d5889a72b38ea10

This removes an unnecessary ksize() call. krealloc() will do this
test internally and won't perform any allocation if the space is
already sufficient to hold the data.
So remove the redundant check.

Signed-off-by: Michael Buesch <mb@bu3sch.de>
Reviewed-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>





This removes an unnecessary ksize() call. krealloc() will do this
test internally and won't perform any allocation if the space is
already sufficient to hold the data.
So remove the redundant check.

Signed-off-by: Michael Buesch <mb@bu3sch.de>
Reviewed-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>







cfg80211: fix truncated IEs
2009-05-04T20:22:10+00:00

Johannes Berg
johannes@sipsolutions.net

2009-04-30T18:09:56+00:00

c0f0aac05fa84b37ed46db8cf6c8bee9a67bbcca

Another bug in the "cfg80211: do not replace BSS structs" patch,
a forgotten length update leads to bogus data being stored and
passed to userspace, often truncated.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>





Another bug in the "cfg80211: do not replace BSS structs" patch,
a forgotten length update leads to bogus data being stored and
passed to userspace, often truncated.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>







cfg80211: mark all WEXT handlers _GPL
2009-04-22T20:57:18+00:00

Johannes Berg
johannes@sipsolutions.net

2009-04-20T16:49:39+00:00

ba44cb7226afd4e19308c1d8a90e8b7c566c0d8b

The fact that these are exported is a technical detail
of the conversion period -- we don't want anybody to
start relying on these. Ultimately we want things to
use cfg80211 only, and once everything that is in wext
is converted to cfg80211 drivers will not need to touch
wext _at all_.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>





The fact that these are exported is a technical detail
of the conversion period -- we don't want anybody to
start relying on these. Ultimately we want things to
use cfg80211 only, and once everything that is in wext
is converted to cfg80211 drivers will not need to touch
wext _at all_.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>