[ Upstream commit d30f4436f3 ]
The skb is delivered to netif_rx() in rtllib_monitor_rx(), which may free it,
after calling this, dereferencing skb may trigger use-after-free.
Found by Smatch.
Fixes: 94a799425e ("From: wlanfae <wlanfae@realtek.com> [PATCH 1/8] rtl8192e: Import new version of driver from realtek")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Link: https://lore.kernel.org/r/20221123081253.22296-1-yuehaibing@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 9b6bdbd933 ]
There is a deadlock in rtllib_beacons_stop(), which is shown
below:
(Thread 1) | (Thread 2)
| rtllib_send_beacon()
rtllib_beacons_stop() | mod_timer()
spin_lock_irqsave() //(1) | (wait a time)
... | rtllib_send_beacon_cb()
del_timer_sync() | spin_lock_irqsave() //(2)
(wait timer to stop) | ...
We hold ieee->beacon_lock in position (1) of thread 1 and
use del_timer_sync() to wait timer to stop, but timer handler
also need ieee->beacon_lock in position (2) of thread 2.
As a result, rtllib_beacons_stop() will block forever.
This patch extracts del_timer_sync() from the protection of
spin_lock_irqsave(), which could let timer handler to obtain
the needed lock.
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Link: https://lore.kernel.org/r/20220417141641.124388-1-duoming@zju.edu.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
commit b535917c51 upstream.
The free_rtllib() function frees the "dev" pointer so there is use
after free on the next line. Re-arrange things to avoid that.
Fixes: 66898177e7 ("staging: rtl8192e: Fix unload/reload problem")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/20211117072016.GA5237@kili
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit e78836ae76 upstream.
The "u16 CcxRmState[2];" array field in struct "rtllib_network" has 4
bytes in total while the operations performed on this array through-out
the code base are only 2 bytes.
The "CcxRmState" field is fed only 2 bytes of data using memcpy():
(In rtllib_rx.c:1972)
memcpy(network->CcxRmState, &info_element->data[4], 2)
With "info_element->data[]" being a u8 array, if 2 bytes are written
into "CcxRmState" (whose one element is u16 size), then the 2 u8
elements from "data[]" gets squashed and written into the first element
("CcxRmState[0]") while the second element ("CcxRmState[1]") is never
fed with any data.
Same in file rtllib_rx.c:2522:
memcpy(dst->CcxRmState, src->CcxRmState, 2);
The above line duplicates "src" data to "dst" but only writes 2 bytes
(and not 4, which is the actual size). Again, only 1st element gets the
value while the 2nd element remains uninitialized.
This later makes operations done with CcxRmState unpredictable in the
following lines as the 1st element is having a squashed number while the
2nd element is having an uninitialized random number.
rtllib_rx.c:1973: if (network->CcxRmState[0] != 0)
rtllib_rx.c:1977: network->MBssidMask = network->CcxRmState[1] & 0x07;
network->MBssidMask is also of type u8 and not u16.
Fix this by changing the type of "CcxRmState" from u16 to u8 so that the
data written into this array and read from it make sense and are not
random values.
NOTE: The wrong initialization of "CcxRmState" can be seen in the
following commit:
commit ecdfa44610 ("Staging: add Realtek 8192 PCI wireless driver")
The above commit created a file `rtl8192e/ieee80211.h` which used to
have the faulty line. The file has been deleted (or possibly renamed)
with the contents copied in to a new file `rtl8192e/rtllib.h` along with
additional code in the commit 94a799425e (tagged in Fixes).
Fixes: 94a799425e ("From: wlanfae <wlanfae@realtek.com> [PATCH 1/8] rtl8192e: Import new version of driver from realtek")
Cc: stable@vger.kernel.org
Signed-off-by: Atul Gopinathan <atulgopinathan@gmail.com>
Link: https://lore.kernel.org/r/20210323113413.29179-2-atulgopinathan@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 72ad25fbbb upstream.
The variable "info_element" is of the following type:
struct rtllib_info_element *info_element
defined in drivers/staging/rtl8192e/rtllib.h:
struct rtllib_info_element {
u8 id;
u8 len;
u8 data[];
} __packed;
The "len" field defines the size of the "data[]" array. The code is
supposed to check if "info_element->len" is greater than 4 and later
equal to 6. If this is satisfied then, the last two bytes (the 4th and
5th element of u8 "data[]" array) are copied into "network->CcxRmState".
Right now the code uses "memcpy()" with the source as "&info_element[4]"
which would copy in wrong and unintended information. The struct
"rtllib_info_element" has a size of 2 bytes for "id" and "len",
therefore indexing will be done in interval of 2 bytes. So,
"info_element[4]" would point to data which is beyond the memory
allocated for this pointer (that is, at x+8, while "info_element" has
been allocated only from x to x+7 (2 + 6 => 8 bytes)).
This patch rectifies this error by using "&info_element->data[4]" which
correctly copies the last two bytes of "data[]".
NOTE: The faulty line of code came from the following commit:
commit ecdfa44610 ("Staging: add Realtek 8192 PCI wireless driver")
The above commit created the file `rtl8192e/ieee80211/ieee80211_rx.c`
which had the faulty line of code. This file has been deleted (or
possibly renamed) with the contents copied in to a new file
`rtl8192e/rtllib_rx.c` along with additional code in the commit
94a799425e (tagged in Fixes).
Fixes: 94a799425e ("From: wlanfae <wlanfae@realtek.com> [PATCH 1/8] rtl8192e: Import new version of driver from realtek")
Cc: stable@vger.kernel.org
Signed-off-by: Atul Gopinathan <atulgopinathan@gmail.com>
Link: https://lore.kernel.org/r/20210323113413.29179-1-atulgopinathan@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 8687bf9ef9 upstream.
Function _rtl92e_wx_set_scan calls memcpy without checking the length.
A user could control that length and trigger a buffer overflow.
Fix by checking the length is within the maximum allowed size.
Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Lee Gibson <leegib@gmail.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20210226145157.424065-1-leegib@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit b7aa39a2ed upstream.
The variable skb is released via kfree_skb() when the return value of
_rtl92e_tx is not zero. However, after that, skb is accessed again to
read its length, which may result in a use after free bug. This patch
fixes the bug by moving the release operation to where skb is never
used later.
Signed-off-by: Pan Bian <bianpan2016@163.com>
Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/1572965351-6745-1-git-send-email-bianpan2016@163.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 95d93e271d upstream.
TID 7 is a valid value for QoS IEEE 802.11e.
The switch statement that follows states 7 is valid.
Remove function IsACValid and use the default case to filter
invalid TIDs.
Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 90be652c9f upstream.
EPROM_CMD is 2 byte aligned on PCI map so calling with rtl92e_readl
will return invalid data so use rtl92e_readw.
The device is unable to select the right eeprom type.
Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 867510bde1 upstream.
BSSIDR has two byte alignment on PCI ioremap correct the write
by swapping to 16 bits first.
This fixes a problem that the device associates fail because
the filter is not set correctly.
Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit baabd567f8 upstream.
The driver attempts to alter memory that is mapped to PCI device.
This is because tx_fwinfo_8190pci points to skb->data
Move the pci_map_single to when completed buffer is ready to be mapped with
psdec is empty to drop on mapping error.
Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Replace the 0x888e with ETH_P_PAE and 0x0806 with ETH_P_ARP.
These macros can be found in drivers/staging/rtl8192e/rtllib.h
Hexadecimal numbers are not case sensitive,
therefore 0x888e is equal with 0x888E.
The modifications improve the readability of the code.
Signed-off-by: Georgiana Rodica Chelu <georgiana.chelu93@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
fixed use a blank line after function/struct/union/enum declarations
Signed-off-by: Darryl T. Agostinelli <dagostinelli@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
fixed statements should start on a tabstop
Signed-off-by: Darryl T. Agostinelli <dagostinelli@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
shifted over comment block one space
Signed-off-by: Darryl T. Agostinelli <dagostinelli@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Insert blank line after function declaration to resolve checkpatch
issue.
Signed-off-by: Namrata A Shettar <namrataashettar@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Add space around binary operator '+' to resolve checkpatch issue.
Signed-off-by: Namrata A Shettar <namrataashettar@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Add space around '+' to resolve checkpatch issue.
Signed-off-by: Namrata A Shettar <namrataashettar@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Use !x instead of x == NULL. This patch was found by checkpatch.
Signed-off-by: Sandhya Bankar <bankarsandhya512@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
We get a few warnings when building kernel with W=1:
drivers/staging/rtl8192e/rtllib_softmac.c:279:13: warning: no previous declaration for 'softmac_ps_mgmt_xmit' [-Wmissing-declarations]
drivers/staging/rtl8192e/rtllib_softmac.c:773:24: warning: no previous declaration for 'rtllib_authentication_req' [-Wmissing-declarations]
....
In fact, these functions are only used in the file in which they are
declared and don't need a declaration, but can be made static.
In addition, some of these functions are declared in different files,
it looks like that we need to clean the codes of this driver up,
but we can repress these warnings first, then clean it up.
so this patch marks these functions with 'static' now.
Signed-off-by: Baoyou Xie <baoyou.xie@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
For structure types defined in the same file or local header files, find
top-level static structure declarations that have the following
properties:
1. Never reassigned.
2. Address never taken
3. Not passed to a top-level macro call
4. No pointer or array-typed field passed to a function or stored in a
variable.
Declare structures having all of these properties as const.
Done using Coccinelle.
Based on a suggestion by Joe Perches <joe@perches.com>.
Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
The semaphore 'ips_sem' in the rtl8192e is a simple mutex, so it should
be written as one. Semaphores are going away in the future.
Signed-off-by: Binoy Jayan <binoy.jayan@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
The semaphore 'scan_sem' in the rtl8192e is a simple mutex, so it should
be written as one. Semaphores are going away in the future.
Signed-off-by: Binoy Jayan <binoy.jayan@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
The semaphore 'rf_sem' in the rtl8192e is a simple mutex, so it should
be written as one. Semaphores are going away in the future.
Signed-off-by: Binoy Jayan <binoy.jayan@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
The semaphore 'wx_sem' in the r8192_priv is a simple mutex,
so it should be written as one. Semaphores are going away in the future.
Signed-off-by: Binoy Jayan <binoy.jayan@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
The semaphore 'wx_sem' in the rtllib_device is a simple mutex,
so it should be written as one. Semaphores are going away in the future.
Signed-off-by: Binoy Jayan <binoy.jayan@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
There is one remaining warning about a type limit check in rtl8192e:
staging/rtl8192e/rtl819x_TSProc.c:326:14: error: comparison is always true due to limited range of data type [-Werror=type-limits]
This changes a macro into a local function to clarify the types and simplify
the check while removing the warning.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Jes Sorensen <Jes.Sorensen@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Compiling the rtlwifi drivers for ARM with gcc -Wextra warns about lots of
incorrect code that results from 'char' being unsigned here, e.g.
staging/rtl8192e/rtl8192e/r8192E_phy.c:1072:36: error: comparison is always false due to limited range of data type [-Werror=type-limits]
staging/rtl8192e/rtl8192e/r8192E_phy.c:1104:36: error: comparison is always false due to limited range of data type [-Werror=type-limits]
staging/rtl8192e/rtl8192e/rtl_core.c:1987:16: error: comparison is always false due to limited range of data type [-Werror=type-limits]
staging/rtl8192e/rtl8192e/rtl_dm.c:782:37: error: comparison is always false due to limited range of data type [-Werror=type-limits]
staging/rtl8192e/rtllib_softmac_wx.c:465:16: error: comparison is always false due to limited range of data type [-Werror=type-limits]
This patch changes all uses of 'char' in this driver that refer to
8-bit integers to use 's8' instead, which is signed on all architectures.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Jes Sorensen <Jes.Sorensen@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
a trans_start struct member exists twice:
- in struct net_device (legacy)
- in struct netdev_queue
Instead of open-coding dev->trans_start usage to obtain the current
trans_start value, use dev_trans_start() instead.
This is not exactly the same, as dev_trans_start also considers
the trans_start values of the netdev queues owned by the device
and provides the most recent one.
For legacy devices this doesn't matter as dev_trans_start can cope
with netdev trans_start values of 0 (they are ignored).
This is a prerequisite to eventual removal of dev->trans_start.
Cc: linux-rdma@vger.kernel.org
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Here is the big staging driver pull request for 4.6-rc1.
Lots of little things here, over 1600 patches or so. Notible is all of
the good Lustre work happening, those developers have finally woken up
and are cleaning up their code greatly. The Outreachy intern
application process is also happening, which brought in another 400 or
so patches. Full details are in the very long shortlog.
All of these have been in linux-next with no reported issues.
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iEYEABECAAYFAlbrc3EACgkQMUfUDdst+ylu5ACgpdTKjrZn2vHElW3GRhTpzJdQ
wz8AoJDeur2DmBkQrKD5/u/WL4UTRNZJ
=+Q6N
-----END PGP SIGNATURE-----
Merge tag 'staging-4.6-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging
Pull staging driver updates from Greg KH:
"Here is the big staging driver pull request for 4.6-rc1.
Lots of little things here, over 1600 patches or so. Notable is all
of the good Lustre work happening, those developers have finally woken
up and are cleaning up their code greatly. The Outreachy intern
application process is also happening, which brought in another 400 or
so patches. Full details are in the very long shortlog.
All of these have been in linux-next with no reported issues"
* tag 'staging-4.6-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging: (1673 commits)
staging: lustre: fix aligments in lnet selftest
staging: lustre: report minimum of two buffers for LNet selftest load test
staging: lustre: test for proper errno code in lstcon_rpc_trans_abort
staging: lustre: filter remaining extra spacing for lnet selftest
staging: lustre: remove extra spacing when setting variable for lnet selftest
staging: lustre: remove extra spacing of variable declartions for lnet selftest
staging: lustre: fix spacing issues checkpatch reported in lnet selftest
staging: lustre: remove returns in void function for lnet selftest
staging: lustre: fix bogus lst errors for lnet selftest
staging: netlogic: Replacing pr_err with dev_err after the call to devm_kzalloc
staging: mt29f_spinand: Replacing pr_info with dev_info after the call to devm_kzalloc
staging: android: ion: fix up file mode
staging: ion: debugfs invalid gfp mask
staging: rts5208: Replace pci_enable_device with pcim_enable_device
Staging: ieee80211: Place constant on right side of the test.
staging: speakup: Replace del_timer with del_timer_sync
staging: lowmemorykiller: fix 2 checks that checkpatch complained
staging: mt29f_spinand: Drop void pointer cast
staging: rdma: hfi1: file_ops: Replace ALIGN with PAGE_ALIGN
staging: rdma: hfi1: driver: Replace IS_ALIGNED with PAGE_ALIGNED
...
This patch fixes the checkpatch warning that else is not generally
useful after a break or return.
This was done using Coccinelle:
@@
expression e2;
statement s1;
@@
if(e2) { ... return ...; }
-else
s1
Signed-off-by: Bhaktipriya Shridhar <bhaktipriya96@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
The macro random_ether_addr is calling the function eth_random_addr.
Therefore, the call to random_ether_addr can be replaced with
eth_random_addr.
Remove the wrapper function rtllib_randomize_cell and replace its
call with eth_random_addr as it is wrapping random_ether_addr.
Signed-off-by: Bhumika Goyal <bhumirks@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
With conccurency managed workqueues, use of dedicated workqueues can
be replaced by system_wq. Drop priv_wq by using system_wq.
Since there are multiple work items per priv but they do not need
to be ordered, increase of concurrency by switching to system_wq
should not break anything.
All work items are sync canceled on so it is guaranteed that
no work is running when rtl92e_suspend function is called.
Signed-off-by: Amitoj Kaur Chawla <amitoj1606@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Fixed checkpatch.pl issue 'Blank lines aren't necessary before a close
brace'
Signed-off-by: Tapan Prakash T <tapanprakasht@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
With conccurency managed workqueues, use of dedicated workqueues can
be replaced by system_wq. Drop wq by using system_wq.
Since there are multiple work items per rtllib but they do not need to
be ordered, increase of concurrency by switching to system_wq should
not break anything.
All work items are sync canceled on rtllib_stop_protocol() so it is
guaranteed that no work is running when rtl92e_disable/reset/restart
functions are called.
Signed-off-by: Amitoj Kaur Chawla <amitoj1606@gmail.com>
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Removed initialisation of a varible if it is immediately reassigned.
Changes were made using Coccinelle.
@@
type T;
constant C;
expression e;
identifier i;
@@
T i
- = C
;
i = e;
Signed-off-by: Bhaktipriya Shridhar <bhaktipriya96@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
In this file, the values returned by rtllib_priv() are unnecessarily cast
into a pointer type in some assignment statements. Remove the cast as it
is unneeded.
Signed-off-by: Janani Ravichandran <janani.rvchndrn@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Prefer using the eth_broadcast_addr() instead of memset to broadcast
address 0xFF to the array.
Signed-off-by: Hari Prasath Gujulan Elango <hgujulan@visteon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Use to_delayed_work() instead of open-coding it.
Signed-off-by: Geliang Tang <geliangtang@163.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Fixes a couple of issues detected by checkpatch with regard to blank lines.
Signed-off-by: Amadeusz Pawlik <potrzebye@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
The rtllib driver is not calling try_module_get() when loading the
encryption modules. Because of this, you can never remove the module
once you have used it one (i.e. bring up the wireless interface).
Signed-off-by: Sean MacLennan <seanm@seanm.ca>
Tested-by: Mateusz Kulikowski <mateusz.kulikowski@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
The interfaces blkcipher and hash are obsolete. This patch replaces
them with skcipher and ahash respectively.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This patch removes unnecessary variable by using a single line of code
instead.
Signed-off-by: Amitoj Kaur Chawla <amitoj1606@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
YueHaibing