Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v3.1.3 2011-11-26T17:08:34Z 2011-11-26T17:08:34Z Luis R. Rodriguez mcgrof@qca.qualcomm.com 2011-11-08T22:28:06Z urn:sha1:1d8fdb8410ef5aca16ddf01c1176358c9154bcfa commit 58ebacc66bd11be2327edcefc79de94bd6f5bb4a upstream. Commit 4d9d88d1 by Scott James Remnant <keybuk@google.com> added the .uevent() callback for the regulatory device used during the platform device registration. The change was done to account for queuing up udev change requests through udevadm triggers. The change also meant that upon regulatory core exit we will now send a uevent() but the uevent() callback, reg_device_uevent(), also accessed last_request. Right before commiting device suicide we free'd last_request but never set it to NULL so platform_device_unregister() would lead to bogus kernel paging request. Fix this and also simply supress uevents right before we commit suicide as they are pointless. This fix is required for kernels >= v2.6.39 $ git describe --contains 4d9d88d1 v2.6.39-rc1~468^2~25^2^2~21 The impact of not having this present is that a bogus paging access may occur (only read) upon cfg80211 unload time. You may also get this BUG complaint below. Although Johannes could not reproduce the issue this fix is theoretically correct. mac80211_hwsim: unregister radios mac80211_hwsim: closing netlink BUG: unable to handle kernel paging request at ffff88001a06b5ab IP: [<ffffffffa030df9a>] reg_device_uevent+0x1a/0x50 [cfg80211] PGD 1836063 PUD 183a063 PMD 1ffcb067 PTE 1a06b160 Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC CPU 0 Modules linked in: cfg80211(-) [last unloaded: mac80211] Pid: 2279, comm: rmmod Tainted: G W 3.1.0-wl+ #663 Bochs Bochs RIP: 0010:[<ffffffffa030df9a>] [<ffffffffa030df9a>] reg_device_uevent+0x1a/0x50 [cfg80211] RSP: 0000:ffff88001c5f9d58 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff88001d2eda88 RCX: ffff88001c7468fc RDX: ffff88001a06b5a0 RSI: ffff88001c7467b0 RDI: ffff88001c7467b0 RBP: ffff88001c5f9d58 R08: 000000000000ffff R09: 000000000000ffff R10: 0000000000000000 R11: 0000000000000001 R12: ffff88001c7467b0 R13: ffff88001d2eda78 R14: ffffffff8164a840 R15: 0000000000000001 FS: 00007f8a91d8a6e0(0000) GS:ffff88001fc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: ffff88001a06b5ab CR3: 000000001c62e000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Process rmmod (pid: 2279, threadinfo ffff88001c5f8000, task ffff88000023c780) Stack: ffff88001c5f9d98 ffffffff812ff7e5 ffffffff8176ab3d ffff88001c7468c2 000000000000ffff ffff88001d2eda88 ffff88001c7467b0 ffff880000114820 ffff88001c5f9e38 ffffffff81241dc7 ffff88001c5f9db8 ffffffff81040189 Call Trace: [<ffffffff812ff7e5>] dev_uevent+0xc5/0x170 [<ffffffff81241dc7>] kobject_uevent_env+0x1f7/0x490 [<ffffffff81040189>] ? sub_preempt_count+0x29/0x60 [<ffffffff814cab1a>] ? _raw_spin_unlock_irqrestore+0x4a/0x90 [<ffffffff81305307>] ? devres_release_all+0x27/0x60 [<ffffffff8124206b>] kobject_uevent+0xb/0x10 [<ffffffff812fee27>] device_del+0x157/0x1b0 [<ffffffff8130377d>] platform_device_del+0x1d/0x90 [<ffffffff81303b76>] platform_device_unregister+0x16/0x30 [<ffffffffa030fffd>] regulatory_exit+0x5d/0x180 [cfg80211] [<ffffffffa032bec3>] cfg80211_exit+0x2b/0x45 [cfg80211] [<ffffffff8109a84c>] sys_delete_module+0x16c/0x220 [<ffffffff8108a23e>] ? trace_hardirqs_on_caller+0x7e/0x120 [<ffffffff814cba02>] system_call_fastpath+0x16/0x1b Code: <all your base are belong to me> RIP [<ffffffffa030df9a>] reg_device_uevent+0x1a/0x50 [cfg80211] RSP <ffff88001c5f9d58> CR2: ffff88001a06b5ab ---[ end trace 147c5099a411e8c0 ]--- Reported-by: Johannes Berg <johannes@sipsolutions.net> Cc: Scott James Remnant <keybuk@google.com> Signed-off-by: Luis R. Rodriguez <mcgrof@qca.qualcomm.com> Signed-off-by: John W. Linville <linville@tuxdriver.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 2011-11-26T17:08:34Z Johannes Berg johannes.berg@intel.com 2011-11-03T08:27:01Z urn:sha1:2ebd38f358b941add49441bad15cb75217a0f08b commit 6c7394197af90f6a332180e33f5d025d3037d883 upstream. Since the NL80211_ATTR_HT_CAPABILITY attribute is used as a struct, it needs a minimum, not maximum length. Enforce that properly. Not doing so could potentially lead to reading after the buffer. Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 2011-09-21T19:58:24Z Jouni Malinen jouni@qca.qualcomm.com 2011-09-21T13:13:07Z urn:sha1:1b9ca0272ffae212e726380f66777b30a56ed7a5 Incorrect variable was used in validating the akm_suites array from NL80211_ATTR_AKM_SUITES. In addition, there was no explicit validation of the array length (we only have room for NL80211_MAX_NR_AKM_SUITES). This can result in a buffer write overflow for stack variables with arbitrary data from user space. The nl80211 commands using the affected functionality require GENL_ADMIN_PERM, so this is only exposed to admin users. Cc: stable@kernel.org Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> Signed-off-by: John W. Linville <linville@tuxdriver.com> 2011-09-16T19:32:11Z Rajkumar Manoharan rmanohar@qca.qualcomm.com 2011-09-15T09:42:29Z urn:sha1:3965ac00204e0ccd89e1e73ead4d2098dc8f7bd1 The scan request received from cfg80211_connect do not have proper rate mast. So the probe request sent on each channel do not have proper the supported rates ie. Cc: stable@kernel.org Reviewed-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: Rajkumar Manoharan <rmanohar@qca.qualcomm.com> Signed-off-by: John W. Linville <linville@tuxdriver.com> 2011-09-16T19:32:08Z Rajkumar Manoharan rmanohar@qca.qualcomm.com 2011-09-14T08:58:17Z urn:sha1:aa3d7eef398dd4f29045e9889b817d5161afe03e During the association, the regulatory is updated by country IE that reaps the previously found beacons. The impact is that after a STA disconnects *or* when for any reason a regulatory domain change happens the beacon hint flag is not cleared therefore preventing future beacon hints to be learned. This is important as a regulatory domain change or a restore of regulatory settings would set back the passive scan and no-ibss flags on the channel. This is the right place to do this given that it covers any regulatory domain change. Cc: stable@kernel.org Reviewed-by: Luis R. Rodriguez <mcgrof@gmail.com> Signed-off-by: Rajkumar Manoharan <rmanohar@qca.qualcomm.com> Acked-by: Luis R. Rodriguez <mcgrof@qca.qualcomm.com> Signed-off-by: John W. Linville <linville@tuxdriver.com> 2011-08-22T18:21:40Z Stanislaw Gruszka sgruszka@redhat.com 2011-08-12T12:00:59Z urn:sha1:ecb4433550f0620f3d1471ae7099037ede30a91e Do not call ->suspend, ->resume methods after we unregister wiphy. Also delete sta_clanup timer after we finish wiphy unregister to avoid this: WARNING: at lib/debugobjects.c:262 debug_print_object+0x85/0xa0() Hardware name: 6369CTO ODEBUG: free active (active state 0) object type: timer_list hint: sta_info_cleanup+0x0/0x180 [mac80211] Modules linked in: aes_i586 aes_generic fuse bridge stp llc autofs4 sunrpc cpufreq_ondemand acpi_cpufreq mperf ext2 dm_mod uinput thinkpad_acpi hwmon sg arc4 rt2800usb rt2800lib crc_ccitt rt2x00usb rt2x00lib mac80211 cfg80211 i2c_i801 iTCO_wdt iTCO_vendor_support e1000e ext4 mbcache jbd2 sd_mod crc_t10dif sr_mod cdrom yenta_socket ahci libahci pata_acpi ata_generic ata_piix i915 drm_kms_helper drm i2c_algo_bit video [last unloaded: microcode] Pid: 5663, comm: pm-hibernate Not tainted 3.1.0-rc1-wl+ #19 Call Trace: [<c0454cfd>] warn_slowpath_common+0x6d/0xa0 [<c05e05e5>] ? debug_print_object+0x85/0xa0 [<c05e05e5>] ? debug_print_object+0x85/0xa0 [<c0454dae>] warn_slowpath_fmt+0x2e/0x30 [<c05e05e5>] debug_print_object+0x85/0xa0 [<f8a808e0>] ? sta_info_alloc+0x1a0/0x1a0 [mac80211] [<c05e0bd2>] debug_check_no_obj_freed+0xe2/0x180 [<c051175b>] kfree+0x8b/0x150 [<f8a126ae>] cfg80211_dev_free+0x7e/0x90 [cfg80211] [<f8a13afd>] wiphy_dev_release+0xd/0x10 [cfg80211] [<c068d959>] device_release+0x19/0x80 [<c05d06ba>] kobject_release+0x7a/0x1c0 [<c07646a8>] ? rtnl_unlock+0x8/0x10 [<f8a13adb>] ? wiphy_resume+0x6b/0x80 [cfg80211] [<c05d0640>] ? kobject_del+0x30/0x30 [<c05d1a6d>] kref_put+0x2d/0x60 [<c05d056d>] kobject_put+0x1d/0x50 [<c08015f4>] ? mutex_lock+0x14/0x40 [<c068d60f>] put_device+0xf/0x20 [<c069716a>] dpm_resume+0xca/0x160 [<c04912bd>] hibernation_snapshot+0xcd/0x260 [<c04903df>] ? freeze_processes+0x3f/0x90 [<c049151b>] hibernate+0xcb/0x1e0 [<c048fdc0>] ? pm_async_store+0x40/0x40 [<c048fe60>] state_store+0xa0/0xb0 [<c048fdc0>] ? pm_async_store+0x40/0x40 [<c05d0200>] kobj_attr_store+0x20/0x30 [<c0575ea4>] sysfs_write_file+0x94/0xf0 [<c051e26a>] vfs_write+0x9a/0x160 [<c0575e10>] ? sysfs_open_file+0x200/0x200 [<c051e3fd>] sys_write+0x3d/0x70 [<c080959f>] sysenter_do_call+0x12/0x28 Cc: stable@kernel.org Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com> Signed-off-by: John W. Linville <linville@tuxdriver.com> 2011-08-01T17:46:46Z Dan Carpenter error27@gmail.com 2011-07-29T08:52:18Z urn:sha1:84404623da45aac04595a8f5760a58df0e955d87 The test is off by one so we'd read past the end of the wiphy->bands[] array on the next line. Signed-off-by: Dan Carpenter <error27@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com> 2011-07-26T20:27:32Z Mihai Moldovan ionic@ionic.de 2011-07-25T09:18:58Z urn:sha1:5bc91db8933bce07c3af86da2bd956414aa5a725 Just a typo fix changing regulaotry to regulatory. Signed-off-by: Mihai Moldovan <ionic@ionic.de> CC: John W. Linville <linville@tuxdriver.com> CC: Mohammed Shafi <shafi.wireless@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com> 2011-07-26T20:27:29Z Sven Neumann s.neumann@raumfeld.com 2011-07-12T13:52:07Z urn:sha1:a203c2aa4cefccb879c879b8e1cad1a09a679e55 At the beginning of wiphy_update_regulatory() a check is performed whether the request is to be ignored. Then the request is sent to the driver nevertheless. This happens even if last_request points to NULL, leading to a crash in the driver: [<bf01d864>] (lbs_set_11d_domain_info+0x28/0x1e4 [libertas]) from [<c03b714c>] (wiphy_update_regulatory+0x4d0/0x4f4) [<c03b714c>] (wiphy_update_regulatory+0x4d0/0x4f4) from [<c03b4008>] (wiphy_register+0x354/0x420) [<c03b4008>] (wiphy_register+0x354/0x420) from [<bf01b17c>] (lbs_cfg_register+0x80/0x164 [libertas]) [<bf01b17c>] (lbs_cfg_register+0x80/0x164 [libertas]) from [<bf020e64>] (lbs_start_card+0x20/0x88 [libertas]) [<bf020e64>] (lbs_start_card+0x20/0x88 [libertas]) from [<bf02cbd8>] (if_sdio_probe+0x898/0x9c0 [libertas_sdio]) Fix this by returning early. Also remove the out: label as it is not any longer needed. Signed-off-by: Sven Neumann <s.neumann@raumfeld.com> Cc: linux-wireless@vger.kernel.org Cc: Johannes Berg <johannes@sipsolutions.net> Cc: Daniel Mack <daniel@zonque.org> Cc: stable@kernel.org Signed-off-by: John W. Linville <linville@tuxdriver.com> 2011-07-20T19:04:38Z Johannes Berg johannes.berg@intel.com 2011-07-19T22:52:16Z urn:sha1:a401d2bb363d942245acdd81c5b5a754011696ee commit 58389c69150e6032504dfcd3edca6b1975c8b5bc Author: Johannes Berg <johannes.berg@intel.com> Date: Mon Jul 18 18:08:35 2011 +0200 cfg80211: allow userspace to control supported rates in scan made single-band cards crash since it would always access all wiphy->bands[]. Fix this and reject any attempts in the new helper ieee80211_get_ratemask() to do the same, rejecting rates configuration for unsupported bands. Reported-by: Pavel Roskin <proski@gnu.org> Tested-by: Pavel Roskin <proski@gnu.org> Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>