_Read/Write_MACREG callbacks are NULL so the read/write_macreg_hdl()
functions don't do anything except free the "pcmd" pointer. It
results in a use after free. Delete them.
Fixes: 2865d42c78 ("staging: r8712u: Add the new driver to the mainline kernel")
Cc: stable <stable@kernel.org>
Reported-by: Zheng Wang <hackerzheng666@gmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/Yw4ASqkYcUhUfoY2@kili
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
When 'status' returned from usb_control_msg() is not equal to 'len',
that usb_control_msg() is on partial failure, r8712_usbctrl_vendorreq()
will treat partial reads as success.
Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Wang Cheng <wanngchenng@gmail.com>
Link: https://lore.kernel.org/r/e33ea53d36c422fbe7eabec5bd9eecb0ebce1bc5.1652618244.git.wanngchenng@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This patch gets rid of the following error from checkpatch.pl:
WARNING: Unnecessary typecast of c90 int constant.
Signed-off-by: Solomon Tan <solomonbstoner@protonmail.ch>
Link: https://lore.kernel.org/r/YlxGTMBsLqdOIrpC@ArchDesktop
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Remove the unnecessary space immediately after a cast. Identified by
checkpatch: CHECK: No space is necessary after a cast.
Signed-off-by: Aliya Rahmani <aliyarahmani786@gmail.com>
Link: https://lore.kernel.org/r/20220413113531.31224-1-aliyarahmani786@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
In r871xu_drv_init(), if r8712_init_drv_sw() fails, then the memory
allocated by r8712_alloc_io_queue() in r8712_usb_dvobj_init() is not
properly released as there is no action will be performed by
r8712_usb_dvobj_deinit().
To properly release it, we should call r8712_free_io_queue() in
r8712_usb_dvobj_deinit().
Besides, in r871xu_dev_remove(), r8712_usb_dvobj_deinit() will be called
by r871x_dev_unload() under condition `padapter->bup` and
r8712_free_io_queue() is called by r8712_free_drv_sw().
However, r8712_usb_dvobj_deinit() does not rely on `padapter->bup` and
calling r8712_free_io_queue() in r8712_free_drv_sw() is negative for
better understading the code.
So I move r8712_usb_dvobj_deinit() into r871xu_dev_remove(), and remove
r8712_free_io_queue() from r8712_free_drv_sw().
Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Xiaoke Wang <xkernel.wang@foxmail.com>
Link: https://lore.kernel.org/r/tencent_B8048C592777830380A23A7C4409F9DF1305@qq.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
The function iterates an index from 0 to NUM_PMKID_CACHE and returns
the first index for which the condition is true. If no such index is
found, the function returns -1. Current code has a complex control
flow that obfuscates this simple task. Replace it with a loop.
Also, given the shortened function body, replace the long variable
name psecuritypriv with a short variable name p.
Reported by checkpatch:
WARNING: else is not generally useful after a break or return
Signed-off-by: Sevinj Aghayeva <sevinj.aghayeva@gmail.com>
Link: https://lore.kernel.org/r/20220403165325.GA374638@euclid
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
r8712_sitesurvey_cmd() uses a variable to notify r8712_SetFilter() that it
has completed operation. There is no sort of assurance that the variable will
actually change and it could cache the value the first time it is read and
then never update it for the whole loop logic.
Use completion variables because they are better suited for the purpose.
This patch fixes the checkpatch.pl warnings like:
CHECK: Avoid CamelCase: <blnEnableRxFF0Filter>
+ u8 blnEnableRxFF0Filter;
Reviewed-by: Fabio M. De Francesco <fmdefrancesco@gmail.com>
Signed-off-by: Sathish Kumar <skumark1902@gmail.com>
Link: https://lore.kernel.org/r/20220323045515.2513-1-skumark1902@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Here is the big set of staging driver updates for 5.18-rc1.
Loads of tiny cleanups for almost all staging drivers in here, nothing
major at all. Highlights include:
- remove the ashmem Android driver. It is long-dead and if
there are any legacy userspace applications still using it,
the Android kernel images will maintain it, the community
shouldn't care about it anymore
- wfx wifi driver major cleanups. Should be ready to merge out
of staging soon, and will coordinate with the wifi maintainers
after -rc1 is out
- major cleanups and unwinding of the layers of the r8188eu
driver. It's amazing just how many unneeded layers of
abstraction is in there, just when we think it's done, another
is found...
- lots of tiny coding style cleanups in many other staging
drivers.
There will be merge conflict with a fbtft change and the spi driver
changes in your tree, but it's pretty obvious what to do (the function
shouldn't return anything.)
All have been in linux-next for a while with no reported problems.
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
iG0EABECAC0WIQT0tgzFv3jCIUoxPcsxR9QN2y37KQUCYkG1cA8cZ3JlZ0Brcm9h
aC5jb20ACgkQMUfUDdst+ylndwCfVhxKnbTYKtOs6UEr5pgPCoQCioUAn0Y2i0TG
4aFeeKUyL8VGdAitL+tp
=E6v7
-----END PGP SIGNATURE-----
Merge tag 'staging-5.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging
Pull staging driver updates from Greg KH:
"Here is the big set of staging driver updates for 5.18-rc1.
Loads of tiny cleanups for almost all staging drivers in here, nothing
major at all. Highlights include:
- remove the ashmem Android driver. It is long-dead and if there are
any legacy userspace applications still using it, the Android
kernel images will maintain it, the community shouldn't care about
it anymore
- wfx wifi driver major cleanups. Should be ready to merge out of
staging soon, and will coordinate with the wifi maintainers after
-rc1 is out
- major cleanups and unwinding of the layers of the r8188eu driver.
It's amazing just how many unneeded layers of abstraction is in
there, just when we think it's done, another is found...
- lots of tiny coding style cleanups in many other staging drivers.
All have been in linux-next for a while with no reported problems"
* tag 'staging-5.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging: (455 commits)
staging: r8188eu: remove unnecessary memset in r8188eu
staging: greybus: introduce pwm_ops::apply
staging: rts5208: Resolve checkpatch.pl issues.
staging: sm750fb: fix naming style
staging: fbtft: Consider type of init sequence values in fbtft_init_display()
staging: fbtft: Constify buf parameter in fbtft_dbg_hex()
staging: mmal-vchiq: clear redundant item named bulk_scratch
mips: dts: ralink: add MT7621 SoC
staging: r8188eu: remove some unused local ieee80211 macros
staging: r8188eu: make rtl8188e_process_phy_info static
staging: r8188eu: remove unused function prototype
staging: r8188eu: remove three unused receive defines
staging: r8188eu: remove unnecessary initializations
staging: rtl8192e: Fix spelling mistake "RESQUEST" -> "REQUEST"
MAINTAINERS: remove the obsolete file entry for staging in ANDROID DRIVERS
staging: r8188eu: proper error handling in rtw_init_drv_sw
staging: r8188eu: call _cancel_timer_ex from _rtw_free_recv_priv
staging: vt6656: Removed unused variable vt3342_vnt_threshold
staging: vt6656: Removed unused variable bb_vga_0
staging: remove ashmem
...
There is a regular need in the kernel to provide a way to declare
having a dynamically sized set of trailing elements in a structure.
Kernel code should always use “flexible array members”[1] for these
cases. The older style of one-element or zero-length arrays should
no longer be used[2].
This code was transformed with the help of Coccinelle:
(next-20220214$ spatch --jobs $(getconf _NPROCESSORS_ONLN) --sp-file script.cocci --include-headers --dir . > output.patch)
@@
identifier S, member, array;
type T1, T2;
@@
struct S {
...
T1 member;
T2 array[
- 0
];
};
UAPI and wireless changes were intentionally excluded from this patch
and will be sent out separately.
[1] https://en.wikipedia.org/wiki/Flexible_array_member
[2] https://www.kernel.org/doc/html/v5.16/process/deprecated.html#zero-length-and-one-element-arrays
Link: https://github.com/KSPP/linux/issues/78
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
As done for rtl8723bs and r8188eu, drop get_recvframe_data(), as it
introduces an impossible value (NULL) for the compiler to check code
paths against which could result in nonsensical warnings.
Cc: Larry Finger <Larry.Finger@lwfinger.net>
Cc: Florian Schilhabel <florian.c.schilhabel@googlemail.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Cc: Zhansaya Bagdauletkyzy <zhansayabagdaulet@gmail.com>
Cc: Ivan Safonov <insafonov@gmail.com>
Cc: linux-staging@lists.linux.dev
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20220118193327.2822099-4-keescook@chromium.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Fixed two CHECKs of Alignment should match open parenthesis and flipped
a condition to pull the code in one tab.
Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Ngo Tak Fong <simon.fodin@gmail.com>
Link: https://lore.kernel.org/r/20211207212223.GA70594@simon-desktop
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Pull exit cleanups from Eric Biederman:
"While looking at some issues related to the exit path in the kernel I
found several instances where the code is not using the existing
abstractions properly.
This set of changes introduces force_fatal_sig a way of sending a
signal and not allowing it to be caught, and corrects the misuse of
the existing abstractions that I found.
A lot of the misuse of the existing abstractions are silly things such
as doing something after calling a no return function, rolling BUG by
hand, doing more work than necessary to terminate a kernel thread, or
calling do_exit(SIGKILL) instead of calling force_sig(SIGKILL).
In the review a deficiency in force_fatal_sig and force_sig_seccomp
where ptrace or sigaction could prevent the delivery of the signal was
found. I have added a change that adds SA_IMMUTABLE to change that
makes it impossible to interrupt the delivery of those signals, and
allows backporting to fix force_sig_seccomp
And Arnd found an issue where a function passed to kthread_run had the
wrong prototype, and after my cleanup was failing to build."
* 'exit-cleanups-for-v5.16' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace: (23 commits)
soc: ti: fix wkup_m3_rproc_boot_thread return type
signal: Add SA_IMMUTABLE to ensure forced siganls do not get changed
signal: Replace force_sigsegv(SIGSEGV) with force_fatal_sig(SIGSEGV)
exit/r8188eu: Replace the macro thread_exit with a simple return 0
exit/rtl8712: Replace the macro thread_exit with a simple return 0
exit/rtl8723bs: Replace the macro thread_exit with a simple return 0
signal/x86: In emulate_vsyscall force a signal instead of calling do_exit
signal/sparc32: In setup_rt_frame and setup_fram use force_fatal_sig
signal/sparc32: Exit with a fatal signal when try_to_clear_window_buffer fails
exit/syscall_user_dispatch: Send ordinary signals on failure
signal: Implement force_fatal_sig
exit/kthread: Have kernel threads return instead of calling do_exit
signal/s390: Use force_sigsegv in default_trap_handler
signal/vm86_32: Properly send SIGSEGV when the vm86 state cannot be saved.
signal/vm86_32: Replace open coded BUG_ON with an actual BUG_ON
signal/sparc: In setup_tsb_params convert open coded BUG into BUG
signal/powerpc: On swapcontext failure force SIGSEGV
signal/sh: Use force_sig(SIGKILL) instead of do_group_exit(SIGKILL)
signal/mips: Update (_save|_restore)_fp_context to fail with -EFAULT
signal/sparc32: Remove unreachable do_exit in do_sparc_fault
...
Here is the big set of staging driver updates and cleanups for 5.16-rc1.
Overall we ended up removing a lot of code this time, a bit over 20,000
lines are now gone thanks to a lot of cleanup work by many developers.
Nothing huge in here functionality wise, just loads of cleanups:
- r8188eu driver major cleanups and removal of unused and dead
code
- wlan-ng minor cleanups
- fbtft driver cleanups
- most driver cleanups
- rtl8* drivers cleanups
- rts5208 driver cleanups
- vt6655 driver cleanups
- vc04_services drivers cleanups
- wfx cleanups on the way to almost getting this merged out of
staging (it's close!)
- tiny mips changes needed for the mt7621 drivers, they have
been acked by the respective subsystem maintainers to go
through this tree.
All of these have been in linux-next for a while with no reported
issues.
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
iG0EABECAC0WIQT0tgzFv3jCIUoxPcsxR9QN2y37KQUCYYPZQQ8cZ3JlZ0Brcm9h
aC5jb20ACgkQMUfUDdst+yml9wCeJl83anYno0xh+UP6CsEkbe64VJEAoIEKyry/
tlUowcatxGfz3aYA1wTc
=FyAK
-----END PGP SIGNATURE-----
Merge tag 'staging-5.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging
Pull staging driver updates from Greg KH:
"Here is the big set of staging driver updates and cleanups for
5.16-rc1.
Overall we ended up removing a lot of code this time, a bit over
20,000 lines are now gone thanks to a lot of cleanup work by many
developers.
Nothing huge in here functionality wise, just loads of cleanups:
- r8188eu driver major cleanups and removal of unused and dead code
- wlan-ng minor cleanups
- fbtft driver cleanups
- most driver cleanups
- rtl8* drivers cleanups
- rts5208 driver cleanups
- vt6655 driver cleanups
- vc04_services drivers cleanups
- wfx cleanups on the way to almost getting this merged out of
staging (it's close!)
- tiny mips changes needed for the mt7621 drivers, they have been
acked by the respective subsystem maintainers to go through this
tree.
All of these have been in linux-next for a while with no reported
issues"
* tag 'staging-5.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging: (622 commits)
staging: r8188eu: hal: remove goto statement and local variable
staging: rtl8723bs: hal remove the assignment to itself
staging: rtl8723bs: fix unmet dependency on CRYPTO for CRYPTO_LIB_ARC4
staging: vchiq_core: get rid of typedef
staging: fieldbus: anybus: reframe comment to avoid warning
staging: r8188eu: fix missing unlock in rtw_resume()
staging: r8188eu: core: remove the goto from rtw_IOL_accquire_xmit_frame
staging: r8188eu: core: remove goto statement
staging: vt6655: Rename `dwAL7230InitTable` array
staging: vt6655: Rename `dwAL2230PowerTable` array
staging: vt6655: Rename `dwAL7230InitTableAMode` array
staging: vt6655: Rename `dwAL7230ChannelTable2` array
staging: vt6655: Rename `dwAL7230ChannelTable1` array
staging: vt6655: Rename `dwAL7230ChannelTable0` array
staging: vt6655: Rename `dwAL2230ChannelTable1` array
staging: vt6655: Rename `dwAL2230ChannelTable0` array
staging: r8712u: fix control-message timeout
staging: rtl8192u: fix control-message timeouts
staging: mt7621-dts: add missing SPDX license to files
staging: vchiq_core: fix quoted strings split across lines
...
The macro thread_exit is called is at the end of a function started
with kthread_run. The code in kthread_run has arranged things so a
kernel thread can just return and do_exit will be called.
So just have the cmd_thread return instead of calling complete_and_exit.
Link: https://lkml.kernel.org/r/20211020174406.17889-19-ebiederm@xmission.com
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
USB control-message timeouts are specified in milliseconds and should
specifically not vary with CONFIG_HZ.
Fixes: 2865d42c78 ("staging: r8712u: Add the new driver to the mainline kernel")
Cc: stable@vger.kernel.org # 2.6.37
Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20211025120910.6339-3-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Syzbot reported use-after-free in rtl8712_dl_fw(). The problem was in
race condition between r871xu_dev_remove() ->ndo_open() callback.
It's easy to see from crash log, that driver accesses released firmware
in ->ndo_open() callback. It may happen, since driver was releasing
firmware _before_ unregistering netdev. Fix it by moving
unregister_netdev() before cleaning up resources.
Call Trace:
...
rtl871x_open_fw drivers/staging/rtl8712/hal_init.c:83 [inline]
rtl8712_dl_fw+0xd95/0xe10 drivers/staging/rtl8712/hal_init.c:170
rtl8712_hal_init drivers/staging/rtl8712/hal_init.c:330 [inline]
rtl871x_hal_init+0xae/0x180 drivers/staging/rtl8712/hal_init.c:394
netdev_open+0xe6/0x6c0 drivers/staging/rtl8712/os_intfs.c:380
__dev_open+0x2bc/0x4d0 net/core/dev.c:1484
Freed by task 1306:
...
release_firmware+0x1b/0x30 drivers/base/firmware_loader/main.c:1053
r871xu_dev_remove+0xcc/0x2c0 drivers/staging/rtl8712/usb_intf.c:599
usb_unbind_interface+0x1d8/0x8d0 drivers/usb/core/driver.c:458
Fixes: 8c213fa591 ("staging: r8712u: Use asynchronous firmware loading")
Cc: stable <stable@vger.kernel.org>
Reported-and-tested-by: syzbot+c55162be492189fb4f51@syzkaller.appspotmail.com
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Link: https://lore.kernel.org/r/20211019211718.26354-1-paskripkin@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
netdev->dev_addr will be const soon, make sure the qualifier
is respected by drivers.
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Link: https://lore.kernel.org/r/20211019171243.1412240-6-kuba@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Commit 406f42fa0d ("net-next: When a bond have a massive amount
of VLANs...") introduced a rbtree for faster Ethernet address look
up. To maintain netdev->dev_addr in this tree we need to make all
the writes to it got through appropriate helpers.
Convert staging from ether_addr_copy() to eth_hw_addr_set():
@@
expression dev, np;
@@
- ether_addr_copy(dev->dev_addr, np)
+ eth_hw_addr_set(dev, np)
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Link: https://lore.kernel.org/r/20211019171243.1412240-3-kuba@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Commit 406f42fa0d ("net-next: When a bond have a massive amount
of VLANs...") introduced a rbtree for faster Ethernet address look
up. To maintain netdev->dev_addr in this tree we need to make all
the writes to it got through appropriate helpers.
Convert staging drivers from memcpy(... ETH_ADDR) to eth_hw_addr_set():
@@
expression dev, np;
@@
- memcpy(dev->dev_addr, np, ETH_ALEN)
+ eth_hw_addr_set(dev, np)
@@
- memcpy(dev->dev_addr, np, 6)
+ eth_hw_addr_set(dev, np)
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Link: https://lore.kernel.org/r/20211019171243.1412240-2-kuba@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
The 0-element arrays that are used as memcpy() destinations are actually
flexible arrays. Adjust their structures accordingly so that memcpy()
can better reason able their destination size (i.e. they need to be seen
as "unknown" length rather than "zero").
In some cases, use of the DECLARE_FLEX_ARRAY() helper is needed when a
flexible array is alone in a struct.
Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Kalle Valo <kvalo@codeaurora.org>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Nilesh Javali <njavali@marvell.com>
Cc: Manish Rangankar <mrangankar@marvell.com>
Cc: GR-QLogic-Storage-Upstream@marvell.com
Cc: "James E.J. Bottomley" <jejb@linux.ibm.com>
Cc: "Martin K. Petersen" <martin.petersen@oracle.com>
Cc: Larry Finger <Larry.Finger@lwfinger.net>
Cc: Phillip Potter <phil@philpotter.co.uk>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Florian Schilhabel <florian.c.schilhabel@googlemail.com>
Cc: Johannes Berg <johannes@sipsolutions.net>
Cc: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Cc: Fabio Aiuto <fabioaiuto83@gmail.com>
Cc: Ross Schmidt <ross.schm.dev@gmail.com>
Cc: Marco Cesati <marcocesati@gmail.com>
Cc: ath10k@lists.infradead.org
Cc: linux-wireless@vger.kernel.org
Cc: netdev@vger.kernel.org
Cc: linux-scsi@vger.kernel.org
Cc: linux-staging@lists.linux.dev
Signed-off-by: Kees Cook <keescook@chromium.org>
This path fixes four checkpatch.pl warnings:
Statements should start on a tabstop
Signed-off-by: Dawid Esterhuizen <desterhuizen@gmail.com>
Link: https://lore.kernel.org/r/YVXGsMZDGmdGjErJ@kkobus.whirley.local
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
There was strange error handling logic in case of fw load failure. For
some reason fw loader callback was doing clean up stuff when fw is not
available. I don't see any reason behind doing this. Since this driver
doesn't have EEPROM firmware let's just disconnect it in case of fw load
failure. Doing clean up stuff in 2 different place which can run
concurently is not good idea and syzbot found 2 bugs related to this
strange approach.
So, in this pacth I deleted all clean up code from fw callback and made
a call to device_release_driver() under device_lock(parent) in case of fw
load failure. This approach is more generic and it defend driver from UAF
bugs, since all clean up code is moved to one place.
Fixes: e02a3b9458 ("staging: rtl8712: fix memory leak in rtl871x_load_fw_cb")
Fixes: 8c213fa591 ("staging: r8712u: Use asynchronous firmware loading")
Cc: stable <stable@vger.kernel.org>
Reported-and-tested-by: syzbot+5872a520e0ce0a7c7230@syzkaller.appspotmail.com
Reported-and-tested-by: syzbot+cc699626e48a6ebaf295@syzkaller.appspotmail.com
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Link: https://lore.kernel.org/r/d49ecc56e97c4df181d7bd4d240b031f315eacc3.1626895918.git.paskripkin@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This patch is preparation for following patch for error handling
refactoring.
flush_scheduled_work() takes (wq_completion)events lock and
it can lead to deadlock when r871xu_dev_remove() is called from workqueue.
To avoid deadlock sutiation we can change flush_scheduled_work() call to
flush_work() call for all possibly scheduled works in this driver,
since next patch adds device_release_driver() in case of fw load failure.
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/6e028b4c457eeb7156c76c6ea3cdb3cb0207c7e1.1626895918.git.paskripkin@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
strcpy() performs no bounds checking on the destination buffer. This
could result in linear overflows beyond the end of the buffer, leading
to all kinds of misbehaviors. The safe replacement is strscpy().
Signed-off-by: Len Baker <len.baker@gmx.com>
Link: https://lore.kernel.org/r/20210717155145.15041-1-len.baker@gmx.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This patch fixes the checkpatch.pl issue:
CHECK: Alignment should match open parenthesis.
Signed-off-by: Alexander Greyling <alexandergreyling5@gmail.com>
Link: https://lore.kernel.org/r/20210710220815.GA1654486@alexlaptop
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
There is a leak in rtl8712 driver.
The problem was in non-freed adapter data if
firmware load failed.
This leak can be reproduced with this code:
https://syzkaller.appspot.com/text?tag=ReproC&x=16612f02d00000,
Autoload must fail (to not hit memory leak reported by syzkaller)
There are 2 possible ways how rtl871x_load_fw_cb() and
r871xu_dev_remove() can be called (in case of fw load error).
1st case:
r871xu_dev_remove() then rtl871x_load_fw_cb()
In this case r871xu_dev_remove() will wait for
completion and then will jump to the end, because
rtl871x_load_fw_cb() set intfdata to NULL:
if (pnetdev) {
struct _adapter *padapter = netdev_priv(pnetdev);
/* never exit with a firmware callback pending */
wait_for_completion(&padapter->rtl8712_fw_ready);
pnetdev = usb_get_intfdata(pusb_intf);
usb_set_intfdata(pusb_intf, NULL);
if (!pnetdev)
goto firmware_load_fail;
... clean up code here ...
}
2nd case:
rtl871x_load_fw_cb() then r871xu_dev_remove()
In this case pnetdev (from code snippet above) will
be zero (because rtl871x_load_fw_cb() set it to NULL)
And clean up code won't be executed again.
So, in all cases we need to free adapted data in rtl871x_load_fw_cb(),
because disconnect function cannot take care of it. And there won't be
any race conditions, because complete() call happens after setting
intfdata to NULL.
In previous patch I moved out free_netdev() from r8712_free_drv_sw()
and that's why now it's possible to free adapter data and then call
complete.
Fixes: 8c213fa591 ("staging: r8712u: Use asynchronous firmware loading")
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Link: https://lore.kernel.org/r/81e68fe0194499cc2e7692d35bc4dcf167827d8f.1623620630.git.paskripkin@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Previous error handling path was unique for all
possible errors and there was unnecessary branching.
Also, one step for freeing drv_sw was missing. All
these problems was fixed by restructuring error
handling path.
Also, moved out free_netdev() from r8712_free_drv_sw() for
correct error handling.
Fixes: 2865d42c78 ("staging: r8712u: Add the new driver to the mainline kernel")
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Link: https://lore.kernel.org/r/febb00f72354449bb4d305f373d6d2f47e539ab4.1623620630.git.paskripkin@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Replaced printk() with netdev_dbg() because the latter is preferred in
network devices drivers.
Suggested-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Fabio M. De Francesco <fmdefrancesco@gmail.com>
Link: https://lore.kernel.org/r/20210609135659.4054-1-fmdefrancesco@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This module defines four alias for printk(). Removed them
all, because they are not used anywhere else in the driver.
Converted the only exception to the explicit use of printk().
Signed-off-by: Fabio M. De Francesco <fmdefrancesco@gmail.com>
Link: https://lore.kernel.org/r/20210606034038.9657-1-fmdefrancesco@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
We recently moved "bssid" off the stack, and allocated it with kmalloc()
instead. Unfortunately, this one line was overlooked so it will copy
random data into the &tgt_network->network instead of the data we want.
Fixes: 0b18e5fe60 ("staging: rtl8712: rtl871x_mp_ioctl: Move a large data struct onto the heap")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/YJ6IrfkbdaTHgpEv@mwanda
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Commit 6e2baa44c6 ("staging: rtl8712: remove enum WIFI_FRAME_SUBTYPE")
was wrong because:
WIFI_DATA_NULL != IEEE80211_STYPE_NULLFUNC
WIFI_DATA_CFACK != IEEE80211_STYPE_DATA_CFACK
WIFI_DATA_CFPOLL != IEEE80211_STYPE_DATA_CFPOLL
WIFI_DATA_CFACKPOLL != IEEE80211_STYPE_DATA_CFACKPOLL
the WIFI_DATA_xxx definitions include WIFI_DATA_TYPE, which is 'BIT(3)'.
Restore the previous behavior by adding the missing
'IEEE80211_FTYPE_DATA |' (0x0008, that is to say BIT(3)) when these values
are used.
Hopefully, the wrong commit was small enough and hand review is possible.
Fixes: 6e2baa44c6 ("staging: rtl8712: remove enum WIFI_FRAME_SUBTYPE")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Link: https://lore.kernel.org/r/44aebfa3c5ce8f45ae05369c73e9ff77c6d271f9.1619939806.git.christophe.jaillet@wanadoo.fr
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Documentation/process/coding-style.rst says (in line 88)
"Don't put multiple assignments on a single line either."
This patch fixes the coding style issue reported by checkpatch.pl.
Signed-off-by: Alexander Vorwerk <alec@vc-celle.de>
Link: https://lore.kernel.org/r/20210501234501.5411-1-alec@vc-celle.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Use existing list iterators and helper functions.
The following coccinelle script was used to convert the code.
@@
identifier v1, v2, v3, v4;
symbol next;
expression e;
iterator name list_for_each;
statement S;
@@
<+...
(
- e = v1->next;
|
- e = get_next(v1);
)
... when != e
- while ( \( v1 != e \| e != v1 \) )
+ list_for_each (e, v1)
{
...
- v2 = container_of(e, struct v3, v4);
+ v2 = list_entry(e, struct v3, v4);
?- if (!v2) S
...
(
- e = e->next;
|
- e = get_next(e);
)
... when != e
}
...+>
Compile tested only.
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Link: https://lore.kernel.org/r/20210428173523.149958-1-linux@roeck-us.net
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Dan Carpenter