path: root/package/kernel/mac80211/patches/351-0046-brcmfmac-fix-out-of-bound-access-on-clearing-wowl-wa.patch
authorRafał Miłecki <zajec5@gmail.com>2016-09-29 14:59:38 +0200
committerZoltan HERPAI <wigyori@uid0.hu>2016-09-29 14:59:38 +0200
commitf9755e28776fdce0c2136492b43380d0eefe3c5a (patch)
tree81b8f52e4cb211f6a7c9ddedcd4efb69ecabe1a1 /package/kernel/mac80211/patches/351-0046-brcmfmac-fix-out-of-bound-access-on-clearing-wowl-wa.patch
parentbc004132213820368cc3af1e54e18f5cdb760972 (diff)
mac80211: brcmfmac: backport changes from 2016-09-27
This fixes memory leaks, some possible crashes and a bug that could cause a WARNING on every add_key/del_key call. It also replaces a WARNING with a simple message. They may still occur e.g. on station going out of range and A-MPDU stall in the firmware. Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Diffstat (limited to 'package/kernel/mac80211/patches/351-0046-brcmfmac-fix-out-of-bound-access-on-clearing-wowl-wa.patch')
-rw-r--r--package/kernel/mac80211/patches/351-0046-brcmfmac-fix-out-of-bound-access-on-clearing-wowl-wa.patch44
1 files changed, 44 insertions, 0 deletions
diff --git a/package/kernel/mac80211/patches/351-0046-brcmfmac-fix-out-of-bound-access-on-clearing-wowl-wa.patch b/package/kernel/mac80211/patches/351-0046-brcmfmac-fix-out-of-bound-access-on-clearing-wowl-wa.patch
new file mode 100644
index 0000000000..a47cb3266f
--- /dev/null
+++ b/package/kernel/mac80211/patches/351-0046-brcmfmac-fix-out-of-bound-access-on-clearing-wowl-wa.patch
@@ -0,0 +1,44 @@
+From a7ed7828ecda0c2b5e0d7f55dedd4230afd4b583 Mon Sep 17 00:00:00 2001
+From: Hante Meuleman <hante.meuleman@broadcom.com>
+Date: Mon, 19 Sep 2016 12:09:58 +0100
+Subject: [PATCH] brcmfmac: fix out of bound access on clearing wowl wake
+ indicator
+
+Clearing the wowl wakeindicator happens with a rather odd
+construction where the string "clear" is used to set the iovar
+wowl_wakeind. This was implemented incorrectly as it caused an
+out of bound access. Use an intermediate variable of correct
+length and copy string in that. Problem was found using coverity.
+
+Reviewed-by: Arend Van Spriel <arend.vanspriel@broadcom.com>
+Reviewed-by: Franky Lin <franky.lin@broadcom.com>
+Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
+Signed-off-by: Hante Meuleman <hante.meuleman@broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -3623,6 +3623,7 @@ static void brcmf_configure_wowl(struct
+ struct cfg80211_wowlan *wowl)
+ {
+ u32 wowl_config;
++ struct brcmf_wowl_wakeind_le wowl_wakeind;
+ u32 i;
+
+ brcmf_dbg(TRACE, "Suspend, wowl config.\n");
+@@ -3664,8 +3665,9 @@ static void brcmf_configure_wowl(struct
+ if (!test_bit(BRCMF_VIF_STATUS_CONNECTED, &ifp->vif->sme_state))
+ wowl_config |= BRCMF_WOWL_UNASSOC;
+
+- brcmf_fil_iovar_data_set(ifp, "wowl_wakeind", "clear",
+- sizeof(struct brcmf_wowl_wakeind_le));
++ memcpy(&wowl_wakeind, "clear", 6);
++ brcmf_fil_iovar_data_set(ifp, "wowl_wakeind", &wowl_wakeind,
++ sizeof(wowl_wakeind));
+ brcmf_fil_iovar_int_set(ifp, "wowl", wowl_config);
+ brcmf_fil_iovar_int_set(ifp, "wowl_activate", 1);
+ brcmf_bus_wowl_config(cfg->pub->bus_if, true);
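Review bot: The added `memcpy(&wowl_wakeind, "clear", 6);` fills only the first six bytes of the on-stack `wowl_wakeind`, while the following `brcmf_fil_iovar_data_set()` call passes `sizeof(wowl_wakeind)` bytes. The struct definition is not in this patch, so this is inferred: if it is larger than six bytes, the tail is uninitialised stack data handed to the firmware. Zeroing it first with `memset(&wowl_wakeind, 0, sizeof(wowl_wakeind));` closes that, and replacing the literal `6` with `sizeof("clear")` keeps the length tied to the string. A `BUILD_BUG_ON(sizeof(wowl_wakeind) < sizeof("clear"));` would also pin the assumption that the struct can hold the string, so the fix cannot turn into a stack overwrite if the struct ever shrinks. The body of `brcmf_configure_wowl` starts and ends outside the two inner hunks shown.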