Ubuntu-focal-kernel/drivers
Sascha Hauer e0544369c8 wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id()
BugLink: https://bugs.launchpad.net/bugs/2081278

[ Upstream commit c145eea2f75ff7949392aebecf7ef0a81c1f6c14 ]

mwifiex_get_priv_by_id() returns the priv pointer corresponding to
the bss_num and bss_type, but without checking if the priv is actually
currently in use.
Unused priv pointers do not have a wiphy attached to them which can
lead to NULL pointer dereferences further down the callstack.  Fix
this by returning only used priv pointers which have priv->bss_mode
set to something other than NL80211_IFTYPE_UNSPECIFIED.

Said NULL pointer dereference happened when an access point was started
with wpa_supplicant -i mlan0 with this config:

network={
        ssid="somessid"
        mode=2
        frequency=2412
        key_mgmt=WPA-PSK WPA-PSK-SHA256
        proto=RSN
        group=CCMP
        pairwise=CCMP
        psk="12345678"
}

When waiting for the AP to be established, interrupting wpa_supplicant
with <ctrl-c> and starting it again this happens:

| Unable to handle kernel NULL pointer dereference at virtual address 0000000000000140
| Mem abort info:
|   ESR = 0x0000000096000004
|   EC = 0x25: DABT (current EL), IL = 32 bits
|   SET = 0, FnV = 0
|   EA = 0, S1PTW = 0
|   FSC = 0x04: level 0 translation fault
| Data abort info:
|   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
|   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
|   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
| user pgtable: 4k pages, 48-bit VAs, pgdp=0000000046d96000
| [0000000000000140] pgd=0000000000000000, p4d=0000000000000000
| Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
| Modules linked in: caam_jr caamhash_desc spidev caamalg_desc crypto_engine authenc libdes mwifiex_sdio
+mwifiex crct10dif_ce cdc_acm onboard_usb_hub fsl_imx8_ddr_perf imx8m_ddrc rtc_ds1307 lm75 rtc_snvs
+imx_sdma caam imx8mm_thermal spi_imx error imx_cpufreq_dt fuse ip_tables x_tables ipv6
| CPU: 0 PID: 8 Comm: kworker/0:1 Not tainted 6.9.0-00007-g937242013fce-dirty #18
| Hardware name: somemachine (DT)
| Workqueue: events sdio_irq_work
| pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
| pc : mwifiex_get_cfp+0xd8/0x15c [mwifiex]
| lr : mwifiex_get_cfp+0x34/0x15c [mwifiex]
| sp : ffff8000818b3a70
| x29: ffff8000818b3a70 x28: ffff000006bfd8a5 x27: 0000000000000004
| x26: 000000000000002c x25: 0000000000001511 x24: 0000000002e86bc9
| x23: ffff000006bfd996 x22: 0000000000000004 x21: ffff000007bec000
| x20: 000000000000002c x19: 0000000000000000 x18: 0000000000000000
| x17: 000000040044ffff x16: 00500072b5503510 x15: ccc283740681e517
| x14: 0201000101006d15 x13: 0000000002e8ff43 x12: 002c01000000ffb1
| x11: 0100000000000000 x10: 02e8ff43002c0100 x9 : 0000ffb100100157
| x8 : ffff000003d20000 x7 : 00000000000002f1 x6 : 00000000ffffe124
| x5 : 0000000000000001 x4 : 0000000000000003 x3 : 0000000000000000
| x2 : 0000000000000000 x1 : 0001000000011001 x0 : 0000000000000000
| Call trace:
|  mwifiex_get_cfp+0xd8/0x15c [mwifiex]
|  mwifiex_parse_single_response_buf+0x1d0/0x504 [mwifiex]
|  mwifiex_handle_event_ext_scan_report+0x19c/0x2f8 [mwifiex]
|  mwifiex_process_sta_event+0x298/0xf0c [mwifiex]
|  mwifiex_process_event+0x110/0x238 [mwifiex]
|  mwifiex_main_process+0x428/0xa44 [mwifiex]
|  mwifiex_sdio_interrupt+0x64/0x12c [mwifiex_sdio]
|  process_sdio_pending_irqs+0x64/0x1b8
|  sdio_irq_work+0x4c/0x7c
|  process_one_work+0x148/0x2a0
|  worker_thread+0x2fc/0x40c
|  kthread+0x110/0x114
|  ret_from_fork+0x10/0x20
| Code: a94153f3 a8c37bfd d50323bf d65f03c0 (f940a000)
| ---[ end trace 0000000000000000 ]---

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Acked-by: Brian Norris <briannorris@chromium.org>
Reviewed-by: Francesco Dolcini <francesco.dolcini@toradex.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://patch.msgid.link/20240703072409.556618-1-s.hauer@pengutronix.de
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Koichiro Den <koichiro.den@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
2024-09-27 10:50:33 +02:00
accessibility
acpi ACPI: SBS: manage alarm sysfs attribute through psy core 2024-09-27 10:50:18 +02:00
amba amba: bus: fix refcount leak 2023-10-30 11:42:15 +01:00
android binder: fix hang of unregistered readers 2024-09-27 10:50:15 +02:00
ata ata: libata: Fix memory leak for error path in ata_host_alloc() 2024-09-27 10:50:30 +02:00
atm atm: idt77252: prevent use after free in dequeue_rx() 2024-09-27 10:50:23 +02:00
auxdisplay
base devres: Initialize an uninitialized struct member 2024-09-27 10:50:32 +02:00
bcma
block rbd: don't assume RBD_LOCK_STATE_LOCKED for exclusive mappings 2024-09-27 10:50:16 +02:00
bluetooth Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x13d3:0x3591 2024-09-27 10:50:16 +02:00
bus bus: tegra-aconnect: Update dependency to ARCH_TEGRA 2024-06-07 15:01:25 +02:00
cdrom
char hwrng: amd - Convert PCIBIOS_* return codes to errnos 2024-09-27 10:50:15 +02:00
clk clk: qcom: clk-alpha-pll: Fix the trion pll postdiv set rate API 2024-09-27 10:50:31 +02:00
clocksource clocksource/drivers/sh_cmt: Address race condition for clock events 2024-09-27 10:50:18 +02:00
connector
counter
cpufreq cpufreq: brcmstb-avs-cpufreq: ISO C90 forbids mixed declarations 2024-09-27 10:50:22 +02:00
cpuidle
crypto crypto: qat - Fix ADF_DEV_RESET_SYNC memory leak 2024-07-05 10:52:03 +02:00
dax
dca
devfreq PM / devfreq: Fix buffer overflow in trans_stat_show 2024-09-27 10:50:28 +02:00
dio
dma dmaengine: ioatdma: Fix missing kmem_cache_destroy() 2024-08-02 16:16:19 +02:00
dma-buf dma-buf/sw-sync: don't enable IRQ from sync_print_obj() 2024-07-05 10:52:01 +02:00
edac EDAC, i10nm: make skx_common.o a separate module 2024-09-27 10:50:10 +02:00
eisa
extcon extcon: max8997: select IRQ_DOMAIN instead of depending on it 2024-07-05 10:52:00 +02:00
firewire firewire: nosy: ensure user_length is taken into account when fetching packet contents 2024-07-05 10:51:53 +02:00
firmware firmware: turris-mox-rwtm: Initialize completion before mailbox 2024-09-27 10:50:11 +02:00
fpga
fsi fsi: master-ast-cf: Add MODULE_FIRMWARE macro 2023-10-30 11:42:05 +01:00
gnss
gpio gpio: davinci: Validate the obtained number of IRQs 2024-08-02 16:16:21 +02:00
gpu drm/amd/display: Skip wbscl_set_scaler_filter if filter is null 2024-09-27 10:50:30 +02:00
greybus greybus: Fix use-after-free bug in gb_interface_release due to race condition. 2024-08-02 16:16:17 +02:00
hid HID: microsoft: Add rumble support to latest xbox controllers 2024-09-27 10:50:26 +02:00
hsi
hv hv_utils: drain the timesync packets on onchannelcallback 2024-08-02 16:16:17 +02:00
hwmon hwmon: (w83627ehf) Fix underflows seen when writing limit attributes 2024-09-27 10:50:33 +02:00
hwspinlock
hwtracing intel_th: pci: Add Lunar Lake support 2024-08-02 16:16:17 +02:00
i2c i2c: riic: avoid potential division by zero 2024-09-27 10:50:23 +02:00
i3c i3c: master: cdns: Update maximum prescaler value for i2c clock 2024-03-28 15:18:37 +01:00
ide
idle
iio iio: chemical: bme680: Fix sensor data read operation 2024-08-02 16:16:22 +02:00
infiniband IB/hfi1: Fix potential deadlock on &irq_src_lock and &dd->uctxt_lock 2024-09-27 10:50:24 +02:00
input Input: MT - limit max slots 2024-09-27 10:50:27 +02:00
interconnect interconnect: Treat xlate() returning NULL node as an error 2024-02-12 09:10:25 +01:00
iommu iommu/vt-d: Handle volatile descriptor status read 2024-09-27 10:50:32 +02:00
ipack
irqchip irqchip/armada-370-xp: Do not allow mapping IRQ 0 and 1 2024-09-27 10:50:31 +02:00
isdn mISDN: Fix a use after free in hfcmulti_tx() 2024-09-27 10:50:16 +02:00
leds leds: ss4200: Convert PCIBIOS_* return codes to errnos 2024-09-27 10:50:14 +02:00
lightnvm
macintosh macintosh/therm_windtunnel: fix module unload. 2024-09-27 10:50:13 +02:00
mailbox
mcb mcb: fix error handling for different scenarios when parsing 2024-02-02 14:13:10 +01:00
md dm init: Handle minors larger than 255 2024-09-27 10:50:32 +02:00
media media: qcom: camss: Add check for v4l2_fwnode_endpoint_parse 2024-09-27 10:50:31 +02:00
memory
memstick
message
mfd mfd: omap-usb-tll: Use struct_size to allocate tll 2024-09-27 10:50:12 +02:00
misc eeprom: at24: fix memory corruption race condition 2024-09-27 10:50:29 +02:00
mmc mmc: sdhci-of-aspeed: fix module autoloading 2024-09-27 10:50:30 +02:00
mtd ubi: eba: properly rollback inside self_check_eba 2024-09-27 10:50:15 +02:00
mux
net wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id() 2024-09-27 10:50:33 +02:00
nfc nfc: pn533: Add poll mod list filling check 2024-09-27 10:50:27 +02:00
ntb ntb: Fix calculation ntb_transport_tx_free_entry() 2023-10-30 11:42:16 +01:00
nubus
nvdimm nd_btt: Make BTT lanes preemptible 2024-02-02 14:13:03 +01:00
nvme nvme: avoid double free special payload 2024-09-27 10:50:29 +02:00
nvmem nvmem: meson-efuse: Fix return value of nvmem callbacks 2024-08-02 16:16:34 +02:00
of of: gpio unittest kfree() wrong object 2024-03-28 15:18:44 +01:00
opp OPP: Fix passing 0 to PTR_ERR in _opp_attach_genpd() 2023-10-30 11:42:07 +01:00
oprofile
parisc parisc: iosapic.c: Fix sparse warnings 2024-01-05 14:29:48 +01:00
parport dev/parport: fix the array out-of-bounds risk 2024-09-27 10:50:17 +02:00
pci pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv 2024-09-27 10:50:32 +02:00
pcmcia pcmcia: Use resource_size function on resource object 2024-09-27 10:50:31 +02:00
perf perf/smmuv3: Enable HiSilicon Erratum 162001900 quirk for HIP08/09 2023-10-30 11:42:22 +01:00
phy phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP 2024-03-28 15:18:40 +01:00
pinctrl pinctrl: single: fix potential NULL dereference in pcs_get_function() 2024-09-27 10:50:27 +02:00
platform platform/x86: dell-smbios: Fix error path in dell_smbios_init() 2024-09-27 10:50:32 +02:00
pnp PNP: ACPI: fix fortify warning 2024-03-28 15:18:34 +01:00
power power: supply: axp288_charger: Round constant_charge_voltage writes down 2024-09-27 10:50:21 +02:00
powercap
pps
ps3
ptp ptp: Fix error message on failed pin verification 2024-08-02 16:16:10 +02:00
pwm pwm: stm32: Always do lazy disabling 2024-09-27 10:50:10 +02:00
rapidio
ras
regulator regulator: core: Fix modpost error "regulator_get_regmap" undefined 2024-08-02 16:16:19 +02:00
remoteproc remoteproc: imx_rproc: Skip over memory region when node value is NULL 2024-09-27 10:50:17 +02:00
reset reset: hi6220: Add support for AO reset controller 2024-09-27 10:50:31 +02:00
rpmsg rpmsg: virtio: Free driver_override when rpmsg_remove() 2024-03-28 15:18:31 +01:00
rtc rtc: isl1208: Fix return value of nvmem callbacks 2024-09-27 10:50:15 +02:00
s390 s390/cio: rename bitmap_size() -> idset_bitmap_size() 2024-09-27 10:50:22 +02:00
sbus
scsi scsi: aacraid: Fix double-free on probe failure 2024-09-27 10:50:28 +02:00
sfi
sh
siox
slimbus slimbus: core: Remove usage of the deprecated ida_simple_xx() API 2024-06-07 15:01:35 +02:00
soc soc: qcom: cmd-db: Map shared memory as WC, not WB 2024-09-27 10:50:27 +02:00
soundwire soundwire: stream: fix programming slave ports for non-continous port maps 2024-09-27 10:50:27 +02:00
spi spi: spi-fsl-lpspi: Fix scldiv calculation 2024-09-27 10:50:20 +02:00
spmi
ssb ssb: Fix division by zero issue in ssb_calc_clock_rate 2024-09-27 10:50:23 +02:00
staging staging: ks7010: disable bh on tx_dev_lock 2024-09-27 10:50:23 +02:00
target scsi: target: Fix SELinux error when systemd-modules loads the target module 2024-07-05 10:51:52 +02:00
tc
tee
thermal thermal: core: prevent potential string overflow 2024-02-02 14:13:02 +01:00
thunderbolt
tty serial: core: check uartclk for zero to avoid divide by zero 2024-09-27 10:50:21 +02:00
uio uio_hv_generic: Fix another memory leak in error handling paths 2024-04-26 10:54:04 +02:00
usb usb: uas: set host status byte on data completion error 2024-09-27 10:50:31 +02:00
vfio vfio/platform: Create persistent IRQ handlers 2024-06-07 15:01:39 +02:00
vhost vhost: Add smp_rmb() in vhost_vq_avail_empty() 2024-06-07 15:01:43 +02:00
video fbdev: savage: Handle err return when savagefb_check_var failed 2024-07-05 10:52:03 +02:00
virt
virtio virtio: delete vq in vp_find_vqs_msix() when request_irq() fails 2024-07-05 10:52:01 +02:00
visorbus
vlynq
vme
w1
watchdog watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger 2024-09-27 10:50:08 +02:00
xen xen/events: close evtchn after mapping cleanup 2024-06-07 15:01:36 +02:00
zorro
Kconfig
Makefile