linux/drivers
Zhi Chen 367222df91 ath10k: fix scan crash due to incorrect length calculation
commit c829198880 upstream.

The length of the WMI scan message was not calculated correctly. The allocated
buffer was smaller than what we expected. So the WMI message corrupted
skb_info, which is at the end of skb->data. This fix takes the TLV header
into account even if the element is zero-length.

Crash log:
  [49.629986] Unhandled kernel unaligned access[#1]:
  [49.634932] CPU: 0 PID: 1176 Comm: logd Not tainted 4.4.60 #180
  [49.641040] task: 83051460 ti: 8329c000 task.ti: 8329c000
  [49.646608] $ 0   : 00000000 00000001 80984a80 00000000
  [49.652038] $ 4   : 45259e89 8046d484 8046df30 8024ba70
  [49.657468] $ 8   : 00000000 804cc4c0 00000001 20306320
  [49.662898] $12   : 33322037 000110f2 00000000 31203930
  [49.668327] $16   : 82792b40 80984a80 00000001 804207fc
  [49.673757] $20   : 00000000 0000012c 00000040 80470000
  [49.679186] $24   : 00000000 8024af7c
  [49.684617] $28   : 8329c000 8329db88 00000001 802c58d0
  [49.690046] Hi    : 00000000
  [49.693022] Lo    : 453c0000
  [49.696013] epc   : 800efae4 put_page+0x0/0x58
  [49.700615] ra    : 802c58d0 skb_release_data+0x148/0x1d4
  [49.706184] Status: 1000fc03 KERNEL EXL IE
  [49.710531] Cause : 00800010 (ExcCode 04)
  [49.714669] BadVA : 45259e89
  [49.717644] PrId  : 00019374 (MIPS 24Kc)

Signed-off-by: Zhi Chen <zhichen@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Cc: Brian Norris <briannorris@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-10-13 09:11:35 +02:00
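The bug class behind this commit is a length budget that skips the header of zero-length TLV elements while the serialiser still emits one, so the skb is allocated short and the trailing headers land on the struct skb_shared_info that sits past the end of skb->data (the trace above shows skb_release_data() handing a garbage frag page to put_page()). The following C program is an added illustration of that mismatch, not ath10k's code: the TLV layout (tlv_hdr), the element table (scan_elems), the sizes in it, and the function names tlv_len_buggy, tlv_len_fixed and tlv_write are all constructed for this example. It computes the buffer size both ways, then serialises with clipping so the overrun is counted instead of corrupting memory.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed minimal TLV layout (not ath10k's struct wmi_tlv):
 * a 4-byte header followed by `len` bytes of payload. */
struct tlv_hdr {
    uint16_t tag;
    uint16_t len;
};

/* One element to be serialised: its tag and payload length. */
struct tlv_elem {
    uint16_t tag;
    uint16_t len;
};

/* Constructed scan-like message: a command body, a channel list,
 * and three lists that happen to be empty for this scan request. */
static const struct tlv_elem scan_elems[] = {
    { 1, 24 },  /* command body                  */
    { 2,  8 },  /* channel list: 2 x 4 bytes     */
    { 3,  0 },  /* ssid list: empty              */
    { 4,  0 },  /* bssid list: empty             */
    { 5,  0 },  /* ie: empty                     */
};
#define SCAN_N (sizeof scan_elems / sizeof scan_elems[0])

/* Buggy budget: assumes a zero-length element emits nothing at all,
 * so its header is never counted. */
size_t tlv_len_buggy(const struct tlv_elem *elems, size_t n)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += elems[i].len ? sizeof(struct tlv_hdr) + elems[i].len : 0;
    return total;
}

/* Fixed budget: every element carries a header, payload or not. */
size_t tlv_len_fixed(const struct tlv_elem *elems, size_t n)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += sizeof(struct tlv_hdr) + elems[i].len;
    return total;
}

/* Serialiser that writes a header for every element, which is what the
 * buggy budget failed to anticipate. Writes are clipped to `cap` so the
 * demo stays memory-safe; `*overflow` receives the number of bytes that
 * would have been written past the end of a `cap`-byte buffer. Returns
 * the total number of bytes the message really needs. */
size_t tlv_write(uint8_t *buf, size_t cap,
                 const struct tlv_elem *elems, size_t n, size_t *overflow)
{
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        struct tlv_hdr h = { elems[i].tag, elems[i].len };
        if (off + sizeof h <= cap)
            memcpy(buf + off, &h, sizeof h);
        off += sizeof h;
        if (off + elems[i].len <= cap)
            memset(buf + off, 0xAA, elems[i].len); /* placeholder payload */
        off += elems[i].len;
    }
    *overflow = off > cap ? off - cap : 0;
    return off;
}

/* Allocate with the buggy budget and report how far the real write
 * overruns it: one header per zero-length element. */
size_t demo_overflow_bytes(void)
{
    uint8_t buf[64];
    size_t overflow = 0;
    size_t cap = tlv_len_buggy(scan_elems, SCAN_N); /* 40 bytes */
    tlv_write(buf, cap, scan_elems, SCAN_N, &overflow);
    return overflow; /* 12: three unbudgeted 4-byte headers */
}

int main(void)
{
    printf("buggy budget: %zu bytes\n", tlv_len_buggy(scan_elems, SCAN_N));
    printf("fixed budget: %zu bytes\n", tlv_len_fixed(scan_elems, SCAN_N));
    printf("bytes written past a buggy-sized buffer: %zu\n",
           demo_overflow_bytes());
    return 0;
}
```

The check to carry into a review of any TLV writer is that the budget and the serialiser iterate the same element list with the same per-element rule; in a kernel skb the surplus bytes do not hit unused slack but the shared-info block, which is why the failure surfaces as a crash on skb free rather than at the write.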
accessibility
acpi ACPI / PM: save NVS memory for ASUS 1025C laptop 2018-08-22 07:48:37 +02:00
amba ARM: amba: Don't read past the end of sysfs "driver_override" buffer 2018-05-02 07:53:42 -07:00
android binder: add missing binder_unlock() 2018-02-28 10:17:23 +01:00
ata ata: libahci: Correct setting of DEVSLP register 2018-09-19 22:48:58 +02:00
atm atm: zatm: Fix potential Spectre v1 2018-07-22 14:25:52 +02:00
auxdisplay
base PM / core: Clear the direct_complete flag on errors 2018-10-13 09:11:32 +02:00
bcma
block floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl 2018-10-10 08:52:07 +02:00
bluetooth Bluetooth: Add a new Realtek 8723DE ID 0bda:b009 2018-10-10 08:52:04 +02:00
bus bus: brcmstb_gisb: correct support for 64-bit address output 2018-04-13 19:50:05 +02:00
cdrom cdrom: Fix info leak/OOB read in cdrom_ioctl_drive_status 2018-09-05 09:18:41 +02:00
char tpm: fix race condition in tpm_common_write() 2018-08-15 17:42:04 +02:00
clk clk: imx6ul: fix missing of_node_put() 2018-09-26 08:35:05 +02:00
clocksource clocksource/drivers/fsl_ftm_timer: Fix error return checking 2018-05-30 07:49:01 +02:00
connector
cpufreq cpufreq: Fix new policy initialization during limits updates via sysfs 2018-07-03 11:21:26 +02:00
cpuidle cpuidle: powernv: Fix promotion from snooze if next state disabled 2018-07-03 11:21:29 +02:00
crypto crypto: mxs-dcp - Fix wait logic on chan threads 2018-10-10 08:52:13 +02:00
dca
devfreq PM / devfreq: Propagate error from devfreq_add_device() 2018-02-22 15:44:58 +01:00
dio
dma dmaengine: pl330: fix irq race with terminate_all 2018-09-26 08:35:05 +02:00
dma-buf
edac EDAC, i7core: Fix memleaks and use-after-free on probe and remove 2018-10-10 08:52:06 +02:00
eisa
extcon
firewire firewire-ohci: work around oversized DMA reads on JMicron controllers 2018-05-30 07:48:52 +02:00
firmware firmware: dmi_scan: Fix handling of empty DMI strings 2018-05-30 07:48:56 +02:00
fmc
fpga
gpio gpio: adp5588: Fix sleep-in-atomic-context bug 2018-10-10 08:52:10 +02:00
gpu drm/nouveau/TBDdevinit: don't fail when PMU/PRE_OS is missing from VBIOS 2018-10-10 08:52:12 +02:00
hid HID: hid-ntrig: add error handling for sysfs_create_group 2018-10-10 08:52:06 +02:00
hsi HSI: ssi_protocol: double free in ssip_pn_xmit() 2018-03-24 10:58:42 +01:00
hv Drivers: hv: vmbus: fix build warning 2018-02-25 11:03:46 +01:00
hwmon hwmon: (adt7475) Make adt7475_read_word() return errors 2018-10-10 08:52:09 +02:00
hwspinlock
hwtracing coresight: tpiu: Fix disabling timeouts 2018-09-26 08:35:09 +02:00
i2c i2c: uniphier-f: issue STOP only for last message or I2C_M_STOP 2018-10-10 08:52:11 +02:00
ide cdrom: do not call check_disk_change() inside cdrom_open() 2018-05-30 07:49:13 +02:00
idle idle: i7300: add PCI dependency 2018-02-25 11:03:51 +01:00
iio iio: ad9523: Fix return value for ad952x_store() 2018-09-09 20:04:33 +02:00
infiniband ucma: fix a use-after-free in ucma_resolve_ip() 2018-10-13 09:11:34 +02:00
input Input: elantech - enable middle button of touchpad on ThinkPad P72 2018-10-10 08:52:08 +02:00
iommu iommu/arm-smmu-v3: sync the OVACKFLG to PRIQ consumer register 2018-09-26 08:35:04 +02:00
ipack
irqchip irqchip/gic: Make interrupt ID 1020 invalid 2018-09-15 09:40:41 +02:00
isdn isdn: Disable IIOCDBGVAR 2018-08-22 07:48:38 +02:00
leds leds: pca955x: Correct I2C Functionality 2018-04-13 19:50:09 +02:00
lguest
lightnvm
macintosh macintosh/via-pmu: Add missing mmio accessors 2018-09-19 22:48:57 +02:00
mailbox
mcb
md dm cache: fix resize crash if user doesn't reload cache table 2018-10-13 09:11:32 +02:00
media media: v4l: event: Prevent freeing event subscriptions while accessed 2018-10-10 08:52:10 +02:00
memory memory: tegra: Apply interrupts mask per SoC 2018-08-06 16:24:38 +02:00
memstick
message scsi: mptfusion: Add bounds check in mptctl_hp_targetinfo() 2018-05-30 07:48:58 +02:00
mfd mfd: ti_am335x_tscadc: Fix struct clk memory leak 2018-09-19 22:48:59 +02:00
misc vmci: type promotion bug in qp_host_get_user_memory() 2018-10-10 08:52:03 +02:00
mmc mmc: sdhci-iproc: fix 32bit writes for TRANSFER_MODE register 2018-05-30 07:48:51 +02:00
mtd mtdchar: fix overflows in adjustment of count 2018-09-26 08:35:08 +02:00
net ath10k: fix scan crash due to incorrect length calculation 2018-10-13 09:11:35 +02:00
nfc NFC: nfcmrvl: double free on error path 2018-03-22 09:23:23 +01:00
ntb ntb_transport: Fix bug with max_mw_size parameter 2018-05-30 07:48:55 +02:00
nubus
nvdimm linvdimm, pmem: Preserve read-only setting for pmem devices 2018-07-03 11:21:31 +02:00
nvme nvme-pci: initialize queue memory before interrupts 2018-07-11 16:03:47 +02:00
nvmem
of of: unittest: Disable interrupt node tests for old world MAC systems 2018-10-13 09:11:33 +02:00
oprofile
parisc parisc/pci: Switch LBA PCI bus from Hard Fail to Soft Fail mode 2018-05-30 07:49:10 +02:00
parport parport: sunbpp: fix error return code 2018-09-26 08:35:09 +02:00
pci PCI: Reprogram bridge prefetch registers on resume 2018-10-13 09:11:32 +02:00
pcmcia
perf drivers/perf: arm_pmu: handle no platform_device 2018-03-22 09:23:26 +01:00
phy phy: work around 'phys' references to usb-nop-xceiv devices 2018-01-23 19:50:16 +01:00
pinctrl pinctrl: qcom: spmi-gpio: Fix pmic_gpio_config_get() to be compliant 2018-09-26 08:35:10 +02:00
platform platform/x86: alienware-wmi: Correct a memory leak 2018-09-29 03:08:51 -07:00
pnp
power power: vexpress: fix corruption in notifier registration 2018-10-10 08:52:04 +02:00
powercap PowerCap: Fix an error code in powercap_register_zone() 2018-04-13 19:50:05 +02:00
pps
ps3
ptp ptp: fix missing break in switch 2018-07-25 10:18:17 +02:00
pwm pwm: tiehrpwm: Fix disabling of output of PWMs 2018-09-09 20:04:35 +02:00
rapidio
ras
regulator regulator: pfuze100: add .is_enable() for pfuze100_swb_regulator_ops 2018-08-06 16:24:35 +02:00
remoteproc
reset
rpmsg
rtc rtc: bq4802: add error handling for devm_ioremap 2018-09-26 08:35:09 +02:00
s390 s390/qeth: don't dump past end of unknown HW header 2018-10-10 08:52:12 +02:00
sbus
scsi scsi: bnx2i: add error handling for ioremap_nocache 2018-10-10 08:52:06 +02:00
sfi
sh
sn
soc
spi spi: rspi: Fix interrupted DMA transfers 2018-10-10 08:52:07 +02:00
spmi
ssb ssb: mark ssb_bus_register as __maybe_unused 2018-02-25 11:03:44 +01:00
staging staging: android: ashmem: Fix mmap size validation 2018-10-10 08:52:06 +02:00
target scsi: target: iscsi: Use bin2hex instead of a re-implementation 2018-10-10 08:52:08 +02:00
tc
thermal thermal: of-thermal: disable passive polling when thermal zone is disabled 2018-10-10 08:52:08 +02:00
thunderbolt thunderbolt: Resume control channel after hibernation image is created 2018-04-24 09:32:07 +02:00
tty serial: imx: restore handshaking irq for imx1 2018-10-10 08:52:08 +02:00
uio uio: potential double frees if __uio_register_device() fails 2018-09-19 22:48:57 +02:00
usb USB: serial: simple: add Motorola Tetra MTP6550 id 2018-10-13 09:11:33 +02:00
uwb uwb: hwa-rc: fix memory leak at probe 2018-10-10 08:52:04 +02:00
vfio vfio/pci: Virtualize Maximum Read Request Size 2018-04-24 09:32:09 +02:00
vhost vhost_net: validate sock before trying to put its fd 2018-07-22 14:25:53 +02:00
video fbdev/omapfb: fix omapfb_memory_read infoleak 2018-10-13 09:11:31 +02:00
virt
virtio virtio_balloon: fix another race between migration and ballooning 2018-08-06 16:24:42 +02:00
vlynq
vme
w1 1wire: family module autoload fails because of upper/lower case mismatch. 2018-07-03 11:21:27 +02:00
watchdog watchdog: f71808e_wdt: Fix magic close handling 2018-05-30 07:49:03 +02:00
xen xen: fix GCC warning and remove duplicate EVTCHN_ROW/EVTCHN_COL usage 2018-10-10 08:52:13 +02:00
zorro zorro: Set up z->dev.dma_mask for the DMA API 2018-05-30 07:49:11 +02:00
Kconfig
Makefile usb: build drivers/usb/common/ when USB_SUPPORT is set 2018-02-25 11:03:38 +01:00