linux/drivers
Wen Gong a4bf4fecff ath10k: add peer id check in ath10k_peer_find_by_id
[ Upstream commit 49ed34b835 ]

For some SDIO chips, the peer id is 65535 for an MPDU with error status;
test_bit will then trigger a buffer overflow on the peer's memory, and if
KASAN is enabled, it will report an error.

The reason is that when the station is in disconnecting status, the firmware
does not delete the peer info since it is not disconnected completely;
meanwhile some APs will still send data packets to the station, so the
hardware will receive the packet and send it to the firmware, and the
firmware's logic will report a peer id of 65535 for the MPDU with error status.

Adding a check for overflow of the size of the peer's peer_ids will avoid the
buffer overflow access.

Call trace of kasan:
dump_backtrace+0x0/0x2ec
show_stack+0x20/0x2c
__dump_stack+0x20/0x28
dump_stack+0xc8/0xec
print_address_description+0x74/0x240
kasan_report+0x250/0x26c
__asan_report_load8_noabort+0x20/0x2c
ath10k_peer_find_by_id+0x180/0x1e4 [ath10k_core]
ath10k_htt_t2h_msg_handler+0x100c/0x2fd4 [ath10k_core]
ath10k_htt_htc_t2h_msg_handler+0x20/0x34 [ath10k_core]
ath10k_sdio_irq_handler+0xcc8/0x1678 [ath10k_sdio]
process_sdio_pending_irqs+0xec/0x370
sdio_run_irqs+0x68/0xe4
sdio_irq_work+0x1c/0x28
process_one_work+0x3d8/0x8b0
worker_thread+0x508/0x7cc
kthread+0x24c/0x264
ret_from_fork+0x10/0x18

Tested with QCA6174 SDIO with firmware
WLAN.RMH.4.4.1-00007-QCARMSWP-1.

Signed-off-by: Wen Gong <wgong@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2019-07-26 09:13:58 +02:00
accessibility
acpi ACPI/PCI: PM: Add missing wakeup.flags.valid checks 2019-06-22 08:15:17 +02:00
amba
android binder: fix memory leak in error path 2019-07-14 08:11:21 +02:00
ata libata: Extend quirks for the ST1000LM024 drives with NOLPM quirk 2019-06-19 08:17:59 +02:00
atm
auxdisplay auxdisplay: hd44780: Fix memory leak on ->remove() 2019-04-20 09:15:55 +02:00
base regmap-irq: do not write mask register if mask_base is zero 2019-07-21 09:03:16 +02:00
bcma
block xen-blkfront: switch kcalloc to kvcalloc for large array allocation 2019-06-11 12:20:53 +02:00
bluetooth Bluetooth: hci_qca: Give enough time to ROME controller to bootup. 2019-05-31 06:46:16 -07:00
bus
cdrom
char hwrng: omap - Set default quality 2019-05-31 06:46:31 -07:00
clk clk: ti: clkctrl: Fix returning uninitialized data 2019-07-21 09:03:04 +02:00
clocksource clocksource/drivers/oxnas: Fix OX820 compatible 2019-05-16 19:41:21 +02:00
connector
cpufreq cpufreq: kirkwood: fix possible object reference leak 2019-05-31 06:46:24 -07:00
cpuidle
crypto crypto/NX: Set receive window credits to max number of CRBs in RxFIFO 2019-07-21 09:03:16 +02:00
dax mm/huge_memory: fix vmf_insert_pfn_{pmd, pud}() crash, handle unaligned addresses 2019-05-22 07:37:40 +02:00
dca
devfreq
dio
dma dmaengine: imx-sdma: fix use-after-free on probe error path 2019-07-26 09:13:56 +02:00
dma-buf
edac EDAC/mpc85xx: Prevent building as a module 2019-06-15 11:54:03 +02:00
eisa
extcon extcon: arizona: Disable mic detect if running when driver is removed 2019-05-31 06:46:23 -07:00
firewire
firmware efi/bgrt: Drop BGRT status field reserved bits check 2019-07-21 09:03:04 +02:00
fmc
fpga fpga: dfl: Add lockdep classes for pdata->lock 2019-06-25 11:35:55 +08:00
fsi
gnss
gpio gpio: fix gpio-adp5588 build errors 2019-06-22 08:15:16 +02:00
gpu drm/udl: move to embedding drm device inside udl device. 2019-07-21 09:03:18 +02:00
hid HID: multitouch: Add pointstick support for ALPS Touchpad 2019-07-21 09:03:10 +02:00
hsi
hv Drivers: hv: vmbus: Remove the undesired put_cpu_ptr() in hv_synic_cleanup() 2019-05-10 17:54:04 +02:00
hwmon hwmon: (pmbus/core) Treat parameters as paged if on multiple pages 2019-06-25 11:35:59 +08:00
hwspinlock
hwtracing intel_th: msu: Fix single mode with IOMMU 2019-05-25 18:23:26 +02:00
i2c i2c: pca-platform: Fix GPIO lookup code 2019-07-10 09:53:39 +02:00
ide
idle x86/cpu: Sanitize FAM6_ATOM naming 2019-05-14 19:17:53 +02:00
iio iio: temperature: mlx90632 Relax the compatibility check 2019-06-25 11:35:54 +08:00
infiniband RDMA: Directly cast the sockaddr union to sockaddr 2019-07-03 13:14:49 +02:00
input Input: synaptics - enable SMBUS on T480 thinkpad trackpad 2019-07-21 09:03:02 +02:00
iommu iommu/arm-smmu: Avoid constant zero in TLBI writes 2019-06-19 08:18:00 +02:00
ipack
irqchip irqchip/gic-v3-its: Fix command queue pointer comparison bug 2019-07-21 09:03:03 +02:00
isdn mISDN: make sure device name is NUL terminated 2019-06-22 08:15:16 +02:00
leds leds: trigger: netdev: use memcpy in device_name_store 2019-05-04 09:20:22 +02:00
lightnvm
macintosh
mailbox mailbox: stm32-ipcc: check invalid irq 2019-06-15 11:54:04 +02:00
mcb
md dm verity: use message limit for data block corruption message 2019-07-21 09:03:08 +02:00
media media: stv0297: fix frequency range limit 2019-07-14 08:11:16 +02:00
memory memory: tegra: Fix integer overflow on tick value calculation 2019-05-25 18:23:32 +02:00
memstick
message
mfd mfd: twl6040: Fix device init errors for ACCCTL register 2019-06-15 11:54:03 +02:00
misc VMCI: Fix integer overflow in VMCI handle arrays 2019-07-14 08:11:21 +02:00
mmc mmc: core: complete HS400 before checking status 2019-07-14 08:11:13 +02:00
mtd mtd: spinand: macronix: Fix ECC Status Read 2019-06-11 12:20:50 +02:00
mux
net ath10k: add peer id check in ath10k_peer_find_by_id 2019-07-26 09:13:58 +02:00
nfc spi: ST ST95HF NFC: declare missing of table 2019-05-16 19:41:25 +02:00
ntb
nubus
nvdimm libnvdimm: Fix compilation warnings with W=1 2019-06-19 08:18:03 +02:00
nvme nvme: Fix u32 overflow in the number of namespace list calculation 2019-06-25 11:35:59 +08:00
nvmem nvmem: sunxi_sid: Support SID on A83T and H5 2019-06-15 11:54:07 +02:00
of of: overlay: set node fields from properties when add new overlay node 2019-06-09 09:17:24 +02:00
opp
oprofile
parisc parisc: Use implicit space register selection for loading the coherence index of I/O pdirs 2019-06-11 12:20:51 +02:00
parport parport: Fix mem leak in parport_register_dev_model 2019-06-25 11:35:55 +08:00
pci ACPI/PCI: PM: Add missing wakeup.flags.valid checks 2019-06-22 08:15:17 +02:00
pcmcia
perf perf/arm-cci: Remove broken race mitigation 2019-05-31 06:46:17 -07:00
phy phy: mapphone-mdm6600: add gpiolib dependency 2019-05-31 06:46:20 -07:00
pinctrl pinctrl: mediatek: Update cur_mask in mask/mask ops 2019-07-21 09:03:11 +02:00
platform platform/mellanox: mlxreg-hotplug: Add devm_free_irq call to remove flow 2019-07-10 09:53:38 +02:00
pnp
power power: supply: max14656: fix potential use-before-alloc 2019-06-15 11:54:09 +02:00
powercap x86/cpu: Sanitize FAM6_ATOM naming 2019-05-14 19:17:53 +02:00
pps
ps3
ptp
pwm pwm: Fix deadlock warning when removing PWM device 2019-06-15 11:54:10 +02:00
rapidio rapidio: fix a NULL pointer dereference when create_workqueue() fails 2019-06-15 11:53:59 +02:00
ras RAS/CEC: Fix binary search function 2019-06-19 08:18:06 +02:00
regulator
remoteproc
reset reset: meson-audio-arb: Fix missing .owner setting of reset_controller_dev 2019-05-08 07:21:47 +02:00
rpmsg
rtc rtc: pcf8523: don't return invalid date when battery is low 2019-06-19 08:18:07 +02:00
s390 s390/qdio: don't touch the dsci in tiqdio_add_input_queues() 2019-07-21 09:03:15 +02:00
sbus
scsi scsi: qedi: Check targetname while finding boot target information 2019-07-14 08:11:15 +02:00
sfi
sh
siox
slimbus slimbus: fix a potential NULL pointer dereference in of_qcom_slim_ngd_register 2019-05-31 06:46:14 -07:00
sn
soc soc: bcm: brcmstb: biuctrl: Register writes require a barrier 2019-07-14 08:11:03 +02:00
soundwire soundwire: intel: set dai min and max channels correctly 2019-07-14 08:11:07 +02:00
spi spi: bitbang: Fix NULL pointer dereference in spi_unregister_master 2019-07-10 09:53:32 +02:00
spmi
ssb ssb: Fix possible NULL pointer dereference in ssb_host_pcmcia_exit 2019-05-31 06:46:04 -07:00
staging staging: rtl8712: reduce stack usage, again 2019-07-14 08:11:22 +02:00
target scsi: iscsi: set auth_protocol back to NULL if CHAP_A value is not supported 2019-07-26 09:13:56 +02:00
tc
tee
thermal drivers: thermal: tsens: Don't print error message on -EPROBE_DEFER 2019-06-15 11:54:02 +02:00
thunderbolt thunderbolt: property: Fix a NULL pointer dereference 2019-05-31 06:46:31 -07:00
tty Revert "serial: 8250: Don't service RX FIFO if interrupts are disabled" 2019-07-14 08:11:19 +02:00
uio
usb drivers/usb/typec/tps6598x.c: fix 4CC cmd write 2019-07-14 08:11:20 +02:00
uwb
vfio vfio: Fix WARNING "do not call blocking ops when !TASK_RUNNING" 2019-06-15 11:54:07 +02:00
vhost vhost: reject zero size iova range 2019-04-27 09:36:31 +02:00
video video: imsttfb: fix potential NULL pointer dereferences 2019-06-15 11:54:10 +02:00
virt drivers/virt/fsl_hypervisor.c: prevent integer overflow in ioctl 2019-05-16 19:41:31 +02:00
virtio virtio_pci: fix a NULL pointer reference in vp_del_vqs 2019-05-10 17:54:08 +02:00
visorbus
vlynq
vme
w1 w1: fix the resume command API 2019-05-31 06:46:14 -07:00
watchdog watchdog: fix compile time error of pretimeout governors 2019-06-15 11:54:06 +02:00
xen xenbus: Avoid deadlock during suspend due to open transactions 2019-06-22 08:15:19 +02:00
zorro
Kconfig
Makefile