From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Chin-Yen Lee, Ping-Ke Shih, Kalle Valo, Sasha Levin
Subject: [PATCH 5.10 239/306] rtw88: wow: fix size access error of probe request
Date: Thu, 16 Sep 2021 17:59:44 +0200
Message-Id: <20210916155802.201747229@linuxfoundation.org>
In-Reply-To: <20210916155753.903069397@linuxfoundation.org>
References: <20210916155753.903069397@linuxfoundation.org>

From: Chin-Yen Lee

[ Upstream commit 69c7044526d984df672b8d9b6d6998c34617cde4 ]

Current flow will lead to null ptr access because of trying to get the size of freed probe-request packets. We store the information of packet size into rsvd page instead and also fix the size error issue, which will cause unstable behavior of sending probe request by wow firmware.

Signed-off-by: Chin-Yen Lee
Signed-off-by: Ping-Ke Shih
Signed-off-by: Kalle Valo
Link: https://lore.kernel.org/r/20210728014335.8785-6-pkshih@realtek.com
Signed-off-by: Sasha Levin
--- drivers/net/wireless/realtek/rtw88/fw.c | 8 ++++++-- drivers/net/wireless/realtek/rtw88/fw.h | 1 + 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/realtek/rtw88/fw.c b/drivers/net/wireless/realtek/rtw88/fw.c index b2fd87834f23..0452630bcfac 100644 --- a/drivers/net/wireless/realtek/rtw88/fw.c +++ b/drivers/net/wireless/realtek/rtw88/fw.c @@ -684,7 +684,7 @@ static u16 rtw_get_rsvd_page_probe_req_size(struct rtw_dev *rtwdev, continue; if ((!ssid && !rsvd_pkt->ssid) || rtw_ssid_equal(rsvd_pkt->ssid, ssid)) - size = rsvd_pkt->skb->len; + size = rsvd_pkt->probe_req_size; } return size; 
@@ -912,6 +912,8 @@ static struct sk_buff *rtw_get_rsvd_page_skb(struct ieee80211_hw *hw, ssid->ssid_len, 0); else skb_new = ieee80211_probereq_get(hw, vif->addr, NULL, 0, 0); + if (skb_new) + rsvd_pkt->probe_req_size = (u16)skb_new->len; break; case RSVD_NLO_INFO: skb_new = rtw_nlo_info_get(hw); @@ -1508,6 +1510,7 @@ int rtw_fw_dump_fifo(struct rtw_dev *rtwdev, u8 fifo_sel, u32 addr, u32 size, static void __rtw_fw_update_pkt(struct rtw_dev *rtwdev, u8 pkt_id, u16 size, u8 location) { + struct rtw_chip_info *chip = rtwdev->chip; u8 h2c_pkt[H2C_PKT_SIZE] = {0}; u16 total_size = H2C_PKT_HDR_SIZE + H2C_PKT_UPDATE_PKT_LEN; @@ -1518,6 +1521,7 @@ static void __rtw_fw_update_pkt(struct rtw_dev *rtwdev, u8 pkt_id, u16 size, UPDATE_PKT_SET_LOCATION(h2c_pkt, location); /* include txdesc size */ + size += chip->tx_pkt_desc_sz; UPDATE_PKT_SET_SIZE(h2c_pkt, size); rtw_fw_send_h2c_packet(rtwdev, h2c_pkt); @@ -1527,7 +1531,7 @@ void rtw_fw_update_pkt_probe_req(struct rtw_dev *rtwdev, struct cfg80211_ssid *ssid) { u8 loc; - u32 size; + u16 size; loc = rtw_get_rsvd_page_probe_req_location(rtwdev, ssid); if (!loc) { diff --git a/drivers/net/wireless/realtek/rtw88/fw.h b/drivers/net/wireless/realtek/rtw88/fw.h index 08644540d259..f4aed247e3bd 100644 --- a/drivers/net/wireless/realtek/rtw88/fw.h +++ b/drivers/net/wireless/realtek/rtw88/fw.h @@ -117,6 +117,7 @@ struct rtw_rsvd_page { u8 page; bool add_txdesc; struct cfg80211_ssid *ssid; + u16 probe_req_size; }; enum rtw_keep_alive_pkt_type { -- 2.30.2
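
Review bot: in rtw_get_rsvd_page_probe_req_size() (fw.c hunk at -684), `size = rsvd_pkt->probe_req_size;` trusts a cached value, and nothing in the visible lines guarantees the field has been filled for the matching entry before this lookup runs. The function then returns 0 for an entry that matched but was never sized, which is indistinguishable from "no entry matched". The visible context of rtw_fw_update_pkt_probe_req() checks only `if (!loc)`, so consider rejecting a zero size there as well, or documenting here that callers must build the reserved page first.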
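
Review bot: in the probe request branch of rtw_get_rsvd_page_skb() (fw.c hunk at -912), `probe_req_size` is written only under `if (skb_new)`, so when ieee80211_probereq_get() returns NULL the field keeps whatever length it held from an earlier build and a later lookup returns a stale size. An else branch that sets `rsvd_pkt->probe_req_size = 0;` would close that gap. The `(u16)skb_new->len` cast also truncates silently, since skb->len is wider than u16; a short comment on why a probe request always fits, or a WARN_ON on overflow, would make the assumption explicit.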
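
Review bot: `size += chip->tx_pkt_desc_sz;` in __rtw_fw_update_pkt() (fw.c hunks at -1508 and -1518) applies to every pkt_id routed through this helper, while the commit message only discusses probe requests. It is worth confirming in the changelog that no caller already passes a size that includes the txdesc, otherwise the firmware is told a length that is too large. `size` is a u16 parameter, so the addition can also wrap without any check before `UPDATE_PKT_SET_SIZE(h2c_pkt, size);`; a bound check against the field width would be cheap here.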
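
Review bot: the new `u16 probe_req_size;` member of struct rtw_rsvd_page (fw.h hunk at -117) carries no comment on what length it holds or when it is valid. Going by the fw.c hunks, it is the probe request skb length without the txdesc, set only for probe request entries at the time the skb is built. A one-line comment saying so would keep later code from reading it for other reserved page types, where it stays at its initial value.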