LinuxLists.cc - [PATCH 1/2] staging: vt6656: fix sign of rx_dbm to bb_pre_ed

2020-02-02 12:31:52

Subject: [PATCH 1/2] staging: vt6656: fix sign of rx_dbm to bb_pre_ed_rssi.

bb_pre_ed_rssi is an u8 rx_dm always returns negative signed
values add minus operator to always yield positive.

fixes issue where rx sensitivity is always set to maximum because
the unsigned numbers were always greater then 100.

Cc: stable <[email protected]>
Signed-off-by: Malcolm Priestley <[email protected]>
---
drivers/staging/vt6656/dpc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/vt6656/dpc.c b/drivers/staging/vt6656/dpc.c
index 821aae8ca402..a0b60e7d1086 100644
--- a/drivers/staging/vt6656/dpc.c
+++ b/drivers/staging/vt6656/dpc.c
@@ -98,7 +98,7 @@ int vnt_rx_data(struct vnt_private *priv, struct vnt_rcb *ptr_rcb,

vnt_rf_rssi_to_dbm(priv, tail->rssi, &rx_dbm);

- priv->bb_pre_ed_rssi = (u8)rx_dbm + 1;
+ priv->bb_pre_ed_rssi = (u8)-rx_dbm + 1;
priv->current_rssi = priv->bb_pre_ed_rssi;

skb_pull(skb, sizeof(*head));
--
2.25.0

2020-02-03 10:16:49

by Dan Carpenter

[permalink] [raw]

Subject: Re: [PATCH 1/2] staging: vt6656: fix sign of rx_dbm to bb_pre_ed_rssi.

On Sun, Feb 02, 2020 at 12:27:25PM +0000, Malcolm Priestley wrote:
> bb_pre_ed_rssi is an u8 rx_dm always returns negative signed
> values add minus operator to always yield positive.
>
> fixes issue where rx sensitivity is always set to maximum because
> the unsigned numbers were always greater then 100.
>
> Cc: stable <[email protected]>

Can you add a Fixes tag for stable kernels?

Fixes: 63b9907f58f1 ("staging: vt6656: mac80211 conversion: create rx function.")

Otherwise we don't backport it far enough and then it becomes an
actively exploited Android vulnerability and Google writes an article
about it. Then everyone gets annoyed with us and shakes their head
because OpenBSD never has Android vulnerabilities etc...

> Signed-off-by: Malcolm Priestley <[email protected]>
> ---
> drivers/staging/vt6656/dpc.c | 2 +-

It appears that the vt6655 driver has the same issue.

regards,
dan carpenter

2020-02-04 19:36:39

by Malcolm Priestley

[permalink] [raw]

Subject: [PATCH v2 1/2] staging: vt6656: fix sign of rx_dbm to bb_pre_ed_rssi.

bb_pre_ed_rssi is an u8 rx_dm always returns negative signed
values add minus operator to always yield positive.

fixes issue where rx sensitivity is always set to maximum because
the unsigned numbers were always greater then 100.

Fixes: 63b9907f58f1 ("staging: vt6656: mac80211 conversion: create rx function.")
Cc: stable <[email protected]>
Signed-off-by: Malcolm Priestley <[email protected]>
---
Added fixes tag

drivers/staging/vt6656/dpc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/vt6656/dpc.c b/drivers/staging/vt6656/dpc.c
index 821aae8ca402..a0b60e7d1086 100644
--- a/drivers/staging/vt6656/dpc.c
+++ b/drivers/staging/vt6656/dpc.c
@@ -98,7 +98,7 @@ int vnt_rx_data(struct vnt_private *priv, struct vnt_rcb *ptr_rcb,

vnt_rf_rssi_to_dbm(priv, tail->rssi, &rx_dbm);

- priv->bb_pre_ed_rssi = (u8)rx_dbm + 1;
+ priv->bb_pre_ed_rssi = (u8)-rx_dbm + 1;
priv->current_rssi = priv->bb_pre_ed_rssi;

skb_pull(skb, sizeof(*head));
--
2.25.0

2020-02-04 19:50:48

by Malcolm Priestley

[permalink] [raw]

Subject: Re: [PATCH 1/2] staging: vt6656: fix sign of rx_dbm to bb_pre_ed_rssi.

On 03/02/2020 09:42, Dan Carpenter wrote:
> On Sun, Feb 02, 2020 at 12:27:25PM +0000, Malcolm Priestley wrote:
>> bb_pre_ed_rssi is an u8 rx_dm always returns negative signed
>> values add minus operator to always yield positive.
>>
>> fixes issue where rx sensitivity is always set to maximum because
>> the unsigned numbers were always greater then 100.
>>
>> Cc: stable <[email protected]>
>> ---
...

>> drivers/staging/vt6656/dpc.c | 2 +-
>
> It appears that the vt6655 driver has the same issue.

In the vt6655 it is not used.

Regards

Malcolm