1. 15 Aug, 2020 1 commit
    • Wen Gong's avatar
      ath10k: add wmi service peer stat info for wmi tlv · e39f32af
      Wen Gong authored
      ath10k_sta_statistics is used to report info for iw wlan0 link,
      it check ath10k_peer_stats_enabled, and ath10k_peer_stats_enabled
      check WMI_SERVICE_PEER_STATS bit of ar->wmi.svc_map. SVCMAP() for
      WMI_SERVICE_PEER_STATS was defined only for wmi_10x_svc_map and
      wmi_10_4_svc_map interfaces, it missed in wmi_tlv_svc_map, so it is
      not usable for iw wlan0 link for wmi tlv interface.
      
      If firmware report WMI_TLV_SERVICE_PEER_STATS_INFO for wmi tlv, then
      enable the WMI_SERVICE_PEER_STATS bit in ath10k, and then it pass check
      in ath10k_peer_stats_enabled and ath10k_sta_statistics pass check.
      
      Tested-on: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00048
      Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00110-QCARMSWP-1
      Signed-off-by: default avatarWen Gong <wgong@codeaurora.org>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Link: https://lore.kernel.org/r/1597312029-32348-2-git-send-email-wgong@codeaurora.org
      e39f32af
  2. 14 Aug, 2020 11 commits
  3. 20 Jul, 2020 2 commits
    • Zekun Shen's avatar
      ath10k: check idx validity in __ath10k_htt_rx_ring_fill_n() · bad60b8d
      Zekun Shen authored
      The idx in __ath10k_htt_rx_ring_fill_n function lives in
      consistent dma region writable by the device. Malfunctional
      or malicious device could manipulate such idx to have a OOB
      write. Either by
          htt->rx_ring.netbufs_ring[idx] = skb;
      or by
          ath10k_htt_set_paddrs_ring(htt, paddr, idx);
      
      The idx can also be negative as it's signed, giving a large
      memory space to write to.
      
      It's possibly exploitable by corruptting a legit pointer with
      a skb pointer. And then fill skb with payload as rougue object.
      
      Part of the log here. Sometimes it appears as UAF when writing
      to a freed memory by chance.
      
       [   15.594376] BUG: unable to handle page fault for address: ffff887f5c1804f0
       [   15.595483] #PF: supervisor write access in kernel mode
       [   15.596250] #PF: error_code(0x0002) - not-present page
       [   15.597013] PGD 0 P4D 0
       [   15.597395] Oops: 0002 [#1] SMP KASAN PTI
       [   15.597967] CPU: 0 PID: 82 Comm: kworker/u2:2 Not tainted 5.6.0 #69
       [   15.598843] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
       BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
       [   15.600438] Workqueue: ath10k_wq ath10k_core_register_work [ath10k_core]
       [   15.601389] RIP: 0010:__ath10k_htt_rx_ring_fill_n
       (linux/drivers/net/wireless/ath/ath10k/htt_rx.c:173) ath10k_core
      Signed-off-by: default avatarZekun Shen <bruceshenzk@gmail.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Link: https://lore.kernel.org/r/20200623221105.3486-1-bruceshenzk@gmail.com
      bad60b8d
    • Bolarinwa Olayemi Saheed's avatar
      ath9k: Check the return value of pcie_capability_read_*() · 9a8ab2bf
      Bolarinwa Olayemi Saheed authored
      On failure pcie_capability_read_dword() sets it's last parameter, val
      to 0. However, with Patch 14/14, it is possible that val is set to ~0 on
      failure. This would introduce a bug because (x & x) == (~0 & x).
      
      This bug can be avoided without changing the function's behaviour if the
      return value of pcie_capability_read_dword is checked to confirm success.
      
      Check the return value of pcie_capability_read_dword() to ensure success.
      Suggested-by: default avatarBjorn Helgaas <bjorn@helgaas.com>
      Signed-off-by: default avatarBolarinwa Olayemi Saheed <refactormyself@gmail.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Link: https://lore.kernel.org/r/20200713175529.29715-2-refactormyself@gmail.com
      9a8ab2bf
  4. 23 Jun, 2020 13 commits
  5. 16 Jun, 2020 6 commits
  6. 15 Jun, 2020 7 commits