Currently, these three get_key functions return -1 when the provided len
value is less than a specific key length value, which can result in a buffer
overflow depending on how the returned value is used. These functions are
used in three places in ieee80211/ieee80211_wx.c:

  ieee80211_wx_get_encode() :
    The behavior of this function will be unchanged.

  ieee80211_wx_get_encode_ext() :
    The result of the get_key function is written to ext->key_len,
    resulting in a buffer overflow if the result is negative.

  ieee80211_wx_set_encode() :
    The behavior of this function will change. When len is less than the
    key length value, it will set a default key of all 0.

Suggested-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Rebecca Mckeever <remckee0@gmail.com>
Link: https://lore.kernel.org/r/Yl/7QPKXer7YtXOs@bertie
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
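
The failure mode described in the commit message above, as an added example that is not code from the patch or the driver: a -1 return stored in an unsigned length field becomes a very large length. The struct, sizes, key bytes and function names are constructed for illustration, key_len is modelled as a 16-bit unsigned field, and the caller-side check is one possible guard, not the change the commit makes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 13   /* constructed key size for this model */
#define OUT_BUF 32   /* constructed size of the reply's key buffer */

struct ext_model {   /* stand-in for the reply; key_len modelled as unsigned 16-bit */
    uint16_t key_len;
    uint8_t  key[OUT_BUF];
};

static const uint8_t stored_key[KEY_LEN] = "constructed!";  /* constructed bytes */

/* Behaviour the message describes: -1 when the provided len is too small. */
static int get_key_old(void *dst, int len)
{
    if (len < KEY_LEN)
        return -1;
    memcpy(dst, stored_key, KEY_LEN);
    return KEY_LEN;
}

/* Unchecked caller: the int result goes straight into the length field. */
static unsigned int fill_unchecked(struct ext_model *ext, int len)
{
    ext->key_len = (uint16_t)get_key_old(ext->key, len);  /* -1 wraps to 65535 */
    return ext->key_len;
}

/* Checked caller: a negative or oversized result never becomes a length. */
static int fill_checked(struct ext_model *ext, int len)
{
    int ret = get_key_old(ext->key, len);

    if (ret < 0 || ret > (int)sizeof(ext->key)) {
        ext->key_len = 0;
        return -1;
    }
    ext->key_len = (uint16_t)ret;
    return 0;
}

int main(void)
{
    struct ext_model e = { 0 };

    printf("unchecked key_len=%u\n", fill_unchecked(&e, 5));
    printf("checked rc=%d key_len=%u\n", fill_checked(&e, 5), (unsigned)e.key_len);
    return 0;
}
```

Any later copy sized by the unchecked key_len would read far past the 32-byte buffer, which is the overflow the message refers to.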

There is a deadlock in rtllib_beacons_stop(), which is shown
below:

   (Thread 1)              |      (Thread 2)
                           | rtllib_send_beacon()
rtllib_beacons_stop()      |  mod_timer()
 spin_lock_irqsave() //(1) |  (wait a time)
 ...                       | rtllib_send_beacon_cb()
 del_timer_sync()          |  spin_lock_irqsave() //(2)
 (wait timer to stop)      |  ...

We hold ieee->beacon_lock in position (1) of thread 1 and
use del_timer_sync() to wait for the timer to stop, but the timer
handler also needs ieee->beacon_lock in position (2) of thread 2.
As a result, rtllib_beacons_stop() will block forever.

This patch extracts del_timer_sync() from the protection of
spin_lock_irqsave(), which could let the timer handler obtain
the needed lock.

Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Link: https://lore.kernel.org/r/20220417141641.124388-1-duoming@zju.edu.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

There is a deadlock in ieee80211_beacons_stop(), which is shown below:

   (Thread 1)              |      (Thread 2)
                           | ieee80211_send_beacon()
ieee80211_beacons_stop()   |  mod_timer()
 spin_lock_irqsave() //(1) |  (wait a time)
 ...                       | ieee80211_send_beacon_cb()
 del_timer_sync()          |  spin_lock_irqsave() //(2)
 (wait timer to stop)      |  ...

We hold ieee->beacon_lock in position (1) of thread 1 and use
del_timer_sync() to wait for the timer to stop, but the timer
handler also needs ieee->beacon_lock in position (2) of thread 2.
As a result, ieee80211_beacons_stop() will block forever.

This patch extracts del_timer_sync() from the protection of
spin_lock_irqsave(), which could let the timer handler obtain
the needed lock.

Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Link: https://lore.kernel.org/r/20220417135407.109536-1-duoming@zju.edu.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Add " == 0" to the condition in both else if branches to address a
possible bug. strcmp returns 0 when its arguments are equal, which
evaluates to false, often leading to errors when used in if statements.

Currently, the statement in the first else if branch does not execute
when its arguments are equal, but it does execute when crypt->ops->name
equals any string other than "WEP" or "TKIP".

Similarly, the second else if branch does not execute when its arguments
are equal, and it only executes when crypt->ops->name equals "TKIP".
The else branch never executes.

It is unlikely that this is working as intended.

Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Rebecca Mckeever <remckee0@gmail.com>
Link: https://lore.kernel.org/r/20220416102434.97567-1-remckee0@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
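
The branch behaviour described in the commit message above, as an added example that is not code from the patch or the driver. The enum and function names are hypothetical, and "CCMP" as the string compared in the second else if branch is an assumption; the message names only "WEP" and "TKIP".

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes for this model. */
enum alg { ALG_WEP, ALG_TKIP, ALG_CCMP, ALG_INVALID };

/* Shape of the chain before the fix: " == 0" missing in both else if branches. */
static enum alg pick_alg_before(const char *name)
{
    if (strcmp(name, "WEP") == 0)
        return ALG_WEP;
    else if (strcmp(name, "TKIP"))   /* true for every name that is NOT "TKIP" */
        return ALG_TKIP;
    else if (strcmp(name, "CCMP"))   /* reached only for "TKIP", so always true */
        return ALG_CCMP;
    else
        return ALG_INVALID;          /* never reached */
}

/* Shape of the chain after the fix: every comparison tests for equality. */
static enum alg pick_alg_after(const char *name)
{
    if (strcmp(name, "WEP") == 0)
        return ALG_WEP;
    else if (strcmp(name, "TKIP") == 0)
        return ALG_TKIP;
    else if (strcmp(name, "CCMP") == 0)
        return ALG_CCMP;
    else
        return ALG_INVALID;          /* unknown names are now rejected */
}

int main(void)
{
    /* Constructed inputs: the three names plus one unknown string. */
    const char *names[] = { "WEP", "TKIP", "CCMP", "bogus" };

    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++)
        printf("%-5s before=%d after=%d\n", names[i],
               pick_alg_before(names[i]), pick_alg_after(names[i]));
    return 0;
}
```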

Variable negative is being assigned a value that is never read; it is
being re-assigned later. The assignment is redundant and can be removed.

Cleans up clang scan build warning:
drivers/staging/iio/resolver/ad2s1210.c:502:3: warning: Value stored
to 'negative' is never read [deadcode.DeadStores]

Signed-off-by: Colin Ian King <colin.i.king@gmail.com>
Link: https://lore.kernel.org/r/20220418134603.81336-1-colin.i.king@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

The Unisys sub-tree of drivers/staging contains three drivers for the
"Unisys Secure Partition" (s-Par(R)): visorhba, visorinput, visornic.
They have no maintainers; in fact, the only one that is listed in
MAINTAINERS has an unreachable email address. During 2021 and 2022
several patches have been submitted to these drivers, but nobody at
Unisys cared to review the changes. Probably, the
"sparmaintainer" internal list of unisys.com is also no longer read by
interested Unisys engineers.

Therefore, remove the drivers/staging/unisys directory and delete the
relevant entries in the MAINTAINERS, Kconfig, Makefile files, then
also remove the drivers/visorbus directory, which is no longer needed
(it contained the driver for the virtualized bus for the Unisys s-Par
firmware).

Cc: David Kershner <david.kershner@unisys.com>
Cc: <sparmaintainer@unisys.com>
Cc: Ken Cox <jkc@redhat.com>
Suggested-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Fabio M. De Francesco <fmdefrancesco@gmail.com>
Link: https://lore.kernel.org/r/20220414103217.32058-1-fmdefrancesco@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

The structures

  rtw_ieee80211_hdr
  rtw_ieee80211_hdr_3addr
  rtw_ieee80211_hdr_3addr_qos

in drivers/staging/r8188eu/include/ieee80211.h just duplicate the
in-kernel structures from include/linux/ieee80211.h.

  ieee80211_hdr
  ieee80211_hdr_3addr
  ieee80211_qos_hdr

Remove the rtw_ prefixed structures and use the in-kernel versions.

Signed-off-by: Michael Straube <straube.linux@gmail.com>
Link: https://lore.kernel.org/r/20220418180916.11311-1-straube.linux@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

mlme_sta_tbl is an array of struct mlme_handler. mlme_handler's num and
str components are not used. The code in mgt_dispatcher uses the subtype
number of the incoming frame to select the array entry for compiling the
response.

We can remove struct mlme_handler and make mlme_sta_tbl an array of
function pointers.

Signed-off-by: Martin Kaiser <martin@kaiser.cx>
Link: https://lore.kernel.org/r/20220417102221.466524-5-martin@kaiser.cx
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

The driver's local GetFrameSubType macro returns both frame type and
subtype.

Use the ieee80211 framework to extract the two fields. This shows more
clearly that both type and subtype are read.

Convert everything to host endianness before we use bit operations.

Signed-off-by: Martin Kaiser <martin@kaiser.cx>
Link: https://lore.kernel.org/r/20220417102221.466524-3-martin@kaiser.cx
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Remove the loop in rtw_pwr_wakeup that waits while the system is
suspended.

pwrpriv->bInSuspend is set in rtw_suspend and cleared in rtw_resume. These
functions are the .suspend and .resume functions of the struct usb_driver
for r8188eu.

A usb_driver's suspend and resume functions are called when the entire
system goes into suspend or runtime suspend.

All of the code paths for rtw_pwr_wakeup start at ioctl handlers.

We can remove the loop that checks bInSuspend. It's not possible to call
an ioctl while the entire system is suspended.

Signed-off-by: Martin Kaiser <martin@kaiser.cx>
Link: https://lore.kernel.org/r/20220413193654.258507-8-martin@kaiser.cx
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Clean up the code in rtw_pwr_wakeup that sets pwrpriv->ips_deny_time.

Make ips_deny_time an unsigned long; this type is used by the kernel
functions that process jiffies.

Remove the temporary variable ips_deffer_ms and use
RTW_PWR_STATE_CHK_INTERVAL directly.

There's no need to set ips_deny_time twice; it's sufficient to set it at
the end of rtw_pwr_wakeup.

Use time_before to check if ips_deny_time should be updated.

We can now remove rtw_ms_to_systime; this function is not used any more.

Signed-off-by: Martin Kaiser <martin@kaiser.cx>
Link: https://lore.kernel.org/r/20220413193654.258507-7-martin@kaiser.cx
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>