1. 01 Dec, 2022 4 commits
    • wifi: rtw89: 8852b: turn off PoP function in monitor mode · a215b2b7
      Ping-Ke Shih authored
      PoP stands for Packet on Packet, which can improve performance in a noisy
      environment, but it could get RX stuck suddenly. In normal mode, firmware
      can help to resolve the stuck state, but firmware doesn't work in monitor mode.
      Therefore, turn off PoP to avoid RX getting stuck.
      Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
      Signed-off-by: Kalle Valo <kvalo@kernel.org>
      Link: https://lore.kernel.org/r/20221125072416.94752-4-pkshih@realtek.com
    • wifi: rtw89: add HE radiotap for monitor mode · 51e8ed4e
      Ping-Ke Shih authored
      With basic HE radiotap, we can check the data rate in sniffer data. To store
      the radiotap data, we reserve a headroom of 64 aligned bytes, and then
      update the HE radiotap only in monitor mode, so it doesn't affect performance in
      normal mode.
      Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
      Signed-off-by: Kalle Valo <kvalo@kernel.org>
      Link: https://lore.kernel.org/r/20221125072416.94752-3-pkshih@realtek.com
    • wifi: rtw89: enable mac80211 virtual monitor interface · cd9b6b3b
      Zong-Zhe Yang authored
      For running with mac80211 channel context ops and using it only as a monitor,
      we need to enable WANT_MONITOR_VIF to let mac80211 process the virtual monitor
      interface. Then, we are able to set the channel on the monitor from user space.
      Signed-off-by: Zong-Zhe Yang <kevin_yang@realtek.com>
      Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
      Signed-off-by: Kalle Valo <kvalo@kernel.org>
      Link: https://lore.kernel.org/r/20221125072416.94752-2-pkshih@realtek.com
    • wifi: brcmfmac: Check the count value of channel spec to prevent out-of-bounds reads · 4920ab13
      Minsuk Kang authored
      This patch fixes slab-out-of-bounds reads in brcmfmac that occur in
      brcmf_construct_chaninfo() and brcmf_enable_bw40_2g() when the count
      value of channel specifications provided by the device is greater than
      the length of 'list->element[]', decided by the size of the 'list'
      allocated with kzalloc(). The patch adds checks that make the functions
      free the buffer and return -EINVAL if that is the case. Note that the
      negative return is handled by the caller, brcmf_setup_wiphybands() or
      brcmf_cfg80211_attach().
      
      Found by a modified version of syzkaller.
      
      Crash Report from brcmf_construct_chaninfo():
      ==================================================================
      BUG: KASAN: slab-out-of-bounds in brcmf_setup_wiphybands+0x1238/0x1430
      Read of size 4 at addr ffff888115f24600 by task kworker/0:2/1896
      
      CPU: 0 PID: 1896 Comm: kworker/0:2 Tainted: G        W  O      5.14.0+ #132
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
      Workqueue: usb_hub_wq hub_event
      Call Trace:
       dump_stack_lvl+0x57/0x7d
       print_address_description.constprop.0.cold+0x93/0x334
       kasan_report.cold+0x83/0xdf
       brcmf_setup_wiphybands+0x1238/0x1430
       brcmf_cfg80211_attach+0x2118/0x3fd0
       brcmf_attach+0x389/0xd40
       brcmf_usb_probe+0x12de/0x1690
       usb_probe_interface+0x25f/0x710
       really_probe+0x1be/0xa90
       __driver_probe_device+0x2ab/0x460
       driver_probe_device+0x49/0x120
       __device_attach_driver+0x18a/0x250
       bus_for_each_drv+0x123/0x1a0
       __device_attach+0x207/0x330
       bus_probe_device+0x1a2/0x260
       device_add+0xa61/0x1ce0
       usb_set_configuration+0x984/0x1770
       usb_generic_driver_probe+0x69/0x90
       usb_probe_device+0x9c/0x220
       really_probe+0x1be/0xa90
       __driver_probe_device+0x2ab/0x460
       driver_probe_device+0x49/0x120
       __device_attach_driver+0x18a/0x250
       bus_for_each_drv+0x123/0x1a0
       __device_attach+0x207/0x330
       bus_probe_device+0x1a2/0x260
       device_add+0xa61/0x1ce0
       usb_new_device.cold+0x463/0xf66
       hub_event+0x10d5/0x3330
       process_one_work+0x873/0x13e0
       worker_thread+0x8b/0xd10
       kthread+0x379/0x450
       ret_from_fork+0x1f/0x30
      
      Allocated by task 1896:
       kasan_save_stack+0x1b/0x40
       __kasan_kmalloc+0x7c/0x90
       kmem_cache_alloc_trace+0x19e/0x330
       brcmf_setup_wiphybands+0x290/0x1430
       brcmf_cfg80211_attach+0x2118/0x3fd0
       brcmf_attach+0x389/0xd40
       brcmf_usb_probe+0x12de/0x1690
       usb_probe_interface+0x25f/0x710
       really_probe+0x1be/0xa90
       __driver_probe_device+0x2ab/0x460
       driver_probe_device+0x49/0x120
       __device_attach_driver+0x18a/0x250
       bus_for_each_drv+0x123/0x1a0
       __device_attach+0x207/0x330
       bus_probe_device+0x1a2/0x260
       device_add+0xa61/0x1ce0
       usb_set_configuration+0x984/0x1770
       usb_generic_driver_probe+0x69/0x90
       usb_probe_device+0x9c/0x220
       really_probe+0x1be/0xa90
       __driver_probe_device+0x2ab/0x460
       driver_probe_device+0x49/0x120
       __device_attach_driver+0x18a/0x250
       bus_for_each_drv+0x123/0x1a0
       __device_attach+0x207/0x330
       bus_probe_device+0x1a2/0x260
       device_add+0xa61/0x1ce0
       usb_new_device.cold+0x463/0xf66
       hub_event+0x10d5/0x3330
       process_one_work+0x873/0x13e0
       worker_thread+0x8b/0xd10
       kthread+0x379/0x450
       ret_from_fork+0x1f/0x30
      
      The buggy address belongs to the object at ffff888115f24000
       which belongs to the cache kmalloc-2k of size 2048
      The buggy address is located 1536 bytes inside of
       2048-byte region [ffff888115f24000, ffff888115f24800)
      
      Memory state around the buggy address:
       ffff888115f24500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
       ffff888115f24580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      >ffff888115f24600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                         ^
       ffff888115f24680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
       ffff888115f24700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      ==================================================================
      
      Crash Report from brcmf_enable_bw40_2g():
      ==================================================================
      BUG: KASAN: slab-out-of-bounds in brcmf_cfg80211_attach+0x3d11/0x3fd0
      Read of size 4 at addr ffff888103787600 by task kworker/0:2/1896
      
      CPU: 0 PID: 1896 Comm: kworker/0:2 Tainted: G        W  O      5.14.0+ #132
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
      Workqueue: usb_hub_wq hub_event
      Call Trace:
       dump_stack_lvl+0x57/0x7d
       print_address_description.constprop.0.cold+0x93/0x334
       kasan_report.cold+0x83/0xdf
       brcmf_cfg80211_attach+0x3d11/0x3fd0
       brcmf_attach+0x389/0xd40
       brcmf_usb_probe+0x12de/0x1690
       usb_probe_interface+0x25f/0x710
       really_probe+0x1be/0xa90
       __driver_probe_device+0x2ab/0x460
       driver_probe_device+0x49/0x120
       __device_attach_driver+0x18a/0x250
       bus_for_each_drv+0x123/0x1a0
       __device_attach+0x207/0x330
       bus_probe_device+0x1a2/0x260
       device_add+0xa61/0x1ce0
       usb_set_configuration+0x984/0x1770
       usb_generic_driver_probe+0x69/0x90
       usb_probe_device+0x9c/0x220
       really_probe+0x1be/0xa90
       __driver_probe_device+0x2ab/0x460
       driver_probe_device+0x49/0x120
       __device_attach_driver+0x18a/0x250
       bus_for_each_drv+0x123/0x1a0
       __device_attach+0x207/0x330
       bus_probe_device+0x1a2/0x260
       device_add+0xa61/0x1ce0
       usb_new_device.cold+0x463/0xf66
       hub_event+0x10d5/0x3330
       process_one_work+0x873/0x13e0
       worker_thread+0x8b/0xd10
       kthread+0x379/0x450
       ret_from_fork+0x1f/0x30
      
      Allocated by task 1896:
       kasan_save_stack+0x1b/0x40
       __kasan_kmalloc+0x7c/0x90
       kmem_cache_alloc_trace+0x19e/0x330
       brcmf_cfg80211_attach+0x3302/0x3fd0
       brcmf_attach+0x389/0xd40
       brcmf_usb_probe+0x12de/0x1690
       usb_probe_interface+0x25f/0x710
       really_probe+0x1be/0xa90
       __driver_probe_device+0x2ab/0x460
       driver_probe_device+0x49/0x120
       __device_attach_driver+0x18a/0x250
       bus_for_each_drv+0x123/0x1a0
       __device_attach+0x207/0x330
       bus_probe_device+0x1a2/0x260
       device_add+0xa61/0x1ce0
       usb_set_configuration+0x984/0x1770
       usb_generic_driver_probe+0x69/0x90
       usb_probe_device+0x9c/0x220
       really_probe+0x1be/0xa90
       __driver_probe_device+0x2ab/0x460
       driver_probe_device+0x49/0x120
       __device_attach_driver+0x18a/0x250
       bus_for_each_drv+0x123/0x1a0
       __device_attach+0x207/0x330
       bus_probe_device+0x1a2/0x260
       device_add+0xa61/0x1ce0
       usb_new_device.cold+0x463/0xf66
       hub_event+0x10d5/0x3330
       process_one_work+0x873/0x13e0
       worker_thread+0x8b/0xd10
       kthread+0x379/0x450
       ret_from_fork+0x1f/0x30
      
      The buggy address belongs to the object at ffff888103787000
       which belongs to the cache kmalloc-2k of size 2048
      The buggy address is located 1536 bytes inside of
       2048-byte region [ffff888103787000, ffff888103787800)
      
      Memory state around the buggy address:
       ffff888103787500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
       ffff888103787580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      >ffff888103787600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                         ^
       ffff888103787680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
       ffff888103787700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      ==================================================================
      Reported-by: Dokyung Song <dokyungs@yonsei.ac.kr>
      Reported-by: Jisoo Jang <jisoo.jang@yonsei.ac.kr>
      Reported-by: Minsuk Kang <linuxlovemin@yonsei.ac.kr>
      Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
      Signed-off-by: Minsuk Kang <linuxlovemin@yonsei.ac.kr>
      Signed-off-by: Kalle Valo <kvalo@kernel.org>
      Link: https://lore.kernel.org/r/20221116142952.518241-1-linuxlovemin@yonsei.ac.kr
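The class of check the brcmfmac commit describes, as an added example that is not the driver's own code: a hypothetical `chanlist` with a device-written `count` ahead of a flexible `element[]` array is validated against the capacity of its fixed-size allocation before any element is read, returning -EINVAL on a bad count. The struct layout, the 2048-byte buffer size and all function names are assumptions for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
/* Hypothetical model of a device-supplied channel list: a count followed by a
 * flexible array of channel specs, in a fixed-size buffer (size is assumed). */
#define CHANLIST_BUF_SIZE 2048

struct chanlist {
    uint32_t count;      /* written by the device, so untrusted */
    uint32_t element[];  /* channel specs follow the count */
};

/* How many elements actually fit in the allocation. */
static size_t chanlist_capacity(size_t buf_size)
{
    return (buf_size - offsetof(struct chanlist, element)) / sizeof(uint32_t);
}

/* Reject the list, before any element is read, if count exceeds capacity. */
static int chanlist_validate(const struct chanlist *list, size_t buf_size)
{
    if (buf_size < sizeof(*list) || list->count > chanlist_capacity(buf_size))
        return -EINVAL;
    return 0;
}

/* Consumer loop, run only after validation so element[i] stays in bounds. */
static int chanlist_sum(const struct chanlist *list, size_t buf_size, uint64_t *sum)
{
    int err = chanlist_validate(list, buf_size);
    if (err) return err;
    *sum = 0;
    for (uint32_t i = 0; i < list->count; i++)
        *sum += list->element[i];
    return 0;
}

/* Constructed sample: buffer with count set to `count`, first n entries = value. */
static int run_sample(uint32_t count, uint32_t n, uint32_t value, uint64_t *sum)
{
    struct chanlist *list = calloc(1, CHANLIST_BUF_SIZE);
    if (!list) return -ENOMEM;
    list->count = count;
    for (uint32_t i = 0; i < n && i < chanlist_capacity(CHANLIST_BUF_SIZE); i++)
        list->element[i] = value;
    int err = chanlist_sum(list, CHANLIST_BUF_SIZE, sum);
    free(list);
    return err;
}
```

With a 2048-byte buffer the capacity is 511 entries, so a count of 511 is accepted and 512 is rejected without touching the array; without the check, the loop would read past the object into the KASAN redzone exactly as the reports above show.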