Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 081c46c2 authored by Ahmad Masri's avatar Ahmad Masri Committed by Maya Erez
Browse files

wil6210: check mid is valid 



Check that the mid is valid and that it does not exceed the memory
size allocated to vifs array.

Change-Id: I76adf61a78db468bd3a3232f7311f9c6dd9e674a
Signed-off-by: default avatarAhmad Masri <amasri@codeaurora.org>
Signed-off-by: default avatarMaya Erez <merez@codeaurora.org>
Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
Git-commit: e4a29bdd8f82627d88644971235dc12b70c4150b
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git


[merez@codeaurora.org: trivial merge conflict]
Signed-off-by: default avatarMaya Erez <merez@codeaurora.org>
parent cb1205ea

drivers/net/wireless/ath/wil6210/cfg80211.c

+3 −3
Original line number Diff line number Diff line
@@ -730,7 +730,7 @@ static int wil_cfg80211_validate_add_iface(struct wil6210_priv *wil, 
		.num_different_channels = 1,

	};



	for (i = 0; i < wil->max_vifs; i++) {

	for (i = 0; i < GET_MAX_VIFS(wil); i++) {

		if (wil->vifs[i]) {

			wdev = vif_to_wdev(wil->vifs[i]);

			params.iftype_num[wdev->iftype]++;
@@ -751,7 +751,7 @@ static int wil_cfg80211_validate_change_iface(struct wil6210_priv *wil, 
	};

	bool check_combos = false;



	for (i = 0; i < wil->max_vifs; i++) {

	for (i = 0; i < GET_MAX_VIFS(wil); i++) {

		struct wil6210_vif *vif_pos = wil->vifs[i];



		if (vif_pos && vif != vif_pos) {
@@ -2106,7 +2106,7 @@ void wil_cfg80211_ap_recovery(struct wil6210_priv *wil) 
	int rc, i;

	struct wiphy *wiphy = wil_to_wiphy(wil);



	for (i = 0; i < wil->max_vifs; i++) {

	for (i = 0; i < GET_MAX_VIFS(wil); i++) {

		struct wil6210_vif *vif = wil->vifs[i];

		struct net_device *ndev;

		struct cfg80211_beacon_data bcon = {};

drivers/net/wireless/ath/wil6210/debugfs.c

+5 −5
Original line number Diff line number Diff line
@@ -1512,7 +1512,7 @@ static int wil_link_debugfs_show(struct seq_file *s, void *data) 
		if (p->status != wil_sta_connected)

			continue;



		vif = (mid < wil->max_vifs) ? wil->vifs[mid] : NULL;

		vif = (mid < GET_MAX_VIFS(wil)) ? wil->vifs[mid] : NULL;

		if (vif) {

			rc = wil_cid_fill_sinfo(vif, i, sinfo);

			if (rc)
@@ -1732,7 +1732,7 @@ __acquires(&p->tid_rx_lock) __releases(&p->tid_rx_lock) 
			break;

		}

		mid = (p->status != wil_sta_unused) ? p->mid : U8_MAX;

		if (mid < wil->max_vifs) {

		if (mid < GET_MAX_VIFS(wil)) {

			struct wil6210_vif *vif = wil->vifs[mid];



			if (vif->wdev.iftype == NL80211_IFTYPE_STATION &&
@@ -1809,7 +1809,7 @@ static int wil_mids_debugfs_show(struct seq_file *s, void *data) 
	int i;



	mutex_lock(&wil->vif_mutex);

	for (i = 0; i < wil->max_vifs; i++) {

	for (i = 0; i < GET_MAX_VIFS(wil); i++) {

		vif = wil->vifs[i];



		if (vif) {
@@ -2041,7 +2041,7 @@ static int wil_link_stats_debugfs_show(struct seq_file *s, void *data) 
	/* iterate over all MIDs and show per-cid statistics. Then show the

	 * global statistics

	 */

	for (i = 0; i < wil->max_vifs; i++) {

	for (i = 0; i < GET_MAX_VIFS(wil); i++) {

		vif = wil->vifs[i];



		seq_printf(s, "MID %d ", i);
@@ -2097,7 +2097,7 @@ static ssize_t wil_link_stats_write(struct file *file, const char __user *buf, 
	if (rc)

		return rc;



	for (i = 0; i < wil->max_vifs; i++) {

	for (i = 0; i < GET_MAX_VIFS(wil); i++) {

		vif = wil->vifs[i];

		if (!vif)

			continue;

drivers/net/wireless/ath/wil6210/main.c

+4 −4
Original line number Diff line number Diff line
@@ -687,7 +687,7 @@ void wil_bcast_fini_all(struct wil6210_priv *wil) 
	int i;

	struct wil6210_vif *vif;



	for (i = 0; i < wil->max_vifs; i++) {

	for (i = 0; i < GET_MAX_VIFS(wil); i++) {

		vif = wil->vifs[i];

		if (vif)

			wil_bcast_fini(vif);
@@ -1520,7 +1520,7 @@ void wil_abort_scan_all_vifs(struct wil6210_priv *wil, bool sync) 


	lockdep_assert_held(&wil->vif_mutex);



	for (i = 0; i < wil->max_vifs; i++) {

	for (i = 0; i < GET_MAX_VIFS(wil); i++) {

		struct wil6210_vif *vif = wil->vifs[i];



		if (vif)
@@ -1583,7 +1583,7 @@ static int wil_restore_vifs(struct wil6210_priv *wil) 
	struct wireless_dev *wdev;

	int i, rc;



	for (i = 0; i < wil->max_vifs; i++) {

	for (i = 0; i < GET_MAX_VIFS(wil); i++) {

		vif = wil->vifs[i];

		if (!vif)

			continue;
@@ -1659,7 +1659,7 @@ int wil_reset(struct wil6210_priv *wil, bool load_fw) 
	wil_abort_scan_all_vifs(wil, false);

	mutex_unlock(&wil->vif_mutex);



	for (i = 0; i < wil->max_vifs; i++) {

	for (i = 0; i < GET_MAX_VIFS(wil); i++) {

		vif = wil->vifs[i];

		if (vif) {

			cancel_work_sync(&vif->disconnect_worker);

drivers/net/wireless/ath/wil6210/netdev.c

+4 −4
Original line number Diff line number Diff line
@@ -21,7 +21,7 @@ bool wil_has_other_active_ifaces(struct wil6210_priv *wil, 
	struct wil6210_vif *vif;

	struct net_device *ndev_i;



	for (i = 0; i < wil->max_vifs; i++) {

	for (i = 0; i < GET_MAX_VIFS(wil); i++) {

		vif = wil->vifs[i];

		if (vif) {

			ndev_i = vif_to_ndev(vif);
@@ -157,7 +157,7 @@ static int wil6210_netdev_poll_tx(struct napi_struct *napi, int budget) 
		struct wil6210_vif *vif;



		if (!ring->va || !txdata->enabled ||

		    txdata->mid >= wil->max_vifs)

		    txdata->mid >= GET_MAX_VIFS(wil))

			continue;



		vif = wil->vifs[txdata->mid];
@@ -307,7 +307,7 @@ static u8 wil_vif_find_free_mid(struct wil6210_priv *wil) 
{

	u8 i;



	for (i = 0; i < wil->max_vifs; i++) {

	for (i = 0; i < GET_MAX_VIFS(wil); i++) {

		if (!wil->vifs[i])

			return i;

	}
@@ -514,7 +514,7 @@ void wil_vif_remove(struct wil6210_priv *wil, u8 mid) 
	bool any_active = wil_has_active_ifaces(wil, true, false);



	ASSERT_RTNL();

	if (mid >= wil->max_vifs) {

	if (mid >= GET_MAX_VIFS(wil)) {

		wil_err(wil, "invalid MID: %d\n", mid);

		return;

	}

drivers/net/wireless/ath/wil6210/pcie_bus.c

+1 −1
Original line number Diff line number Diff line
@@ -165,7 +165,7 @@ static void wil_remove_all_additional_vifs(struct wil6210_priv *wil) 
	struct wil6210_vif *vif;

	int i;



	for (i = 1; i < wil->max_vifs; i++) {

	for (i = 1; i < GET_MAX_VIFS(wil); i++) {

		vif = wil->vifs[i];

		if (vif) {

			wil_vif_prepare_stop(vif);