From d07f1e8600ccb885c8f4143402b8912f7d827bcb Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Mon, 1 Sep 2014 20:27:29 +0300 Subject: [PATCH 1/6] NFC: microread: Potential overflows in microread_target_discovered() Smatch says that skb->data is untrusted so we need to check to make sure that the memcpy() doesn't overflow. Fixes: cfad1ba87150 ('NFC: Initial support for Inside Secure microread') Signed-off-by: Dan Carpenter Signed-off-by: Samuel Ortiz --- drivers/nfc/microread/microread.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/drivers/nfc/microread/microread.c b/drivers/nfc/microread/microread.c index f868333271aa..963a4a5dc88e 100644 --- a/drivers/nfc/microread/microread.c +++ b/drivers/nfc/microread/microread.c @@ -501,9 +501,13 @@ static void microread_target_discovered(struct nfc_hci_dev *hdev, u8 gate, targets->sens_res = be16_to_cpu(*(u16 *)&skb->data[MICROREAD_EMCF_A_ATQA]); targets->sel_res = skb->data[MICROREAD_EMCF_A_SAK]; - memcpy(targets->nfcid1, &skb->data[MICROREAD_EMCF_A_UID], - skb->data[MICROREAD_EMCF_A_LEN]); targets->nfcid1_len = skb->data[MICROREAD_EMCF_A_LEN]; + if (targets->nfcid1_len > sizeof(targets->nfcid1)) { + r = -EINVAL; + goto exit_free; + } + memcpy(targets->nfcid1, &skb->data[MICROREAD_EMCF_A_UID], + targets->nfcid1_len); break; case MICROREAD_GATE_ID_MREAD_ISO_A_3: targets->supported_protocols = 
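Review bot: The added bound checks only the destination; nothing in this hunk bounds the read side against the skb, so a short event can still make the memcpy (and the preceding `skb->data[MICROREAD_EMCF_A_ATQA]` / `[MICROREAD_EMCF_A_SAK]` loads) read past the end of the received buffer. Since the message itself treats skb->data as untrusted, the same `goto exit_free` path should also reject a too-short payload, e.g. `if (skb->len < MICROREAD_EMCF_A_UID + targets->nfcid1_len) { r = -EINVAL; goto exit_free; }` right after the new sizeof check, unless the caller already validates skb->len — microread_target_discovered starts above this hunk, so that cannot be confirmed here. The untouched `*(u16 *)&skb->data[MICROREAD_EMCF_A_ATQA]` line is an unaligned 16-bit load from a byte buffer; `get_unaligned_be16(&skb->data[MICROREAD_EMCF_A_ATQA])` would be the portable form if that line is ever revisited.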
@@ -511,9 +515,13 @@ static void microread_target_discovered(struct nfc_hci_dev *hdev, u8 gate, targets->sens_res = be16_to_cpu(*(u16 *)&skb->data[MICROREAD_EMCF_A3_ATQA]); targets->sel_res = skb->data[MICROREAD_EMCF_A3_SAK]; - memcpy(targets->nfcid1, &skb->data[MICROREAD_EMCF_A3_UID], - skb->data[MICROREAD_EMCF_A3_LEN]); targets->nfcid1_len = skb->data[MICROREAD_EMCF_A3_LEN]; + if (targets->nfcid1_len > sizeof(targets->nfcid1)) { + r = -EINVAL; + goto exit_free; + } + memcpy(targets->nfcid1, &skb->data[MICROREAD_EMCF_A3_UID], + targets->nfcid1_len); break; case MICROREAD_GATE_ID_MREAD_ISO_B: targets->supported_protocols = NFC_PROTO_ISO14443_B_MASK; From a1b27b3867b17356089e2906c538a1049873ab42 Mon Sep 17 00:00:00 2001 From: Christophe Ricard Date: Wed, 3 Sep 2014 23:30:33 +0200 Subject: [PATCH 2/6] NFC: st21nfcb: Fix depmod dependency cycle This fix issue reported here: https://lists.01.org/pipermail/linux-nfc/2014-September/002871.html depmod: WARNING: found 6 modules in dependency cycles! depmod: WARNING: /lib/modules/3.17.0-rc3-00002-g7505cea/kernel/drivers/nfc/st21nfcb/st21nfcb.ko in dependency cycle! depmod: WARNING: /lib/modules/3.17.0-rc3-00002-g7505cea/kernel/drivers/nfc/st21nfcb/ndlc.ko in dependency cycle! depmod: WARNING: /lib/modules/3.17.0-rc3-00002-g7505cea/kernel/net/rfkill/rfkill.ko in dependency cycle! depmod: WARNING: /lib/modules/3.17.0-rc3-00002-g7505cea/kernel/net/nfc/nfc.ko in dependency cycle! depmod: WARNING: /lib/modules/3.17.0-rc3-00002-g7505cea/kernel/net/nfc/nci/nci.ko in dependency cycle! depmod: WARNING: /lib/modules/3.17.0-rc3-00002-g7505cea/kernel/lib/crc-ccitt.ko in dependency cycle! ./scripts/depmod.sh: line 57: 23387 Segmentation fault (core dumped) "$DEPMOD" "$@" "$KERNELRELEASE" $SYMBOL_PREFIX make: *** [_modinst_post] Error 139 Reported-by: Daniel Wagner Signed-off-by: Christophe Ricard Signed-off-by: Samuel Ortiz --- drivers/nfc/st21nfcb/Makefile | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
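Review bot: The ISO_A_3 branch duplicates the validation just added to the ISO_A branch with only the offset constants changed, and both copies share the same gap: the length is checked against the destination but never against skb->len, so the memcpy source can still run past the received payload. Folding the check and the copy into one static helper that takes the gate-specific length and UID offsets puts the source-length test in a single place and leaves each case as `r = microread_copy_nfcid1(targets, skb, MICROREAD_EMCF_A3_LEN, MICROREAD_EMCF_A3_UID); if (r) goto exit_free;`. The type of targets is declared above this hunk and is assumed below to be `struct nfc_target *`; confirm against the definition. The enclosing function starts before this hunk and its exit_free label sits after it.
```c
/* Copy the gate-specific UID out of an untrusted HCI event, rejecting
 * lengths that exceed either the received payload or the target buffer. */
static int microread_copy_nfcid1(struct nfc_target *targets,
				 struct sk_buff *skb,
				 unsigned int len_off, unsigned int uid_off)
{
	u8 len;

	if (skb->len <= len_off)
		return -EINVAL;
	len = skb->data[len_off];
	if (len > sizeof(targets->nfcid1) || skb->len < uid_off + len)
		return -EINVAL;
	memcpy(targets->nfcid1, &skb->data[uid_off], len);
	targets->nfcid1_len = len;
	return 0;
}

/* … unchanged: ISO_A_3 case up to the sel_res assignment … */
		r = microread_copy_nfcid1(targets, skb, MICROREAD_EMCF_A3_LEN,
					  MICROREAD_EMCF_A3_UID);
		if (r)
			goto exit_free;
		break;
```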
diff --git a/drivers/nfc/st21nfcb/Makefile b/drivers/nfc/st21nfcb/Makefile index 13d9f03b2fea..f4d835dd15f2 100644 --- a/drivers/nfc/st21nfcb/Makefile +++ b/drivers/nfc/st21nfcb/Makefile @@ -2,7 +2,8 @@ # Makefile for ST21NFCB NCI based NFC driver # -st21nfcb_i2c-objs = i2c.o +st21nfcb_nci-objs = ndlc.o st21nfcb.o +obj-$(CONFIG_NFC_ST21NFCB) += st21nfcb_nci.o -obj-$(CONFIG_NFC_ST21NFCB) += st21nfcb.o ndlc.o +st21nfcb_i2c-objs = i2c.o obj-$(CONFIG_NFC_ST21NFCB_I2C) += st21nfcb_i2c.o From 300c627fbc52aa5b2117ca267907ab8d7b990ead Mon Sep 17 00:00:00 2001 From: Christophe Ricard Date: Wed, 3 Sep 2014 23:30:31 +0200 Subject: [PATCH 3/6] NFC: st21nfca: Fix potential depmod dependency cycle In the previous makefile 2 modules were generated for CONFIG_NFC_ST21NFCA (st21nfca.ko and st21nfca_dep.ko). Merge both of them into st21nfca_hci.ko and fix a potential depmod dependency cycle, similar to the one we saw on st21nfcb: depmod: WARNING: found 6 modules in dependency cycles! depmod: WARNING: /lib/modules/3.17.0-rc3-00002-g7505cea/kernel/drivers/nfc/st21nfcb/st21nfcb.ko in dependency cycle! depmod: WARNING: /lib/modules/3.17.0-rc3-00002-g7505cea/kernel/drivers/nfc/st21nfcb/ndlc.ko in dependency cycle! depmod: WARNING: /lib/modules/3.17.0-rc3-00002-g7505cea/kernel/net/rfkill/rfkill.ko in dependency cycle! depmod: WARNING: /lib/modules/3.17.0-rc3-00002-g7505cea/kernel/net/nfc/nfc.ko in dependency cycle! depmod: WARNING: /lib/modules/3.17.0-rc3-00002-g7505cea/kernel/net/nfc/nci/nci.ko in dependency cycle! depmod: WARNING: /lib/modules/3.17.0-rc3-00002-g7505cea/kernel/lib/crc-ccitt.ko in dependency cycle! ./scripts/depmod.sh: line 57: 23387 Segmentation fault (core dumped) "$DEPMOD" "$@" "$KERNELRELEASE" $SYMBOL_PREFIX make: *** [_modinst_post] Error 139 Reported-by: Daniel Wagner Signed-off-by: Christophe Ricard Signed-off-by: Samuel Ortiz --- drivers/nfc/st21nfca/Makefile | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
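Review bot: The merged module is named st21nfcb_nci.ko, so the st21nfcb.ko name that the previous Makefile produced disappears; anything in userspace keyed on that name (modprobe invocations, /etc/modprobe.d blacklists, udev rules) silently stops matching, and any Kconfig help text naming the module is presumably now stale. The commit message should state the rename explicitly, and the ST21NFCB Kconfig entry (not part of this patch) should be checked for the old name. The restructuring itself is sound as far as the hunk shows: linking ndlc.o and st21nfcb.o into one object removes the cross-module symbol dependency that the depmod output in the message points at, and a one-line `# ndlc and the core are one module: split .ko files form a dependency cycle` above the objs line would record why they must stay together.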
diff --git a/drivers/nfc/st21nfca/Makefile b/drivers/nfc/st21nfca/Makefile index db7a38ae05f7..7d688f97aa27 100644 --- a/drivers/nfc/st21nfca/Makefile +++ b/drivers/nfc/st21nfca/Makefile @@ -2,7 +2,8 @@ # Makefile for ST21NFCA HCI based NFC driver # -st21nfca_i2c-objs = i2c.o +st21nfca_hci-objs = st21nfca.o st21nfca_dep.o +obj-$(CONFIG_NFC_ST21NFCA) += st21nfca_hci.o -obj-$(CONFIG_NFC_ST21NFCA) += st21nfca.o st21nfca_dep.o +st21nfca_i2c-objs = i2c.o obj-$(CONFIG_NFC_ST21NFCA_I2C) += st21nfca_i2c.o From fa5c107cc887886a04ee2dbce05af86de220ae48 Mon Sep 17 00:00:00 2001 From: Loic Poulain Date: Tue, 16 Sep 2014 14:53:58 +0200 Subject: [PATCH 4/6] net: rfkill: gpio: Fix clock status Clock is disabled when the device is blocked. So, clock_enabled is the logical negation of "blocked". Signed-off-by: Loic Poulain Signed-off-by: John W. Linville --- net/rfkill/rfkill-gpio.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/rfkill/rfkill-gpio.c b/net/rfkill/rfkill-gpio.c index 5fa54dd78e25..0f62326c0f5e 100644 --- a/net/rfkill/rfkill-gpio.c +++ b/net/rfkill/rfkill-gpio.c @@ -54,7 +54,7 @@ static int rfkill_gpio_set_power(void *data, bool blocked) if (blocked && !IS_ERR(rfkill->clk) && rfkill->clk_enabled) clk_disable(rfkill->clk); - rfkill->clk_enabled = blocked; + rfkill->clk_enabled = !blocked; return 0; } From 2ba7d144d39a596cf5d09390ee7de21cfb69cf2b Mon Sep 17 00:00:00 2001 From: Wojciech Dubowik Date: Thu, 18 Sep 2014 08:30:41 +0200 Subject: [PATCH 5/6] ath9k: Fix NULL pointer dereference on early irq The ah struct might not have been initialized when interrupt comes so check for it. Signed-off-by: Wojciech Dubowik Signed-off-by: John W. Linville --- drivers/net/wireless/ath/ath9k/main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/ath/ath9k/main.c b/drivers/net/wireless/ath/ath9k/main.c index e6ac8d2e610c..4b148bbb2bf6 100644 --- a/drivers/net/wireless/ath/ath9k/main.c 
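Review bot: Same renaming concern as the st21nfcb change: the modules previously built as st21nfca.ko and st21nfca_dep.ko become a single st21nfca_hci.ko, and neither the hunk nor the message records the new name for users or checks the Kconfig help text for the old ones. The subject calls the cycle "potential", yet the depmod log pasted under it is the st21nfcb one; if the st21nfca cycle was not actually reproduced, the message should say so instead of reusing the other driver's output. A short `# st21nfca_dep.o is linked into the same module; as a separate .ko it forms a dependency cycle` comment above the objs line would preserve the reason for the layout.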
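Review bot: `rfkill->clk_enabled = !blocked;` records the request rather than the clock's actual state: on unblock the flag becomes true even when `rfkill->clk` is an error pointer and, if the enable path above this hunk calls clk_enable() without checking its result, even when the enable failed, so a later block can call clk_disable() on a clock that was never enabled. A safer form flips the flag next to the calls that change the clock, e.g. `if (blocked && !IS_ERR(rfkill->clk) && rfkill->clk_enabled) { clk_disable(rfkill->clk); rfkill->clk_enabled = false; }` with the mirror `rfkill->clk_enabled = true;` after a successful enable, dropping the unconditional assignment. The inverted value is clearly right compared with the old line; the remaining issue is where the state is set. rfkill_gpio_set_power begins above this hunk, so the enable path is not visible here.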
+++ b/drivers/net/wireless/ath/ath9k/main.c @@ -513,7 +513,7 @@ irqreturn_t ath_isr(int irq, void *dev) * touch anything. Note this can happen early * on if the IRQ is shared. */ - if (test_bit(ATH_OP_INVALID, &common->op_flags)) + if (!ah || test_bit(ATH_OP_INVALID, &common->op_flags)) return IRQ_NONE; /* shared irq, not for us */ From f8adaf0ae978252c9f7e29e96aefcd8fcaf806ba Mon Sep 17 00:00:00 2001 From: Emil Goode Date: Tue, 23 Sep 2014 00:49:55 +0200 Subject: [PATCH 6/6] brcmfmac: Fix off by one bug in brcmf_count_20mhz_channels() In the brcmf_count_20mhz_channels function we are looping through a list of channels received from firmware. Since the index of the first channel is 0 the condition leads to an off by one bug. This is causing us to hit the WARN_ON_ONCE(1) calls in the brcmu_d11n_decchspec function, which is how I discovered the bug. Introduced by: commit b48d891676f756d48b4d0ee131e4a7a5d43ca417 ("brcmfmac: rework wiphy structure setup") Acked-by: Arend van Spriel Signed-off-by: Emil Goode Signed-off-by: John W. Linville --- drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c b/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c index f3a9804988a6..16a246bfc343 100644 --- a/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c +++ b/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c @@ -4921,7 +4921,7 @@ static void brcmf_count_20mhz_channels(struct brcmf_cfg80211_info *cfg, struct brcmu_chan ch; int i; - for (i = 0; i <= total; i++) { + for (i = 0; i < total; i++) { ch.chspec = (u16)le32_to_cpu(chlist->element[i]); cfg->d11inf.decchspec(&ch);
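Review bot: The new `!ah` test is only safe because `||` short-circuits; if `common` is obtained from `ah` earlier in ath_isr, as the `&common->op_flags` operand suggests but the hunk does not show, that derivation already runs on a NULL pointer before this line, so the guard belongs directly after `ah` is read and before anything is computed from it. The comment block above the check should also name the new case, e.g. `/* ah is NULL if the IRQ fires before the device is set up (shared IRQ). */`, since today it only explains the ATH_OP_INVALID case. Returning IRQ_NONE for a NULL ah is reasonable on a shared line, but it papers over the fact that the IRQ can be requested before the hardware structure exists; the message should say whether that ordering is intentional or just unfixed. ath_isr starts before and continues after this hunk.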