From 276556dbd2d9f56f8933393f927e88fae142ce8f Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Fri, 8 Jul 2011 10:21:15 +0300 Subject: [PATCH 1/6] NFC: pn533: use after free in pn533_disconnect() We freed "dev" on the line before. Signed-off-by: Dan Carpenter Signed-off-by: John W. Linville --- drivers/nfc/pn533.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/nfc/pn533.c b/drivers/nfc/pn533.c index 037231540719..c77e0543e502 100644 --- a/drivers/nfc/pn533.c +++ b/drivers/nfc/pn533.c @@ -1596,7 +1596,7 @@ static void pn533_disconnect(struct usb_interface *interface) usb_free_urb(dev->out_urb); kfree(dev); - nfc_dev_info(&dev->interface->dev, "NXP PN533 NFC device disconnected"); + nfc_dev_info(&interface->dev, "NXP PN533 NFC device disconnected"); } static struct usb_driver pn533_driver = { From a203c2aa4cefccb879c879b8e1cad1a09a679e55 Mon Sep 17 00:00:00 2001 From: Sven Neumann Date: Tue, 12 Jul 2011 15:52:07 +0200 Subject: [PATCH 2/6] cfg80211: really ignore the regulatory request At the beginning of wiphy_update_regulatory() a check is performed whether the request is to be ignored. Then the request is sent to the driver nevertheless. This happens even if last_request points to NULL, leading to a crash in the driver: [] (lbs_set_11d_domain_info+0x28/0x1e4 [libertas]) from [] (wiphy_update_regulatory+0x4d0/0x4f4) [] (wiphy_update_regulatory+0x4d0/0x4f4) from [] (wiphy_register+0x354/0x420) [] (wiphy_register+0x354/0x420) from [] (lbs_cfg_register+0x80/0x164 [libertas]) [] (lbs_cfg_register+0x80/0x164 [libertas]) from [] (lbs_start_card+0x20/0x88 [libertas]) [] (lbs_start_card+0x20/0x88 [libertas]) from [] (if_sdio_probe+0x898/0x9c0 [libertas_sdio]) Fix this by returning early. Also remove the out: label as it is not any longer needed. Signed-off-by: Sven Neumann Cc: linux-wireless@vger.kernel.org Cc: Johannes Berg Cc: Daniel Mack Cc: stable@kernel.org Signed-off-by: John W. Linville --- net/wireless/reg.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/net/wireless/reg.c b/net/wireless/reg.c index 1ad0f39fe091..4453eb721e13 100644 --- a/net/wireless/reg.c +++ b/net/wireless/reg.c @@ -1125,12 +1125,13 @@ void wiphy_update_regulatory(struct wiphy *wiphy, enum ieee80211_band band; if (ignore_reg_update(wiphy, initiator)) - goto out; + return; + for (band = 0; band < IEEE80211_NUM_BANDS; band++) { if (wiphy->bands[band]) handle_band(wiphy, band, initiator); } -out: + reg_process_beacons(wiphy); reg_process_ht_flags(wiphy); if (wiphy->reg_notifier) From f76f424353e678f904c6c13f997851efb6077419 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= Date: Fri, 22 Jul 2011 13:11:04 +0200 Subject: [PATCH 3/6] b43: bus: fix memory corruption when setting driver's data MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes bug described in: https://bugzilla.kernel.org/show_bug.cgi?id=39172 Signed-off-by: Rafał Miłecki Signed-off-by: John W. Linville --- drivers/net/wireless/b43/bus.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/wireless/b43/bus.c b/drivers/net/wireless/b43/bus.c index 64c3f65ff8c0..05f6c7bff6ab 100644 --- a/drivers/net/wireless/b43/bus.c +++ b/drivers/net/wireless/b43/bus.c @@ -244,10 +244,12 @@ void b43_bus_set_wldev(struct b43_bus_dev *dev, void *wldev) #ifdef CONFIG_B43_BCMA case B43_BUS_BCMA: bcma_set_drvdata(dev->bdev, wldev); + break; #endif #ifdef CONFIG_B43_SSB case B43_BUS_SSB: ssb_set_drvdata(dev->sdev, wldev); + break; #endif } } From 6f89062a66d8b88ca89a15a6cebc0bc0db284441 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= Date: Fri, 22 Jul 2011 13:11:05 +0200 Subject: [PATCH 4/6] b43: bcma: drop BROKEN MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We've fixed the last issue with BCMA support which caused memory corruption on loading and unloading b43. Support for BCMA in b43 was tested with 14e4:4353, 14e4:4357, 14e4:4727 and 14e4:4331. First two cards (BCM43224 and BCM43225) are supported. Signed-off-by: Rafał Miłecki Signed-off-by: John W. Linville --- drivers/net/wireless/b43/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/b43/Kconfig b/drivers/net/wireless/b43/Kconfig index d2293dcc117f..3cab843afb05 100644 --- a/drivers/net/wireless/b43/Kconfig +++ b/drivers/net/wireless/b43/Kconfig @@ -28,7 +28,7 @@ config B43 config B43_BCMA bool "Support for BCMA bus" - depends on B43 && BCMA && BROKEN + depends on B43 && BCMA default y config B43_SSB From e61b52d1309df08b86a35e54a61f0cc932b28291 Mon Sep 17 00:00:00 2001 From: Pavel Roskin Date: Fri, 22 Jul 2011 18:07:13 -0400 Subject: [PATCH 5/6] b43: fix invalid memory access in b43_ssb_remove() wldev is freed in b43_one_core_detach() and should not be accessed after that call. Keep wldev->dev in a local variable. Signed-off-by: Pavel Roskin Signed-off-by: John W. Linville --- drivers/net/wireless/b43/main.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/b43/main.c b/drivers/net/wireless/b43/main.c index d9f53b791b21..85d6a1f03a08 100644 --- a/drivers/net/wireless/b43/main.c +++ b/drivers/net/wireless/b43/main.c @@ -5350,6 +5350,7 @@ static void b43_ssb_remove(struct ssb_device *sdev) { struct b43_wl *wl = ssb_get_devtypedata(sdev); struct b43_wldev *wldev = ssb_get_drvdata(sdev); + struct b43_bus_dev *dev = wldev->dev; /* We must cancel any work here before unregistering from ieee80211, * as the ieee80211 unreg will destroy the workqueue. */ @@ -5365,14 +5366,14 @@ static void b43_ssb_remove(struct ssb_device *sdev) ieee80211_unregister_hw(wl->hw); } - b43_one_core_detach(wldev->dev); + b43_one_core_detach(dev); if (list_empty(&wl->devlist)) { b43_leds_unregister(wl); /* Last core on the chip unregistered. * We can destroy common struct b43_wl. */ - b43_wireless_exit(wldev->dev, wl); + b43_wireless_exit(dev, wl); } } From 5bc91db8933bce07c3af86da2bd956414aa5a725 Mon Sep 17 00:00:00 2001 From: Mihai Moldovan Date: Mon, 25 Jul 2011 11:18:58 +0200 Subject: [PATCH 6/6] wireless: fix a typo in ignore_reg_update Just a typo fix changing regulaotry to regulatory. Signed-off-by: Mihai Moldovan CC: John W. Linville CC: Mohammed Shafi Signed-off-by: John W. Linville --- net/wireless/reg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/wireless/reg.c b/net/wireless/reg.c index 4453eb721e13..02751dbc5a97 100644 --- a/net/wireless/reg.c +++ b/net/wireless/reg.c @@ -903,7 +903,7 @@ static bool ignore_reg_update(struct wiphy *wiphy, initiator != NL80211_REGDOM_SET_BY_COUNTRY_IE && !is_world_regdom(last_request->alpha2)) { REG_DBG_PRINT("Ignoring regulatory request %s " - "since the driver requires its own regulaotry " + "since the driver requires its own regulatory " "domain to be set first", reg_initiator_name(initiator)); return true;