* [PATCH 1/2] mwifiex: fix requesting zero memory for firmware dump
@ 2019-11-13 5:15 Ganapathi Bhat
2019-11-13 5:15 ` [PATCH 2/2] mwifiex: do not download TX packets if interface has not resumed Ganapathi Bhat
2019-11-14 15:18 ` [PATCH 1/2] mwifiex: fix requesting zero memory for firmware dump Kalle Valo
0 siblings, 2 replies; 3+ messages in thread
From: Ganapathi Bhat @ 2019-11-13 5:15 UTC (permalink / raw
To: linux-wireless
Cc: Cathy Luo, Zhiyuan Yang, James Cao, Rakesh Parmar, Brian Norris,
Sharvari Harisangam, Ganapathi Bhat
From: Sharvari Harisangam <sharvari@marvell.com>
mwifiex_pcie_fw_dump would read firmware scratch registers, to
get the size of the dump. It does a vmalloc of memory_size + 1,
read above, to save the dump. It is possible that the value read
by memory_size scratch register be invalid, i.e 0xffffffff. This
would pass an invalid size(0) to vmalloc. To fix this check for
invalid scratch register read.
Signed-off-by: Sharvari Harisangam <sharvari@marvell.com>
Signed-off-by: Ganapathi Bhat <gbhat@marvell.com>
---
drivers/net/wireless/marvell/mwifiex/pcie.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/net/wireless/marvell/mwifiex/pcie.c b/drivers/net/wireless/marvell/mwifiex/pcie.c
index fc1706d..483b521 100644
--- a/drivers/net/wireless/marvell/mwifiex/pcie.c
+++ b/drivers/net/wireless/marvell/mwifiex/pcie.c
@@ -2727,6 +2727,13 @@ static void mwifiex_pcie_fw_dump(struct mwifiex_adapter *adapter)
break;
}
+ if (memory_size == 0xffffffff) {
+ mwifiex_dbg(adapter, ERROR,
+ "Invalid dump size: 0x%x, for %s\n",
+ memory_size, entry->mem_name);
+ return;
+ }
+
mwifiex_dbg(adapter, DUMP,
"%s_SIZE=0x%x\n", entry->mem_name, memory_size);
entry->mem_ptr = vmalloc(memory_size + 1);
--
1.9.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [PATCH 2/2] mwifiex: do not download TX packets if interface has not resumed
2019-11-13 5:15 [PATCH 1/2] mwifiex: fix requesting zero memory for firmware dump Ganapathi Bhat
@ 2019-11-13 5:15 ` Ganapathi Bhat
2019-11-14 15:18 ` [PATCH 1/2] mwifiex: fix requesting zero memory for firmware dump Kalle Valo
1 sibling, 0 replies; 3+ messages in thread
From: Ganapathi Bhat @ 2019-11-13 5:15 UTC (permalink / raw
To: linux-wireless
Cc: Cathy Luo, Zhiyuan Yang, James Cao, Rakesh Parmar, Brian Norris,
Sharvari Harisangam, Ganapathi Bhat
From: Sharvari Harisangam <sharvari@marvell.com>
mwifiex_queue_tx_pkt would queue the TX packet to driver queues
and before return, would invoke main_work, which in turn would
download the packet to firmware. In case the card is in sleep
state, driver would wakeup the card(via interface).
During resume it is possible that, the applications send packets
even before interface has completed its resume. If driver try to
access interface register(to wakeup the card), it would lead to
invalid results.
To avoid this, don't invoke main_work, when hs_activated is set.
Signed-off-by: Sharvari Harisangam <sharvari@marvell.com>
Signed-off-by: Ganapathi Bhat <gbhat@marvell.com>
---
drivers/net/wireless/marvell/mwifiex/main.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/net/wireless/marvell/mwifiex/main.c b/drivers/net/wireless/marvell/mwifiex/main.c
index a9657ae..7b5cf2c0 100644
--- a/drivers/net/wireless/marvell/mwifiex/main.c
+++ b/drivers/net/wireless/marvell/mwifiex/main.c
@@ -808,6 +808,11 @@ int mwifiex_queue_tx_pkt(struct mwifiex_private *priv, struct sk_buff *skb)
mwifiex_wmm_add_buf_txqueue(priv, skb);
}
+ if (priv->adapter->hs_activated) {
+ mwifiex_dbg(priv->adapter, ERROR, "hs_activated: queue TX\n");
+ return 0;
+ }
+
mwifiex_queue_main_work(priv->adapter);
return 0;
--
1.9.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH 1/2] mwifiex: fix requesting zero memory for firmware dump
2019-11-13 5:15 [PATCH 1/2] mwifiex: fix requesting zero memory for firmware dump Ganapathi Bhat
2019-11-13 5:15 ` [PATCH 2/2] mwifiex: do not download TX packets if interface has not resumed Ganapathi Bhat
@ 2019-11-14 15:18 ` Kalle Valo
1 sibling, 0 replies; 3+ messages in thread
From: Kalle Valo @ 2019-11-14 15:18 UTC (permalink / raw
To: Ganapathi Bhat
Cc: linux-wireless, Cathy Luo, Zhiyuan Yang, James Cao, Rakesh Parmar,
Brian Norris, Sharvari Harisangam
Ganapathi Bhat <gbhat@marvell.com> writes:
> From: Sharvari Harisangam <sharvari@marvell.com>
>
> mwifiex_pcie_fw_dump would read firmware scratch registers, to
> get the size of the dump. It does a vmalloc of memory_size + 1,
> read above, to save the dump. It is possible that the value read
> by memory_size scratch register be invalid, i.e 0xffffffff. This
> would pass an invalid size(0) to vmalloc. To fix this check for
> invalid scratch register read.
>
> Signed-off-by: Sharvari Harisangam <sharvari@marvell.com>
> Signed-off-by: Ganapathi Bhat <gbhat@marvell.com>
> ---
> drivers/net/wireless/marvell/mwifiex/pcie.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/drivers/net/wireless/marvell/mwifiex/pcie.c b/drivers/net/wireless/marvell/mwifiex/pcie.c
> index fc1706d..483b521 100644
> --- a/drivers/net/wireless/marvell/mwifiex/pcie.c
> +++ b/drivers/net/wireless/marvell/mwifiex/pcie.c
> @@ -2727,6 +2727,13 @@ static void mwifiex_pcie_fw_dump(struct mwifiex_adapter *adapter)
> break;
> }
>
> + if (memory_size == 0xffffffff) {
> + mwifiex_dbg(adapter, ERROR,
> + "Invalid dump size: 0x%x, for %s\n",
> + memory_size, entry->mem_name);
> + return;
> + }
> +
> mwifiex_dbg(adapter, DUMP,
> "%s_SIZE=0x%x\n", entry->mem_name, memory_size);
> entry->mem_ptr = vmalloc(memory_size + 1);
So 0xfffffffe would be a valid length for vmalloc()? I doubt that :) A
proper fix would be to add a reasonable maximum for memory_size and
return if it's anything bigger than the limit. Never trust the firmware.
--
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2019-11-14 15:18 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-11-13 5:15 [PATCH 1/2] mwifiex: fix requesting zero memory for firmware dump Ganapathi Bhat
2019-11-13 5:15 ` [PATCH 2/2] mwifiex: do not download TX packets if interface has not resumed Ganapathi Bhat
2019-11-14 15:18 ` [PATCH 1/2] mwifiex: fix requesting zero memory for firmware dump Kalle Valo
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.