kernel/linux.git/drivers/net/wireless/intersil, branch v6.12.80

wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback()

2025-06-27T10:11:14+00:00

commit da1b9a55ff116cb040528ef664c70a4eec03ae99 upstream. Robert Morris reported: |If a malicious USB device pretends to be an Intersil p54 wifi |interface and generates an eeprom_readback message with a large |eeprom->v1.len, p54_rx_eeprom_readback() will copy data from the |message beyond the end of priv->eeprom. | |static void p54_rx_eeprom_readback(struct p54_common *priv, | struct sk_buff *skb) |{ | struct p54_hdr *hdr = (struct p54_hdr *) skb->data; | struct p54_eeprom_lm86 *eeprom = (struct p54_eeprom_lm86 *) hdr->data; | | if (priv->fw_var >= 0x509) { | memcpy(priv->eeprom, eeprom->v2.data, | le16_to_cpu(eeprom->v2.len)); | } else { | memcpy(priv->eeprom, eeprom->v1.data, | le16_to_cpu(eeprom->v1.len)); | } | [...] The eeprom->v{1,2}.len is set by the driver in p54_download_eeprom(). The device is supposed to provide the same length back to the driver. But yes, it's possible (like shown in the report) to alter the value to something that causes a crash/panic due to overrun. This patch addresses the issue by adding the size to the common device context, so p54_rx_eeprom_readback no longer relies on possibly tampered values... That said, it also checks if the "firmware" altered the value and no longer copies them. The one, small saving grace is: Before the driver tries to read the eeprom, it needs to upload >a< firmware. the vendor firmware has a proprietary license and as a reason, it is not present on most distributions by default. Cc: Reported-by: Robert Morris Closes: https://lore.kernel.org/linux-wireless/28782.1747258414@localhost/ Fixes: 7cb770729ba8 ("p54: move eeprom code into common library") Signed-off-by: Christian Lamparter Link: https://patch.msgid.link/20250516184107.47794-1-chunkeey@gmail.com Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman

wifi: p54: Use IRQF_NO_AUTOEN flag in request_irq()

2024-12-05T13:01:37+00:00

[ Upstream commit bcd1371bd85e560ccc9159b7747f94bfe43b77a6 ] disable_irq() after request_irq() still has a time gap in which interrupts can come. request_irq() with IRQF_NO_AUTOEN flag will disable IRQ auto-enable when request IRQ. Fixes: cd8d3d321285 ("p54spi: p54spi driver") Signed-off-by: Jinjie Ruan Signed-off-by: Kalle Valo Link: https://patch.msgid.link/20240910124314.698896-2-ruanjinjie@huawei.com Signed-off-by: Sasha Levin

wifi: mac80211: inform the low level if drv_stop() is a suspend

2024-06-26T08:25:46+00:00

This will allow the low level driver to take different actions for different flows. Signed-off-by: Emmanuel Grumbach Signed-off-by: Miri Korenblit Link: https://patch.msgid.link/20240618192529.739036208b6e.Ie18a2fe8e02bf2717549d39420b350cfdaf3d317@changeid Signed-off-by: Johannes Berg

wifi: p54: use 'time_left' variable with wait_for_completion_interruptible_timeout()

2024-06-12T12:01:09+00:00

There is a confusing pattern in the kernel to use a variable named 'timeout' to store the result of wait_for_completion_interruptible_timeout() causing patterns like: timeout = wait_for_completion_interruptible_timeout(...) if (!timeout) return -ETIMEDOUT; with all kinds of permutations. Use 'time_left' as a variable to make the code self explaining. Fix to the proper variable type 'long' while here. Signed-off-by: Wolfram Sang Signed-off-by: Kalle Valo Link: https://msgid.link/20240603091541.8367-5-wsa+renesas@sang-engineering.com

wifi: mac80211: simplify non-chanctx drivers

2024-02-08T11:58:32+00:00

There are still surprisingly many non-chanctx drivers, but in mac80211 that code is a bit awkward. Simplify this by having those drivers assign 'emulated' ops, so that the mac80211 code can be more unified between non-chanctx/chanctx drivers. This cuts the number of places caring about it by about 15, which are scattered across - now they're fewer and no longer in the channel context handling. Link: https://msgid.link/20240129194108.6d0ead50f5cf.I60d093b2fc81ca1853925a4d0ac3a2337d5baa5b@changeid Signed-off-by: Johannes Berg

wifi: fill in MODULE_DESCRIPTION()s for p54spi

2024-01-31T16:32:32+00:00

W=1 builds now warn if module is built without a MODULE_DESCRIPTION(). Add descriptions to the Prism54 SPI wireless driver. Signed-off-by: Breno Leitao Signed-off-by: Kalle Valo Link: https://msgid.link/20240130104243.3025393-7-leitao@debian.org

Merge tag 'wireless-2024-01-22' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless

2024-01-23T16:38:13+00:00

Kalle Valo says: ==================== wireless fixes for v6.8-rc2 The most visible fix here is the ath11k crash fix which was introduced in v6.7. We also have a fix for iwlwifi memory corruption and few smaller fixes in the stack. * tag 'wireless-2024-01-22' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless: wifi: mac80211: fix race condition on enabling fast-xmit wifi: iwlwifi: fix a memory corruption wifi: mac80211: fix potential sta-link leak wifi: cfg80211/mac80211: remove dependency on non-existing option wifi: cfg80211: fix missing interfaces when dumping wifi: ath11k: rely on mac80211 debugfs handling for vif wifi: p54: fix GCC format truncation warning with wiphy->fw_version ==================== Link: https://lore.kernel.org/r/20240122153434.E0254C433C7@smtp.kernel.org Signed-off-by: Jakub Kicinski

wifi: p54: fix GCC format truncation warning with wiphy->fw_version

2024-01-11T10:54:04+00:00

GCC 13.2 warns: drivers/net/wireless/intersil/p54/fwio.c:128:34: warning: '%s' directive output may be truncated writing up to 39 bytes into a region of size 32 [-Wformat-truncation=] drivers/net/wireless/intersil/p54/fwio.c:128:33: note: directive argument in the range [0, 16777215] drivers/net/wireless/intersil/p54/fwio.c:128:33: note: directive argument in the range [0, 255] drivers/net/wireless/intersil/p54/fwio.c:127:17: note: 'snprintf' output between 7 and 52 bytes into a destination of size 32 The issue here is that wiphy->fw_version is 32 bytes and in theory the string we try to place there can be 39 bytes. wiphy->fw_version is used for providing the firmware version to user space via ethtool, so not really important. fw_version in theory can be 24 bytes but in practise it's shorter, so even if print only 19 bytes via ethtool there should not be any practical difference. I did consider removing fw_var from the string altogether or making the maximum length for fw_version 19 bytes, but chose this approach as it was the least intrusive. Compile tested only. Signed-off-by: Kalle Valo Acked-by: Christian Lamparter # Tested with Dell 1450 USB Signed-off-by: Kalle Valo Link: https://msgid.link/20231219162516.898205-1-kvalo@kernel.org

wifi: remove orphaned orinoco driver

2023-10-30T17:29:52+00:00

Orinoco is a PIO-only ISA/PCMCIA 802.11b device with extra bus interface connections for PCI/Cardbus/mini-PCI and a few pre-2002 Apple PowerMac variants. It supports both wireless extensions and CFG80211, but I could not tell if it requires using both. This device used to be one of the most common ones 20 years ago, but has been orphaned for most of the time since then, and the conversion to cfg80211 has stalled in 2010. Signed-off-by: Arnd Bergmann Signed-off-by: Kalle Valo

wifi: remove obsolete hostap driver

2023-10-30T17:29:52+00:00

HostAP is an ISA/PCMCIA style 802.11b driver supporting only wireless extensions, and some custom ioctls (already removed). Some devices include a legacy PCI bridge but no DMA. The driver was marked obsolete in 2016 and is highly unlikely to still have any users. Signed-off-by: Arnd Bergmann Signed-off-by: Kalle Valo