Commit Graph

445827 Commits

Author SHA1 Message Date
Lance Richardson d13e1894fc net: support compat 64-bit time in {s,g}etsockopt
[ Upstream commit 988bf7243e03ef69238381594e0334a79cef74a6 ]

For the x32 ABI, struct timeval has two 64-bit fields. However
the kernel currently interprets the user-space values used for
the SO_RCVTIMEO and SO_SNDTIMEO socket options as having a pair
of 32-bit fields.

When the seconds portion of the requested timeout is less than 2**32,
the seconds portion of the effective timeout is correct but the
microseconds portion is zero.  When the seconds portion of the
requested timeout is zero and the microseconds portion is non-zero,
the kernel interprets the timeout as zero (never timeout).

Fix by using 64-bit time for SO_RCVTIMEO/SO_SNDTIMEO as required
for the ABI.

The code included below demonstrates the problem.

Results before patch:
    $ gcc -m64 -Wall -O2 -o socktmo socktmo.c && ./socktmo
    recv time: 2.008181 seconds
    send time: 2.015985 seconds

    $ gcc -m32 -Wall -O2 -o socktmo socktmo.c && ./socktmo
    recv time: 2.016763 seconds
    send time: 2.016062 seconds

    $ gcc -mx32 -Wall -O2 -o socktmo socktmo.c && ./socktmo
    recv time: 1.007239 seconds
    send time: 1.023890 seconds

Results after patch:
    $ gcc -m64 -O2 -Wall -o socktmo socktmo.c && ./socktmo
    recv time: 2.010062 seconds
    send time: 2.015836 seconds

    $ gcc -m32 -O2 -Wall -o socktmo socktmo.c && ./socktmo
    recv time: 2.013974 seconds
    send time: 2.015981 seconds

    $ gcc -mx32 -O2 -Wall -o socktmo socktmo.c && ./socktmo
    recv time: 2.030257 seconds
    send time: 2.013383 seconds

 #include <stdio.h>
 #include <stdlib.h>
 #include <sys/socket.h>
 #include <sys/types.h>
 #include <sys/time.h>

 void checkrc(char *str, int rc)
 {
         if (rc >= 0)
                 return;

         perror(str);
         exit(1);
 }

 static char buf[1024];
 int main(int argc, char **argv)
 {
         int rc;
         int socks[2];
         struct timeval tv;
         struct timeval start, end, delta;

         rc = socketpair(AF_UNIX, SOCK_STREAM, 0, socks);
         checkrc("socketpair", rc);

         /* set timeout to 1.999999 seconds */
         tv.tv_sec = 1;
         tv.tv_usec = 999999;
         rc = setsockopt(socks[0], SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
         checkrc("setsockopt", rc);
         rc = setsockopt(socks[0], SOL_SOCKET, SO_SNDTIMEO, &tv, sizeof tv);
         checkrc("setsockopt", rc);

         /* measure actual receive timeout */
         gettimeofday(&start, NULL);
         rc = recv(socks[0], buf, sizeof buf, 0);
         gettimeofday(&end, NULL);
         timersub(&end, &start, &delta);

         printf("recv time: %ld.%06ld seconds\n",
                (long)delta.tv_sec, (long)delta.tv_usec);

         /* fill send buffer */
         do {
                 rc = send(socks[0], buf, sizeof buf, 0);
         } while (rc > 0);

         /* measure actual send timeout */
         gettimeofday(&start, NULL);
         rc = send(socks[0], buf, sizeof buf, 0);
         gettimeofday(&end, NULL);
         timersub(&end, &start, &delta);

         printf("send time: %ld.%06ld seconds\n",
                (long)delta.tv_sec, (long)delta.tv_usec);
         exit(0);
 }

Fixes: 515c7af85e ("x32: Use compat shims for {g,s}etsockopt")
Reported-by: Gopal RajagopalSai <gopalsr83@gmail.com>
Signed-off-by: Lance Richardson <lance.richardson.net@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-07-27 21:49:09 +02:00
Andrey Ignatov 1afee7feaa ipv4: fix memory leaks in udp_sendmsg, ping_v4_sendmsg
[ Upstream commit 1b97013bfb11d66f041de691de6f0fec748ce016 ]

Fix more memory leaks in ip_cmsg_send() callers. Part of them were fixed
earlier in 919483096bfe.

* udp_sendmsg one was there since the beginning when linux sources were
  first added to git;
* ping_v4_sendmsg one was copy/pasted in c319b4d76b.

Whenever a return happens in udp_sendmsg() or ping_v4_sendmsg(), IP options
have to be freed if they were allocated previously.

Add a label so that future callers (if any) can use it instead of a kfree()
before return, which is easy to forget.

Fixes: c319b4d76b (net: ipv4: add IPPROTO_ICMP socket kind)
Signed-off-by: Andrey Ignatov <rdna@fb.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-07-27 21:49:09 +02:00
Eric Dumazet 423f982b63 tcp: fix TCP_REPAIR_QUEUE bound checking
commit bf2acc943a45d2b2e8a9f1a5ddff6b6e43cc69d9 upstream.

syzbot is able to produce a nasty WARN_ON() in tcp_verify_left_out()
with the following C-repro:

socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
setsockopt(3, SOL_TCP, TCP_REPAIR, [1], 4) = 0
setsockopt(3, SOL_TCP, TCP_REPAIR_QUEUE, [-1], 4) = 0
bind(3, {sa_family=AF_INET, sin_port=htons(20002), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
sendto(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"...,
	1242, MSG_FASTOPEN, {sa_family=AF_INET, sin_port=htons(20002), sin_addr=inet_addr("127.0.0.1")}, 16) = 1242
setsockopt(3, SOL_TCP, TCP_REPAIR_WINDOW, "\4\0\0@+\205\0\0\377\377\0\0\377\377\377\177\0\0\0\0", 20) = 0
writev(3, [{"\270", 1}], 1)             = 1
setsockopt(3, SOL_TCP, TCP_REPAIR_OPTIONS, "\10\0\0\0\0\0\0\0\0\0\0\0|\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 386) = 0
writev(3, [{"\210v\r[\226\320t\231qwQ\204\264l\254\t\1\20\245\214p\350H\223\254;\\\37\345\307p$"..., 3144}], 1) = 3144

The 3rd system call looks odd:
setsockopt(3, SOL_TCP, TCP_REPAIR_QUEUE, [-1], 4) = 0

This patch makes sure bound checking is using an unsigned compare.

Fixes: ee9952831c ("tcp: Initial repair mode")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Pavel Emelyanov <xemul@parallels.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-07-27 21:49:09 +02:00
Eric Dumazet 9694e9a30b net: fix uninit-value in __hw_addr_add_ex()
commit 77d36398d99f2565c0a8d43a86fd520a82e64bb8 upstream.

syzbot complained:

BUG: KMSAN: uninit-value in memcmp+0x119/0x180 lib/string.c:861
CPU: 0 PID: 3 Comm: kworker/0:0 Not tainted 4.16.0+ #82
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: ipv6_addrconf addrconf_dad_work
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
 memcmp+0x119/0x180 lib/string.c:861
 __hw_addr_add_ex net/core/dev_addr_lists.c:60 [inline]
 __dev_mc_add+0x1c2/0x8e0 net/core/dev_addr_lists.c:670
 dev_mc_add+0x6d/0x80 net/core/dev_addr_lists.c:687
 igmp6_group_added+0x2db/0xa00 net/ipv6/mcast.c:662
 ipv6_dev_mc_inc+0xe9e/0x1130 net/ipv6/mcast.c:914
 addrconf_join_solict net/ipv6/addrconf.c:2078 [inline]
 addrconf_dad_begin net/ipv6/addrconf.c:3828 [inline]
 addrconf_dad_work+0x427/0x2150 net/ipv6/addrconf.c:3954
 process_one_work+0x12c6/0x1f60 kernel/workqueue.c:2113
 worker_thread+0x113c/0x24f0 kernel/workqueue.c:2247
 kthread+0x539/0x720 kernel/kthread.c:239

Fixes: f001fde5ea ("net: introduce a list of device addresses dev_addr_list (v6)")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-07-27 21:49:08 +02:00
Eric Dumazet cf8859c9eb net: initialize skb->peeked when cloning
commit b13dda9f9aa7caceeee61c080c2e544d5f5d85e5 upstream.

syzbot reported __skb_try_recv_from_queue() was using skb->peeked
while it was potentially uninitialized.

We need to clear it in __skb_clone().

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-07-27 21:49:08 +02:00
Eric Dumazet 2105d3d1ec net: fix rtnh_ok()
commit b1993a2de12c9e75c35729e2ffbc3a92d50c0d31 upstream.

syzbot reported:

BUG: KMSAN: uninit-value in rtnh_ok include/net/nexthop.h:11 [inline]
BUG: KMSAN: uninit-value in fib_count_nexthops net/ipv4/fib_semantics.c:469 [inline]
BUG: KMSAN: uninit-value in fib_create_info+0x554/0x8d20 net/ipv4/fib_semantics.c:1091

@remaining is an integer, coming from user space.
If it is negative we want rtnh_ok() to return false.

Fixes: 4e902c5741 ("[IPv4]: FIB configuration using struct fib_config")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-07-27 21:49:08 +02:00
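The TCP_REPAIR_QUEUE and rtnh_ok() fixes above are two faces of the same integer-comparison pitfall: a signed value from user space slipping past a bound check. The C program below is an added illustration written for this page, not code from either commit or from the kernel; QUEUES_NR and struct hdr are constructed stand-ins for the kernel constants and structures, which are not quoted here. The first pair of functions shows a signed compare accepting -1 and the unsigned compare rejecting it; the second pair shows the opposite trap, where comparing an int against sizeof() promotes it to size_t so a negative length passes, and the fix is to keep the compare signed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical number of valid queue ids; the kernel constant is not on this page. */
#define QUEUES_NR 3

/* Pattern before the TCP_REPAIR_QUEUE fix: val is a plain int from userspace.
 * A signed compare accepts -1, because -1 < 3. */
bool queue_ok_signed(int val)
{
    return val < QUEUES_NR;
}

/* Unsigned compare: -1 becomes 0xffffffff and is rejected together with
 * every other out-of-range value, so only 0..QUEUES_NR-1 pass. */
bool queue_ok_unsigned(int val)
{
    return (unsigned int)val < QUEUES_NR;
}

/* Hypothetical fixed-size header standing in for the nexthop header. */
struct hdr {
    unsigned short len;
    unsigned char flags;
    unsigned char pad;
};

/* Pattern before the rtnh_ok() fix, in the other direction: comparing an int
 * against sizeof() converts the int to size_t by the usual arithmetic
 * conversions, so a negative remaining length becomes huge and passes.
 * The cast only makes that implicit conversion visible. */
bool hdr_ok_promoted(int remaining)
{
    return (size_t)remaining >= sizeof(struct hdr);
}

/* Keep the comparison signed: a negative remaining length fails, as intended. */
bool hdr_ok_signed(int remaining)
{
    return remaining >= (int)sizeof(struct hdr);
}

int main(void)
{
    /* Constructed sample values around both boundaries. */
    int samples[] = { -1, 0, 2, 3, 4 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int v = samples[i];
        printf("val=%2d queue signed=%d unsigned=%d | hdr promoted=%d signed=%d\n",
               v, queue_ok_signed(v), queue_ok_unsigned(v),
               hdr_ok_promoted(v), hdr_ok_signed(v));
    }
    return 0;
}
```

Compile with -Wall -Wextra: the explicit casts keep the intent visible to reviewers, whereas the original bugs were invisible precisely because the conversions were implicit.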
Eric Dumazet 31e94c2bfb netlink: fix uninit-value in netlink_sendmsg
commit 6091f09c2f79730d895149bcfe3d66140288cd0e upstream.

syzbot reported:

BUG: KMSAN: uninit-value in ffs arch/x86/include/asm/bitops.h:432 [inline]
BUG: KMSAN: uninit-value in netlink_sendmsg+0xb26/0x1310 net/netlink/af_netlink.c:1851

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-07-27 21:49:07 +02:00
Takashi Iwai da8f540ce6 ALSA: pcm: Check PCM state at xfern compat ioctl
commit f13876e2c33a657a71bcbb10f767c0951b165020 upstream.

Since snd_pcm_ioctl_xfern_compat() has no PCM state check, it may go
further and hit the sanity check pcm_sanity_check() when the ioctl is
called right after open.  It may eventually spew a kernel warning, as
triggered by syzbot, depending on kconfig.

The lack of PCM state check there was just an oversight.  Although
it's no real crash, the spurious kernel warning is annoying, so let's
add the proper check.

Reported-by: syzbot+1dac3a4f6bc9c1c675d4@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-07-27 21:49:07 +02:00
Theodore Ts'o 42b2bee568 ext4: fix deadlock between inline_data and ext4_expand_extra_isize_ea()
commit c755e251357a0cee0679081f08c3f4ba797a8009 upstream.

The xattr_sem deadlock problems fixed in commit 2e81a4eeedca: "ext4:
avoid deadlock when expanding inode size" didn't include the use of
xattr_sem in fs/ext4/inline.c.  With the addition of project quota
which added a new extra inode field, this exposed deadlocks in the
inline_data code similar to the ones fixed by 2e81a4eeedca.

The deadlock can be reproduced via:

   dmesg -n 7
   mke2fs -t ext4 -O inline_data -Fq -I 256 /dev/vdc 32768
   mount -t ext4 -o debug_want_extra_isize=24 /dev/vdc /vdc
   mkdir /vdc/a
   umount /vdc
   mount -t ext4 /dev/vdc /vdc
   echo foo > /vdc/a/foo

and looks like this:

[   11.158815]
[   11.160276] =============================================
[   11.161960] [ INFO: possible recursive locking detected ]
[   11.161960] 4.10.0-rc3-00015-g011b30a8a3cf #160 Tainted: G        W
[   11.161960] ---------------------------------------------
[   11.161960] bash/2519 is trying to acquire lock:
[   11.161960]  (&ei->xattr_sem){++++..}, at: [<c1225a4b>] ext4_expand_extra_isize_ea+0x3d/0x4cd
[   11.161960]
[   11.161960] but task is already holding lock:
[   11.161960]  (&ei->xattr_sem){++++..}, at: [<c1227941>] ext4_try_add_inline_entry+0x3a/0x152
[   11.161960]
[   11.161960] other info that might help us debug this:
[   11.161960]  Possible unsafe locking scenario:
[   11.161960]
[   11.161960]        CPU0
[   11.161960]        ----
[   11.161960]   lock(&ei->xattr_sem);
[   11.161960]   lock(&ei->xattr_sem);
[   11.161960]
[   11.161960]  *** DEADLOCK ***
[   11.161960]
[   11.161960]  May be due to missing lock nesting notation
[   11.161960]
[   11.161960] 4 locks held by bash/2519:
[   11.161960]  #0:  (sb_writers#3){.+.+.+}, at: [<c11a2414>] mnt_want_write+0x1e/0x3e
[   11.161960]  #1:  (&type->i_mutex_dir_key){++++++}, at: [<c119508b>] path_openat+0x338/0x67a
[   11.161960]  #2:  (jbd2_handle){++++..}, at: [<c123314a>] start_this_handle+0x582/0x622
[   11.161960]  #3:  (&ei->xattr_sem){++++..}, at: [<c1227941>] ext4_try_add_inline_entry+0x3a/0x152
[   11.161960]
[   11.161960] stack backtrace:
[   11.161960] CPU: 0 PID: 2519 Comm: bash Tainted: G        W       4.10.0-rc3-00015-g011b30a8a3cf #160
[   11.161960] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.1-1 04/01/2014
[   11.161960] Call Trace:
[   11.161960]  dump_stack+0x72/0xa3
[   11.161960]  __lock_acquire+0xb7c/0xcb9
[   11.161960]  ? kvm_clock_read+0x1f/0x29
[   11.161960]  ? __lock_is_held+0x36/0x66
[   11.161960]  ? __lock_is_held+0x36/0x66
[   11.161960]  lock_acquire+0x106/0x18a
[   11.161960]  ? ext4_expand_extra_isize_ea+0x3d/0x4cd
[   11.161960]  down_write+0x39/0x72
[   11.161960]  ? ext4_expand_extra_isize_ea+0x3d/0x4cd
[   11.161960]  ext4_expand_extra_isize_ea+0x3d/0x4cd
[   11.161960]  ? _raw_read_unlock+0x22/0x2c
[   11.161960]  ? jbd2_journal_extend+0x1e2/0x262
[   11.161960]  ? __ext4_journal_get_write_access+0x3d/0x60
[   11.161960]  ext4_mark_inode_dirty+0x17d/0x26d
[   11.161960]  ? ext4_add_dirent_to_inline.isra.12+0xa5/0xb2
[   11.161960]  ext4_add_dirent_to_inline.isra.12+0xa5/0xb2
[   11.161960]  ext4_try_add_inline_entry+0x69/0x152
[   11.161960]  ext4_add_entry+0xa3/0x848
[   11.161960]  ? __brelse+0x14/0x2f
[   11.161960]  ? _raw_spin_unlock_irqrestore+0x44/0x4f
[   11.161960]  ext4_add_nondir+0x17/0x5b
[   11.161960]  ext4_create+0xcf/0x133
[   11.161960]  ? ext4_mknod+0x12f/0x12f
[   11.161960]  lookup_open+0x39e/0x3fb
[   11.161960]  ? __wake_up+0x1a/0x40
[   11.161960]  ? lock_acquire+0x11e/0x18a
[   11.161960]  path_openat+0x35c/0x67a
[   11.161960]  ? sched_clock_cpu+0xd7/0xf2
[   11.161960]  do_filp_open+0x36/0x7c
[   11.161960]  ? _raw_spin_unlock+0x22/0x2c
[   11.161960]  ? __alloc_fd+0x169/0x173
[   11.161960]  do_sys_open+0x59/0xcc
[   11.161960]  SyS_open+0x1d/0x1f
[   11.161960]  do_int80_syscall_32+0x4f/0x61
[   11.161960]  entry_INT80_32+0x2f/0x2f
[   11.161960] EIP: 0xb76ad469
[   11.161960] EFLAGS: 00000286 CPU: 0
[   11.161960] EAX: ffffffda EBX: 08168ac8 ECX: 00008241 EDX: 000001b6
[   11.161960] ESI: b75e46bc EDI: b7755000 EBP: bfbdb108 ESP: bfbdafc0
[   11.161960]  DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b

Cc: stable@vger.kernel.org # 3.10 (requires 2e81a4eeedca as a prereq)
Reported-by: George Spelvin <linux@sciencehorizons.net>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Harsh Shandilya <harsh@prjkt.io>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-07-27 21:49:07 +02:00
Ratnam Rachuri 76b149af49 qcacld-2.0: Send scan abort notification to Supplicant on band change
prima to qcacld-2.0 propagation

The current implementation does not send a SCAN ABORT indication
to upper layers on a band change when a scan is in progress.

Changes are made in the SME layer by configuring an 'abortScanIndication'
flag which is a part of the scan command, so that the necessary
action is taken based on the flag value.

Change-Id: Iffe7e65dc1e8c7951ce3c4be3c21ef2103091d13
CRs-Fixed: 879520
2019-07-27 21:49:06 +02:00
Nitesh Shah 7077e2d2d8 qcacld-2.0: Disconnect AP on beacon change in csr scanning state
If the CSR state of the STA changes to eCSR_ROAMING_STATE_SCANNING
and at the same time the AP changes its capability, the STA
gets the beacon and detects that the beacon has changed. In this
case, the STA is unable to disassociate from the AP.

The fix is to disconnect even when the change in beacon is
detected while the CSR state is eCSR_ROAMING_STATE_SCANNING.

Change-Id: I884fc936f543ad56cdb74b50d568f52f4d80ad79
CRs-Fixed: 1098370
2019-07-27 21:49:06 +02:00
Yingying Tang 2c35ef2699 qcacld-2.0: Fix incorrect value assignment
Currently there are some places where a value is assigned incorrectly.
Add a fix to correct it.

CRs-Fixed: 1063255
Change-Id: I1d48b464ad67d112af6f3ffeea340a56633556f9
2019-07-27 21:49:06 +02:00
Selvaraj, Sridhar ef88058616 qcacld-2.0: Send proper reason code to Supplicant on beacon miss event
prima to qcacld-2.0 propagation

Once the beacon miss event is received in the driver, STA cleanup
happens and sends deauth reason code 505, which is an internal
value to the driver (eSIR_SME_LOST_LINK_WITH_PEER_RESULT_CODE).
Send reason code zero to the Supplicant for beacon miss kickout.
Clean up the similar handling in csrApiRoam as it is redundant.

Change-Id: I6df97e05ac20f285646df3d5fe73800138a18d89
CRs-Fixed: 1025871
2019-07-27 21:49:05 +02:00
Yingying Tang 285c29be35 qcacld-2.0: Fix incorrect NULL pointer check for SME
Currently there are some places where an array name is compared to NULL
in SME. Add a fix to correct it.

CRs-Fixed: 1063255
Change-Id: Id37e8b6fc483d41c4e5b48bb78c295acc08a0328
2019-07-27 21:49:05 +02:00
Abhishek Singh 700c0a8420 qcacld-2.0: Disconnect is dropped due to invalid csr roam state
pronto to qcacld-2.0 propagation

The csr roam state is moved to joined after connection, but on
receiving disconnect the state is changed to idle even
before the disconnect indication is sent to SME. This leads to
dropping of the disconnect indication in SME as it is not
processed in the idle state.

Fix it by moving the csr roam state to idle after the disconnect
done indication.

Change-Id: Ic31a2d8a0d68eaf0f4d8c6456344c78d4635f161
CRs-Fixed: 1058611
2019-07-27 21:49:04 +02:00
Manjeet Singh 672ed69efe qcacld-2.0: Fix use of uninitialized data
In the RoamReadTSF function, the BSS description field is read without
checking the return value of the initializing function, which can result
in a null pointer exception.

Check the return value of the function NeighborRoamGetHandoffAPInfo,
which fetches neighboring hand-off information.

Change-Id: I74288d09b1c1cb8e4e7c65881a6fbc67010b4670
CRs-Fixed: 1017942
2019-07-27 21:49:04 +02:00
Masti, Narayanraddi 46ee0e3e8a qcacld-2.0: Fix uninitialized heap and stack usage
1. Fix uninitialized heap use in csrGetStatistics by initializing
the pointer of struct type WLANTL_TRANSFER_STA_TYPE to zero.
2. Fix uninitialized stack use in csrRoamReadTSF by initializing
the variable of struct type tCsrNeighborRoamBSSInfo to zero.

Change-Id: I4211b41b5e30d414e45691a5bab4048587cc8499
CRs-Fixed: 1018486
2019-07-27 21:49:04 +02:00
Padma, Santhosh Kumar 1f50bc7393 qcacld-2.0: Stop stats timer only when it is started
prima to qcacld-2.0 propagation

Currently the stats timer is started only when the variable periodicity
is non-zero. During cleanup, the check for periodicity is
not present before stopping the stats timer. This results in an
unnecessary assert. Add a check to stop the timer only when
periodicity is non-zero. Also, add a change to update the status
properly when staid is within permissible limits.

Change-Id: Idf0fcc7f118aaae29dae26f0176b3093f47bd865
CRs-Fixed: 939678
2019-07-27 21:49:03 +02:00
Hong Shi ebc6c03971 qcacld-2.0: Disable cpu sleep when collecting ramdump
On the HL (sdio) platform, if /sys/module/lpm_levels/parameters/sleep_disabled
is set to N, ramdump collection time will be over 300 seconds, which is too
long. Disable CPU sleep by requesting the minimum PM QoS value when collecting
the ramdump.

Change-Id: Ib5514c174a53427ae14c0218201b810dde1bb650
CRs-Fixed: 2031145
2019-07-27 21:49:03 +02:00
Hanumanth Reddy Pothula dc730b5124 qcacld-2.0: Resolve possible OOB while posting SET PASSPOINT WMA event
qcacld-3.0 to qcacld-2.0 propagation

Presently, while processing the SET_PASSPOINT_LIST vendor command,
HDD is not making sure the realm string passed by the upper layer is NULL
terminated; this may lead to a buffer overflow as strlen is used
to get the realm string length to construct the PASSPOINT WMA command.

Make sure the realm is NULL terminated before passing it to the
lower layers.

Change-Id: I417f2b89dc219664afe5deac00dc361cac4048d6
CRs-Fixed: 2217476
2019-07-27 21:49:03 +02:00
tinlin 27ef618a27 qcacld-2.0: Fix OOB write in wma_passpoint_match_event_handler
Propagation from cld3.0 to cld2.0.

In the function wma_passpoint_match_event_handler, fixed param event data
from firmware is filled into the destination buffer and an indication is sent
to upper layers. The buffer allocation is done for the size
sizeof(wmi_passpoint_event_hdr) + event->ie_length + event->anqp_length. The
maximum firmware event message size is WMI_SVC_MSG_MAX_SIZE. If
ie_length and anqp_length combined are greater than WMI_SVC_MSG_MAX_SIZE, or
either of the two exceeds WMI_SVC_MSG_MAX_SIZE, an OOB write will occur in
wma_passpoint_match_event_handler.

Add a check to ensure that neither ie_length, anqp_length nor
(ie_length + anqp_length) exceeds WMI_SVC_MSG_MAX_SIZE. Return
failure if it does.

Change-Id: I21f473ca0b99ebb8488f2cca3c0774817ea97c3a
CRs-Fixed: 2212696
2019-07-27 21:49:02 +02:00
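The two passpoint fixes above validate data that crosses a trust boundary in each direction: a realm string from user space that strlen() must never run on unless a terminator is known to be present, and a pair of lengths from firmware whose sum sizes an allocation. The C program below is an added example written for this page, not the driver's own code; REALM_MAX and MSG_MAX_SIZE are constructed limits standing in for the driver's buffer size and WMI_SVC_MSG_MAX_SIZE, and realm_copy() and passpoint_lengths_ok() are hypothetical helper names. It bounds the terminator scan by the attribute length with memchr(), rejects unterminated or oversized realms instead of truncating them, and checks each length alone before checking a widened sum so the sum cannot wrap.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed limits; the driver's real buffer sizes are not on this page. */
#define REALM_MAX     32    /* fixed-size realm buffer in the outgoing command */
#define MSG_MAX_SIZE  1024  /* maximum event payload, stands in for WMI_SVC_MSG_MAX_SIZE */

static char realm_out[REALM_MAX];   /* destination buffer used by the demo below */

/* Copy a realm attribute of src_size bytes into a fixed buffer. The attribute
 * is not assumed to carry a terminator, so strlen() is never run on it;
 * memchr() bounds the scan by the attribute length instead.
 * Returns 0 on success, -1 if the realm is unterminated or too long for dst. */
int realm_copy(char *dst, size_t dst_size, const char *src, size_t src_size)
{
    const char *nul = memchr(src, '\0', src_size);
    if (nul == NULL)
        return -1;                  /* no NUL inside the payload: reject */
    size_t len = (size_t)(nul - src);
    if (len + 1 > dst_size)
        return -1;                  /* would not fit together with its terminator */
    memcpy(dst, src, len + 1);
    return 0;
}

/* Validate two firmware-supplied lengths whose sum sizes an allocation.
 * Each length is checked on its own first; the sum is then formed in 64 bits
 * so that it cannot wrap around before the comparison. */
bool passpoint_lengths_ok(uint32_t ie_length, uint32_t anqp_length)
{
    if (ie_length > MSG_MAX_SIZE || anqp_length > MSG_MAX_SIZE)
        return false;
    uint64_t total = (uint64_t)ie_length + anqp_length;
    return total <= MSG_MAX_SIZE;
}

int main(void)
{
    /* Constructed attribute payloads: one terminated, one not. */
    const char good[] = "example.org";               /* 12 bytes including NUL */
    const char bad[6] = { 'e', 'x', 'a', 'm', 'p', 'l' };

    printf("terminated realm:   %d\n", realm_copy(realm_out, sizeof realm_out, good, sizeof good));
    printf("unterminated realm: %d\n", realm_copy(realm_out, sizeof realm_out, bad, sizeof bad));
    printf("lengths 100+200:    %d\n", passpoint_lengths_ok(100, 200));
    printf("lengths 600+600:    %d\n", passpoint_lengths_ok(600, 600));
    printf("lengths wrap case:  %d\n", passpoint_lengths_ok(0xffffffffu, 1));
    return 0;
}
```

Rejecting rather than truncating an unterminated realm keeps the bug visible in logs and avoids sending a silently altered value to firmware; the widened sum is defence in depth, since the per-field checks already exclude values large enough to wrap.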
Ashish Kumar Goswami 542b787dc6 qcacld-2.0: Reject full power request for disassociation frames
Prima to qcacld-2.0 propagation

Currently the driver goes into full power mode for sending
disassociation frames, which is not required since these are
management frames.

Add changes to reject full power request for disassociation
frames.

Change-Id: I4cc6a75d4a45e2973eb233193e6e9cbf398ef09e
CRs-Fixed: 1109516
2019-07-27 21:49:02 +02:00
Visweswara Tanuku 453103a44c qcacld-2.0: Take care not to override the scan type unnecessarily
The change Ie4aedc891c90364d8e5d21191d89bd60894797f5 overrode the
scan type for AP mode to ACTIVE without checking for the intended
scenario of AP+AP. This leads to sending probe requests unintentionally
even for the standalone AP case, leading to active scan on DFS channels.

Fix by checking active AP sessions to address the original issue.
Thus the standalone scenario shall not be affected.

Change-Id: I06dc96d1dc30fc30c33a80a295144b3404e8af5a
CRs-Fixed: 2003916
2019-07-27 21:49:01 +02:00
Liangwei Dong 25b7e64c4f qcacld-2.0: Use active scan for SAP OBSS scan
Currently, the driver uses passive scan for OBSS in SAP.
In the AP+AP case, the second AP is restricted to 28ms
offchannel dwell time in the WMA layer in order to keep
the first AP beaconing. But 28ms is not enough
to find the overlapping APs in the environment by passive scan.
That causes the second AP's OBSS scan to fail.

This fix is to change the scan to active for the SAP OBSS scan.

Change-Id: Ie4aedc891c90364d8e5d21191d89bd60894797f5
CRs-Fixed: 1102763
2019-07-27 21:49:01 +02:00
Himanshu Agarwal 5c069c51f7 qcacld-2.0: Add initializations for target_delta and bus_delta
In htt_tx_function, due to the lack of initialization of target_delta
and bus_delta, target_tx_credit remains zero even after the first
credit update indication from fw, due to which the HOST driver is not able
to send any packet to fw, causing connection failure.

Add initializations for target_delta and bus_delta in the htt_tx_attach function.

Change-Id: I87078dce40bf18d5a7d68bfccd43a6af9c088f8e
CRs-Fixed: 1048714
2019-07-27 21:49:01 +02:00
David Henningsson ef5bb0361b ALSA: core: Report audio_tstamp in snd_pcm_sync_ptr
commit f853dcaae2f5bbe021161e421bd1576845bae8f6 upstream.

It looks like a simple mistake that this struct member
was forgotten.

Audio_tstamp isn't used much, and on some archs (such as x86) this
ioctl is not used by default, so that might be the reason why this
has slipped for so long.

Fixes: 4eeaaeaea1 ("ALSA: core: add hooks for audio timestamps")
Signed-off-by: David Henningsson <diwic@ubuntu.com>
Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Cc: <stable@vger.kernel.org> # v3.8+
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-07-27 21:49:00 +02:00
Selvaraj, Sridhar e5b778275a qcacld-2.0: Fix max dwell time for passive scan beacon report
Currently the STA advertises the max. measurement duration of the RM
capability as half the beacon interval. When the STA receives a beacon
report request frame, it does not use the indicated measurement duration
if it is above the advertised max. measurement duration.
However, firmware expects a minimum of one beacon interval to
find the AP.

Modify the max. measurement capability of RRM to one beacon interval.
Also engineered the code to make use of the INI parameters for
adjusting the max measurement duration.

Change-Id: Idc0b4f15f2b7464507aacfaefb99e1ba48ad1eca
CRs-Fixed: 1030590
2019-07-27 21:49:00 +02:00
Nishank Aggarwal 07f98eeef2 qcacld-2.0: Add bound check before writing to channel list
qcacld-3.0 to qcacld-2.0 propagation

In function rrmProcessBeaconReportReq, add bound check before
writing to channel list which is of fixed size.

Change-Id: I3c80974bba84a96f7b85e4ce62bbb01c23b4babf
CRs-Fixed: 2072780
2019-07-27 21:49:00 +02:00
syphyr d681d3cf23 Revert "qcacld-2.0: Add bound check before writing to channel list"
This reverts commit 4737ac6bc0.
2019-07-27 21:48:59 +02:00
Agrawal Ashish 22a63d863d qcacld-2.0: Populate correct txpower in RRM Link Measurement Request
Currently, the driver doesn't consider the tx power negotiated
at the time of connection as the max tx power for the RRM Link Measurement
Request.
Fix this by not allowing tx power higher than pSessionEntry->maxTxPower.

Change-Id: Idebe6d11e05da0b3b8186e2c84ff8ad4ac124fdc
CRs-Fixed: 2021835
2019-07-27 21:48:59 +02:00
Sreelakshmi Konamki 4fc80d541b qcacld-2.0: Remove redundant MTRACE logs
prima to qcacld-2.0 propagation

Currently a few MTRACE logs are captured repetitively, which leads to
overwriting of other important MTRACE logs.
To avoid this:
1. Remove MTRACE logs which are seen repetitively in the scan and
connect/disconnect paths and in a few timer functions.
2. MTRACE logs are captured for a few enums in both limProcessMessages() and
limProcessMlmReqMessages(). To avoid redundancy, remove MTRACE in
limProcessMlmReqMessages() and add it in limPostMlmMessage() for the enums
that are not captured in limProcessMessages().
3. In a similar way for limProcessSmeReqMessages(), remove MTRACE in
limProcessSmeReqMessages() and add it in limPostSmeMessage().

Change-Id: I1478f3e9ab8fb57d8b8b2f65cf2eb3450eb7b64c
CRs-Fixed: 855840
2019-07-27 21:48:58 +02:00
Krishna Kumaar Natarajan ca8f29a0b3 qcacld-2.0: Fix memory leak in oem related messages
Fix memory leak in oem related messages. While oem data request/
response is passed through multiple layers, memory was not freed
correctly in some layer. This change set will fix the memory leak
related issues.

Change-Id: Ib92640c478e4ddef5cd67b292da2c8cacf70fdfd
CRs-Fixed: 1005630
2019-07-27 21:48:58 +02:00
Krishna Kumaar Natarajan f6ceb9b84e qcacld-2.0: Remove unused oem data exchange related functions
Remove unused oem data exchange related functions.
The following functions are removed:
- limOemDataRspHandleResumeLinkRsp
- limSetOemDataReqMode
- limSetOemDataReqModeFailed

Change-Id: I94e9d7c4f9ac6602c32842e5d0919b339a96b771
CRs-Fixed: 1005630
2019-07-27 21:48:58 +02:00
Gupta, Kapil 2ecb035314 qcacld-2.0: Increase maximum size of oem data request
qcacld-3.0 to qcacld-2.0 propagation

Increase the maximum size of the oem data request from 280 to 500. This
change set also removes the following unused macros in UMAC:
- OEM_DATA_REQ_SIZE
- OEM_DATA_RSP_SIZE

Change-Id: I768da4dd03c2de618c528cb72b86a5df72dd2efe
CRs-Fixed: 997085
2019-07-27 21:48:57 +02:00
Gupta, Kapil 6e2067fae1 qcacld-2.0: Correct len size of oem data request
The oem data request len size should be 4 bytes instead of
1 byte.
Add changes to correct the len size in the oem data structure across the
layers.

Change-Id: I9b377420c50ff1160964f94be5eaa0072df0f63d
CRs-Fixed: 1013488
2019-07-27 21:48:57 +02:00
Selvaraj, Sridhar e09d4aa89c qcacld-2.0: Don't open SME session for AP2, if scan was done as part of AP1
While doing ACS, the driver opens an SME session and closes it once
the scan is done. If the scan happens for AP1 then the ACS SKIP SCAN
flag will be set. For AP2 there is no need to open an SME session,
as the scan is skipped anyway based on this flag.

Check if it is an ACS skip scan and don't open/close the SME session.

Change-Id: I92049ee9e430262d38d3ad55806ee29b6042e68e
CRs-Fixed: 1019083
2019-07-27 21:48:57 +02:00
Agrawal Ashish 0c6bd94912 qcacld-2.0: Correct No of Max channels to scan
prima to qcacld-2.0 propagation.

Currently MAX_CHANNEL to scan is 45, but it should be 46.
Make MAX_CHANNEL 46.

Change-Id: Id0f4ab4a27b46af5c1f4ef0e214cf340dae6aafb
CRs-Fixed: 951742
2019-07-27 21:48:56 +02:00
Liangwei Dong d616aa9516 qcacld-2.0: Fix acs_cfg.ch_list memory leak
If ACS failed, __wlan_hdd_cfg80211_stop_ap
will not be called to free the ch_list.

Add a new API wlan_hdd_undo_acs to clean up
DO_ACS and free the ch_list memory, and call the API
in hdd_deinit_adapter to fix the ch_list leak issue.

CRs-Fixed: 1002207
Change-Id: If3285739f2387928a1d7578f9d14089a486a6d9e
2019-07-27 21:48:56 +02:00
Arun Khandavalli e70758eb5b qcacld-2.0: Skip channel validation in case of acs
As per the current implementation, whenever ACS is enabled via
INI all the update beacon calls from the cfg80211 module fail because
the sapconfig channel points to AUTO_CHANNEL_SELECT (0).

When driver ACS is enabled, skip channel validation to fix
this issue.

Change-Id: Ie3e7d19332629fc860752b2240690fd6a15bb0a2
CRs-Fixed: 977101
2019-07-27 21:48:55 +02:00
Ganesh Kondabattini baf02223fb wlan: free the memory for ch_list while unloading the driver
If the driver is being unloaded at the time __wlan_hdd_cfg80211_stop_ap is
called, free the memory allocated for ch_list before returning
from __wlan_hdd_cfg80211_stop_ap. Otherwise it will result in a
memory leak.

Change-Id: I16ab508f74068f7ca1452c97c6105a1ae6e38ef0
CRs-Fixed: 971886
2019-07-27 21:48:55 +02:00
syphyr d29145add8 qcacld-2.0: Remove additional WLAN_FEATURE_HOLD_RX_WAKELOCK
Change-Id: I8e1e90668263ce14d4a35ccbfb5e77eab8967e62
2019-07-27 21:48:55 +02:00
syphyr d881afbb51 defconfig: Regenerate configs for gts2
CONFIG_WLAN_FEATURE_RX_WAKELOCK has been moved out of
qcacld-2.0.

Change-Id: Id25bd6d4d7197e755b5863ae76474ac113b5f0c1
2019-07-27 21:48:54 +02:00
Poddar, Siddarth 80209a3bc7 qcacld-2.0: Take wakelock only in authenticated state for rx packet processing
Take wake_lock for rx packet processing in hdd_rx_packet_cbk
only in the authenticated state, to avoid taking the lock for the STA
cached_bufq, for which the wake_lock is acquired for all packets one by one
for the entire flush duration.

Change-Id: I844bf7c86d4cb3b0a198b54b0968e71e0ad8fb61
CRs-Fixed: 2081961
2019-07-27 21:48:54 +02:00
SaidiReddy Yenuga fd08477411 qcacld-2.0: Validate station id
In the function __hdd_softap_hard_start_xmit, the station id is
not validated against the max station count; this might lead to
a buffer overflow for the array aStaInfo in SapCtx.

Validate the station id against the max STA count.

CRs-Fixed: 1093122
Change-Id: If9f59c5a7b76845bb7783a96453e595b5afa4f30
2019-07-27 21:48:54 +02:00
Leo Chang f6193ef927 qcacld-2.0: make configurable rx wakelock duration
To find the optimal rx wakelock duration, change the hard-coded wakelock
to a configurable parameter.
Added a new ini item:
rx_wakelock_timeout, default 0, max 100 msec.
If the duration is 0 msec, the wakelock will not be taken.
Do not take the wakelock for Rx multicast/broadcast packets.

Change-Id: I7e91d32bc9cddc1a507b84ce68e90319360d1df2
CRs-Fixed: 1040730
2019-07-27 21:48:53 +02:00
Sravan Kumar Kairam 8abea259fe qcacld-2.0: Do not acquire rx wake lock for non local ARP
Currently, even for non-local ARP requests, the wake lock is
acquired, which prevents system suspend and is a power
penalty. Do not acquire the wake lock for non-local ARP requests.

Change-Id: Iec8f5870a03ed48ae08f20363c473cef8d5c19dc
CRs-Fixed: 1088974
2019-07-27 21:48:53 +02:00
Guillaume Nault d5c9b53918 l2tp: check sockaddr length in pppol2tp_connect()
[ Upstream commit eb1c28c05894a4b1f6b56c5bf072205e64cfa280 ]

Check sockaddr_len before dereferencing sp->sa_protocol, to ensure that
it actually points to valid data.

Fixes: fd558d186d ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Reported-by: syzbot+a70ac890b23b1bf29f5c@syzkaller.appspotmail.com
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-07-27 21:48:53 +02:00
Eric Dumazet 4157f91c5a net: af_packet: fix race in PACKET_{R|T}X_RING
[ Upstream commit 5171b37d959641bbc619781caf62e61f7b940871 ]

In order to remove the race caught by syzbot [1], we need
to lock the socket before using po->tp_version as this could
change under us otherwise.

This means lock_sock() and release_sock() must be done by
packet_set_ring() callers.

[1]:
BUG: KMSAN: uninit-value in packet_set_ring+0x1254/0x3870 net/packet/af_packet.c:4249
CPU: 0 PID: 20195 Comm: syzkaller707632 Not tainted 4.16.0+ #83
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
 packet_set_ring+0x1254/0x3870 net/packet/af_packet.c:4249
 packet_setsockopt+0x12c6/0x5a90 net/packet/af_packet.c:3662
 SYSC_setsockopt+0x4b8/0x570 net/socket.c:1849
 SyS_setsockopt+0x76/0xa0 net/socket.c:1828
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x449099
RSP: 002b:00007f42b5307ce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 000000000070003c RCX: 0000000000449099
RDX: 0000000000000005 RSI: 0000000000000107 RDI: 0000000000000003
RBP: 0000000000700038 R08: 000000000000001c R09: 0000000000000000
R10: 00000000200000c0 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000080eecf R14: 00007f42b53089c0 R15: 0000000000000001

Local variable description: ----req_u@packet_setsockopt
Variable was created at:
 packet_setsockopt+0x13f/0x5a90 net/packet/af_packet.c:3612
 SYSC_setsockopt+0x4b8/0x570 net/socket.c:1849

Fixes: f6fb8f100b ("af-packet: TPACKET_V3 flexible buffer implementation.")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-07-27 21:48:52 +02:00
Padma, Santhosh Kumar dfa2e3b624 qcacld-2.0: Fix RSSI issue during 11R roaming
prima to qcacld-2.0 propagation

Currently, the variable hdd_ReassocScenario is not reset during
11r roaming. This causes the rssi value to be stale during 11r roaming,
as rssi doesn't get updated when hdd_ReassocScenario is set
in wlan_hdd_get_roam_rssi/wlan_hdd_get_rssi. Check for
11r association using pRoamInfo->is11rAssoc as well before resetting
hdd_ReassocScenario. This check for 11R association allows
rssi to be updated during 11r roaming.

Also, add a check for 11r association to allow other functionality
during key complete for 11r roaming.

Change-Id: Ie1b4b205618d6744a15cd27e2b8f1391f76564c9
CRs-Fixed: 978677
2019-07-27 21:48:52 +02:00
Padma, Santhosh Kumar 8f24f07950 qcacld-2.0: Fix DTIM conversion during roaming
prima to qcacld-2.0 propagation

When SET_BSSKEY request comes first and then SET_STAKEY, variable
hdd_ReassocScenario is made false during SET_BSSKEY response. Because
of this, hdd_set_pwrparams API is not invoked to send power parameters
to FW. Hence, DTIM is switched from DTIM3 to DTIM1 during roaming.
Fix this by modifying hdd_ReassocScenario to false only during SET_STAKEY
response.

Change-Id: I6c3d6a4798f1537d66612472240a778949c62015
CRs-Fixed: 879769
2019-07-27 21:48:52 +02:00