Merge tag 'wireless-2026-05-06' of https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless

Johannes Berg says:

====================
Quite a number of fixes now:
- mac80211
- remove HT NSS validation to work with broken APs
(with a kunit fix now)
- remove 'static' that could cause races
- check station link lookup before further processing
- fix use-after-free due to delete in list iteration
- remove AP station on assoc failures to fix crashes
- ath12k
- fix OF node refcount imbalance
- fix queue flush ("REO update") in MLO
- fix RCU assert
- ath12k:
- fix Kconfig with POWER_SEQUENCING
- fix WMI buffer leaks on error conditions
- don't use uninitialized stack data when processing RSSI events
- fix logic for determining the peer ID in the RX path
- ath5k: fix a potential stack buffer overwrite
- rsi: fix thread lifetime race
- brcmfmac: fix potential UAF
- nl80211:
- stricter permissions/checks for PMK and netns
- fix netlink policy vs. code type confusion
- cw1200: revert a broken locking change
- various fixes to not trust values from firmware

* tag 'wireless-2026-05-06' of https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless: (25 commits)
wifi: nl80211: re-check wiphy netns in nl80211_prepare_wdev_dump() continuation
wifi: nl80211: require CAP_NET_ADMIN over the target netns in SET_WIPHY_NETNS
wifi: nl80211: fix NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST usage
wifi: mac80211: remove station if connection prep fails
wifi: mac80211: use safe list iteration in radar detect work
wifi: libertas: notify firmware load wait on disconnect
wifi: ath5k: do not access array OOB
wifi: ath12k: fix peer_id usage in normal RX path
wifi: ath12k: initialize RSSI dBm conversion event state
wifi: ath12k: fix leak in some ath12k_wmi_xxx() functions
wifi: cw1200: Revert "Fix locking in error paths"
wifi: mac80211: tests: mark HT check strict
wifi: rsi: fix kthread lifetime race between self-exit and external-stop
wifi: mac80211: drop stray 'static' from fast-RX rx_result
wifi: mac80211: check ieee80211_rx_data_set_link return in pubsta MLO path
wifi: nl80211: require admin perm on SET_PMK / DEL_PMK
wifi: libertas: fix integer underflow in process_cmdrequest()
wifi: b43legacy: enforce bounds check on firmware key index in RX path
wifi: b43: enforce bounds check on firmware key index in b43_rx()
wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task
...
====================

Link: https://patch.msgid.link/20260506110325.219675-3-johannes@sipsolutions.net
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

+208 -70
+1
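--- a/drivers/net/wireless/ath/ath10k/Kconfig
+++ b/drivers/net/wireless/ath/ath10k/Kconfig
@@ -46,6 +46,7 @@
 depends on ARCH_QCOM || COMPILE_TEST
 depends on QCOM_SMEM
 depends on QCOM_RPROC_COMMON || QCOM_RPROC_COMMON=n
+select POWER_SEQUENCING
 select QCOM_SCM
 select QCOM_QMI_HELPERS
 help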
+48 -29
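--- a/drivers/net/wireless/ath/ath12k/core.c
+++ b/drivers/net/wireless/ath/ath12k/core.c
@@ -1838,10 +1838,22 @@
 return ag;
 }
 
+static void ath12k_core_free_wsi_info(struct ath12k_hw_group *ag)
+{
+int i;
+
+for (i = 0; i < ag->num_devices; i++) {
+of_node_put(ag->wsi_node[i]);
+ag->wsi_node[i] = NULL;
+}
+ag->num_devices = 0;
+}
+
 static void ath12k_core_hw_group_free(struct ath12k_hw_group *ag)
 {
 mutex_lock(&ath12k_hw_group_mutex);
 
+ath12k_core_free_wsi_info(ag);
 list_del(&ag->list);
 kfree(ag);
 
@@ -1867,52 +1879,59 @@
 static int ath12k_core_get_wsi_info(struct ath12k_hw_group *ag,
 struct ath12k_base *ab)
 {
-struct device_node *wsi_dev = ab->dev->of_node, *next_wsi_dev;
-struct device_node *tx_endpoint, *next_rx_endpoint;
-int device_count = 0;
+struct device_node *next_wsi_dev;
+int device_count = 0, ret = 0;
+struct device_node *wsi_dev;
 
-next_wsi_dev = wsi_dev;
-
-if (!next_wsi_dev)
+wsi_dev = of_node_get(ab->dev->of_node);
+if (!wsi_dev)
 return -ENODEV;
 
 do {
-ag->wsi_node[device_count] = next_wsi_dev;
+if (device_count >= ATH12K_MAX_DEVICES) {
+ath12k_warn(ab, "device count in DT %d is more than limit %d\n",
+device_count, ATH12K_MAX_DEVICES);
+ret = -EINVAL;
+break;
+}
 
-tx_endpoint = of_graph_get_endpoint_by_regs(next_wsi_dev, 0, -1);
+ag->wsi_node[device_count++] = of_node_get(wsi_dev);
+
+struct device_node *tx_endpoint __free(device_node) =
+of_graph_get_endpoint_by_regs(wsi_dev, 0, -1);
 if (!tx_endpoint) {
-of_node_put(next_wsi_dev);
-return -ENODEV;
+ret = -ENODEV;
+break;
 }
 
-next_rx_endpoint = of_graph_get_remote_endpoint(tx_endpoint);
+struct device_node *next_rx_endpoint __free(device_node) =
+of_graph_get_remote_endpoint(tx_endpoint);
 if (!next_rx_endpoint) {
-of_node_put(next_wsi_dev);
-of_node_put(tx_endpoint);
-return -ENODEV;
+ret = -ENODEV;
+break;
 }
-
-of_node_put(tx_endpoint);
-of_node_put(next_wsi_dev);
 
 next_wsi_dev = of_graph_get_port_parent(next_rx_endpoint);
 if (!next_wsi_dev) {
-of_node_put(next_rx_endpoint);
-return -ENODEV;
+ret = -ENODEV;
+break;
 }
 
-of_node_put(next_rx_endpoint);
+of_node_put(wsi_dev);
+wsi_dev = next_wsi_dev;
+} while (ab->dev->of_node != wsi_dev);
 
-device_count++;
-if (device_count > ATH12K_MAX_DEVICES) {
-ath12k_warn(ab, "device count in DT %d is more than limit %d\n",
-device_count, ATH12K_MAX_DEVICES);
-of_node_put(next_wsi_dev);
-return -EINVAL;
+if (ret) {
+while (--device_count >= 0) {
+of_node_put(ag->wsi_node[device_count]);
+ag->wsi_node[device_count] = NULL;
 }
-} while (wsi_dev != next_wsi_dev);
 
-of_node_put(next_wsi_dev);
+of_node_put(wsi_dev);
+return ret;
+}
+
+of_node_put(wsi_dev);
 ag->num_devices = device_count;
 
 return 0;
@@ -1983,9 +2002,9 @@
 ath12k_core_get_wsi_index(ag, ab)) {
 ath12k_dbg(ab, ATH12K_DBG_BOOT,
 "unable to get wsi info from dt, grouping single device");
+ath12k_core_free_wsi_info(ag);
 ag->id = ATH12K_INVALID_GROUP_ID;
 ag->num_devices = 1;
-memset(ag->wsi_node, 0, sizeof(ag->wsi_node));
 wsi->index = 0;
 }
 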
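Review bot: The error unwind at the end of ath12k_core_get_wsi_info() repeats the put-and-clear loop that the new ath12k_core_free_wsi_info() helper already implements. Setting `ag->num_devices = device_count;` before the `if (ret)` test and calling `ath12k_core_free_wsi_info(ag);` inside it would leave a single release path for ag->wsi_node[]. Separately, the single-device fallback in the last hunk sets `ag->num_devices = 1` right after the helper has cleared the array, so ath12k_core_hw_group_free() will later call of_node_put() on what appears to be a NULL entry. That is harmless because of_node_put() ignores NULL, but a short comment on the helper saying entries may be NULL would make the invariant explicit.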
+4 -1
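--- a/drivers/net/wireless/ath/ath12k/dp_rx.c
+++ b/drivers/net/wireless/ath/ath12k/dp_rx.c
@@ -565,6 +565,9 @@
 
 lockdep_assert_held(&dp->dp_lock);
 
+if (!peer->primary_link)
+return 0;
+
 elem = kzalloc_obj(*elem, GFP_ATOMIC);
 if (!elem)
 return -ENOMEM;
@@ -1337,7 +1340,7 @@
 bool is_mcbc = rxcb->is_mcbc;
 bool is_eapol = rxcb->is_eapol;
 
-peer = ath12k_dp_peer_find_by_peerid(dp_pdev, rx_info->peer_id);
+peer = ath12k_dp_peer_find_by_peerid(dp_pdev, rxcb->peer_id);
 
 pubsta = peer ? peer->sta : NULL;
 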
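Review bot: The new `if (!peer->primary_link) return 0;` guard in the first hunk reports success without queuing anything, and nothing in the hunk says why. A comment above it, for example `/* non-primary link peers are skipped here; returning 0 is not an error */`, would tell callers that 0 can mean "nothing was done"; the exact reason should be taken from the original commit, since it is not visible on this page. The enclosing function starts and ends outside the hunk.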
+1 -1
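--- a/drivers/net/wireless/ath/ath12k/mac.c
+++ b/drivers/net/wireless/ath/ath12k/mac.c
@@ -788,7 +788,7 @@
 
 /* To use the arvif returned, caller must have held rcu read lock.
 */
-WARN_ON(!rcu_read_lock_any_held());
+lockdep_assert_in_rcu_read_lock();
 arvif_iter.vdev_id = vdev_id;
 arvif_iter.ar = ar;
 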
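Review bot: `lockdep_assert_in_rcu_read_lock()` is, as far as I know, evaluated only on lockdep-enabled builds and checks for a plain rcu_read_lock() section, whereas the `rcu_read_lock_any_held()` it replaces also accepted the bh and sched flavours. The contract is therefore narrower than the comment above it states. If every caller really uses plain rcu_read_lock(), the comment could say so, e.g. `/* Caller must hold rcu_read_lock(); verified by lockdep only. */`. The same replacement is made in drivers/net/wireless/ath/ath12k/p2p.c, and the enclosing function extends beyond this hunk.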
+1 -1
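--- a/drivers/net/wireless/ath/ath12k/p2p.c
+++ b/drivers/net/wireless/ath/ath12k/p2p.c
@@ -123,7 +123,7 @@
 struct ath12k_p2p_noa_arg *arg = data;
 struct ath12k_link_vif *arvif;
 
-WARN_ON(!rcu_read_lock_any_held());
+lockdep_assert_in_rcu_read_lock();
 arvif = &ahvif->deflink;
 if (!arvif->is_created || arvif->ar != arg->ar || arvif->vdev_id != arg->vdev_id)
 return;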
+89 -16
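--- a/drivers/net/wireless/ath/ath12k/wmi.c
+++ b/drivers/net/wireless/ath/ath12k/wmi.c
@@ -9778,7 +9778,7 @@
 ath12k_wmi_rssi_dbm_conversion_params_info_event(struct ath12k_base *ab,
 struct sk_buff *skb)
 {
-struct ath12k_wmi_rssi_dbm_conv_info_arg rssi_info;
+struct ath12k_wmi_rssi_dbm_conv_info_arg rssi_info = {};
 struct ath12k *ar;
 s32 noise_floor;
 u32 pdev_id;
@@ -10251,7 +10251,7 @@
 {
 struct wmi_hw_data_filter_cmd *cmd;
 struct sk_buff *skb;
-int len;
+int ret, len;
 
 len = sizeof(*cmd);
 skb = ath12k_wmi_alloc_skb(ar->wmi->wmi_ab, len);
@@ -10275,7 +10275,13 @@
 "wmi hw data filter enable %d filter_bitmap 0x%x\n",
 arg->enable, arg->hw_filter_bitmap);
 
-return ath12k_wmi_cmd_send(ar->wmi, skb, WMI_HW_DATA_FILTER_CMDID);
+ret = ath12k_wmi_cmd_send(ar->wmi, skb, WMI_HW_DATA_FILTER_CMDID);
+if (ret) {
+ath12k_warn(ar->ab, "failed to send WMI_HW_DATA_FILTER_CMDID\n");
+dev_kfree_skb(skb);
+}
+
+return ret;
 }
 
 int ath12k_wmi_wow_host_wakeup_ind(struct ath12k *ar)
@@ -10283,6 +10289,7 @@
 struct wmi_wow_host_wakeup_cmd *cmd;
 struct sk_buff *skb;
 size_t len;
+int ret;
 
 len = sizeof(*cmd);
 skb = ath12k_wmi_alloc_skb(ar->wmi->wmi_ab, len);
@@ -10295,14 +10302,20 @@
 
 ath12k_dbg(ar->ab, ATH12K_DBG_WMI, "wmi tlv wow host wakeup ind\n");
 
-return ath12k_wmi_cmd_send(ar->wmi, skb, WMI_WOW_HOSTWAKEUP_FROM_SLEEP_CMDID);
+ret = ath12k_wmi_cmd_send(ar->wmi, skb, WMI_WOW_HOSTWAKEUP_FROM_SLEEP_CMDID);
+if (ret) {
+ath12k_warn(ar->ab, "failed to send WMI_WOW_HOSTWAKEUP_FROM_SLEEP_CMDID\n");
+dev_kfree_skb(skb);
+}
+
+return ret;
 }
 
 int ath12k_wmi_wow_enable(struct ath12k *ar)
 {
 struct wmi_wow_enable_cmd *cmd;
 struct sk_buff *skb;
-int len;
+int ret, len;
 
 len = sizeof(*cmd);
 skb = ath12k_wmi_alloc_skb(ar->wmi->wmi_ab, len);
@@ -10317,7 +10330,13 @@
 cmd->pause_iface_config = cpu_to_le32(WOW_IFACE_PAUSE_ENABLED);
 ath12k_dbg(ar->ab, ATH12K_DBG_WMI, "wmi tlv wow enable\n");
 
-return ath12k_wmi_cmd_send(ar->wmi, skb, WMI_WOW_ENABLE_CMDID);
+ret = ath12k_wmi_cmd_send(ar->wmi, skb, WMI_WOW_ENABLE_CMDID);
+if (ret) {
+ath12k_warn(ar->ab, "failed to send WMI_WOW_ENABLE_CMDID\n");
+dev_kfree_skb(skb);
+}
+
+return ret;
 }
 
 int ath12k_wmi_wow_add_wakeup_event(struct ath12k *ar, u32 vdev_id,
@@ -10327,6 +10346,7 @@
 struct wmi_wow_add_del_event_cmd *cmd;
 struct sk_buff *skb;
 size_t len;
+int ret;
 
 len = sizeof(*cmd);
 skb = ath12k_wmi_alloc_skb(ar->wmi->wmi_ab, len);
@@ -10343,7 +10363,13 @@
 ath12k_dbg(ar->ab, ATH12K_DBG_WMI, "wmi tlv wow add wakeup event %s enable %d vdev_id %d\n",
 wow_wakeup_event(event), enable, vdev_id);
 
-return ath12k_wmi_cmd_send(ar->wmi, skb, WMI_WOW_ENABLE_DISABLE_WAKE_EVENT_CMDID);
+ret = ath12k_wmi_cmd_send(ar->wmi, skb, WMI_WOW_ENABLE_DISABLE_WAKE_EVENT_CMDID);
+if (ret) {
+ath12k_warn(ar->ab, "failed to send WMI_WOW_ENABLE_DISABLE_WAKE_EVENT_CMDID\n");
+dev_kfree_skb(skb);
+}
+
+return ret;
 }
 
 int ath12k_wmi_wow_add_pattern(struct ath12k *ar, u32 vdev_id, u32 pattern_id,
@@ -10356,6 +10382,7 @@
 struct sk_buff *skb;
 void *ptr;
 size_t len;
+int ret;
 
 len = sizeof(*cmd) +
 sizeof(*tlv) + /* array struct */
@@ -10435,7 +10462,13 @@
 ath12k_dbg_dump(ar->ab, ATH12K_DBG_WMI, NULL, "wow bitmask: ",
 bitmap->bitmaskbuf, pattern_len);
 
-return ath12k_wmi_cmd_send(ar->wmi, skb, WMI_WOW_ADD_WAKE_PATTERN_CMDID);
+ret = ath12k_wmi_cmd_send(ar->wmi, skb, WMI_WOW_ADD_WAKE_PATTERN_CMDID);
+if (ret) {
+ath12k_warn(ar->ab, "failed to send WMI_WOW_ADD_WAKE_PATTERN_CMDID\n");
+dev_kfree_skb(skb);
+}
+
+return ret;
 }
 
 int ath12k_wmi_wow_del_pattern(struct ath12k *ar, u32 vdev_id, u32 pattern_id)
@@ -10443,6 +10476,7 @@
 struct wmi_wow_del_pattern_cmd *cmd;
 struct sk_buff *skb;
 size_t len;
+int ret;
 
 len = sizeof(*cmd);
 skb = ath12k_wmi_alloc_skb(ar->wmi->wmi_ab, len);
@@ -10459,7 +10493,13 @@
 ath12k_dbg(ar->ab, ATH12K_DBG_WMI, "wmi tlv wow del pattern vdev_id %d pattern_id %d\n",
 vdev_id, pattern_id);
 
-return ath12k_wmi_cmd_send(ar->wmi, skb, WMI_WOW_DEL_WAKE_PATTERN_CMDID);
+ret = ath12k_wmi_cmd_send(ar->wmi, skb, WMI_WOW_DEL_WAKE_PATTERN_CMDID);
+if (ret) {
+ath12k_warn(ar->ab, "failed to send WMI_WOW_DEL_WAKE_PATTERN_CMDID\n");
+dev_kfree_skb(skb);
+}
+
+return ret;
 }
 
 static struct sk_buff *
@@ -10595,6 +10635,7 @@
 struct wmi_pno_scan_req_arg *pno_scan)
 {
 struct sk_buff *skb;
+int ret;
 
 if (pno_scan->enable)
 skb = ath12k_wmi_op_gen_config_pno_start(ar, vdev_id, pno_scan);
@@ -10604,7 +10645,13 @@
 if (IS_ERR_OR_NULL(skb))
 return -ENOMEM;
 
-return ath12k_wmi_cmd_send(ar->wmi, skb, WMI_NETWORK_LIST_OFFLOAD_CONFIG_CMDID);
+ret = ath12k_wmi_cmd_send(ar->wmi, skb, WMI_NETWORK_LIST_OFFLOAD_CONFIG_CMDID);
+if (ret) {
+ath12k_warn(ar->ab, "failed to send WMI_NETWORK_LIST_OFFLOAD_CONFIG_CMDID\n");
+dev_kfree_skb(skb);
+}
+
+return ret;
 }
 
 static void ath12k_wmi_fill_ns_offload(struct ath12k *ar,
@@ -10717,6 +10764,7 @@
 void *buf_ptr;
 size_t len;
 u8 ns_cnt, ns_ext_tuples = 0;
+int ret;
 
 ns_cnt = offload->ipv6_count;
 
@@ -10752,7 +10800,13 @@
 if (ns_ext_tuples)
 ath12k_wmi_fill_ns_offload(ar, offload, &buf_ptr, enable, 1);
 
-return ath12k_wmi_cmd_send(ar->wmi, skb, WMI_SET_ARP_NS_OFFLOAD_CMDID);
+ret = ath12k_wmi_cmd_send(ar->wmi, skb, WMI_SET_ARP_NS_OFFLOAD_CMDID);
+if (ret) {
+ath12k_warn(ar->ab, "failed to send WMI_SET_ARP_NS_OFFLOAD_CMDID\n");
+dev_kfree_skb(skb);
+}
+
+return ret;
 }
 
 int ath12k_wmi_gtk_rekey_offload(struct ath12k *ar,
@@ -10762,7 +10816,7 @@
 struct wmi_gtk_rekey_offload_cmd *cmd;
 struct sk_buff *skb;
 __le64 replay_ctr;
-int len;
+int ret, len;
 
 len = sizeof(*cmd);
 skb = ath12k_wmi_alloc_skb(ar->wmi->wmi_ab, len);
@@ -10789,7 +10843,13 @@
 
 ath12k_dbg(ar->ab, ATH12K_DBG_WMI, "offload gtk rekey vdev: %d %d\n",
 arvif->vdev_id, enable);
-return ath12k_wmi_cmd_send(ar->wmi, skb, WMI_GTK_OFFLOAD_CMDID);
+ret = ath12k_wmi_cmd_send(ar->wmi, skb, WMI_GTK_OFFLOAD_CMDID);
+if (ret) {
+ath12k_warn(ar->ab, "failed to send WMI_GTK_OFFLOAD_CMDID offload\n");
+dev_kfree_skb(skb);
+}
+
+return ret;
 }
 
 int ath12k_wmi_gtk_rekey_getinfo(struct ath12k *ar,
@@ -10797,7 +10857,7 @@
 {
 struct wmi_gtk_rekey_offload_cmd *cmd;
 struct sk_buff *skb;
-int len;
+int ret, len;
 
 len = sizeof(*cmd);
 skb = ath12k_wmi_alloc_skb(ar->wmi->wmi_ab, len);
@@ -10811,7 +10871,13 @@
 
 ath12k_dbg(ar->ab, ATH12K_DBG_WMI, "get gtk rekey vdev_id: %d\n",
 arvif->vdev_id);
-return ath12k_wmi_cmd_send(ar->wmi, skb, WMI_GTK_OFFLOAD_CMDID);
+ret = ath12k_wmi_cmd_send(ar->wmi, skb, WMI_GTK_OFFLOAD_CMDID);
+if (ret) {
+ath12k_warn(ar->ab, "failed to send WMI_GTK_OFFLOAD_CMDID getinfo\n");
+dev_kfree_skb(skb);
+}
+
+return ret;
 }
 
 int ath12k_wmi_sta_keepalive(struct ath12k *ar,
@@ -10822,6 +10888,7 @@
 struct wmi_sta_keepalive_cmd *cmd;
 struct sk_buff *skb;
 size_t len;
+int ret;
 
 len = sizeof(*cmd) + sizeof(*arp);
 skb = ath12k_wmi_alloc_skb(wmi->wmi_ab, len);
@@ -10849,7 +10916,13 @@
 "wmi sta keepalive vdev %d enabled %d method %d interval %d\n",
 arg->vdev_id, arg->enabled, arg->method, arg->interval);
 
-return ath12k_wmi_cmd_send(wmi, skb, WMI_STA_KEEPALIVE_CMDID);
+ret = ath12k_wmi_cmd_send(wmi, skb, WMI_STA_KEEPALIVE_CMDID);
+if (ret) {
+ath12k_warn(ar->ab, "failed to send WMI_STA_KEEPALIVE_CMDID\n");
+dev_kfree_skb(skb);
+}
+
+return ret;
 }
 
 int ath12k_wmi_mlo_setup(struct ath12k *ar, struct wmi_mlo_setup_arg *mlo_params)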
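Review bot: The new warnings drop the error code, so a log line such as "failed to send WMI_HW_DATA_FILTER_CMDID" cannot tell apart the different failures ath12k_wmi_cmd_send() may return. Include it, e.g. `ath12k_warn(ar->ab, "failed to send WMI_HW_DATA_FILTER_CMDID: %d\n", ret);`, and likewise at the other ten send sites this section touches. The same send / warn / dev_kfree_skb() sequence is now repeated at all eleven sites, so a small static helper taking the command id would keep the free-on-error rule in one place and make a missed site easier to spot in review.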
+2 -1
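--- a/drivers/net/wireless/ath/ath5k/base.c
+++ b/drivers/net/wireless/ath/ath5k/base.c
@@ -1738,7 +1738,8 @@
 }
 
 info->status.rates[ts->ts_final_idx].count = ts->ts_final_retry;
-info->status.rates[ts->ts_final_idx + 1].idx = -1;
+if (ts->ts_final_idx + 1 < IEEE80211_TX_MAX_RATES)
+info->status.rates[ts->ts_final_idx + 1].idx = -1;
 
 if (unlikely(ts->ts_status)) {
 ah->stats.ack_fail++;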
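Review bot: Only the `ts->ts_final_idx + 1` store is guarded; the store on the line above it, `info->status.rates[ts->ts_final_idx].count = ts->ts_final_retry;`, still indexes with ts_final_idx unchecked in this hunk. If that field is filled from the hardware TX status and nothing earlier in the function bounds it (the function starts outside the hunk), the same array can still be written one slot past its end. A test such as `if (ts->ts_final_idx >= IEEE80211_TX_MAX_RATES)` placed ahead of both stores would cover the two writes with one check.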
+2 -1
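--- a/drivers/net/wireless/broadcom/b43/xmit.c
+++ b/drivers/net/wireless/broadcom/b43/xmit.c
@@ -702,7 +702,8 @@
 * key index, but the ucode passed it slightly different.
 */
 keyidx = b43_kidx_to_raw(dev, keyidx);
-B43_WARN_ON(keyidx >= ARRAY_SIZE(dev->key));
+if (B43_WARN_ON(keyidx >= ARRAY_SIZE(dev->key)))
+goto drop;
 
 if (dev->key[keyidx].algorithm != B43_SEC_ALGO_NONE) {
 wlhdr_len = ieee80211_hdrlen(fctl);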
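Review bot: The out-of-range index is now dropped, but it is still reported through `B43_WARN_ON()` even though the comment above says the value comes from the ucode. If that macro expands to WARN_ON() in debug builds (its definition is not in this hunk), each bad frame produces a stack trace, and a system running with panic_on_warn halts on it. For device-supplied data a plain test, `if (keyidx >= ARRAY_SIZE(dev->key))` followed by `goto drop;`, with a rate-limited driver error message, is the safer report. The same pattern is added in drivers/net/wireless/broadcom/b43legacy/xmit.c, and the enclosing function extends beyond the hunk.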
+2 -1
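--- a/drivers/net/wireless/broadcom/b43legacy/xmit.c
+++ b/drivers/net/wireless/broadcom/b43legacy/xmit.c
@@ -476,7 +476,8 @@
 * key index, but the ucode passed it slightly different.
 */
 keyidx = b43legacy_kidx_to_raw(dev, keyidx);
-B43legacy_WARN_ON(keyidx >= dev->max_nr_keys);
+if (B43legacy_WARN_ON(keyidx >= dev->max_nr_keys))
+goto drop;
 
 if (dev->key[keyidx].algorithm != B43legacy_SEC_ALGO_NONE) {
 /* Remove PROTECTED flag to mark it as decrypted. */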
+4 -2
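--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
@@ -2476,8 +2476,9 @@
 brcmf_dbg(TRACE, "Enter\n");
 
 if (bus->watchdog_tsk) {
+get_task_struct(bus->watchdog_tsk);
 send_sig(SIGTERM, bus->watchdog_tsk, 1);
-kthread_stop(bus->watchdog_tsk);
+kthread_stop_put(bus->watchdog_tsk);
 bus->watchdog_tsk = NULL;
 }
 
@@ -4567,8 +4568,9 @@
 if (bus) {
 /* Stop watchdog task */
 if (bus->watchdog_tsk) {
+get_task_struct(bus->watchdog_tsk);
 send_sig(SIGTERM, bus->watchdog_tsk, 1);
-kthread_stop(bus->watchdog_tsk);
+kthread_stop_put(bus->watchdog_tsk);
 bus->watchdog_tsk = NULL;
 }
 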
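Review bot: Neither hunk records why a task reference is taken before the signal is sent. Presumably the watchdog thread can exit on SIGTERM before the stop call runs, so a comment above `get_task_struct()` such as `/* hold a reference: the thread may exit on SIGTERM before kthread_stop_put() */` would keep a later cleanup from folding the pair back into kthread_stop(). The identical four-line sequence now appears in both hunks, so a shared static helper would stop the two copies from diverging. Both enclosing functions extend beyond the hunks.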
+4 -2
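--- a/drivers/net/wireless/marvell/libertas/if_usb.c
+++ b/drivers/net/wireless/marvell/libertas/if_usb.c
@@ -310,6 +310,7 @@
 struct lbs_private *priv = cardp->priv;
 
 cardp->surprise_removed = 1;
+wake_up(&cardp->fw_wq);
 
 if (priv) {
 lbs_stop_card(priv);
@@ -633,9 +634,10 @@
 unsigned long flags;
 u8 i;
 
-if (recvlength > LBS_CMD_BUFFER_SIZE) {
+if (recvlength < MESSAGE_HEADER_LEN ||
+recvlength > LBS_CMD_BUFFER_SIZE) {
 lbs_deb_usbd(&cardp->udev->dev,
-"The receive buffer is too large\n");
+"The receive buffer is invalid: %d\n", recvlength);
 kfree_skb(skb);
 return;
 }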
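Review bot: The `wake_up(&cardp->fw_wq);` added after `cardp->surprise_removed = 1;` only helps if the sleeper's wait condition also tests surprise_removed, and that wait site is not shown in this section. If the condition checks only a firmware-ready flag, the woken task re-evaluates it and goes straight back to sleep. A comment next to the wake_up naming the wait site and the condition it re-checks would make the pairing reviewable. Both enclosing functions extend beyond the hunks.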
+2 -3
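--- a/drivers/net/wireless/rsi/rsi_common.h
+++ b/drivers/net/wireless/rsi/rsi_common.h
@@ -70,12 +70,11 @@
 return 0;
 }
 
-static inline int rsi_kill_thread(struct rsi_thread *handle)
+static inline void rsi_kill_thread(struct rsi_thread *handle)
 {
 atomic_inc(&handle->thread_done);
 rsi_set_event(&handle->event);
-
-return kthread_stop(handle->task);
+wait_for_completion(&handle->completion);
 }
 
 void rsi_mac80211_detach(struct rsi_hw *hw);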
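Review bot: `wait_for_completion(&handle->completion);` has no timeout, so rsi_kill_thread() now blocks indefinitely unless the thread function signals handle->completion on every exit path. The signalling side is not in this hunk, and neither is what happens when the thread was never started or rsi_kill_thread() is called twice. The requirement belongs in a comment on the function, for example `/* The thread must complete handle->completion when it exits; this call waits for it. */`. The return type also changes from int to void, so any caller that still uses the old return value has to be updated in the same change.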
-2
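--- a/drivers/net/wireless/st/cw1200/pm.c
+++ b/drivers/net/wireless/st/cw1200/pm.c
@@ -264,14 +264,12 @@
 wiphy_err(priv->hw->wiphy,
 "PM request failed: %d. WoW is disabled.\n", ret);
 cw1200_wow_resume(hw);
-mutex_unlock(&priv->conf_mutex);
 return -EBUSY;
 }
 
 /* Force resume if event is coming from the device. */
 if (atomic_read(&priv->bh_rx)) {
 cw1200_wow_resume(hw);
-mutex_unlock(&priv->conf_mutex);
 return -EAGAIN;
 }
 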
+13 -5
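--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -438,6 +438,15 @@
 ieee80211_apply_htcap_overrides(sdata, &sta_ht_cap);
 
 /*
+* Some Xfinity XB8 firmware advertises >1 spatial stream MCS indexes in
+* their basic HT-MCS set. On cards with lower spatial streams, the check
+* would fail, and we'd be stuck with no HT when it in fact work fine with
+* its own supported rate. So check it only in strict mode.
+*/
+if (!ieee80211_hw_check(&sdata->local->hw, STRICT))
+return true;
+
+/*
 * P802.11REVme/D7.0 - 6.5.4.2.4
 * ...
 * If the MLME of an HT STA receives an MLME-JOIN.request primitive
@@ -9140,7 +9149,7 @@
 struct ieee80211_bss *bss = (void *)cbss->priv;
 struct sta_info *new_sta = NULL;
 struct ieee80211_link_data *link;
-bool have_sta = false;
+struct sta_info *have_sta = NULL;
 bool mlo;
 int err;
 u16 new_links;
@@ -9159,11 +9168,8 @@
 mlo = false;
 }
 
-if (assoc) {
-rcu_read_lock();
+if (assoc)
 have_sta = sta_info_get(sdata, ap_mld_addr);
-rcu_read_unlock();
-}
 
 if (mlo && !have_sta &&
 WARN_ON(sdata->vif.valid_links || sdata->vif.active_links))
@@ -9327,6 +9333,8 @@
 out_release_chan:
 ieee80211_link_release_channel(link);
 out_err:
+if (mlo && have_sta)
+WARN_ON(__sta_info_destroy(have_sta));
 ieee80211_vif_set_links(sdata, 0, 0);
 return err;
 }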
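Review bot: With the rcu_read_lock()/rcu_read_unlock() pair removed, `have_sta` becomes a raw sta_info pointer that is used again much later at `out_err` by `__sta_info_destroy(have_sta)`, so its lifetime now depends on a lock held across the whole function. These hunks do not say which lock that is. If it is the wiphy mutex, `lockdep_assert_wiphy(sdata->local->hw.wiphy);` next to the lookup, or a comment saying so, would document the assumption, unless the function already asserts it outside the hunks. A comment at `out_err` explaining why only the `mlo && have_sta` case destroys the station would also help, since the reason non-MLO stations are left in place is not visible here.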
+4 -2
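--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -4971,7 +4971,7 @@
 struct sk_buff *skb = rx->skb;
 struct ieee80211_hdr *hdr = (void *)skb->data;
 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
-static ieee80211_rx_result res;
+ieee80211_rx_result res;
 int orig_len = skb->len;
 int hdrlen = ieee80211_hdrlen(hdr->frame_control);
 int snap_offs = hdrlen;
@@ -5380,7 +5380,9 @@
 if (!link_sta)
 goto out;
 
-ieee80211_rx_data_set_link(&rx, link_sta->link_id);
+if (!ieee80211_rx_data_set_link(&rx,
+link_sta->link_id))
+goto out;
 }
 
 if (ieee80211_prepare_and_rx_handle(&rx, skb, true))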
+1
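--- a/net/mac80211/tests/chan-mode.c
+++ b/net/mac80211/tests/chan-mode.c
@@ -65,6 +65,7 @@
 .ht_capa_mask = {
 .mcs.rx_mask[0] = 0xf7,
 },
+.strict = true,
 }, {
 .desc = "Masking out a RX rate in VHT capabilities",
 .conn_mode = IEEE80211_CONN_MODE_EHT,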
+2 -2
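--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -3700,11 +3700,11 @@
 struct ieee80211_local *local =
 container_of(work, struct ieee80211_local, radar_detected_work);
 struct cfg80211_chan_def chandef;
-struct ieee80211_chanctx *ctx;
+struct ieee80211_chanctx *ctx, *tmp;
 
 lockdep_assert_wiphy(local->hw.wiphy);
 
-list_for_each_entry(ctx, &local->chanctx_list, list) {
+list_for_each_entry_safe(ctx, tmp, &local->chanctx_list, list) {
 if (ctx->replace_state == IEEE80211_CHANCTX_REPLACES_OTHER)
 continue;
 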
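Review bot: `list_for_each_entry_safe()` only tolerates removal of the current `ctx`; if the loop body can also free the entry cached in `tmp`, the iteration is still a use-after-free. The body is outside the hunk, so this cannot be checked from here. A comment above the loop naming the call that unlinks `ctx` from local->chanctx_list, and stating that it never removes any other entry, would make the safety argument explicit.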
+27
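--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -1276,6 +1276,18 @@
 rtnl_unlock();
 return -ENODEV;
 }
+
+/*
+* The first invocation validated the wdev's netns against
+* the caller via __cfg80211_wdev_from_attrs(). The wiphy
+* may have moved netns between dumpit invocations (via
+* NL80211_CMD_SET_WIPHY_NETNS), so re-check here.
+*/
+if (!net_eq(wiphy_net(wiphy), sock_net(cb->skb->sk))) {
+rtnl_unlock();
+return -ENODEV;
+}
+
 *rdev = wiphy_to_rdev(wiphy);
 *wdev = NULL;
 
@@ -13867,6 +13879,19 @@
 if (IS_ERR(net))
 return PTR_ERR(net);
 
+/*
+* The caller already has CAP_NET_ADMIN over the source netns
+* (enforced by GENL_UNS_ADMIN_PERM on the genl op). Mirror the
+* convention used by net/core/rtnetlink.c::rtnl_get_net_ns_capable()
+* and require CAP_NET_ADMIN over the target netns as well, so that
+* a caller that is privileged in their own user namespace cannot
+* push a wiphy into a netns where they have no privilege.
+*/
+if (!ns_capable(net->user_ns, CAP_NET_ADMIN)) {
+put_net(net);
+return -EPERM;
+}
+
 err = 0;
 
 /* check if anything to do */
@@ -19828,6 +19853,7 @@
 .cmd = NL80211_CMD_SET_PMK,
 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
 .doit = nl80211_set_pmk,
+.flags = GENL_UNS_ADMIN_PERM,
 .internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
 NL80211_FLAG_CLEAR_SKB),
 },
@@ -19835,6 +19861,7 @@
 .cmd = NL80211_CMD_DEL_PMK,
 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
 .doit = nl80211_del_pmk,
+.flags = GENL_UNS_ADMIN_PERM,
 .internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
 },
 {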
+1 -1
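--- a/net/wireless/pmsr.c
+++ b/net/wireless/pmsr.c
@@ -88,7 +88,7 @@
 out->ftm.ftms_per_burst = 0;
 if (tb[NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST])
 out->ftm.ftms_per_burst =
-nla_get_u32(tb[NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST]);
+nla_get_u8(tb[NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST]);
 
 if (capa->ftm.max_ftms_per_burst &&
 (out->ftm.ftms_per_burst > capa->ftm.max_ftms_per_burst ||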