mirror of
https://github.com/coolsnowwolf/lede.git
synced 2025-04-16 04:13:31 +00:00
d05fbef769
* mac80211: backport security fixes
This mainly affects scanning and beacon parsing, especially with MBSSID enabled
Fixes: CVE-2022-41674
Fixes: CVE-2022-42719
Fixes: CVE-2022-42720
Fixes: CVE-2022-42721
Fixes: CVE-2022-42722
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry-picked from commit 26f400210d6b3780fcc0deb89b9741837df9c8b8)
* mac80211: refresh patches
355-wifi-cfg80211-fix-BSS-refcounting-bugs.patch - 5a52384a51
Co-authored-by: Felix Fietkau <nbd@nbd.name>
Co-authored-by: 1054009064 <1054009064@users.noreply.github.com>
90 lines
2.3 KiB
Diff
90 lines
2.3 KiB
Diff
--- a/drivers/net/wireless/realtek/rtw88/debug.c
|
|
+++ b/drivers/net/wireless/realtek/rtw88/debug.c
|
|
@@ -379,7 +379,9 @@ static ssize_t rtw_debugfs_set_h2c(struc
|
|
return -EINVAL;
|
|
}
|
|
|
|
+ mutex_lock(&rtwdev->mutex);
|
|
rtw_fw_h2c_cmd_dbg(rtwdev, param);
|
|
+ mutex_unlock(&rtwdev->mutex);
|
|
|
|
return count;
|
|
}
|
|
--- a/drivers/net/wireless/realtek/rtw88/fw.c
|
|
+++ b/drivers/net/wireless/realtek/rtw88/fw.c
|
|
@@ -285,7 +285,7 @@ static void rtw_fw_send_h2c_command(stru
|
|
h2c[3], h2c[2], h2c[1], h2c[0],
|
|
h2c[7], h2c[6], h2c[5], h2c[4]);
|
|
|
|
- spin_lock(&rtwdev->h2c.lock);
|
|
+ lockdep_assert_held(&rtwdev->mutex);
|
|
|
|
box = rtwdev->h2c.last_box_num;
|
|
switch (box) {
|
|
@@ -307,7 +307,7 @@ static void rtw_fw_send_h2c_command(stru
|
|
break;
|
|
default:
|
|
WARN(1, "invalid h2c mail box number\n");
|
|
- goto out;
|
|
+ return;
|
|
}
|
|
|
|
ret = read_poll_timeout_atomic(rtw_read8, box_state,
|
|
@@ -316,7 +316,7 @@ static void rtw_fw_send_h2c_command(stru
|
|
|
|
if (ret) {
|
|
rtw_err(rtwdev, "failed to send h2c command\n");
|
|
- goto out;
|
|
+ return;
|
|
}
|
|
|
|
for (idx = 0; idx < 4; idx++)
|
|
@@ -326,9 +326,6 @@ static void rtw_fw_send_h2c_command(stru
|
|
|
|
if (++rtwdev->h2c.last_box_num >= 4)
|
|
rtwdev->h2c.last_box_num = 0;
|
|
-
|
|
-out:
|
|
- spin_unlock(&rtwdev->h2c.lock);
|
|
}
|
|
|
|
void rtw_fw_h2c_cmd_dbg(struct rtw_dev *rtwdev, u8 *h2c)
|
|
@@ -340,15 +337,13 @@ static void rtw_fw_send_h2c_packet(struc
|
|
{
|
|
int ret;
|
|
|
|
- spin_lock(&rtwdev->h2c.lock);
|
|
+ lockdep_assert_held(&rtwdev->mutex);
|
|
|
|
FW_OFFLOAD_H2C_SET_SEQ_NUM(h2c_pkt, rtwdev->h2c.seq);
|
|
ret = rtw_hci_write_data_h2c(rtwdev, h2c_pkt, H2C_PKT_SIZE);
|
|
if (ret)
|
|
rtw_err(rtwdev, "failed to send h2c packet\n");
|
|
rtwdev->h2c.seq++;
|
|
-
|
|
- spin_unlock(&rtwdev->h2c.lock);
|
|
}
|
|
|
|
void
|
|
--- a/drivers/net/wireless/realtek/rtw88/main.c
|
|
+++ b/drivers/net/wireless/realtek/rtw88/main.c
|
|
@@ -1839,7 +1839,6 @@ int rtw_core_init(struct rtw_dev *rtwdev
|
|
skb_queue_head_init(&rtwdev->coex.queue);
|
|
skb_queue_head_init(&rtwdev->tx_report.queue);
|
|
|
|
- spin_lock_init(&rtwdev->h2c.lock);
|
|
spin_lock_init(&rtwdev->txq_lock);
|
|
spin_lock_init(&rtwdev->tx_report.q_lock);
|
|
|
|
--- a/drivers/net/wireless/realtek/rtw88/main.h
|
|
+++ b/drivers/net/wireless/realtek/rtw88/main.h
|
|
@@ -1865,8 +1865,6 @@ struct rtw_dev {
|
|
struct {
|
|
/* incicate the mail box to use with fw */
|
|
u8 last_box_num;
|
|
- /* protect to send h2c to fw */
|
|
- spinlock_t lock;
|
|
u32 seq;
|
|
} h2c;
|
|
|