Message-ID: <20250429022046.1656056-3-megi@xff.cz>
Date: Tue, 29 Apr 2025 04:20:33 +0200
From: Ondřej Jirman <megi@....cz>
To: Ping-Ke Shih <pkshih@...ltek.com>
Cc: Ondrej Jirman <megi@....cz>,
	linux-wireless@...r.kernel.org,
	linux-kernel@...r.kernel.org
Subject: [PATCH v2 2/2] wifi: rtw89: Fix inadverent sharing of struct ieee80211_supported_band data

From: Ondrej Jirman <megi@....cz>

Internally, wiphy writes to individual channels in this structure,
so we must not share one static definition of the channel list between
multiple device instances, because that causes hard-to-debug
breakage.

For example, with two rtw89 driven devices in the system, channel
information may get incoherent, preventing channel use.

Signed-off-by: Ondrej Jirman <megi@....cz>
---
 drivers/net/wireless/realtek/rtw89/core.c | 33 +++++++++++++++++++----
 1 file changed, 28 insertions(+), 5 deletions(-)

diff --git a/drivers/net/wireless/realtek/rtw89/core.c b/drivers/net/wireless/realtek/rtw89/core.c
index b164bc767e82..48e21a3549ff 100644
--- a/drivers/net/wireless/realtek/rtw89/core.c
+++ b/drivers/net/wireless/realtek/rtw89/core.c
@@ -4400,17 +4400,40 @@ static int rtw89_init_he_eht_cap(struct rtw89_dev *rtwdev,
 	return 0;
 }
 
+static struct ieee80211_supported_band *
+rtw89_core_sband_dup(struct rtw89_dev *rtwdev,
+		     const struct ieee80211_supported_band *sband)
+{
+	struct ieee80211_supported_band *dup;
+
+	dup = devm_kmemdup(rtwdev->dev, sband, sizeof(*sband), GFP_KERNEL);
+	if (!dup)
+		return NULL;
+
+	dup->channels = devm_kmemdup(rtwdev->dev, sband->channels,
+				     sizeof(struct ieee80211_channel) * sband->n_channels,
+				     GFP_KERNEL);
+	if (!dup->channels)
+		return NULL;
+
+	dup->bitrates = devm_kmemdup(rtwdev->dev, sband->bitrates,
+				     sizeof(struct ieee80211_rate) * sband->n_bitrates,
+				     GFP_KERNEL);
+	if (!dup->bitrates)
+		return NULL;
+
+	return dup;
+}
+
 static int rtw89_core_set_supported_band(struct rtw89_dev *rtwdev)
 {
 	struct ieee80211_hw *hw = rtwdev->hw;
 	struct ieee80211_supported_band *sband;
-	u32 size = sizeof(struct ieee80211_supported_band);
 	u8 support_bands = rtwdev->chip->support_bands;
-	struct device *dev = rtwdev->dev;
 	int ret;
 
 	if (support_bands & BIT(NL80211_BAND_2GHZ)) {
-		sband = devm_kmemdup(dev, &rtw89_sband_2ghz, size, GFP_KERNEL);
+		sband = rtw89_core_sband_dup(rtwdev, &rtw89_sband_2ghz);
 		if (!sband)
 			return -ENOMEM;
 		rtw89_init_ht_cap(rtwdev, &sband->ht_cap);
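Review bot: The two array copies in rtw89_core_sband_dup() open-code their length as `sizeof(struct ieee80211_channel) * sband->n_channels` (and likewise for bitrates); `array_size(sband->n_channels, sizeof(*sband->channels))` would saturate instead of wrapping and keeps the element size tied to the pointer's type. The counts appear to come from the driver's own static tables, so this is hardening rather than a reachable overflow. The helper also deserves a comment saying why a shallow copy is not enough, e.g. `/* wiphy code writes to individual channels, so each device needs private copies of the arrays */`. When the second or third allocation fails, the helper returns NULL while the earlier devm allocations stay bound to the device until it is released, which is acceptable only as long as every caller treats NULL as fatal, as the `return -ENOMEM` visible here does. The body of rtw89_core_set_supported_band() continues outside this hunk.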
@@ -4421,7 +4444,7 @@ static int rtw89_core_set_supported_band(struct rtw89_dev *rtwdev)
 	}
 
 	if (support_bands & BIT(NL80211_BAND_5GHZ)) {
-		sband = devm_kmemdup(dev, &rtw89_sband_5ghz, size, GFP_KERNEL);
+		sband = rtw89_core_sband_dup(rtwdev, &rtw89_sband_5ghz);
 		if (!sband)
 			return -ENOMEM;
 		rtw89_init_ht_cap(rtwdev, &sband->ht_cap);
@@ -4433,7 +4456,7 @@ static int rtw89_core_set_supported_band(struct rtw89_dev *rtwdev)
 	}
 
 	if (support_bands & BIT(NL80211_BAND_6GHZ)) {
-		sband = devm_kmemdup(dev, &rtw89_sband_6ghz, size, GFP_KERNEL);
+		sband = rtw89_core_sband_dup(rtwdev, &rtw89_sband_6ghz);
 		if (!sband)
 			return -ENOMEM;
 		ret = rtw89_init_he_eht_cap(rtwdev, NL80211_BAND_6GHZ, sband);
-- 
2.49.0

