pm24.git/drivers/net/wireless/rsi/rsi_usb.h, branch rust-6.8

rsi: Fix out-of-bounds read in rsi_read_pkt()

2021-11-29T10:43:54Z

rsi_get_* functions rely on an offset variable from usb input. The size of usb input is RSI_MAX_RX_USB_PKT_SIZE(3000), while 2-byte offset can be up to 0xFFFF. Thus a large offset can cause out-of-bounds read. The patch adds a bound checking condition when rcv_pkt_len is 0, indicating it's USB. It's unclear whether this is triggerable from other type of bus. The following check might help in that case. offset > rcv_pkt_len - FRAME_DESC_SZ The bug is trigerrable with conpromised/malfunctioning USB devices. I tested the patch with the crashing input and got no more bug report. Attached is the KASAN report from fuzzing. BUG: KASAN: slab-out-of-bounds in rsi_read_pkt+0x42e/0x500 [rsi_91x] Read of size 2 at addr ffff888019439fdb by task RX-Thread/227 CPU: 0 PID: 227 Comm: RX-Thread Not tainted 5.6.0 #66 Call Trace: dump_stack+0x76/0xa0 print_address_description.constprop.0+0x16/0x200 ? rsi_read_pkt+0x42e/0x500 [rsi_91x] ? rsi_read_pkt+0x42e/0x500 [rsi_91x] __kasan_report.cold+0x37/0x7c ? rsi_read_pkt+0x42e/0x500 [rsi_91x] kasan_report+0xe/0x20 rsi_read_pkt+0x42e/0x500 [rsi_91x] rsi_usb_rx_thread+0x1b1/0x2fc [rsi_usb] ? rsi_probe+0x16a0/0x16a0 [rsi_usb] ? _raw_spin_lock_irqsave+0x7b/0xd0 ? _raw_spin_trylock_bh+0x120/0x120 ? __wake_up_common+0x10b/0x520 ? rsi_probe+0x16a0/0x16a0 [rsi_usb] kthread+0x2b5/0x3b0 ? kthread_create_on_node+0xd0/0xd0 ret_from_fork+0x22/0x40 Reported-by: Brendan Dolan-Gavitt Signed-off-by: Zekun Shen Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/YXxXS4wgu2OsmlVv@10-18-43-117.dynapool.wireless.nyu.edu

rsi: fix comment syntax in file headers

2021-04-18T06:27:35Z

The opening comment mark '/**' is used for highlighting the beginning of kernel-doc comments. There are some files in drivers/net/wireless/rsi which follow this syntax in their file headers, i.e. start with '/**' like comments, which causes unexpected warnings from kernel-doc. E.g., running scripts/kernel-doc -none on drivers/net/wireless/rsi/rsi_coex.h causes this warning: "warning: wrong kernel-doc identifier on line: * Copyright (c) 2018 Redpine Signals Inc." Similarly for other files too. Provide a simple fix by replacing such occurrences with general comment format, i.e., "/*", to prevent kernel-doc from parsing it. Signed-off-by: Aditya Srivastava Reviewed-by: Randy Dunlap Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20210315173259.8757-1-yashsri421@gmail.com

rsi: add new device model for 9116

2019-04-25T16:44:23Z

9116 device id entry is added in both SDIO and USB interfaces. New enumberation value taken for the device model. Based on the device model detected run time, few device specific operations needs to be performed. adding rsi_dev_model to get device type in run time, as we can use same driver for 9113 and 9116 except few firmware load changes. Signed-off-by: Siva Rebbagondla Signed-off-by: Kalle Valo

rsi: remove redundant device ids

2018-07-31T07:15:53Z

Removing redundant device id's from both usb and sdio idtables, as rsi driver currently supporting only one module(RS9113). Also, replaced ids with specific defines. Signed-off-by: Siva Rebbagondla Signed-off-by: Kalle Valo

rsi: disable fw watchdog timer during reset

2018-04-24T17:25:01Z

Firmware's watchdog timer should be disabled as a part of reset sequence. This change fixes a firmware hang issue observed during stress tests. Signed-off-by: Amitkumar Karwar Signed-off-by: Siva Rebbagondla Signed-off-by: Kalle Valo

rsi: improve RX packet handling in USB interface

2018-03-13T16:42:26Z

Curretly, RX packet processing is done sequencially. To improve the efficiency, RX skb queue is introduced. Here, while preparing RX URB skb is allocated and used for RX buffer. When rx done handler is called, enqueue the skb to rx_q and set the thread event. RX thread is modified to dequeue packets from skb queue and process further. Signed-off-by: Prameela Rani Garnepudi Signed-off-by: Kalle Valo

rsi: add bluetooth rx endpoint

2018-03-13T16:36:55Z

USB endpoint 1 is used for WLAN which is presently in use. USB endpoint 2 is introduced for BT Rx traffic. Enumeration of Rx BT endpoint and submitting Rx BT URB are added. >From /sys/kernel/debug/usb/devices, Ad=81(I) is for WLAN EP IN and Ad=01(O) is for Wlan EP OUT. Ad=82(I) is for BT EP IN and Ad=02(O) is for BT EP OUT. T: Bus=01 Lev=01 Prnt=01 Port=09 Cnt=03 Dev#= 4 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=1618 ProdID=9113 Rev= 0.02 S: Manufacturer=Redpine Signals, Inc. S: Product=Wireless USB Network Module S: SerialNumber=000000000001 C:* #Ifs= 1 Cfg#= 1 Atr=c0 MxPwr= 2mA I:* If#= 0 Alt= 0 #EPs= 6 Cls=00(>ifc ) Sub=00 Prot=00 Driver=(none) E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms Signed-off-by: Siva Rebbagondla Signed-off-by: Prameela Rani Garnepudi Signed-off-by: Amitkumar Karwar Signed-off-by: Kalle Valo

rsi: add rx control block to handle rx packets in USB

2018-03-13T16:36:54Z

Rx bluetooth endpoint shall be added in further patches. Rx control block is introduced here to handle Rx packets properly. Separate function is written to initialize the RX control blocks. Signed-off-by: Prameela Rani Garnepudi Signed-off-by: Siva Rebbagondla Signed-off-by: Amitkumar Karwar Signed-off-by: Kalle Valo

rsi: use macro for allocating USB buffer

2017-07-28T14:27:18Z

4 bytes is fixed size for reading or writing USB register. We will use a macro instead of hardcoding this. Fixes: b97e9b94ad75c ("rsi: Add new host interface operations") Signed-off-by: Amitkumar Karwar Signed-off-by: Kalle Valo

rsi: rename USB endpoint macros

2017-07-28T14:22:36Z

These endpoints are for WLAN and BT protocols. Signed-off-by: Karun Eagalapati Signed-off-by: Amitkumar Karwar Signed-off-by: Kalle Valo