aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/net/wireless/rsi/rsi_usb.h
AgeCommit message (Collapse)Author
2022-01-27rsi: Fix out-of-bounds read in rsi_read_pkt()Zekun Shen
[ Upstream commit f1cb3476e48b60c450ec3a1d7da0805bffc6e43a ] rsi_get_* functions rely on an offset variable from usb input. The size of usb input is RSI_MAX_RX_USB_PKT_SIZE(3000), while 2-byte offset can be up to 0xFFFF. Thus a large offset can cause out-of-bounds read. The patch adds a bound checking condition when rcv_pkt_len is 0, indicating it's USB. It's unclear whether this is triggerable from other type of bus. The following check might help in that case. offset > rcv_pkt_len - FRAME_DESC_SZ The bug is trigerrable with conpromised/malfunctioning USB devices. I tested the patch with the crashing input and got no more bug report. Attached is the KASAN report from fuzzing. BUG: KASAN: slab-out-of-bounds in rsi_read_pkt+0x42e/0x500 [rsi_91x] Read of size 2 at addr ffff888019439fdb by task RX-Thread/227 CPU: 0 PID: 227 Comm: RX-Thread Not tainted 5.6.0 #66 Call Trace: dump_stack+0x76/0xa0 print_address_description.constprop.0+0x16/0x200 ? rsi_read_pkt+0x42e/0x500 [rsi_91x] ? rsi_read_pkt+0x42e/0x500 [rsi_91x] __kasan_report.cold+0x37/0x7c ? rsi_read_pkt+0x42e/0x500 [rsi_91x] kasan_report+0xe/0x20 rsi_read_pkt+0x42e/0x500 [rsi_91x] rsi_usb_rx_thread+0x1b1/0x2fc [rsi_usb] ? rsi_probe+0x16a0/0x16a0 [rsi_usb] ? _raw_spin_lock_irqsave+0x7b/0xd0 ? _raw_spin_trylock_bh+0x120/0x120 ? __wake_up_common+0x10b/0x520 ? rsi_probe+0x16a0/0x16a0 [rsi_usb] kthread+0x2b5/0x3b0 ? kthread_create_on_node+0xd0/0xd0 ret_from_fork+0x22/0x40 Reported-by: Brendan Dolan-Gavitt <brendandg@nyu.edu> Signed-off-by: Zekun Shen <bruceshenzk@gmail.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/YXxXS4wgu2OsmlVv@10-18-43-117.dynapool.wireless.nyu.edu Signed-off-by: Sasha Levin <sashal@kernel.org>
2018-07-31rsi: remove redundant device idsSiva Rebbagondla
Removing redundant device id's from both usb and sdio idtables, as rsi driver currently supporting only one module(RS9113). Also, replaced ids with specific defines. Signed-off-by: Siva Rebbagondla <siva.rebbagondla@redpinesignals.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2018-04-24rsi: disable fw watchdog timer during resetAmitkumar Karwar
Firmware's watchdog timer should be disabled as a part of reset sequence. This change fixes a firmware hang issue observed during stress tests. Signed-off-by: Amitkumar Karwar <amit.karwar@redpinesignals.com> Signed-off-by: Siva Rebbagondla <siva.rebbagondla@redpinesignals.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2018-03-13rsi: improve RX packet handling in USB interfacePrameela Rani Garnepudi
Curretly, RX packet processing is done sequencially. To improve the efficiency, RX skb queue is introduced. Here, while preparing RX URB skb is allocated and used for RX buffer. When rx done handler is called, enqueue the skb to rx_q and set the thread event. RX thread is modified to dequeue packets from skb queue and process further. Signed-off-by: Prameela Rani Garnepudi <prameela.j04cs@gmail.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2018-03-13rsi: add bluetooth rx endpointSiva Rebbagondla
USB endpoint 1 is used for WLAN which is presently in use. USB endpoint 2 is introduced for BT Rx traffic. Enumeration of Rx BT endpoint and submitting Rx BT URB are added. >From /sys/kernel/debug/usb/devices, Ad=81(I) is for WLAN EP IN and Ad=01(O) is for Wlan EP OUT. Ad=82(I) is for BT EP IN and Ad=02(O) is for BT EP OUT. T: Bus=01 Lev=01 Prnt=01 Port=09 Cnt=03 Dev#= 4 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=1618 ProdID=9113 Rev= 0.02 S: Manufacturer=Redpine Signals, Inc. S: Product=Wireless USB Network Module S: SerialNumber=000000000001 C:* #Ifs= 1 Cfg#= 1 Atr=c0 MxPwr= 2mA I:* If#= 0 Alt= 0 #EPs= 6 Cls=00(>ifc ) Sub=00 Prot=00 Driver=(none) E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms Signed-off-by: Siva Rebbagondla <siva.rebbagondla@redpinesignals.com> Signed-off-by: Prameela Rani Garnepudi <prameela.j04cs@gmail.com> Signed-off-by: Amitkumar Karwar <amit.karwar@redpinesignals.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2018-03-13rsi: add rx control block to handle rx packets in USBPrameela Rani Garnepudi
Rx bluetooth endpoint shall be added in further patches. Rx control block is introduced here to handle Rx packets properly. Separate function is written to initialize the RX control blocks. Signed-off-by: Prameela Rani Garnepudi <prameela.j04cs@gmail.com> Signed-off-by: Siva Rebbagondla <siva.rebbagondla@redpinesignals.com> Signed-off-by: Amitkumar Karwar <amit.karwar@redpinesignals.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2017-07-28rsi: use macro for allocating USB bufferAmitkumar Karwar
4 bytes is fixed size for reading or writing USB register. We will use a macro instead of hardcoding this. Fixes: b97e9b94ad75c ("rsi: Add new host interface operations") Signed-off-by: Amitkumar Karwar <amit.karwar@redpinesignals.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2017-07-28rsi: rename USB endpoint macrosKarun Eagalapati
These endpoints are for WLAN and BT protocols. Signed-off-by: Karun Eagalapati <karun256@gmail.com> Signed-off-by: Amitkumar Karwar <amit.karwar@redpinesignals.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2017-07-28rsi: card reset for USB interfaceKarun Eagalapati
We need to reset the chip in teardown path so that it can work next time when driver is loaded. This patch adds support for this reset configuration for USB. Signed-off-by: Karun Eagalapati <karun256@gmail.com> Signed-off-by: Amitkumar Karwar <amit.karwar@redpinesignals.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2017-05-24rsi: Remove old firmware loading methodPrameela Rani Garnepudi
The older firmware loading method is not usable by any Redpine chipset. Hence removing that part of the code. Older firmware image with rsi_91x.fw name is deprecated Signed-off-by: Prameela Rani Garnepudi <prameela.j04cs@gmail.com> Signed-off-by: Amitkumar Karwar <amit.karwar@redpinesignals.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2017-05-24rsi: Changes in USB read and write operationsPrameela Rani Garnepudi
USB read and write registers maximum size is limited 2^16. More than this size is not used in the driver. Signed-off-by: Prameela Rani Garnepudi <prameela.j04cs@gmail.com> Signed-off-by: Amitkumar Karwar <amit.karwar@redpinesignals.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2017-05-24rsi: define RSI_USB_BUF_SIZE macroamit karwar
RSI_USB_BUF_SIZE macro is used instead of hardcoding a buffer size to 4096. Signed-off-by: Amitkumar Karwar <amit.karwar@redpinesignals.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2014-03-17rsi: Add RS9113 wireless driverFariya Fatima
This patch adds the Redpine Signals' 91x wireless driver. Signed-off-by: Fariya Fatima <fariyaf@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
generated by cgit 1.2.3-korg (git 2.39.0) at 2024-06-27 02:00:45 +0000