kernel_samsung_a53x/drivers
Sascha Hauer 47d3b537a5 wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id()
[ Upstream commit c145eea2f75ff7949392aebecf7ef0a81c1f6c14 ]

mwifiex_get_priv_by_id() returns the priv pointer corresponding to
the bss_num and bss_type, but without checking if the priv is actually
currently in use.
Unused priv pointers do not have a wiphy attached to them, which can
lead to NULL pointer dereferences further down the call stack.  Fix
this by returning only used priv pointers, which have priv->bss_mode
set to something other than NL80211_IFTYPE_UNSPECIFIED.

Said NULL pointer dereference happened when an access point was started
with wpa_supplicant -i mlan0 using this config:

network={
        ssid="somessid"
        mode=2
        frequency=2412
        key_mgmt=WPA-PSK WPA-PSK-SHA256
        proto=RSN
        group=CCMP
        pairwise=CCMP
        psk="12345678"
}

When waiting for the AP to be established, interrupting wpa_supplicant
with <ctrl-c> and starting it again, this happens:

| Unable to handle kernel NULL pointer dereference at virtual address 0000000000000140
| Mem abort info:
|   ESR = 0x0000000096000004
|   EC = 0x25: DABT (current EL), IL = 32 bits
|   SET = 0, FnV = 0
|   EA = 0, S1PTW = 0
|   FSC = 0x04: level 0 translation fault
| Data abort info:
|   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
|   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
|   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
| user pgtable: 4k pages, 48-bit VAs, pgdp=0000000046d96000
| [0000000000000140] pgd=0000000000000000, p4d=0000000000000000
| Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
| Modules linked in: caam_jr caamhash_desc spidev caamalg_desc crypto_engine authenc libdes mwifiex_sdio
+mwifiex crct10dif_ce cdc_acm onboard_usb_hub fsl_imx8_ddr_perf imx8m_ddrc rtc_ds1307 lm75 rtc_snvs
+imx_sdma caam imx8mm_thermal spi_imx error imx_cpufreq_dt fuse ip_tables x_tables ipv6
| CPU: 0 PID: 8 Comm: kworker/0:1 Not tainted 6.9.0-00007-g937242013fce-dirty #18
| Hardware name: somemachine (DT)
| Workqueue: events sdio_irq_work
| pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
| pc : mwifiex_get_cfp+0xd8/0x15c [mwifiex]
| lr : mwifiex_get_cfp+0x34/0x15c [mwifiex]
| sp : ffff8000818b3a70
| x29: ffff8000818b3a70 x28: ffff000006bfd8a5 x27: 0000000000000004
| x26: 000000000000002c x25: 0000000000001511 x24: 0000000002e86bc9
| x23: ffff000006bfd996 x22: 0000000000000004 x21: ffff000007bec000
| x20: 000000000000002c x19: 0000000000000000 x18: 0000000000000000
| x17: 000000040044ffff x16: 00500072b5503510 x15: ccc283740681e517
| x14: 0201000101006d15 x13: 0000000002e8ff43 x12: 002c01000000ffb1
| x11: 0100000000000000 x10: 02e8ff43002c0100 x9 : 0000ffb100100157
| x8 : ffff000003d20000 x7 : 00000000000002f1 x6 : 00000000ffffe124
| x5 : 0000000000000001 x4 : 0000000000000003 x3 : 0000000000000000
| x2 : 0000000000000000 x1 : 0001000000011001 x0 : 0000000000000000
| Call trace:
|  mwifiex_get_cfp+0xd8/0x15c [mwifiex]
|  mwifiex_parse_single_response_buf+0x1d0/0x504 [mwifiex]
|  mwifiex_handle_event_ext_scan_report+0x19c/0x2f8 [mwifiex]
|  mwifiex_process_sta_event+0x298/0xf0c [mwifiex]
|  mwifiex_process_event+0x110/0x238 [mwifiex]
|  mwifiex_main_process+0x428/0xa44 [mwifiex]
|  mwifiex_sdio_interrupt+0x64/0x12c [mwifiex_sdio]
|  process_sdio_pending_irqs+0x64/0x1b8
|  sdio_irq_work+0x4c/0x7c
|  process_one_work+0x148/0x2a0
|  worker_thread+0x2fc/0x40c
|  kthread+0x110/0x114
|  ret_from_fork+0x10/0x20
| Code: a94153f3 a8c37bfd d50323bf d65f03c0 (f940a000)
| ---[ end trace 0000000000000000 ]---

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Acked-by: Brian Norris <briannorris@chromium.org>
Reviewed-by: Francesco Dolcini <francesco.dolcini@toradex.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://patch.msgid.link/20240703072409.556618-1-s.hauer@pengutronix.de
Signed-off-by: Sasha Levin <sashal@kernel.org>
2025-01-19 00:10:00 +01:00
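The bug class behind the commit above is a lookup that matches a slot by id but never asks whether the slot is in use. The following is an added, self-contained user-space model of that pattern and of the fix; it is not the mwifiex driver's code. The struct layouts, the `bss_type` values, `IFTYPE_*` constants and the lookup/caller names are simplified stand-ins, and the constructed adapter state (one AP interface up, one slot allocated but never brought up) is invented for the demonstration. Where the in-kernel caller dereferences `priv->wiphy` unconditionally, the model returns an error code instead so the program runs to completion.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in for the nl80211 interface types. As with the real
 * NL80211_IFTYPE_UNSPECIFIED, the value 0 marks a slot that is not in use. */
enum iftype { IFTYPE_UNSPECIFIED = 0, IFTYPE_STATION = 2, IFTYPE_AP = 3 };

struct wiphy { int n_bands; };

struct priv {
	unsigned bss_num;
	unsigned bss_type;
	enum iftype bss_mode;	/* IFTYPE_UNSPECIFIED: allocated but not in use */
	struct wiphy *wiphy;	/* NULL until the interface is brought up */
};

struct adapter {
	struct priv *priv[4];
	unsigned priv_num;
};

typedef struct priv *(*lookup_fn)(struct adapter *, unsigned, unsigned);

/* Before the fix: the first slot whose ids match is returned, in use or not. */
static struct priv *get_priv_by_id_before(struct adapter *a, unsigned num, unsigned type)
{
	for (unsigned i = 0; i < a->priv_num; i++) {
		struct priv *p = a->priv[i];
		if (p && p->bss_num == num && p->bss_type == type)
			return p;
	}
	return NULL;
}

/* After the fix: a slot whose bss_mode is still UNSPECIFIED is never handed out. */
static struct priv *get_priv_by_id_after(struct adapter *a, unsigned num, unsigned type)
{
	for (unsigned i = 0; i < a->priv_num; i++) {
		struct priv *p = a->priv[i];
		if (p && p->bss_mode != IFTYPE_UNSPECIFIED &&
		    p->bss_num == num && p->bss_type == type)
			return p;
	}
	return NULL;
}

/* Stand-in for a caller like mwifiex_get_cfp() that reaches through
 * priv->wiphy. The kernel code dereferences unconditionally (the oops in
 * the trace above); here a NULL wiphy is reported as -2 instead. */
static int bands_for_bss(struct adapter *a, unsigned num, unsigned type, lookup_fn lookup)
{
	struct priv *p = lookup(a, num, type);
	if (!p)
		return -1;	/* no in-use interface with these ids: caller bails out */
	if (!p->wiphy)
		return -2;	/* unused slot leaked out: a NULL deref in the real driver */
	return p->wiphy->n_bands;
}

/* Constructed state: slot 0 is an AP with a wiphy attached, slot 1 was
 * allocated at probe time but never configured. */
static struct adapter *demo_adapter(void)
{
	static struct wiphy wiphy0 = { .n_bands = 2 };
	static struct priv slot0 = { .bss_num = 0, .bss_type = 1,
				     .bss_mode = IFTYPE_AP, .wiphy = &wiphy0 };
	static struct priv slot1 = { .bss_num = 1, .bss_type = 0,
				     .bss_mode = IFTYPE_UNSPECIFIED, .wiphy = NULL };
	static struct adapter a = { .priv = { &slot0, &slot1 }, .priv_num = 2 };
	return &a;
}

int main(void)
{
	struct adapter *a = demo_adapter();

	/* An event carrying the ids of the unused slot. */
	printf("before fix: %d\n", bands_for_bss(a, 1, 0, get_priv_by_id_before)); /* -2 */
	printf("after fix:  %d\n", bands_for_bss(a, 1, 0, get_priv_by_id_after));  /* -1 */
	/* The interface that is actually up resolves the same either way. */
	printf("in use:     %d\n", bands_for_bss(a, 0, 1, get_priv_by_id_after));  /* 2 */
	return 0;
}
```

Putting the in-use check inside the lookup, rather than at each call site, closes the hole for every caller at once. The caveat when applying a fix of this shape is that callers now receive NULL where they previously received a (non-usable) pointer, so each of them must already tolerate a NULL return; in the model that is the `-1` path in `bands_for_bss()`.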
accessibility
acpi ACPI: processor: Fix memory leaks in error paths of processor_add() 2025-01-19 00:09:58 +01:00
amba
android binder: fix UAF caused by offsets overwrite 2025-01-19 00:09:59 +01:00
ata ata: pata_macio: Use WARN instead of BUG 2025-01-19 00:09:59 +01:00
atm atm: idt77252: prevent use after free in dequeue_rx() 2024-11-23 23:20:43 +01:00
auxdisplay
base regmap: Use correct format specifier for logging range errors 2025-01-15 16:29:50 +01:00
battery Revert "battery: nuke sm5451_charger driver from a53x" 2025-01-18 22:11:40 +01:00
bcma
block virtio-blk: don't keep queue frozen during system suspend 2025-01-15 16:29:50 +01:00
bluetooth Bluetooth: btusb: Add RTL8852BE device 0489:e123 to device tables 2024-12-17 13:24:31 +01:00
bts
bus Revert "bus: integrator-lm: fix OF node leak in probe()" 2024-11-24 00:23:16 +01:00
cdrom
char Revert "tpm: Clean up TPM space after command failure" 2024-11-24 00:23:24 +01:00
clk Revert "clkdev: remove CONFIG_CLKDEV_LOOKUP" 2025-01-02 17:01:18 +01:00
clocksource clocksource/drivers/imx-tpm: Fix return -ETIME when delta exceeds INT_MAX 2025-01-19 00:09:59 +01:00
connector
counter counter: ti-eqep: enable clock at probe 2024-11-19 14:19:33 +01:00
cpufreq exynos: acme: dumb down code to take in any freq table 2025-01-15 16:39:44 +01:00
cpuidle cpuidle: menu: Take negative "sleep length" values into account 2024-11-19 18:01:28 +01:00
crypto crypto: cavium - Fix an error handling path in cpt_ucode_load_fw() 2024-12-17 13:24:00 +01:00
dax
dca
devfreq
dio
dma dmaengine: dw: Select only supported masters for ACPI devices 2025-01-15 16:29:54 +01:00
dma-buf UPSTREAM: dma-buf: heaps: Fix off-by-one in CMA heap fault handler 2025-01-19 00:09:58 +01:00
edac EDAC/fsl_ddr: Fix bad bit shift operations 2024-12-17 13:23:59 +01:00
eisa
extcon
fingerprint
firewire
firmware BACKPORT: firmware: arm_scmi: Queue in scmi layer for mailbox implementation 2025-01-19 00:09:58 +01:00
fpga
fsi
gnss
gpio gpio: grgpio: Add NULL check in grgpio_probe 2024-12-17 13:24:27 +01:00
gpu drm: adv7511: Drop dsi single lane support 2025-01-15 16:29:56 +01:00
greybus
gud
hid HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup 2025-01-19 00:09:59 +01:00
hsi
hv Drivers: hv: vmbus: Fix rescind handling in uio_hv_generic 2025-01-19 00:09:59 +01:00
hwmon hwmon: (tmp513) Fix interpretation of values of Temperature Result and Limit Registers 2025-01-15 16:29:45 +01:00
hwspinlock Revert "hwspinlock: Introduce hwspin_lock_bust()" 2024-11-24 00:23:48 +01:00
hwtracing Revert "coresight: tmc: sg: Do not leak sg_table" 2024-11-24 00:23:19 +01:00
i2c i2c: riic: Always round-up when calculating bus period 2025-01-15 16:29:41 +01:00
i3c i3c: Use i3cdev->desc->info instead of calling i3c_device_get_info() to avoid deadlock 2024-12-17 13:24:32 +01:00
ide
idle
ifconn
iio iio: buffer-dmaengine: fix releasing dma channel on error 2025-01-19 00:09:59 +01:00
infiniband RDMA/uverbs: Prevent integer overflow issue 2025-01-15 16:29:56 +01:00
input Input: uinput - reject requests with unreasonable number of slots 2025-01-19 00:09:59 +01:00
interconnect Revert "interconnect: qcom: sm8250: Enable sync_state" 2024-11-24 00:23:19 +01:00
iommu iommu/arm-smmu: Defer probe of clients after smmu device bound 2024-12-17 13:24:29 +01:00
ipack
irqchip irqchip/gic: Correct declaration of *percpu_base pointer in union gic_base 2025-01-15 16:29:56 +01:00
isdn mISDN: Fix a use after free in hfcmulti_tx() 2024-11-23 23:20:17 +01:00
kperfmon
kq/mesh
leds leds: class: Protect brightness_show() with led_cdev->led_access mutex 2024-12-17 13:24:32 +01:00
lightnvm
macintosh macintosh/therm_windtunnel: fix module unload. 2024-11-23 23:20:11 +01:00
mailbox Revert "mailbox: rockchip: fix a typo in module autoloading" 2024-11-24 00:23:13 +01:00
mcb
md bcache: revert replacing IS_ERR_OR_NULL with IS_ERR again 2024-12-17 13:24:28 +01:00
media media: platform: exynos: camera: Fix enum-compare compilation error from clang 19 2025-01-16 23:06:54 +01:00
memory memory: stm32-fmc2-ebi: check regmap_read return value 2024-11-23 23:20:46 +01:00
memstick
message scsi: fusion: Remove unused variable 'rc' 2024-12-17 13:24:09 +01:00
mfd mfd: rt5033: Fix missing regmap_del_irq_chip() 2024-12-17 13:24:08 +01:00
misc VMCI: Fix use-after-free when removing resource in vmci_resource_remove() 2025-01-19 00:09:59 +01:00
mmc mmc: cqhci: Fix checking of CQHCI_HALT state 2025-01-19 00:09:58 +01:00
most
mtd mtd: rawnand: fix double free in atmel_pmecc_create_user() 2025-01-15 16:29:50 +01:00
muic
mux
net wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id() 2025-01-19 00:10:00 +01:00
nfc nfc: pn533: Add poll mod list filling check 2024-11-23 23:20:55 +01:00
ntb Revert "ntb: intel: Fix the NULL vs IS_ERR() bug for debugfs_create_dir()" 2024-11-24 00:23:20 +01:00
nubus
nvdimm nvdimm: rectify the illogical code within nd_dax_probe() 2024-12-17 13:24:32 +01:00
nvme nvmet-tcp: fix kernel crash if commands allocation fails 2025-01-19 00:09:58 +01:00
nvmem nvmem: Fix return type of devm_nvmem_device_get() in kerneldoc 2025-01-19 00:09:59 +01:00
of of/irq: Prevent device address out-of-bounds read in interrupt map walk 2025-01-19 00:09:59 +01:00
opp
oprofile
parisc
parport Revert "parport: Proper fix for array out-of-bounds access" 2024-11-24 00:22:51 +01:00
pci PCI: Add missing bridge lock to pci_bus_lock() 2025-01-19 00:10:00 +01:00
pcmcia Revert "pcmcia: Use resource_size function on resource object" 2024-11-24 00:23:42 +01:00
perf
phy phy: core: Fix that API devm_phy_destroy() fails to destroy the phy 2025-01-15 16:29:49 +01:00
pinctrl pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking 2025-01-15 16:29:56 +01:00
platform platform/x86: asus-nb-wmi: Ignore unknown event 0xCF 2025-01-15 16:29:50 +01:00
pnp
power power: supply: gpio-charger: Fix set charge current limits 2025-01-15 16:29:51 +01:00
powercap Revert "powercap: RAPL: fix invalid initialization for pl4_supported field" 2024-11-24 00:23:18 +01:00
pps Revert "pps: remove usage of the deprecated ida_simple_xx() API" 2024-11-24 00:23:14 +01:00
ps3
ptp ptp: Add error handling for adjfine callback in ptp_clock_adjtime 2024-12-17 13:24:25 +01:00
pwm pwm: imx27: Workaround of the pwm output bug when decrease the duty cycle 2024-12-17 13:24:02 +01:00
rapidio
ras
regulator regulator: rk808: Add apply_bit for BUCK3 on RK809 2024-12-17 13:23:58 +01:00
remoteproc remoteproc: qcom_q6v5_mss: Re-order writes to the IMEM region 2024-12-17 13:24:13 +01:00
reset Revert "reset: berlin: fix OF node leak in probe() error path" 2024-11-24 00:23:27 +01:00
rpmsg rpmsg: glink: Propagate TX failures in intentless mode as well 2024-12-17 13:24:21 +01:00
rtc rtc: ab-eoz9: don't fail temperature reads on undervoltage notification 2024-12-17 13:24:22 +01:00
s390 Revert "s390/zcore: no need to check return value of debugfs_create functions" 2024-11-24 00:22:59 +01:00
samsung
sbus
scsi scsi: storvsc: Do not flag MAINTENANCE_IN return of SRB_STATUS_DATA_OVERRUN as an error 2025-01-15 16:29:50 +01:00
sensorhub
sensors
sfi
sh sh: clk: Fix clk_enable() to return 0 on NULL clk 2025-01-15 16:29:45 +01:00
siox
slimbus
soc fvmap: move undervolting settings to Kconfig 2025-01-15 16:40:04 +01:00
soundwire Revert "soundwire: stream: fix programming slave ports for non-continous port maps" 2024-11-24 00:23:49 +01:00
spi spi: mpc52xx: Add cancel_work_sync before module remove 2024-12-17 13:24:27 +01:00
spmi
spu_verify
ssb ssb: Fix division by zero issue in ssb_calc_clock_rate 2024-11-23 23:20:44 +01:00
staging staging: iio: frequency: ad9834: Validate frequency parameter value 2025-01-19 00:09:59 +01:00
sti
target scsi: target: core: Fix null-ptr-deref in target_alloc_device() 2024-11-23 23:21:59 +01:00
tc
tee
thermal
thunderbolt thunderbolt: Add support for Intel Panther Lake-M/P 2025-01-15 16:29:53 +01:00
tty serial: 8250: omap: Move pm_runtime_get_sync 2024-12-17 13:24:19 +01:00
uh
uio uio_hv_generic: Fix kernel NULL pointer dereference in hv_uio_rescind 2025-01-19 00:09:59 +01:00
usb USB: serial: option: add MediaTek T7XX compositions 2025-01-15 16:29:41 +01:00
vdpa vdpa/mlx5: Fix suboptimal range on iotlb iteration 2024-12-17 13:24:13 +01:00
vfio vfio/pci: Properly hide first-in-list PCIe extended capability 2024-12-17 13:24:13 +01:00
vhost Revert "vdpa: Add eventfd for the vdpa callback" 2024-11-24 00:23:19 +01:00
vibrator
video fbdev: sh7760fb: Fix a possible memory leak in sh7760fb_alloc_mem() 2024-12-17 13:24:09 +01:00
virt
virtio Revert "vdpa: Add eventfd for the vdpa callback" 2024-11-24 00:23:19 +01:00
vision
vision3
visorbus
vlynq
vme
w1
watchdog watchdog: it87_wdt: add PWRGD enable quirk for Qotom QCML04 2025-01-15 16:29:50 +01:00
xen xen: Fix the issue of resource not being properly released in xenbus_dev_probe() 2024-12-17 13:24:17 +01:00
zorro
Kconfig Added KernelSU 2024-11-19 22:44:48 +01:00
Kconfig.variant1
kernelsu Welcome KernelSU Next 2025-01-15 16:32:35 +01:00
Makefile Added KernelSU 2024-11-19 22:44:48 +01:00
Makefile.variant1