The testmode NVS push command is no longer in use. In addition, it has
several implementation issues that prevent it from working correctly:
1. wl1271_tm_cmd_configure relies on wl->chip.id being set. However,
since the device was not necessarily booted by the time the function
is called, wl->chip.id will be initialized to 0.
2. The NVS file is fetched by calling request_firmware() before it is
possible to push an NVS file.
3. The maximum allowed size of nl binary payloads is not sufficient for
pushing NVS files.
4. Pushing 128x NVS files will always fail due to a bug in the
validation code.
5. In case the pushed NVS file is found invalid, the mutex will be kept
locked and the nvs member will become a dangling pointer.
Since this feature is not being used, remove it completely instead of
fixing it.
Signed-off-by: Ido Yariv <ido@wizery.com>
Acked-by: Luciano Coelho <coelho@ti.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
In each case, the freed data should be freed in the error handling code
as
well.
A simplified version of the semantic match that finds this problem is as
follows: (http://coccinelle.lip6.fr/)
// <smpl>
@exists@
local idexpression x;
statement S,S1;
expression E;
identifier fl;
expression *ptr != NULL;
@@
x = \(kmalloc\|kzalloc\|kcalloc\)(...);
...
if (x == NULL) S
<... when != x
when != if (...) { <+...kfree(x)...+> }
when any
when != true x == NULL
x->fl
...>
(
if (x == NULL) S1
|
if (...) { ... when != x
when forall
(
return \(0\|<+...x...+>\|ptr\);
|
* return ...;
)
}
)
// </smpl>
Signed-off-by: Julia Lawall <julia@diku.dk>
Acked-by: Luciano Coelho <coelho@ti.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
During recovery work commands sent to the FW could fail and schedule
additional recovery work. Since the chip is going to be powered off,
avoid recursive recoveries.
Signed-off-by: Ido Yariv <ido@wizery.com>
Signed-off-by: Arik Nemtsov <arik@wizery.com>
Signed-off-by: Luciano Coelho <coelho@ti.com>
Take care of FW & NVS with the auto-detection between wl127x and
wl128x.
[Moved some common code outside if statements and added notes about
NVS structure assumptions; Fixed a bug when checking the nvs size: if
the size was incorrect, the local nvs variable was set to NULL, it
should be wl->nvs instead. -- Luca]
[Merged with potential buffer overflow fix -- Luca]
Signed-off-by: Shahar Levi <shahar_levi@ti.com>
Reviewed-by: Luciano Coelho <coelho@ti.com>
Signed-off-by: Luciano Coelho <coelho@ti.com>
We were allocating the size of the NVS file struct and not checking
whether the length of the buffer passed was correct before copying it
into the allocated memory. This is a security hole because buffer
overflows can occur if the userspace passes a bigger file than what is
expected.
With this patch, we check if the size of the data passed from
userspace matches the size required.
This bug was introduced in 2.6.36.
Cc: stable@kernel.org
Reported-by: Ido Yariv <ido@wizery.com>
Signed-off-by: Luciano Coelho <coelho@ti.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
All files name prefix removed due to the fact that wl12xx driver supports
wl1271 and wl1273.
Also the definition in Kconfig and header files changed respectively.
Signed-off-by: Shahar Levi <shahar_levi@ti.com>
Signed-off-by: Luciano Coelho <luciano.coelho@nokia.com>