linux/drivers/net/wireless/mwifiex
Mark A. Greer f873ded213 mwifiex: debugfs: Fix out of bounds array access
When reading the contents of '/sys/kernel/debug/mwifiex/p2p0/info',
the following panic occurs:

$ cat /sys/kernel/debug/mwifiex/p2p0/info
Unable to handle kernel paging request at virtual address 74706164
pgd = de530000
[74706164] *pgd=00000000
Internal error: Oops: 5 [#1] SMP ARM
Modules linked in: phy_twl4030_usb omap2430 musb_hdrc mwifiex_sdio mwifiex
CPU: 0 PID: 1635 Comm: cat Not tainted 3.10.0-rc1-00010-g1268390 #1
task: de16b6c0 ti: de048000 task.ti: de048000
PC is at strnlen+0xc/0x4c
LR is at string+0x3c/0xf8
pc : [<c02c123c>]    lr : [<c02c2d1c>]    psr: a0000013
sp : de049e10  ip : c06efba0  fp : de6d2092
r10: bf01a260  r9 : ffffffff  r8 : 74706164
r7 : 0000ffff  r6 : ffffffff  r5 : de6d209c  r4 : 00000000
r3 : ff0a0004  r2 : 74706164  r1 : ffffffff  r0 : 74706164
Flags: NzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
Control: 10c5387d  Table: 9e530019  DAC: 00000015
Process cat (pid: 1635, stack limit = 0xde048240)
Stack: (0xde049e10 to 0xde04a000)
9e00:                                     de6d2092 00000002 bf01a25e de6d209c
9e20: de049e80 c02c438c 0000000a ff0a0004 ffffffff 00000000 00000000 de049e48
9e40: 00000000 2192df6d ff0a0004 ffffffff 00000000 de6d2092 de049ef8 bef3cc00
9e60: de6b0000 dc358000 de6d2000 00000000 00000003 c02c45a4 bf01790c bf01a254
9e80: 74706164 bf018698 00000000 de59c3c0 de048000 de049f80 00001000 bef3cc00
9ea0: 00000008 00000000 00000000 00000000 00000000 00000000 00000000 00000000
9ec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
9ee0: 00000000 00000000 00000000 00000001 00000000 00000000 6669776d 20786569
9f00: 20302e31 2e343128 392e3636 3231702e 00202933 00000000 00000003 c0294898
9f20: 00000000 00000000 00000000 00000000 de59c3c0 c0107c04 de554000 de59c3c0
9f40: 00001000 bef3cc00 de049f80 bef3cc00 de049f80 00000000 00000003 c0108a00
9f60: de048000 de59c3c0 00000000 00000000 de59c3c0 00001000 bef3cc00 c0108b60
9f80: 00000000 00000000 00001000 bef3cc00 00000003 00000003 c0014128 de048000
9fa0: 00000000 c0013f80 00001000 bef3cc00 00000003 bef3cc00 00001000 00000000
9fc0: 00001000 bef3cc00 00000003 00000003 00000001 00000001 00000001 00000003
9fe0: 00000000 bef3cbdc 00011984 b6f1127c 60000010 00000003 18dbdd2c 7f7bfffd
[<c02c123c>] (strnlen+0xc/0x4c) from [<c02c2d1c>] (string+0x3c/0xf8)
[<c02c2d1c>] (string+0x3c/0xf8) from [<c02c438c>] (vsnprintf+0x1e8/0x3e8)
[<c02c438c>] (vsnprintf+0x1e8/0x3e8) from [<c02c45a4>] (sprintf+0x18/0x24)
[<c02c45a4>] (sprintf+0x18/0x24) from [<bf01790c>] (mwifiex_info_read+0xfc/0x3e8 [mwifiex])
[<bf01790c>] (mwifiex_info_read+0xfc/0x3e8 [mwifiex]) from [<c0108a00>] (vfs_read+0xb0/0x144)
[<c0108a00>] (vfs_read+0xb0/0x144) from [<c0108b60>] (SyS_read+0x44/0x70)
[<c0108b60>] (SyS_read+0x44/0x70) from [<c0013f80>] (ret_fast_syscall+0x0/0x30)
Code: e12fff1e e3510000 e1a02000 0a00000d (e5d03000)
---[ end trace ca98273dc605a04f ]---

The panic is caused by the mwifiex_info_read() routine assuming that
there can only be four modes (0-3) which is an invalid assumption.
For example, when testing P2P, the mode is '8' (P2P_CLIENT) so the
code accesses data beyond the bounds of the bss_modes[] array which
causes the panic.  Fix this by updating bss_modes[] to support the
current list of modes and adding a check to prevent the out-of-bounds
access from occuring in the future when more modes are added.

Signed-off-by: Mark A. Greer <mgreer@animalcreek.com>
Acked-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-06-12 10:20:55 -04:00
..
11ac.c mwifiex: correct bss_mode check while appending vht operation IE 2013-04-22 15:20:28 -04:00
11ac.h mwifiex: add support to configure VHT for AP mode 2013-03-25 16:43:39 -04:00
11n_aggr.c mwifiex: rework round robin scheduling of bss nodes. 2013-04-23 15:18:40 -04:00
11n_aggr.h
11n_rxreorder.c mwifiex: make use of msecs_to_jiffies() 2013-04-22 15:20:28 -04:00
11n_rxreorder.h
11n.c mwifiex: change default tx/rx win_size for BA setup 2013-04-01 16:06:49 -04:00
11n.h mwifiex: add 802.11AC support 2013-02-18 15:30:39 -05:00
cfg80211.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless into for-davem 2013-05-10 10:29:24 -04:00
cfg80211.h
cfp.c mwifiex: add 802.11AC support 2013-02-18 15:30:39 -05:00
cmdevt.c mwifiex: clear is_suspended flag when interrupt is received early 2013-05-08 17:15:08 -04:00
debugfs.c mwifiex: debugfs: Fix out of bounds array access 2013-06-12 10:20:55 -04:00
decl.h mwifiex: use separate AMPDU tx/rx window sizes in 11ac networks 2013-04-01 16:06:49 -04:00
ethtool.c mwifiex: add "ethtool wol" command support 2013-03-06 16:29:15 -05:00
fw.h mwifiex: add support to configure VHT for AP mode 2013-03-25 16:43:39 -04:00
ie.c
init.c mwifiex: rework round robin scheduling of bss nodes. 2013-04-23 15:18:40 -04:00
ioctl.h mwifiex: add support to configure VHT for AP mode 2013-03-25 16:43:39 -04:00
join.c mwifiex: use separate AMPDU tx/rx window sizes in 11ac networks 2013-04-01 16:06:49 -04:00
Kconfig mwifiex: add PCIe8897 support 2013-02-11 15:34:57 -05:00
main.c mwifiex: fix memory leak issue when driver unload 2013-05-08 17:15:08 -04:00
main.h mwifiex: replace ra_list_curr by list rotation. 2013-04-23 15:18:40 -04:00
Makefile mwifiex: add "ethtool wol" command support 2013-03-06 16:29:15 -05:00
pcie.c mwifiex: Correct pci_unmap_single's size 2013-04-26 08:42:22 -04:00
pcie.h mwifiex: device specific sleep cookie handling for PCIe 2013-02-14 14:24:07 -05:00
README mwifiex: remove max_tx_buf_size 2013-02-01 14:27:23 -05:00
scan.c mwifiex: remove redundant initialization for bss_descriptor 2013-04-22 15:38:36 -04:00
sdio.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless into for-davem 2013-02-25 14:50:31 -05:00
sdio.h
sta_cmd.c mwifiex: add support to configure VHT for AP mode 2013-03-25 16:43:39 -04:00
sta_cmdresp.c mwifiex: fix negative cmd_pending count 2013-04-08 15:28:37 -04:00
sta_event.c Merge branch 'for-john' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211-next 2012-11-26 14:46:41 -05:00
sta_ioctl.c mwifiex: fix setting of multicast filter 2013-05-08 17:15:09 -04:00
sta_rx.c
sta_tx.c
txrx.c mwifiex: Trigger a card reset on reaching tx_timeout threshold 2013-03-08 16:02:48 -05:00
uap_cmd.c mwifiex: add support to configure VHT for AP mode 2013-03-25 16:43:39 -04:00
uap_event.c
uap_txrx.c
usb.c mwifiex: do not overwrite error code from lower layer driver 2013-01-30 15:07:05 -05:00
usb.h
util.c mwifiex: fix negative cmd_pending count 2013-04-08 15:28:37 -04:00
util.h mwifiex: use pci_alloc/free_consistent APIs for PCIe 2013-01-07 15:18:30 -05:00
wmm.c mwifiex: rework round robin scheduling of bss nodes. 2013-04-23 15:18:40 -04:00
wmm.h mwifiex: replace ra_list_curr by list rotation. 2013-04-23 15:18:40 -04:00

# Copyright (C) 2011, Marvell International Ltd.
#
# This software file (the "File") is distributed by Marvell International
# Ltd. under the terms of the GNU General Public License Version 2, June 1991
# (the "License").  You may use, redistribute and/or modify this File in
# accordance with the terms and conditions of the License, a copy of which
# is available by writing to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA or on the
# worldwide web at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
#
# THE FILE IS DISTRIBUTED AS-IS, WITHOUT WARRANTY OF ANY KIND, AND THE
# IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE
# ARE EXPRESSLY DISCLAIMED.  The License provides additional details about
# this warranty disclaimer.


===============================================================================
			U S E R  M A N U A L

1) FOR DRIVER INSTALL

	a) Copy sd8787.bin to /lib/firmware/mrvl/ directory,
	   create the directory if it doesn't exist.
	b) Install WLAN driver,
		insmod mwifiex.ko
	c) Uninstall WLAN driver,
		ifconfig mlanX down
		rmmod mwifiex


2) FOR DRIVER CONFIGURATION AND INFO
	The configurations can be done either using the 'iw' user space
	utility or debugfs.

	a) 'iw' utility commands

	Following are some useful iw commands:-

iw dev mlan0 scan

	This command will trigger a scan.
	The command will then display the scan table entries

iw dev mlan0 connect -w <SSID> [<freq in MHz>] [<bssid>] [key 0:abcde d:1123456789a]
	The above command can be used to connect to an AP with a particular SSID.
	Ap's operating frequency can be specified or even the bssid. If the AP is using
	WEP encryption, wep keys can be specified in the command.
	Note: Every time before connecting to an AP scan command (iw dev mlan0 scan) should be used by user.

iw dev mlan0 disconnect
	This command will be used to disconnect from an AP.


iw dev mlan0 ibss join <SSID> <freq in MHz> [fixed-freq] [fixed-bssid] [key 0:abcde]
	The command will be used to join or create an ibss. Optionally, operating frequency,
	bssid and the security related parameters can be specified while joining/creating
	and ibss.

iw dev mlan0 ibss leave
	The command will be used to leave an ibss network.

iw dev mlan0 link
	The command will be used to get the connection status. The command will return parameters
	such as SSID, operating frequency, rx/tx packets, signal strength, tx bitrate.

	Apart from the iw utility all standard configurations using the 'iwconfig' utility are also supported.

	b) Debugfs interface

	The debugfs interface can be used for configurations and for getting
	some useful information from the driver.
	The section below explains the configurations that can be
	done.

	Mount debugfs to /debugfs mount point:

		mkdir /debugfs
		mount -t debugfs debugfs /debugfs

	The information is provided in /debugfs/mwifiex/mlanX/:

iw reg set <country code>
	The command will be used to change the regulatory domain.

iw reg get
	The command will be used to get current regulatory domain.

info
	This command is used to get driver info.

	Usage:
		cat info

	driver_name = "mwifiex"
	driver_version = <driver_name, driver_version, (firmware_version)>
	interface_name = "mlanX"
	bss_mode = "Ad-hoc" | "Managed" | "Auto" | "Unknown"
	media_state = "Disconnected" | "Connected"
	mac_address = <6-byte adapter MAC address>
	multicase_count = <multicast address count>
	essid = <current SSID>
	bssid = <current BSSID>
	channel = <current channel>
	region_code = <current region code>
	multicasr_address[n] = <multicast address>
	num_tx_bytes = <number of bytes sent to device>
	num_rx_bytes = <number of bytes received from device and sent to kernel>
	num_tx_pkts = <number of packets sent to device>
	num_rx_pkts = <number of packets received from device and sent to kernel>
	num_tx_pkts_dropped = <number of Tx packets dropped by driver>
	num_rx_pkts_dropped = <number of Rx packets dropped by driver>
	num_tx_pkts_err = <number of Tx packets failed to send to device>
	num_rx_pkts_err = <number of Rx packets failed to receive from device>
	carrier "on" | "off"
	tx queue "stopped" | "started"

	The following debug info are provided in /debugfs/mwifiex/mlanX/debug:

	int_counter = <interrupt count, cleared when interrupt handled>
	wmm_ac_vo = <number of packets sent to device from WMM AcVo queue>
	wmm_ac_vi = <number of packets sent to device from WMM AcVi queue>
	wmm_ac_be = <number of packets sent to device from WMM AcBE queue>
	wmm_ac_bk = <number of packets sent to device from WMM AcBK queue>
	tx_buf_size = <current Tx buffer size>
	curr_tx_buf_size = <current Tx buffer size>
	ps_mode = <0/1, CAM mode/PS mode>
	ps_state = <0/1/2/3, full power state/awake state/pre-sleep state/sleep state>
	is_deep_sleep = <0/1, not deep sleep state/deep sleep state>
	wakeup_dev_req = <0/1, wakeup device not required/required>
	wakeup_tries = <wakeup device count, cleared when device awake>
	hs_configured = <0/1, host sleep not configured/configured>
	hs_activated = <0/1, extended host sleep not activated/activated>
	num_tx_timeout = <number of Tx timeout>
	num_cmd_timeout = <number of timeout commands>
	timeout_cmd_id = <command id of the last timeout command>
	timeout_cmd_act = <command action of the last timeout command>
	last_cmd_id = <command id of the last several commands sent to device>
	last_cmd_act = <command action of the last several commands sent to device>
	last_cmd_index = <0 based last command index>
	last_cmd_resp_id = <command id of the last several command responses received from device>
	last_cmd_resp_index = <0 based last command response index>
	last_event = <event id of the last several events received from device>
	last_event_index = <0 based last event index>
	num_cmd_h2c_fail = <number of commands failed to send to device>
	num_cmd_sleep_cfm_fail = <number of sleep confirm failed to send to device>
	num_tx_h2c_fail = <number of data packets failed to send to device>
	num_evt_deauth = <number of deauthenticated events received from device>
	num_evt_disassoc = <number of disassociated events received from device>
	num_evt_link_lost = <number of link lost events received from device>
	num_cmd_deauth = <number of deauthenticate commands sent to device>
	num_cmd_assoc_ok = <number of associate commands with success return>
	num_cmd_assoc_fail = <number of associate commands with failure return>
	cmd_sent = <0/1, send command resources available/sending command to device>
	data_sent = <0/1, send data resources available/sending data to device>
	mp_rd_bitmap = <SDIO multi-port read bitmap>
	mp_wr_bitmap = <SDIO multi-port write bitmap>
	cmd_resp_received = <0/1, no cmd response to process/response received and yet to process>
	event_received = <0/1, no event to process/event received and yet to process>
	cmd_pending = <number of cmd pending>
	tx_pending = <number of Tx packet pending>
	rx_pending = <number of Rx packet pending>


3) FOR DRIVER CONFIGURATION

regrdwr
	This command is used to read/write the adapter register.

	Usage:
		echo " <type> <offset> [value]" > regrdwr
		cat regrdwr

	where the parameters are,
		<type>:     1:MAC/SOC, 2:BBP, 3:RF, 4:PMIC, 5:CAU
		<offset>:   offset of register
		[value]:    value to be written

	Examples:
		echo "1 0xa060" > regrdwr           : Read the MAC register
		echo "1 0xa060 0x12" > regrdwr      : Write the MAC register
		echo "1 0xa794 0x80000000" > regrdwr
		                                    : Write 0x80000000 to MAC register
rdeeprom
	This command is used to read the EEPROM contents of the card.

	Usage:
		echo "<offset> <length>" > rdeeprom
		cat rdeeprom

	where the parameters are,
		<offset>:   multiples of 4
		<length>:   4-20, multiples of 4

	Example:
		echo "0 20" > rdeeprom      : Read 20 bytes of EEPROM data from offset 0

getlog
        This command is used to get the statistics available in the station.
	Usage:

	cat getlog

===============================================================================