From e7f91a03b979352b85a77d75a3aab4c5222941f2 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 10 Jul 2025 15:48:04 +0200 Subject: [PATCH] 5.4-stable patches added patches: acpi-pad-fix-crash-in-exit_round_robin.patch media-uvcvideo-return-the-number-of-processed-controls.patch media-uvcvideo-rollback-non-processed-entities-on-error.patch media-uvcvideo-send-control-events-for-partial-succeeds.patch staging-rtl8723bs-avoid-memset-in-aes_cipher-and-aes_decipher.patch --- ...pi-pad-fix-crash-in-exit_round_robin.patch | 93 ++++++++++++ ...urn-the-number-of-processed-controls.patch | 71 +++++++++ ...back-non-processed-entities-on-error.patch | 113 ++++++++++++++ ...-control-events-for-partial-succeeds.patch | 64 ++++++++ queue-5.4/series | 5 + ...emset-in-aes_cipher-and-aes_decipher.patch | 140 ++++++++++++++++++ 6 files changed, 486 insertions(+) create mode 100644 queue-5.4/acpi-pad-fix-crash-in-exit_round_robin.patch create mode 100644 queue-5.4/media-uvcvideo-return-the-number-of-processed-controls.patch create mode 100644 queue-5.4/media-uvcvideo-rollback-non-processed-entities-on-error.patch create mode 100644 queue-5.4/media-uvcvideo-send-control-events-for-partial-succeeds.patch create mode 100644 queue-5.4/staging-rtl8723bs-avoid-memset-in-aes_cipher-and-aes_decipher.patch diff --git a/queue-5.4/acpi-pad-fix-crash-in-exit_round_robin.patch b/queue-5.4/acpi-pad-fix-crash-in-exit_round_robin.patch new file mode 100644 index 0000000000..5daeb22691 --- /dev/null +++ b/queue-5.4/acpi-pad-fix-crash-in-exit_round_robin.patch @@ -0,0 +1,93 @@ +From 0a2ed70a549e61c5181bad5db418d223b68ae932 Mon Sep 17 00:00:00 2001 +From: Seiji Nishikawa +Date: Sun, 25 Aug 2024 23:13:52 +0900 +Subject: ACPI: PAD: fix crash in exit_round_robin() + +From: Seiji Nishikawa + +commit 0a2ed70a549e61c5181bad5db418d223b68ae932 upstream. + +The kernel occasionally crashes in cpumask_clear_cpu(), which is called +within exit_round_robin(), because when executing clear_bit(nr, addr) with +nr set to 0xffffffff, the address calculation may cause misalignment within +the memory, leading to access to an invalid memory address. + +---------- +BUG: unable to handle kernel paging request at ffffffffe0740618 + ... +CPU: 3 PID: 2919323 Comm: acpi_pad/14 Kdump: loaded Tainted: G OE X --------- - - 4.18.0-425.19.2.el8_7.x86_64 #1 + ... +RIP: 0010:power_saving_thread+0x313/0x411 [acpi_pad] +Code: 89 cd 48 89 d3 eb d1 48 c7 c7 55 70 72 c0 e8 64 86 b0 e4 c6 05 0d a1 02 00 01 e9 bc fd ff ff 45 89 e4 42 8b 04 a5 20 82 72 c0 48 0f b3 05 f4 9c 01 00 42 c7 04 a5 20 82 72 c0 ff ff ff ff 31 +RSP: 0018:ff72a5d51fa77ec8 EFLAGS: 00010202 +RAX: 00000000ffffffff RBX: ff462981e5d8cb80 RCX: 0000000000000000 +RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246 +RBP: ff46297556959d80 R08: 0000000000000382 R09: ff46297c8d0f38d8 +R10: 0000000000000000 R11: 0000000000000001 R12: 000000000000000e +R13: 0000000000000000 R14: ffffffffffffffff R15: 000000000000000e +FS: 0000000000000000(0000) GS:ff46297a800c0000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: ffffffffe0740618 CR3: 0000007e20410004 CR4: 0000000000771ee0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +PKRU: 55555554 +Call Trace: + ? acpi_pad_add+0x120/0x120 [acpi_pad] + kthread+0x10b/0x130 + ? set_kthread_struct+0x50/0x50 + ret_from_fork+0x1f/0x40 + ... +CR2: ffffffffe0740618 + +crash> dis -lr ffffffffc0726923 + ... +/usr/src/debug/kernel-4.18.0-425.19.2.el8_7/linux-4.18.0-425.19.2.el8_7.x86_64/./include/linux/cpumask.h: 114 +0xffffffffc0726918 : mov %r12d,%r12d +/usr/src/debug/kernel-4.18.0-425.19.2.el8_7/linux-4.18.0-425.19.2.el8_7.x86_64/./include/linux/cpumask.h: 325 +0xffffffffc072691b : mov -0x3f8d7de0(,%r12,4),%eax +/usr/src/debug/kernel-4.18.0-425.19.2.el8_7/linux-4.18.0-425.19.2.el8_7.x86_64/./arch/x86/include/asm/bitops.h: 80 +0xffffffffc0726923 : lock btr %rax,0x19cf4(%rip) # 0xffffffffc0740620 + +crash> px tsk_in_cpu[14] +$66 = 0xffffffff + +crash> px 0xffffffffc072692c+0x19cf4 +$99 = 0xffffffffc0740620 + +crash> sym 0xffffffffc0740620 +ffffffffc0740620 (b) pad_busy_cpus_bits [acpi_pad] + +crash> px pad_busy_cpus_bits[0] +$42 = 0xfffc0 +---------- + +To fix this, ensure that tsk_in_cpu[tsk_index] != -1 before calling +cpumask_clear_cpu() in exit_round_robin(), just as it is done in +round_robin_cpu(). + +Signed-off-by: Seiji Nishikawa +Link: https://patch.msgid.link/20240825141352.25280-1-snishika@redhat.com +[ rjw: Subject edit, avoid updates to the same value ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Nobuhiro Iwamatsu (CIP) +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/acpi_pad.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/acpi/acpi_pad.c ++++ b/drivers/acpi/acpi_pad.c +@@ -128,8 +128,11 @@ static void round_robin_cpu(unsigned int + static void exit_round_robin(unsigned int tsk_index) + { + struct cpumask *pad_busy_cpus = to_cpumask(pad_busy_cpus_bits); +- cpumask_clear_cpu(tsk_in_cpu[tsk_index], pad_busy_cpus); +- tsk_in_cpu[tsk_index] = -1; ++ ++ if (tsk_in_cpu[tsk_index] != -1) { ++ cpumask_clear_cpu(tsk_in_cpu[tsk_index], pad_busy_cpus); ++ tsk_in_cpu[tsk_index] = -1; ++ } + } + + static unsigned int idle_pct = 5; /* percentage */ diff --git a/queue-5.4/media-uvcvideo-return-the-number-of-processed-controls.patch b/queue-5.4/media-uvcvideo-return-the-number-of-processed-controls.patch new file mode 100644 index 0000000000..02ddbd9daf --- /dev/null +++ b/queue-5.4/media-uvcvideo-return-the-number-of-processed-controls.patch @@ -0,0 +1,71 @@ +From ba4fafb02ad6a4eb2e00f861893b5db42ba54369 Mon Sep 17 00:00:00 2001 +From: Ricardo Ribalda +Date: Mon, 24 Feb 2025 10:34:53 +0000 +Subject: media: uvcvideo: Return the number of processed controls + +From: Ricardo Ribalda + +commit ba4fafb02ad6a4eb2e00f861893b5db42ba54369 upstream. + +If we let know our callers that we have not done anything, they will be +able to optimize their decisions. + +Cc: stable@kernel.org +Fixes: b4012002f3a3 ("[media] uvcvideo: Add support for control events") +Reviewed-by: Laurent Pinchart +Signed-off-by: Ricardo Ribalda +Message-ID: <20250224-uvc-data-backup-v2-1-de993ed9823b@chromium.org> +Signed-off-by: Hans de Goede +Signed-off-by: Hans Verkuil +Signed-off-by: Ricardo Ribalda +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/uvc/uvc_ctrl.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/drivers/media/usb/uvc/uvc_ctrl.c ++++ b/drivers/media/usb/uvc/uvc_ctrl.c +@@ -1560,11 +1560,16 @@ int uvc_ctrl_begin(struct uvc_video_chai + return mutex_lock_interruptible(&chain->ctrl_mutex) ? -ERESTARTSYS : 0; + } + ++/* ++ * Returns the number of uvc controls that have been correctly set, or a ++ * negative number if there has been an error. ++ */ + static int uvc_ctrl_commit_entity(struct uvc_device *dev, + struct uvc_fh *handle, + struct uvc_entity *entity, + int rollback) + { ++ unsigned int processed_ctrls = 0; + struct uvc_control *ctrl; + unsigned int i; + int ret; +@@ -1598,6 +1603,9 @@ static int uvc_ctrl_commit_entity(struct + else + ret = 0; + ++ if (!ret) ++ processed_ctrls++; ++ + if (rollback || ret < 0) + memcpy(uvc_ctrl_data(ctrl, UVC_CTRL_DATA_CURRENT), + uvc_ctrl_data(ctrl, UVC_CTRL_DATA_BACKUP), +@@ -1613,7 +1621,7 @@ static int uvc_ctrl_commit_entity(struct + uvc_ctrl_set_handle(handle, ctrl, handle); + } + +- return 0; ++ return processed_ctrls; + } + + int __uvc_ctrl_commit(struct uvc_fh *handle, int rollback, +@@ -1634,6 +1642,7 @@ int __uvc_ctrl_commit(struct uvc_fh *han + + if (!rollback) + uvc_ctrl_send_events(handle, xctrls, xctrls_count); ++ ret = 0; + done: + mutex_unlock(&chain->ctrl_mutex); + return ret; diff --git a/queue-5.4/media-uvcvideo-rollback-non-processed-entities-on-error.patch b/queue-5.4/media-uvcvideo-rollback-non-processed-entities-on-error.patch new file mode 100644 index 0000000000..e45beda624 --- /dev/null +++ b/queue-5.4/media-uvcvideo-rollback-non-processed-entities-on-error.patch @@ -0,0 +1,113 @@ +From a70705d3c020d0d5c3ab6a5cc93e011ac35e7d48 Mon Sep 17 00:00:00 2001 +From: Ricardo Ribalda +Date: Mon, 24 Feb 2025 10:34:55 +0000 +Subject: media: uvcvideo: Rollback non processed entities on error + +From: Ricardo Ribalda + +commit a70705d3c020d0d5c3ab6a5cc93e011ac35e7d48 upstream. + +If we fail to commit an entity, we need to restore the +UVC_CTRL_DATA_BACKUP for the other uncommitted entities. Otherwise the +control cache and the device would be out of sync. + +Cc: stable@kernel.org +Fixes: b4012002f3a3 ("[media] uvcvideo: Add support for control events") +Reported-by: Hans de Goede +Closes: https://lore.kernel.org/linux-media/fe845e04-9fde-46ee-9763-a6f00867929a@redhat.com/ +Signed-off-by: Ricardo Ribalda +Message-ID: <20250224-uvc-data-backup-v2-3-de993ed9823b@chromium.org> +Signed-off-by: Hans de Goede +Signed-off-by: Hans Verkuil +Signed-off-by: Ricardo Ribalda +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/uvc/uvc_ctrl.c | 42 ++++++++++++++++++++++++++------------- + 1 file changed, 28 insertions(+), 14 deletions(-) + +--- a/drivers/media/usb/uvc/uvc_ctrl.c ++++ b/drivers/media/usb/uvc/uvc_ctrl.c +@@ -1577,7 +1577,7 @@ static int uvc_ctrl_commit_entity(struct + unsigned int processed_ctrls = 0; + struct uvc_control *ctrl; + unsigned int i; +- int ret; ++ int ret = 0; + + if (entity == NULL) + return 0; +@@ -1605,8 +1605,6 @@ static int uvc_ctrl_commit_entity(struct + dev->intfnum, ctrl->info.selector, + uvc_ctrl_data(ctrl, UVC_CTRL_DATA_CURRENT), + ctrl->info.size); +- else +- ret = 0; + + if (!ret) + processed_ctrls++; +@@ -1618,14 +1616,22 @@ static int uvc_ctrl_commit_entity(struct + + ctrl->dirty = 0; + +- if (ret < 0) +- return ret; +- +- if (!rollback && handle && ++ if (!rollback && handle && !ret && + ctrl->info.flags & UVC_CTRL_FLAG_ASYNCHRONOUS) + uvc_ctrl_set_handle(handle, ctrl, handle); ++ ++ if (ret < 0 && !rollback) { ++ /* ++ * If we fail to set a control, we need to rollback ++ * the next ones. ++ */ ++ rollback = 1; ++ } + } + ++ if (ret) ++ return ret; ++ + return processed_ctrls; + } + +@@ -1635,23 +1641,31 @@ int __uvc_ctrl_commit(struct uvc_fh *han + { + struct uvc_video_chain *chain = handle->chain; + struct uvc_entity *entity; +- int ret = 0; ++ int ret_out = 0; ++ int ret; + + /* Find the control. */ + list_for_each_entry(entity, &chain->entities, chain) { + ret = uvc_ctrl_commit_entity(chain->dev, handle, entity, + rollback); +- if (ret < 0) +- goto done; +- else if (ret > 0 && !rollback) ++ if (ret < 0) { ++ /* ++ * When we fail to commit an entity, we need to ++ * restore the UVC_CTRL_DATA_BACKUP for all the ++ * controls in the other entities, otherwise our cache ++ * and the hardware will be out of sync. ++ */ ++ rollback = 1; ++ ++ ret_out = ret; ++ } else if (ret > 0 && !rollback) { + uvc_ctrl_send_events(handle, entity, xctrls, + xctrls_count); ++ } + } + +- ret = 0; +-done: + mutex_unlock(&chain->ctrl_mutex); +- return ret; ++ return ret_out; + } + + int uvc_ctrl_get(struct uvc_video_chain *chain, diff --git a/queue-5.4/media-uvcvideo-send-control-events-for-partial-succeeds.patch b/queue-5.4/media-uvcvideo-send-control-events-for-partial-succeeds.patch new file mode 100644 index 0000000000..d7f475cfdc --- /dev/null +++ b/queue-5.4/media-uvcvideo-send-control-events-for-partial-succeeds.patch @@ -0,0 +1,64 @@ +From 5c791467aea6277430da5f089b9b6c2a9d8a4af7 Mon Sep 17 00:00:00 2001 +From: Ricardo Ribalda +Date: Mon, 24 Feb 2025 10:34:54 +0000 +Subject: media: uvcvideo: Send control events for partial succeeds + +From: Ricardo Ribalda + +commit 5c791467aea6277430da5f089b9b6c2a9d8a4af7 upstream. + +Today, when we are applying a change to entities A, B. If A succeeds and B +fails the events for A are not sent. + +This change changes the code so the events for A are send right after +they happen. + +Cc: stable@kernel.org +Fixes: b4012002f3a3 ("[media] uvcvideo: Add support for control events") +Signed-off-by: Ricardo Ribalda +Message-ID: <20250224-uvc-data-backup-v2-2-de993ed9823b@chromium.org> +Signed-off-by: Hans de Goede +Signed-off-by: Hans Verkuil +Signed-off-by: Ricardo Ribalda +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/uvc/uvc_ctrl.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/drivers/media/usb/uvc/uvc_ctrl.c ++++ b/drivers/media/usb/uvc/uvc_ctrl.c +@@ -1429,7 +1429,9 @@ static bool uvc_ctrl_xctrls_has_control( + } + + static void uvc_ctrl_send_events(struct uvc_fh *handle, +- const struct v4l2_ext_control *xctrls, unsigned int xctrls_count) ++ struct uvc_entity *entity, ++ const struct v4l2_ext_control *xctrls, ++ unsigned int xctrls_count) + { + struct uvc_control_mapping *mapping; + struct uvc_control *ctrl; +@@ -1440,6 +1442,9 @@ static void uvc_ctrl_send_events(struct + u32 changes = V4L2_EVENT_CTRL_CH_VALUE; + + ctrl = uvc_find_control(handle->chain, xctrls[i].id, &mapping); ++ if (ctrl->entity != entity) ++ continue; ++ + if (ctrl->info.flags & UVC_CTRL_FLAG_ASYNCHRONOUS) + /* Notification will be sent from an Interrupt event. */ + continue; +@@ -1638,10 +1643,11 @@ int __uvc_ctrl_commit(struct uvc_fh *han + rollback); + if (ret < 0) + goto done; ++ else if (ret > 0 && !rollback) ++ uvc_ctrl_send_events(handle, entity, xctrls, ++ xctrls_count); + } + +- if (!rollback) +- uvc_ctrl_send_events(handle, xctrls, xctrls_count); + ret = 0; + done: + mutex_unlock(&chain->ctrl_mutex); diff --git a/queue-5.4/series b/queue-5.4/series index b150c2f8ca..3415153c78 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -104,3 +104,8 @@ net-rose-fix-fall-through-warnings-for-clang.patch rose-fix-dangling-neighbour-pointers-in-rose_rt_devi.patch logitech-c-270-even-more-broken.patch usb-typec-displayport-fix-potential-deadlock.patch +acpi-pad-fix-crash-in-exit_round_robin.patch +media-uvcvideo-return-the-number-of-processed-controls.patch +media-uvcvideo-send-control-events-for-partial-succeeds.patch +media-uvcvideo-rollback-non-processed-entities-on-error.patch +staging-rtl8723bs-avoid-memset-in-aes_cipher-and-aes_decipher.patch diff --git a/queue-5.4/staging-rtl8723bs-avoid-memset-in-aes_cipher-and-aes_decipher.patch b/queue-5.4/staging-rtl8723bs-avoid-memset-in-aes_cipher-and-aes_decipher.patch new file mode 100644 index 0000000000..9aef2757c8 --- /dev/null +++ b/queue-5.4/staging-rtl8723bs-avoid-memset-in-aes_cipher-and-aes_decipher.patch @@ -0,0 +1,140 @@ +From a55bc4ffc06d8c965a7d6f0a01ed0ed41380df28 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Mon, 9 Jun 2025 14:13:14 -0700 +Subject: staging: rtl8723bs: Avoid memset() in aes_cipher() and aes_decipher() + +From: Nathan Chancellor + +commit a55bc4ffc06d8c965a7d6f0a01ed0ed41380df28 upstream. + +After commit 6f110a5e4f99 ("Disable SLUB_TINY for build testing"), which +causes CONFIG_KASAN to be enabled in allmodconfig again, arm64 +allmodconfig builds with older versions of clang (15 through 17) show an +instance of -Wframe-larger-than (which breaks the build with +CONFIG_WERROR=y): + + drivers/staging/rtl8723bs/core/rtw_security.c:1287:5: error: stack frame size (2208) exceeds limit (2048) in 'rtw_aes_decrypt' [-Werror,-Wframe-larger-than] + 1287 | u32 rtw_aes_decrypt(struct adapter *padapter, u8 *precvframe) + | ^ + +This comes from aes_decipher() being inlined in rtw_aes_decrypt(). +Running the same build with CONFIG_FRAME_WARN=128 shows aes_cipher() +also uses a decent amount of stack, just under the limit of 2048: + + drivers/staging/rtl8723bs/core/rtw_security.c:864:19: warning: stack frame size (1952) exceeds limit (128) in 'aes_cipher' [-Wframe-larger-than] + 864 | static signed int aes_cipher(u8 *key, uint hdrlen, + | ^ + +-Rpass-analysis=stack-frame-layout only shows one large structure on the +stack, which is the ctx variable inlined from aes128k128d(). A good +number of the other variables come from the additional checks of +fortified string routines, which are present in memset(), which both +aes_cipher() and aes_decipher() use to initialize some temporary +buffers. In this case, since the size is known at compile time, these +additional checks should not result in any code generation changes but +allmodconfig has several sanitizers enabled, which may make it harder +for the compiler to eliminate the compile time checks and the variables +that come about from them. + +The memset() calls are just initializing these buffers to zero, so use +'= {}' instead, which is used all over the kernel and does the exact +same thing as memset() without the fortify checks, which drops the stack +usage of these functions by a few hundred kilobytes. + + drivers/staging/rtl8723bs/core/rtw_security.c:864:19: warning: stack frame size (1584) exceeds limit (128) in 'aes_cipher' [-Wframe-larger-than] + 864 | static signed int aes_cipher(u8 *key, uint hdrlen, + | ^ + drivers/staging/rtl8723bs/core/rtw_security.c:1271:5: warning: stack frame size (1456) exceeds limit (128) in 'rtw_aes_decrypt' [-Wframe-larger-than] + 1271 | u32 rtw_aes_decrypt(struct adapter *padapter, u8 *precvframe) + | ^ + +Cc: stable@vger.kernel.org +Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver") +Signed-off-by: Nathan Chancellor +Reviewed-by: Dan Carpenter +Link: https://lore.kernel.org/r/20250609-rtl8723bs-fix-clang-arm64-wflt-v1-1-e2accba43def@kernel.org +Signed-off-by: Nathan Chancellor +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/rtl8723bs/core/rtw_security.c | 46 +++++++------------------- + 1 file changed, 14 insertions(+), 32 deletions(-) + +--- a/drivers/staging/rtl8723bs/core/rtw_security.c ++++ b/drivers/staging/rtl8723bs/core/rtw_security.c +@@ -1333,30 +1333,21 @@ static sint aes_cipher(u8 *key, uint hdr + num_blocks, payload_index; + + u8 pn_vector[6]; +- u8 mic_iv[16]; +- u8 mic_header1[16]; +- u8 mic_header2[16]; +- u8 ctr_preload[16]; ++ u8 mic_iv[16] = {}; ++ u8 mic_header1[16] = {}; ++ u8 mic_header2[16] = {}; ++ u8 ctr_preload[16] = {}; + + /* Intermediate Buffers */ +- u8 chain_buffer[16]; +- u8 aes_out[16]; +- u8 padded_buffer[16]; ++ u8 chain_buffer[16] = {}; ++ u8 aes_out[16] = {}; ++ u8 padded_buffer[16] = {}; + u8 mic[8]; + uint frtype = GetFrameType(pframe); + uint frsubtype = GetFrameSubType(pframe); + + frsubtype = frsubtype>>4; + +- +- memset((void *)mic_iv, 0, 16); +- memset((void *)mic_header1, 0, 16); +- memset((void *)mic_header2, 0, 16); +- memset((void *)ctr_preload, 0, 16); +- memset((void *)chain_buffer, 0, 16); +- memset((void *)aes_out, 0, 16); +- memset((void *)padded_buffer, 0, 16); +- + if ((hdrlen == WLAN_HDR_A3_LEN) || (hdrlen == WLAN_HDR_A3_QOS_LEN)) + a4_exists = 0; + else +@@ -1581,15 +1572,15 @@ static sint aes_decipher(u8 *key, uint h + num_blocks, payload_index; + sint res = _SUCCESS; + u8 pn_vector[6]; +- u8 mic_iv[16]; +- u8 mic_header1[16]; +- u8 mic_header2[16]; +- u8 ctr_preload[16]; ++ u8 mic_iv[16] = {}; ++ u8 mic_header1[16] = {}; ++ u8 mic_header2[16] = {}; ++ u8 ctr_preload[16] = {}; + + /* Intermediate Buffers */ +- u8 chain_buffer[16]; +- u8 aes_out[16]; +- u8 padded_buffer[16]; ++ u8 chain_buffer[16] = {}; ++ u8 aes_out[16] = {}; ++ u8 padded_buffer[16] = {}; + u8 mic[8]; + + +@@ -1599,15 +1590,6 @@ static sint aes_decipher(u8 *key, uint h + + frsubtype = frsubtype>>4; + +- +- memset((void *)mic_iv, 0, 16); +- memset((void *)mic_header1, 0, 16); +- memset((void *)mic_header2, 0, 16); +- memset((void *)ctr_preload, 0, 16); +- memset((void *)chain_buffer, 0, 16); +- memset((void *)aes_out, 0, 16); +- memset((void *)padded_buffer, 0, 16); +- + /* start to decrypt the payload */ + + num_blocks = (plen-8) / 16; /* plen including LLC, payload_length and mic) */ -- 2.47.2