* [PATCH 0/2] libertas: fix rates overflow code path in lbs_ibss_join_existing()
From: Nicolai Stange @ 2020-01-14 10:39 UTC
To: Kalle Valo
Cc: David S. Miller, Wen Huang, Nicolai Stange, libertas-dev, linux-wireless, netdev, linux-kernel, Takashi Iwai, Miroslav Benes

Hi,

these two patches here attempt to cleanup two related issues ([1]) introduced with commit e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss descriptor"), currently queued at the wireless-drivers tree.

Feel free to squash this into one commit.

I don't own the hardware and did some compile-testing on x86_64 only.

Thanks,

Nicolai

[1] https://lkml.kernel.org/r/87woa04t2v.fsf@suse.de

Nicolai Stange (2):
  libertas: don't exit from lbs_ibss_join_existing() with RCU read lock held
  libertas: make lbs_ibss_join_existing() return error code on rates overflow

 drivers/net/wireless/marvell/libertas/cfg.c | 2 ++
 1 file changed, 2 insertions(+)

--
2.16.4
* [PATCH 1/2] libertas: don't exit from lbs_ibss_join_existing() with RCU read lock held 2020-01-14 10:39 ` [PATCH 0/2] libertas: fix rates overflow code path in lbs_ibss_join_existing() Nicolai Stange @ 2020-01-14 10:39 ` Nicolai Stange 2020-01-14 13:43 ` Kalle Valo ` (2 more replies) 2020-01-14 10:39 ` [PATCH 2/2] libertas: make lbs_ibss_join_existing() return error code on rates overflow Nicolai Stange 1 sibling, 3 replies; 8+ messages in thread From: Nicolai Stange @ 2020-01-14 10:39 UTC (permalink / raw) To: Kalle Valo Cc: David S. Miller, Wen Huang, Nicolai Stange, libertas-dev, linux-wireless, netdev, linux-kernel, Takashi Iwai, Miroslav Benes Commit e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss descriptor") introduced a bounds check on the number of supplied rates to lbs_ibss_join_existing(). Unfortunately, it introduced a return path from within a RCU read side critical section without a corresponding rcu_read_unlock(). Fix this. Fixes: e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss descriptor") Signed-off-by: Nicolai Stange <nstange@suse.de> --- drivers/net/wireless/marvell/libertas/cfg.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/net/wireless/marvell/libertas/cfg.c b/drivers/net/wireless/marvell/libertas/cfg.c index c9401c121a14..68985d766349 100644 --- a/drivers/net/wireless/marvell/libertas/cfg.c +++ b/drivers/net/wireless/marvell/libertas/cfg.c @@ -1785,6 +1785,7 @@ static int lbs_ibss_join_existing(struct lbs_private *priv, rates_max = rates_eid[1]; if (rates_max > MAX_RATES) { lbs_deb_join("invalid rates"); + rcu_read_unlock(); goto out; } rates = cmd.bss.rates; -- 2.16.4 ^ permalink raw reply related [flat|nested] 8+ messages in thread
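Review bot: in the `rates_max > MAX_RATES` branch the unlock is open-coded directly before `goto out`, which leaves the lock/unlock pairing easy to break again the next time an early exit is added inside the read-side critical section. A dedicated unlock label placed just ahead of `out` (name hypothetical, for example `out_unlock`) would keep every exit from the section on one path. Also note that with only this patch applied the branch still reaches `goto out` without assigning an error code; 2/2 adds `ret = -EINVAL;` at the same spot, so squashing the two, as the cover letter offers, would land the complete fix for this branch in a single commit.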
* Re: [PATCH 1/2] libertas: don't exit from lbs_ibss_join_existing() with RCU read lock held
From: Kalle Valo @ 2020-01-14 13:43 UTC
To: Nicolai Stange
Cc: David S. Miller, Wen Huang, libertas-dev, linux-wireless, netdev, linux-kernel, Takashi Iwai, Miroslav Benes

Nicolai Stange <nstange@suse.de> writes:

> Commit e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss
> descriptor") introduced a bounds check on the number of supplied rates to
> lbs_ibss_join_existing().
>
> Unfortunately, it introduced a return path from within a RCU read side
> critical section without a corresponding rcu_read_unlock(). Fix this.
>
> Fixes: e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss
> descriptor")

This should be in one line, I'll fix it during commit.

--
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
* Re: [PATCH 1/2] libertas: don't exit from lbs_ibss_join_existing() with RCU read lock held
From: Nicolai Stange @ 2020-01-15 6:21 UTC
To: Kalle Valo
Cc: Nicolai Stange, David S. Miller, Wen Huang, libertas-dev, linux-wireless, netdev, linux-kernel, Takashi Iwai, Miroslav Benes

Kalle Valo <kvalo@codeaurora.org> writes:

> Nicolai Stange <nstange@suse.de> writes:
>
>> Commit e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss
>> descriptor") introduced a bounds check on the number of supplied rates to
>> lbs_ibss_join_existing().
>>
>> Unfortunately, it introduced a return path from within a RCU read side
>> critical section without a corresponding rcu_read_unlock(). Fix this.
>>
>> Fixes: e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss
>> descriptor")
>
> This should be in one line, I'll fix it during commit.

Thanks!

--
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
(HRB 36809, AG Nürnberg), GF: Felix Imendörffer
* Re: [PATCH 1/2] libertas: don't exit from lbs_ibss_join_existing() with RCU read lock held
From: Kalle Valo @ 2020-01-26 15:14 UTC
To: Nicolai Stange
Cc: David S. Miller, Wen Huang, Nicolai Stange, libertas-dev, linux-wireless, netdev, linux-kernel, Takashi Iwai, Miroslav Benes

Nicolai Stange <nstange@suse.de> wrote:

> Commit e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss
> descriptor") introduced a bounds check on the number of supplied rates to
> lbs_ibss_join_existing().
>
> Unfortunately, it introduced a return path from within a RCU read side
> critical section without a corresponding rcu_read_unlock(). Fix this.
>
> Fixes: e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss
> descriptor")
> Signed-off-by: Nicolai Stange <nstange@suse.de>

I'll queue these to v5.5, unless Linus releases the final today and then they will go to v5.6.

--
https://patchwork.kernel.org/patch/11331869/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
* Re: [PATCH 1/2] libertas: don't exit from lbs_ibss_join_existing() with RCU read lock held
From: Kalle Valo @ 2020-01-27 14:37 UTC
To: Nicolai Stange
Cc: David S. Miller, Wen Huang, Nicolai Stange, libertas-dev, linux-wireless, netdev, linux-kernel, Takashi Iwai, Miroslav Benes

Nicolai Stange <nstange@suse.de> wrote:

> Commit e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss
> descriptor") introduced a bounds check on the number of supplied rates to
> lbs_ibss_join_existing().
>
> Unfortunately, it introduced a return path from within a RCU read side
> critical section without a corresponding rcu_read_unlock(). Fix this.
>
> Fixes: e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss descriptor")
> Signed-off-by: Nicolai Stange <nstange@suse.de>

2 patches applied to wireless-drivers.git, thanks.

c7bf1fb7ddca libertas: don't exit from lbs_ibss_join_existing() with RCU read lock held
1754c4f60aaf libertas: make lbs_ibss_join_existing() return error code on rates overflow

--
https://patchwork.kernel.org/patch/11331869/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
* [PATCH 2/2] libertas: make lbs_ibss_join_existing() return error code on rates overflow 2020-01-14 10:39 ` [PATCH 0/2] libertas: fix rates overflow code path in lbs_ibss_join_existing() Nicolai Stange 2020-01-14 10:39 ` [PATCH 1/2] libertas: don't exit from lbs_ibss_join_existing() with RCU read lock held Nicolai Stange @ 2020-01-14 10:39 ` Nicolai Stange 2020-01-14 13:44 ` Kalle Valo 1 sibling, 1 reply; 8+ messages in thread From: Nicolai Stange @ 2020-01-14 10:39 UTC (permalink / raw) To: Kalle Valo Cc: David S. Miller, Wen Huang, Nicolai Stange, libertas-dev, linux-wireless, netdev, linux-kernel, Takashi Iwai, Miroslav Benes Commit e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss descriptor") introduced a bounds check on the number of supplied rates to lbs_ibss_join_existing() and made it to return on overflow. However, the aforementioned commit doesn't set the return value accordingly and thus, lbs_ibss_join_existing() would return with zero even though it failed. Make lbs_ibss_join_existing return -EINVAL in case the bounds check on the number of supplied rates fails. Fixes: e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss descriptor") Signed-off-by: Nicolai Stange <nstange@suse.de> --- drivers/net/wireless/marvell/libertas/cfg.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/net/wireless/marvell/libertas/cfg.c b/drivers/net/wireless/marvell/libertas/cfg.c index 68985d766349..4e3de684928b 100644 --- a/drivers/net/wireless/marvell/libertas/cfg.c +++ b/drivers/net/wireless/marvell/libertas/cfg.c @@ -1786,6 +1786,7 @@ static int lbs_ibss_join_existing(struct lbs_private *priv, if (rates_max > MAX_RATES) { lbs_deb_join("invalid rates"); rcu_read_unlock(); + ret = -EINVAL; goto out; } rates = cmd.bss.rates; -- 2.16.4 ^ permalink raw reply related [flat|nested] 8+ messages in thread
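Review bot: the `rates_max > MAX_RATES` branch now fails the join with -EINVAL, but the only diagnostic is still the fixed string in `lbs_deb_join("invalid rates");`, which does not say what length the rates element carried. Since `rates_max` is taken from `rates_eid[1]`, a length byte supplied by the peer's BSS descriptor, consider including `rates_max` and `MAX_RATES` in that message so a rejected join can be traced to the offending element. As a smaller point, assigning `ret` before `rcu_read_unlock()` would keep the error setup together and leave the unlock as the last statement ahead of `goto out`.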
* Re: [PATCH 2/2] libertas: make lbs_ibss_join_existing() return error code on rates overflow
From: Kalle Valo @ 2020-01-14 13:44 UTC
To: Nicolai Stange
Cc: David S. Miller, Wen Huang, libertas-dev, linux-wireless, netdev, linux-kernel, Takashi Iwai, Miroslav Benes

Nicolai Stange <nstange@suse.de> writes:

> Commit e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss
> descriptor") introduced a bounds check on the number of supplied rates to
> lbs_ibss_join_existing() and made it to return on overflow.
>
> However, the aforementioned commit doesn't set the return value accordingly
> and thus, lbs_ibss_join_existing() would return with zero even though it
> failed.
>
> Make lbs_ibss_join_existing return -EINVAL in case the bounds check on the
> number of supplied rates fails.
>
> Fixes: e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss
> descriptor")

This should be in one line, I'll fix it during commit.

--
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches