* [PATCH 0/2] libertas: fix rates overflow code path in lbs_ibss_join_existing()
[not found] <87woa04t2v.fsf@suse.de>
@ 2020-01-14 10:39 ` Nicolai Stange
2020-01-14 10:39 ` [PATCH 1/2] libertas: don't exit from lbs_ibss_join_existing() with RCU read lock held Nicolai Stange
2020-01-14 10:39 ` [PATCH 2/2] libertas: make lbs_ibss_join_existing() return error code on rates overflow Nicolai Stange
0 siblings, 2 replies; 8+ messages in thread
From: Nicolai Stange @ 2020-01-14 10:39 UTC (permalink / raw)
To: Kalle Valo
Cc: David S. Miller, Wen Huang, Nicolai Stange, libertas-dev,
linux-wireless, netdev, linux-kernel, Takashi Iwai,
Miroslav Benes
Hi,
these two patches here attempt to cleanup two related issues ([1])
introduced with commit e5e884b42639 ("libertas: Fix two buffer overflows
at parsing bss descriptor"), currently queued at the wireless-drivers
tree.
Feel free to squash this into one commit.
I don't own the hardware and did some compile-testing on x86_64 only.
Thanks,
Nicolai
[1] https://lkml.kernel.org/r/87woa04t2v.fsf@suse.de
Nicolai Stange (2):
libertas: don't exit from lbs_ibss_join_existing() with RCU read lock
held
libertas: make lbs_ibss_join_existing() return error code on rates
overflow
drivers/net/wireless/marvell/libertas/cfg.c | 2 ++
1 file changed, 2 insertions(+)
--
2.16.4
^ permalink raw reply [flat|nested] 8+ messages in thread
* [PATCH 1/2] libertas: don't exit from lbs_ibss_join_existing() with RCU read lock held
2020-01-14 10:39 ` [PATCH 0/2] libertas: fix rates overflow code path in lbs_ibss_join_existing() Nicolai Stange
@ 2020-01-14 10:39 ` Nicolai Stange
2020-01-14 13:43 ` Kalle Valo
` (2 more replies)
2020-01-14 10:39 ` [PATCH 2/2] libertas: make lbs_ibss_join_existing() return error code on rates overflow Nicolai Stange
1 sibling, 3 replies; 8+ messages in thread
From: Nicolai Stange @ 2020-01-14 10:39 UTC (permalink / raw)
To: Kalle Valo
Cc: David S. Miller, Wen Huang, Nicolai Stange, libertas-dev,
linux-wireless, netdev, linux-kernel, Takashi Iwai,
Miroslav Benes
Commit e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss
descriptor") introduced a bounds check on the number of supplied rates to
lbs_ibss_join_existing().
Unfortunately, it introduced a return path from within a RCU read side
critical section without a corresponding rcu_read_unlock(). Fix this.
Fixes: e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss
descriptor")
Signed-off-by: Nicolai Stange <nstange@suse.de>
---
drivers/net/wireless/marvell/libertas/cfg.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/wireless/marvell/libertas/cfg.c b/drivers/net/wireless/marvell/libertas/cfg.c
index c9401c121a14..68985d766349 100644
--- a/drivers/net/wireless/marvell/libertas/cfg.c
+++ b/drivers/net/wireless/marvell/libertas/cfg.c
@@ -1785,6 +1785,7 @@ static int lbs_ibss_join_existing(struct lbs_private *priv,
rates_max = rates_eid[1];
if (rates_max > MAX_RATES) {
lbs_deb_join("invalid rates");
+ rcu_read_unlock();
goto out;
}
rates = cmd.bss.rates;
--
2.16.4
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH 2/2] libertas: make lbs_ibss_join_existing() return error code on rates overflow
2020-01-14 10:39 ` [PATCH 0/2] libertas: fix rates overflow code path in lbs_ibss_join_existing() Nicolai Stange
2020-01-14 10:39 ` [PATCH 1/2] libertas: don't exit from lbs_ibss_join_existing() with RCU read lock held Nicolai Stange
@ 2020-01-14 10:39 ` Nicolai Stange
2020-01-14 13:44 ` Kalle Valo
1 sibling, 1 reply; 8+ messages in thread
From: Nicolai Stange @ 2020-01-14 10:39 UTC (permalink / raw)
To: Kalle Valo
Cc: David S. Miller, Wen Huang, Nicolai Stange, libertas-dev,
linux-wireless, netdev, linux-kernel, Takashi Iwai,
Miroslav Benes
Commit e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss
descriptor") introduced a bounds check on the number of supplied rates to
lbs_ibss_join_existing() and made it to return on overflow.
However, the aforementioned commit doesn't set the return value accordingly
and thus, lbs_ibss_join_existing() would return with zero even though it
failed.
Make lbs_ibss_join_existing return -EINVAL in case the bounds check on the
number of supplied rates fails.
Fixes: e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss
descriptor")
Signed-off-by: Nicolai Stange <nstange@suse.de>
---
drivers/net/wireless/marvell/libertas/cfg.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/wireless/marvell/libertas/cfg.c b/drivers/net/wireless/marvell/libertas/cfg.c
index 68985d766349..4e3de684928b 100644
--- a/drivers/net/wireless/marvell/libertas/cfg.c
+++ b/drivers/net/wireless/marvell/libertas/cfg.c
@@ -1786,6 +1786,7 @@ static int lbs_ibss_join_existing(struct lbs_private *priv,
if (rates_max > MAX_RATES) {
lbs_deb_join("invalid rates");
rcu_read_unlock();
+ ret = -EINVAL;
goto out;
}
rates = cmd.bss.rates;
--
2.16.4
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH 1/2] libertas: don't exit from lbs_ibss_join_existing() with RCU read lock held
2020-01-14 10:39 ` [PATCH 1/2] libertas: don't exit from lbs_ibss_join_existing() with RCU read lock held Nicolai Stange
@ 2020-01-14 13:43 ` Kalle Valo
2020-01-15 6:21 ` Nicolai Stange
2020-01-26 15:14 ` Kalle Valo
2020-01-27 14:37 ` Kalle Valo
2 siblings, 1 reply; 8+ messages in thread
From: Kalle Valo @ 2020-01-14 13:43 UTC (permalink / raw)
To: Nicolai Stange
Cc: David S. Miller, Wen Huang, libertas-dev, linux-wireless, netdev,
linux-kernel, Takashi Iwai, Miroslav Benes
Nicolai Stange <nstange@suse.de> writes:
> Commit e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss
> descriptor") introduced a bounds check on the number of supplied rates to
> lbs_ibss_join_existing().
>
> Unfortunately, it introduced a return path from within a RCU read side
> critical section without a corresponding rcu_read_unlock(). Fix this.
>
> Fixes: e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss
> descriptor")
This should be in one line, I'll fix it during commit.
--
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 2/2] libertas: make lbs_ibss_join_existing() return error code on rates overflow
2020-01-14 10:39 ` [PATCH 2/2] libertas: make lbs_ibss_join_existing() return error code on rates overflow Nicolai Stange
@ 2020-01-14 13:44 ` Kalle Valo
0 siblings, 0 replies; 8+ messages in thread
From: Kalle Valo @ 2020-01-14 13:44 UTC (permalink / raw)
To: Nicolai Stange
Cc: David S. Miller, Wen Huang, libertas-dev, linux-wireless, netdev,
linux-kernel, Takashi Iwai, Miroslav Benes
Nicolai Stange <nstange@suse.de> writes:
> Commit e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss
> descriptor") introduced a bounds check on the number of supplied rates to
> lbs_ibss_join_existing() and made it to return on overflow.
>
> However, the aforementioned commit doesn't set the return value accordingly
> and thus, lbs_ibss_join_existing() would return with zero even though it
> failed.
>
> Make lbs_ibss_join_existing return -EINVAL in case the bounds check on the
> number of supplied rates fails.
>
> Fixes: e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss
> descriptor")
This should be in one line, I'll fix it during commit.
--
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 1/2] libertas: don't exit from lbs_ibss_join_existing() with RCU read lock held
2020-01-14 13:43 ` Kalle Valo
@ 2020-01-15 6:21 ` Nicolai Stange
0 siblings, 0 replies; 8+ messages in thread
From: Nicolai Stange @ 2020-01-15 6:21 UTC (permalink / raw)
To: Kalle Valo
Cc: Nicolai Stange, David S. Miller, Wen Huang, libertas-dev,
linux-wireless, netdev, linux-kernel, Takashi Iwai,
Miroslav Benes
Kalle Valo <kvalo@codeaurora.org> writes:
> Nicolai Stange <nstange@suse.de> writes:
>
>> Commit e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss
>> descriptor") introduced a bounds check on the number of supplied rates to
>> lbs_ibss_join_existing().
>>
>> Unfortunately, it introduced a return path from within a RCU read side
>> critical section without a corresponding rcu_read_unlock(). Fix this.
>>
>> Fixes: e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss
>> descriptor")
>
> This should be in one line, I'll fix it during commit.
Thanks!
--
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
(HRB 36809, AG Nürnberg), GF: Felix Imendörffer
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 1/2] libertas: don't exit from lbs_ibss_join_existing() with RCU read lock held
2020-01-14 10:39 ` [PATCH 1/2] libertas: don't exit from lbs_ibss_join_existing() with RCU read lock held Nicolai Stange
2020-01-14 13:43 ` Kalle Valo
@ 2020-01-26 15:14 ` Kalle Valo
2020-01-27 14:37 ` Kalle Valo
2 siblings, 0 replies; 8+ messages in thread
From: Kalle Valo @ 2020-01-26 15:14 UTC (permalink / raw)
To: Nicolai Stange
Cc: David S. Miller, Wen Huang, Nicolai Stange, libertas-dev,
linux-wireless, netdev, linux-kernel, Takashi Iwai,
Miroslav Benes
Nicolai Stange <nstange@suse.de> wrote:
> Commit e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss
> descriptor") introduced a bounds check on the number of supplied rates to
> lbs_ibss_join_existing().
>
> Unfortunately, it introduced a return path from within a RCU read side
> critical section without a corresponding rcu_read_unlock(). Fix this.
>
> Fixes: e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss
> descriptor")
> Signed-off-by: Nicolai Stange <nstange@suse.de>
I'll queue these to v5.5, unless Linus releases the final today and then they
will go to v5.6.
--
https://patchwork.kernel.org/patch/11331869/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 1/2] libertas: don't exit from lbs_ibss_join_existing() with RCU read lock held
2020-01-14 10:39 ` [PATCH 1/2] libertas: don't exit from lbs_ibss_join_existing() with RCU read lock held Nicolai Stange
2020-01-14 13:43 ` Kalle Valo
2020-01-26 15:14 ` Kalle Valo
@ 2020-01-27 14:37 ` Kalle Valo
2 siblings, 0 replies; 8+ messages in thread
From: Kalle Valo @ 2020-01-27 14:37 UTC (permalink / raw)
To: Nicolai Stange
Cc: David S. Miller, Wen Huang, Nicolai Stange, libertas-dev,
linux-wireless, netdev, linux-kernel, Takashi Iwai,
Miroslav Benes
Nicolai Stange <nstange@suse.de> wrote:
> Commit e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss
> descriptor") introduced a bounds check on the number of supplied rates to
> lbs_ibss_join_existing().
>
> Unfortunately, it introduced a return path from within a RCU read side
> critical section without a corresponding rcu_read_unlock(). Fix this.
>
> Fixes: e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss descriptor")
> Signed-off-by: Nicolai Stange <nstange@suse.de>
2 patches applied to wireless-drivers.git, thanks.
c7bf1fb7ddca libertas: don't exit from lbs_ibss_join_existing() with RCU read lock held
1754c4f60aaf libertas: make lbs_ibss_join_existing() return error code on rates overflow
--
https://patchwork.kernel.org/patch/11331869/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2020-01-27 14:37 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <87woa04t2v.fsf@suse.de>
2020-01-14 10:39 ` [PATCH 0/2] libertas: fix rates overflow code path in lbs_ibss_join_existing() Nicolai Stange
2020-01-14 10:39 ` [PATCH 1/2] libertas: don't exit from lbs_ibss_join_existing() with RCU read lock held Nicolai Stange
2020-01-14 13:43 ` Kalle Valo
2020-01-15 6:21 ` Nicolai Stange
2020-01-26 15:14 ` Kalle Valo
2020-01-27 14:37 ` Kalle Valo
2020-01-14 10:39 ` [PATCH 2/2] libertas: make lbs_ibss_join_existing() return error code on rates overflow Nicolai Stange
2020-01-14 13:44 ` Kalle Valo
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).