Netdev Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH 0/2] libertas: fix rates overflow code path in lbs_ibss_join_existing()
       [not found] <87woa04t2v.fsf@suse.de>
@ 2020-01-14 10:39 ` Nicolai Stange
  2020-01-14 10:39   ` [PATCH 1/2] libertas: don't exit from lbs_ibss_join_existing() with RCU read lock held Nicolai Stange
  2020-01-14 10:39   ` [PATCH 2/2] libertas: make lbs_ibss_join_existing() return error code on rates overflow Nicolai Stange
  0 siblings, 2 replies; 6+ messages in thread
From: Nicolai Stange @ 2020-01-14 10:39 UTC (permalink / raw)
  To: Kalle Valo
  Cc: David S. Miller, Wen Huang, Nicolai Stange, libertas-dev,
	linux-wireless, netdev, linux-kernel, Takashi Iwai,
	Miroslav Benes

Hi,

these two patches here attempt to cleanup two related issues ([1])
introduced with commit e5e884b42639 ("libertas: Fix two buffer overflows
at parsing bss descriptor"), currently queued at the  wireless-drivers
tree.

Feel free to squash this into one commit.

I don't own the hardware and did some compile-testing on x86_64 only.

Thanks,

Nicolai

[1] https://lkml.kernel.org/r/87woa04t2v.fsf@suse.de


Nicolai Stange (2):
  libertas: don't exit from lbs_ibss_join_existing() with RCU read lock
    held
  libertas: make lbs_ibss_join_existing() return error code on rates
    overflow

 drivers/net/wireless/marvell/libertas/cfg.c | 2 ++
 1 file changed, 2 insertions(+)

-- 
2.16.4


^ permalink raw reply	[flat|nested] 6+ messages in thread

* [PATCH 1/2] libertas: don't exit from lbs_ibss_join_existing() with RCU read lock held
  2020-01-14 10:39 ` [PATCH 0/2] libertas: fix rates overflow code path in lbs_ibss_join_existing() Nicolai Stange
@ 2020-01-14 10:39   ` Nicolai Stange
  2020-01-14 13:43     ` Kalle Valo
  2020-01-14 10:39   ` [PATCH 2/2] libertas: make lbs_ibss_join_existing() return error code on rates overflow Nicolai Stange
  1 sibling, 1 reply; 6+ messages in thread
From: Nicolai Stange @ 2020-01-14 10:39 UTC (permalink / raw)
  To: Kalle Valo
  Cc: David S. Miller, Wen Huang, Nicolai Stange, libertas-dev,
	linux-wireless, netdev, linux-kernel, Takashi Iwai,
	Miroslav Benes

Commit e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss
descriptor") introduced a bounds check on the number of supplied rates to
lbs_ibss_join_existing().

Unfortunately, it introduced a return path from within a RCU read side
critical section without a corresponding rcu_read_unlock(). Fix this.

Fixes: e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss
                      descriptor")
Signed-off-by: Nicolai Stange <nstange@suse.de>
---
 drivers/net/wireless/marvell/libertas/cfg.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/wireless/marvell/libertas/cfg.c b/drivers/net/wireless/marvell/libertas/cfg.c
index c9401c121a14..68985d766349 100644
--- a/drivers/net/wireless/marvell/libertas/cfg.c
+++ b/drivers/net/wireless/marvell/libertas/cfg.c
@@ -1785,6 +1785,7 @@ static int lbs_ibss_join_existing(struct lbs_private *priv,
 		rates_max = rates_eid[1];
 		if (rates_max > MAX_RATES) {
 			lbs_deb_join("invalid rates");
+			rcu_read_unlock();
 			goto out;
 		}
 		rates = cmd.bss.rates;
-- 
2.16.4


^ permalink raw reply	[flat|nested] 6+ messages in thread

* [PATCH 2/2] libertas: make lbs_ibss_join_existing() return error code on rates overflow
  2020-01-14 10:39 ` [PATCH 0/2] libertas: fix rates overflow code path in lbs_ibss_join_existing() Nicolai Stange
  2020-01-14 10:39   ` [PATCH 1/2] libertas: don't exit from lbs_ibss_join_existing() with RCU read lock held Nicolai Stange
@ 2020-01-14 10:39   ` Nicolai Stange
  2020-01-14 13:44     ` Kalle Valo
  1 sibling, 1 reply; 6+ messages in thread
From: Nicolai Stange @ 2020-01-14 10:39 UTC (permalink / raw)
  To: Kalle Valo
  Cc: David S. Miller, Wen Huang, Nicolai Stange, libertas-dev,
	linux-wireless, netdev, linux-kernel, Takashi Iwai,
	Miroslav Benes

Commit e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss
descriptor") introduced a bounds check on the number of supplied rates to
lbs_ibss_join_existing() and made it to return on overflow.

However, the aforementioned commit doesn't set the return value accordingly
and thus, lbs_ibss_join_existing() would return with zero even though it
failed.

Make lbs_ibss_join_existing return -EINVAL in case the bounds check on the
number of supplied rates fails.

Fixes: e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss
                      descriptor")
Signed-off-by: Nicolai Stange <nstange@suse.de>
---
 drivers/net/wireless/marvell/libertas/cfg.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/wireless/marvell/libertas/cfg.c b/drivers/net/wireless/marvell/libertas/cfg.c
index 68985d766349..4e3de684928b 100644
--- a/drivers/net/wireless/marvell/libertas/cfg.c
+++ b/drivers/net/wireless/marvell/libertas/cfg.c
@@ -1786,6 +1786,7 @@ static int lbs_ibss_join_existing(struct lbs_private *priv,
 		if (rates_max > MAX_RATES) {
 			lbs_deb_join("invalid rates");
 			rcu_read_unlock();
+			ret = -EINVAL;
 			goto out;
 		}
 		rates = cmd.bss.rates;
-- 
2.16.4


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH 1/2] libertas: don't exit from lbs_ibss_join_existing() with RCU read lock held
  2020-01-14 10:39   ` [PATCH 1/2] libertas: don't exit from lbs_ibss_join_existing() with RCU read lock held Nicolai Stange
@ 2020-01-14 13:43     ` Kalle Valo
  2020-01-15  6:21       ` Nicolai Stange
  0 siblings, 1 reply; 6+ messages in thread
From: Kalle Valo @ 2020-01-14 13:43 UTC (permalink / raw)
  To: Nicolai Stange
  Cc: David S. Miller, Wen Huang, libertas-dev, linux-wireless, netdev,
	linux-kernel, Takashi Iwai, Miroslav Benes

Nicolai Stange <nstange@suse.de> writes:

> Commit e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss
> descriptor") introduced a bounds check on the number of supplied rates to
> lbs_ibss_join_existing().
>
> Unfortunately, it introduced a return path from within a RCU read side
> critical section without a corresponding rcu_read_unlock(). Fix this.
>
> Fixes: e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss
>                       descriptor")

This should be in one line, I'll fix it during commit.

-- 
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH 2/2] libertas: make lbs_ibss_join_existing() return error code on rates overflow
  2020-01-14 10:39   ` [PATCH 2/2] libertas: make lbs_ibss_join_existing() return error code on rates overflow Nicolai Stange
@ 2020-01-14 13:44     ` Kalle Valo
  0 siblings, 0 replies; 6+ messages in thread
From: Kalle Valo @ 2020-01-14 13:44 UTC (permalink / raw)
  To: Nicolai Stange
  Cc: David S. Miller, Wen Huang, libertas-dev, linux-wireless, netdev,
	linux-kernel, Takashi Iwai, Miroslav Benes

Nicolai Stange <nstange@suse.de> writes:

> Commit e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss
> descriptor") introduced a bounds check on the number of supplied rates to
> lbs_ibss_join_existing() and made it to return on overflow.
>
> However, the aforementioned commit doesn't set the return value accordingly
> and thus, lbs_ibss_join_existing() would return with zero even though it
> failed.
>
> Make lbs_ibss_join_existing return -EINVAL in case the bounds check on the
> number of supplied rates fails.
>
> Fixes: e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss
>                       descriptor")

This should be in one line, I'll fix it during commit.

-- 
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH 1/2] libertas: don't exit from lbs_ibss_join_existing() with RCU read lock held
  2020-01-14 13:43     ` Kalle Valo
@ 2020-01-15  6:21       ` Nicolai Stange
  0 siblings, 0 replies; 6+ messages in thread
From: Nicolai Stange @ 2020-01-15  6:21 UTC (permalink / raw)
  To: Kalle Valo
  Cc: Nicolai Stange, David S. Miller, Wen Huang, libertas-dev,
	linux-wireless, netdev, linux-kernel, Takashi Iwai,
	Miroslav Benes

Kalle Valo <kvalo@codeaurora.org> writes:

> Nicolai Stange <nstange@suse.de> writes:
>
>> Commit e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss
>> descriptor") introduced a bounds check on the number of supplied rates to
>> lbs_ibss_join_existing().
>>
>> Unfortunately, it introduced a return path from within a RCU read side
>> critical section without a corresponding rcu_read_unlock(). Fix this.
>>
>> Fixes: e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss
>>                       descriptor")
>
> This should be in one line, I'll fix it during commit.

Thanks!

-- 
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
(HRB 36809, AG Nürnberg), GF: Felix Imendörffer

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, back to index

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
     [not found] <87woa04t2v.fsf@suse.de>
2020-01-14 10:39 ` [PATCH 0/2] libertas: fix rates overflow code path in lbs_ibss_join_existing() Nicolai Stange
2020-01-14 10:39   ` [PATCH 1/2] libertas: don't exit from lbs_ibss_join_existing() with RCU read lock held Nicolai Stange
2020-01-14 13:43     ` Kalle Valo
2020-01-15  6:21       ` Nicolai Stange
2020-01-14 10:39   ` [PATCH 2/2] libertas: make lbs_ibss_join_existing() return error code on rates overflow Nicolai Stange
2020-01-14 13:44     ` Kalle Valo

Netdev Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/netdev/0 netdev/git/0.git
	git clone --mirror https://lore.kernel.org/netdev/1 netdev/git/1.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 netdev netdev/ https://lore.kernel.org/netdev \
		netdev@vger.kernel.org
	public-inbox-index netdev

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.netdev


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git