| Message ID | 20200114103903.2336-2-nstange@suse.de (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | c7bf1fb7ddca331780b9a733ae308737b39f1ad4 |
| Delegated to: | Kalle Valo |
| Headers | show |
| Series | libertas: fix rates overflow code path in lbs_ibss_join_existing() | expand |
Nicolai Stange <nstange@suse.de> writes: > Commit e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss > descriptor") introduced a bounds check on the number of supplied rates to > lbs_ibss_join_existing(). > > Unfortunately, it introduced a return path from within a RCU read side > critical section without a corresponding rcu_read_unlock(). Fix this. > > Fixes: e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss > descriptor") This should be in one line, I'll fix it during commit.
Kalle Valo <kvalo@codeaurora.org> writes: > Nicolai Stange <nstange@suse.de> writes: > >> Commit e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss >> descriptor") introduced a bounds check on the number of supplied rates to >> lbs_ibss_join_existing(). >> >> Unfortunately, it introduced a return path from within a RCU read side >> critical section without a corresponding rcu_read_unlock(). Fix this. >> >> Fixes: e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss >> descriptor") > > This should be in one line, I'll fix it during commit. Thanks!
Nicolai Stange <nstange@suse.de> wrote: > Commit e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss > descriptor") introduced a bounds check on the number of supplied rates to > lbs_ibss_join_existing(). > > Unfortunately, it introduced a return path from within a RCU read side > critical section without a corresponding rcu_read_unlock(). Fix this. > > Fixes: e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss > descriptor") > Signed-off-by: Nicolai Stange <nstange@suse.de> I'll queue these to v5.5, unless Linus releases the final today and then they will go to v5.6.
Nicolai Stange <nstange@suse.de> wrote: > Commit e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss > descriptor") introduced a bounds check on the number of supplied rates to > lbs_ibss_join_existing(). > > Unfortunately, it introduced a return path from within a RCU read side > critical section without a corresponding rcu_read_unlock(). Fix this. > > Fixes: e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss descriptor") > Signed-off-by: Nicolai Stange <nstange@suse.de> 2 patches applied to wireless-drivers.git, thanks. c7bf1fb7ddca libertas: don't exit from lbs_ibss_join_existing() with RCU read lock held 1754c4f60aaf libertas: make lbs_ibss_join_existing() return error code on rates overflow
diff --git a/drivers/net/wireless/marvell/libertas/cfg.c b/drivers/net/wireless/marvell/libertas/cfg.c index c9401c121a14..68985d766349 100644 --- a/drivers/net/wireless/marvell/libertas/cfg.c +++ b/drivers/net/wireless/marvell/libertas/cfg.c @@ -1785,6 +1785,7 @@ static int lbs_ibss_join_existing(struct lbs_private *priv, rates_max = rates_eid[1]; if (rates_max > MAX_RATES) { lbs_deb_join("invalid rates"); + rcu_read_unlock(); goto out; } rates = cmd.bss.rates;
Commit e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss descriptor") introduced a bounds check on the number of supplied rates to lbs_ibss_join_existing(). Unfortunately, it introduced a return path from within a RCU read side critical section without a corresponding rcu_read_unlock(). Fix this. Fixes: e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss descriptor") Signed-off-by: Nicolai Stange <nstange@suse.de> --- drivers/net/wireless/marvell/libertas/cfg.c | 1 + 1 file changed, 1 insertion(+)