From patchwork Tue Sep 1 22:12:11 2009 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bob Copeland X-Patchwork-Id: 45106 Received: from vger.kernel.org (vger.kernel.org [209.132.176.167]) by demeter.kernel.org (8.14.2/8.14.2) with ESMTP id n81MFFNM019921 for ; Tue, 1 Sep 2009 22:15:16 GMT Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755243AbZIAWPL (ORCPT ); Tue, 1 Sep 2009 18:15:11 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1755241AbZIAWPL (ORCPT ); Tue, 1 Sep 2009 18:15:11 -0400 Received: from mail.deathmatch.net ([72.66.92.28]:3525 "EHLO mail.deathmatch.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755236AbZIAWPK (ORCPT ); Tue, 1 Sep 2009 18:15:10 -0400 Received: from hash ([72.83.200.195]) (authenticated user bob@bobcopeland.com) by mail.deathmatch.net (using TLSv1/SSLv3 with cipher AES256-SHA (256 bits)); Tue, 1 Sep 2009 18:12:54 -0400 Received: from bob by hash with local (Exim 4.69) (envelope-from ) id 1MibaF-00057J-Ki; Tue, 01 Sep 2009 18:12:11 -0400 From: Bob Copeland To: linville@tuxdriver.com, johannes@sipsolutions.net Cc: linux-wireless@vger.kernel.org, Bob Copeland , stable@kernel.org Subject: [PATCH] cfg80211: fix looping soft lockup in find_ie() Date: Tue, 1 Sep 2009 18:12:11 -0400 Message-Id: <1251843131-19655-1-git-send-email-me@bobcopeland.com> X-Mailer: git-send-email 1.5.4.1 Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org The find_ie() function uses a size_t for the len parameter, and directly uses len as a loop variable. If any received packets are malformed, it is possible for the decrease of len to overflow, and since the result is unsigned, the loop will not terminate. Change it to a signed int so the loop conditional works for negative values. This fixes the following soft lockup: [38573.102007] BUG: soft lockup - CPU#0 stuck for 61s! [phy0:2230] [38573.102007] Modules linked in: aes_i586 aes_generic fuse af_packet ipt_REJECT xt_tcpudp nf_conntrack_ipv4 nf_defrag_ipv4 xt_state iptable_filter ip_tables x_tables acpi_cpufreq binfmt_misc dm_mirror dm_region_hash dm_log dm_multipath dm_mod kvm_intel kvm uinput i915 arc4 ecb drm snd_hda_codec_idt ath5k snd_hda_intel hid_apple mac80211 usbhid appletouch snd_hda_codec snd_pcm ath cfg80211 snd_timer i2c_algo_bit ohci1394 video snd processor ieee1394 rfkill ehci_hcd sg sky2 backlight snd_page_alloc uhci_hcd joydev output ac thermal button battery sr_mod applesmc cdrom input_polldev evdev unix [last unloaded: scsi_wait_scan] [38573.102007] irq event stamp: 2547724535 [38573.102007] hardirqs last enabled at (2547724534): [] restore_all_notrace+0x0/0x18 [38573.102007] hardirqs last disabled at (2547724535): [] apic_timer_interrupt+0x28/0x34 [38573.102007] softirqs last enabled at (92950144): [] __do_softirq+0x108/0x210 [38573.102007] softirqs last disabled at (92950274): [] _spin_lock_bh+0x14/0x80 [38573.102007] [38573.102007] Pid: 2230, comm: phy0 Tainted: G W (2.6.31-rc7-wl #8) MacBook1,1 [38573.102007] EIP: 0060:[] EFLAGS: 00010292 CPU: 0 [38573.102007] EIP is at cmp_ies+0x30/0x180 [cfg80211] [38573.102007] EAX: 00000082 EBX: 00000000 ECX: ffffffc1 EDX: d8efd014 [38573.102007] ESI: ffffff7c EDI: 0000004d EBP: eee2dc50 ESP: eee2dc3c [38573.102007] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 [38573.102007] CR0: 8005003b CR2: d8efd014 CR3: 01694000 CR4: 000026d0 [38573.102007] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000 [38573.102007] DR6: ffff0ff0 DR7: 00000400 [38573.102007] Call Trace: [38573.102007] [] cmp_bss+0xed/0x100 [cfg80211] [38573.102007] [] cfg80211_bss_update+0x84/0x410 [cfg80211] [38573.102007] [] cfg80211_inform_bss_frame+0x114/0x180 [cfg80211] [38573.102007] [] ieee80211_bss_info_update+0x4f/0x180 [mac80211] [38573.102007] [] ieee80211_rx_bss_info+0x88/0xf0 [mac80211] [38573.102007] [] ? ieee802_11_parse_elems+0x27/0x30 [mac80211] [38573.102007] [] ieee80211_rx_mgmt_probe_resp+0xa4/0x1c0 [mac80211] [38573.102007] [] ieee80211_sta_rx_queued_mgmt+0x919/0xc50 [mac80211] [38573.102007] [] ? sched_clock+0x27/0xa0 [38573.102007] [] ? sched_clock+0x27/0xa0 [38573.102007] [] ? mark_held_locks+0x60/0x80 [38573.102007] [] ? _spin_unlock_irqrestore+0x55/0x70 [38573.102007] [] ? sub_preempt_count+0x85/0xc0 [38573.102007] [] ? _spin_unlock_irqrestore+0x3e/0x70 [38573.102007] [] ? skb_dequeue+0x4f/0x70 [38573.102007] [] ieee80211_sta_work+0x91/0xb80 [mac80211] [38573.102007] [] ? sched_clock+0x27/0xa0 [38573.102007] [] ? sub_preempt_count+0x85/0xc0 [38573.102007] [] worker_thread+0x18f/0x320 [38573.102007] [] ? worker_thread+0x12e/0x320 [38573.102007] [] ? _spin_unlock_irqrestore+0x55/0x70 [38573.102007] [] ? ieee80211_sta_work+0x0/0xb80 [mac80211] [38573.102007] [] ? autoremove_wake_function+0x0/0x50 [38573.102007] [] ? worker_thread+0x0/0x320 [38573.102007] [] kthread+0x84/0x90 [38573.102007] [] ? kthread+0x0/0x90 [38573.102007] [] kernel_thread_helper+0x7/0x10 Cc: stable@kernel.org Signed-off-by: Bob Copeland --- net/wireless/scan.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/net/wireless/scan.c b/net/wireless/scan.c index 7043de6..19c5a9a 100644 --- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -141,7 +141,7 @@ void cfg80211_bss_expire(struct cfg80211_registered_device *dev) dev->bss_generation++; } -static u8 *find_ie(u8 num, u8 *ies, size_t len) +static u8 *find_ie(u8 num, u8 *ies, int len) { while (len > 2 && ies[0] != num) { len -= ies[1] + 2;