diff mbox series

[v5.15] wifi: mac80211: check basic rates validity

Message ID 20240727125033.1774143-1-vincenzo.mezzela@gmail.com
State Superseded
Headers show
Series [v5.15] wifi: mac80211: check basic rates validity | expand

Commit Message

Vincenzo Mezzela July 27, 2024, 12:50 p.m. UTC 
From: Johannes Berg <johannes.berg@intel.com>

commit ce04abc3fcc62cd5640af981ebfd7c4dc3bded28 upstream.

When userspace sets basic rates, it might send us some rates
list that's empty or consists of invalid values only. We're
currently ignoring invalid values and then may end up with a
rates bitmap that's empty, which later results in a warning.

Reject the call if there were no valid rates.

[ Conflict resolution involved adjusting the patch to accommodate
changes in the function signature of ieee80211_parse_bitrates,
specifically the updated first parameter ]

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Reported-by: syzbot+19013115c9786bfd0c4e@syzkaller.appspotmail.com
Tested-by: syzbot+19013115c9786bfd0c4e@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=19013115c9786bfd0c4e
Signed-off-by: Vincenzo Mezzela <vincenzo.mezzela@gmail.com>
---
 net/mac80211/cfg.c | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

Comments

Greg KH July 29, 2024, 10:50 a.m. UTC | #1 
On Sat, Jul 27, 2024 at 02:50:33PM +0200, Vincenzo Mezzela wrote:
> From: Johannes Berg <johannes.berg@intel.com>
> 
> commit ce04abc3fcc62cd5640af981ebfd7c4dc3bded28 upstream.
> 
> When userspace sets basic rates, it might send us some rates
> list that's empty or consists of invalid values only. We're
> currently ignoring invalid values and then may end up with a
> rates bitmap that's empty, which later results in a warning.
> 
> Reject the call if there were no valid rates.
> 
> [ Conflict resolution involved adjusting the patch to accommodate
> changes in the function signature of ieee80211_parse_bitrates,
> specifically the updated first parameter ]
> 
> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
> Reported-by: syzbot+19013115c9786bfd0c4e@syzkaller.appspotmail.com
> Tested-by: syzbot+19013115c9786bfd0c4e@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=19013115c9786bfd0c4e
> Signed-off-by: Vincenzo Mezzela <vincenzo.mezzela@gmail.com>
> ---
>  net/mac80211/cfg.c | 21 +++++++++++----------
>  1 file changed, 11 insertions(+), 10 deletions(-)
> 

We can't take a patch for 5.15 without it also being in 6.1.y for
obvious reasons.  Please provide a working version for that branch
first, and then resend this backport and we will be glad to queue it up.

thanks,

greg k-h
diff mbox series

Patch

diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index f277ce839ddb..85abd3ff07b4 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -2339,6 +2339,17 @@  static int ieee80211_change_bss(struct wiphy *wiphy,
 	if (!sband)
 		return -EINVAL;
 
+	if (params->basic_rates) {
+		if (!ieee80211_parse_bitrates(&sdata->vif.bss_conf.chandef,
+					      wiphy->bands[sband->band],
+					      params->basic_rates,
+					      params->basic_rates_len,
+					      &sdata->vif.bss_conf.basic_rates))
+			return -EINVAL;
+		changed |= BSS_CHANGED_BASIC_RATES;
+		ieee80211_check_rate_mask(sdata);
+	}
+
 	if (params->use_cts_prot >= 0) {
 		sdata->vif.bss_conf.use_cts_prot = params->use_cts_prot;
 		changed |= BSS_CHANGED_ERP_CTS_PROT;
@@ -2362,16 +2373,6 @@  static int ieee80211_change_bss(struct wiphy *wiphy,
 		changed |= BSS_CHANGED_ERP_SLOT;
 	}
 
-	if (params->basic_rates) {
-		ieee80211_parse_bitrates(&sdata->vif.bss_conf.chandef,
-					 wiphy->bands[sband->band],
-					 params->basic_rates,
-					 params->basic_rates_len,
-					 &sdata->vif.bss_conf.basic_rates);
-		changed |= BSS_CHANGED_BASIC_RATES;
-		ieee80211_check_rate_mask(sdata);
-	}
-
 	if (params->ap_isolate >= 0) {
 		if (params->ap_isolate)
 			sdata->flags |= IEEE80211_SDATA_DONT_BRIDGE_PACKETS;