diff mbox series

[v5.15,RESEND] wifi: mac80211: check basic rates validity

Message ID 20240810095432.89063-1-vincenzo.mezzela@gmail.com
State New
Headers show
Series [v5.15,RESEND] wifi: mac80211: check basic rates validity | expand

Commit Message

Vincenzo Mezzela Aug. 10, 2024, 9:54 a.m. UTC
From: Johannes Berg <johannes.berg@intel.com>

commit ce04abc3fcc62cd5640af981ebfd7c4dc3bded28 upstream.

When userspace sets basic rates, it might send us some rates
list that's empty or consists of invalid values only. We're
currently ignoring invalid values and then may end up with a
rates bitmap that's empty, which later results in a warning.

Reject the call if there were no valid rates.

[ Conflict resolution involved adjusting the patch to accommodate
changes in the function signature of ieee80211_parse_bitrates,
specifically the updated first parameter ]

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Reported-by: syzbot+19013115c9786bfd0c4e@syzkaller.appspotmail.com
Tested-by: syzbot+19013115c9786bfd0c4e@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=19013115c9786bfd0c4e
Signed-off-by: Vincenzo Mezzela <vincenzo.mezzela@gmail.com>
---
Hi,
I'm resending the backport for v5.15 [1], following the one I previously
sent for v6.1 [2].

Best regards,
Vincenzo

- [1] https://lore.kernel.org/all/20240727125033.1774143-1-vincenzo.mezzela@gmail.com/
- [2] https://lore.kernel.org/all/20240729134318.291424-1-vincenzo.mezzela@gmail.com/

 net/mac80211/cfg.c | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

Comments

Greg Kroah-Hartman Aug. 13, 2024, 10:48 a.m. UTC | #1
On Sat, Aug 10, 2024 at 11:54:31AM +0200, Vincenzo Mezzela wrote:
> From: Johannes Berg <johannes.berg@intel.com>
> 
> commit ce04abc3fcc62cd5640af981ebfd7c4dc3bded28 upstream.
> 
> When userspace sets basic rates, it might send us some rates
> list that's empty or consists of invalid values only. We're
> currently ignoring invalid values and then may end up with a
> rates bitmap that's empty, which later results in a warning.
> 
> Reject the call if there were no valid rates.
> 
> [ Conflict resolution involved adjusting the patch to accommodate
> changes in the function signature of ieee80211_parse_bitrates,
> specifically the updated first parameter ]
> 
> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
> Reported-by: syzbot+19013115c9786bfd0c4e@syzkaller.appspotmail.com
> Tested-by: syzbot+19013115c9786bfd0c4e@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=19013115c9786bfd0c4e
> Signed-off-by: Vincenzo Mezzela <vincenzo.mezzela@gmail.com>
> ---
> Hi,
> I'm resending the backport for v5.15 [1], following the one I previously
> sent for v6.1 [2].

Now queued up, thanks.

greg k-h
diff mbox series

Patch

diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index f277ce839ddb..85abd3ff07b4 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -2339,6 +2339,17 @@  static int ieee80211_change_bss(struct wiphy *wiphy,
 	if (!sband)
 		return -EINVAL;
 
+	if (params->basic_rates) {
+		if (!ieee80211_parse_bitrates(&sdata->vif.bss_conf.chandef,
+					      wiphy->bands[sband->band],
+					      params->basic_rates,
+					      params->basic_rates_len,
+					      &sdata->vif.bss_conf.basic_rates))
+			return -EINVAL;
+		changed |= BSS_CHANGED_BASIC_RATES;
+		ieee80211_check_rate_mask(sdata);
+	}
+
 	if (params->use_cts_prot >= 0) {
 		sdata->vif.bss_conf.use_cts_prot = params->use_cts_prot;
 		changed |= BSS_CHANGED_ERP_CTS_PROT;
@@ -2362,16 +2373,6 @@  static int ieee80211_change_bss(struct wiphy *wiphy,
 		changed |= BSS_CHANGED_ERP_SLOT;
 	}
 
-	if (params->basic_rates) {
-		ieee80211_parse_bitrates(&sdata->vif.bss_conf.chandef,
-					 wiphy->bands[sband->band],
-					 params->basic_rates,
-					 params->basic_rates_len,
-					 &sdata->vif.bss_conf.basic_rates);
-		changed |= BSS_CHANGED_BASIC_RATES;
-		ieee80211_check_rate_mask(sdata);
-	}
-
 	if (params->ap_isolate >= 0) {
 		if (params->ap_isolate)
 			sdata->flags |= IEEE80211_SDATA_DONT_BRIDGE_PACKETS;