[PATCH 4.4 29/50] mac80211: fix use of uninitialised values in RX aggregation

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org,
	Chris Bainbridge <chris.bainbridge@gmail.com>,
	Johannes Berg <johannes.berg@intel.com>
Subject: [PATCH 4.4 29/50] mac80211: fix use of uninitialised values in RX aggregation
Date: Mon, 14 Mar 2016 10:50:47 -0700	[thread overview]
Message-ID: <20160314175017.597460053@linuxfoundation.org> (raw)
In-Reply-To: <20160314175013.403628835@linuxfoundation.org>

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chris Bainbridge <chris.bainbridge@gmail.com>

commit f39ea2690bd61efec97622c48323f40ed6e16317 upstream.

Use kzalloc instead of kmalloc for struct tid_ampdu_rx to
initialize the "removed" field (all others are initialized
manually). That fixes:

UBSAN: Undefined behaviour in net/mac80211/rx.c:932:29
load of value 2 is not a valid value for type '_Bool'
CPU: 3 PID: 1134 Comm: kworker/u16:7 Not tainted 4.5.0-rc1+ #265
Workqueue: phy0 rt2x00usb_work_rxdone
 0000000000000004 ffff880254a7ba50 ffffffff8181d866 0000000000000007
 ffff880254a7ba78 ffff880254a7ba68 ffffffff8188422d ffffffff8379b500
 ffff880254a7bab8 ffffffff81884747 0000000000000202 0000000348620032
Call Trace:
 [<ffffffff8181d866>] dump_stack+0x45/0x5f
 [<ffffffff8188422d>] ubsan_epilogue+0xd/0x40
 [<ffffffff81884747>] __ubsan_handle_load_invalid_value+0x67/0x70
 [<ffffffff82227b4d>] ieee80211_sta_reorder_release.isra.16+0x5ed/0x730
 [<ffffffff8222ca14>] ieee80211_prepare_and_rx_handle+0xd04/0x1c00
 [<ffffffff8222db03>] __ieee80211_rx_handle_packet+0x1f3/0x750
 [<ffffffff8222e4a7>] ieee80211_rx_napi+0x447/0x990

While at it, convert to use sizeof(*tid_agg_rx) instead.

Fixes: 788211d81bfdf ("mac80211: fix RX A-MPDU session reorder timer deletion")
Signed-off-by: Chris Bainbridge <chris.bainbridge@gmail.com>
[reword commit message, use sizeof(*tid_agg_rx)]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/mac80211/agg-rx.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/mac80211/agg-rx.c
+++ b/net/mac80211/agg-rx.c
@@ -291,7 +291,7 @@ void __ieee80211_start_rx_ba_session(str
 	}
 
 	/* prepare A-MPDU MLME for Rx aggregation */
-	tid_agg_rx = kmalloc(sizeof(struct tid_ampdu_rx), GFP_KERNEL);
+	tid_agg_rx = kzalloc(sizeof(*tid_agg_rx), GFP_KERNEL);
 	if (!tid_agg_rx)
 		goto end;

next prev parent reply	other threads:[~2016-03-14 18:16 UTC|newest]

Thread overview: 50+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-03-14 17:50 [PATCH 4.4 00/50] 4.4.6-stable review Greg Kroah-Hartman
2016-03-14 17:50 ` [PATCH 4.4 01/50] arm64: account for sparsemem section alignment when choosing vmemmap offset Greg Kroah-Hartman
2016-03-14 17:50 ` [PATCH 4.4 02/50] ARM: mvebu: fix overlap of Crypto SRAM with PCIe memory window Greg Kroah-Hartman
2016-03-14 17:50 ` [PATCH 4.4 03/50] ARM: dts: dra7: do not gate cpsw clock due to errata i877 Greg Kroah-Hartman
2016-03-14 17:50 ` [PATCH 4.4 04/50] ARM: OMAP2+: hwmod: Introduce ti,no-idle dt property Greg Kroah-Hartman
2016-03-14 17:50 ` [PATCH 4.4 06/50] kvm: cap halt polling at exactly halt_poll_ns Greg Kroah-Hartman
2016-03-14 17:50 ` [PATCH 4.4 08/50] KVM: s390: correct fprs on SIGP (STOP AND) STORE STATUS Greg Kroah-Hartman
2016-03-14 17:50 ` [PATCH 4.4 09/50] KVM: PPC: Book3S HV: Sanitize special-purpose register values on guest exit Greg Kroah-Hartman
2016-03-14 17:50 ` [PATCH 4.4 10/50] KVM: MMU: fix ept=0/pte.u=1/pte.w=0/CR0.WP=0/CR4.SMEP=1/EFER.NX=0 combo Greg Kroah-Hartman
2016-03-14 17:50 ` [PATCH 4.4 11/50] KVM: MMU: fix reserved bit check for ept=0/CR0.WP=0/CR4.SMEP=1/EFER.NX=0 Greg Kroah-Hartman
2016-03-14 17:50 ` [PATCH 4.4 13/50] s390/dasd: fix diag 0x250 inline assembly Greg Kroah-Hartman
2016-03-14 17:50 ` [PATCH 4.4 14/50] tracing: Fix check for cpu online when event is disabled Greg Kroah-Hartman
2016-03-14 17:50 ` [PATCH 4.4 15/50] dmaengine: at_xdmac: fix residue computation Greg Kroah-Hartman
2016-03-14 17:50 ` [PATCH 4.4 16/50] jffs2: reduce the breakage on recovery from halfway failed rename() Greg Kroah-Hartman
2016-03-14 17:50 ` [PATCH 4.4 17/50] ncpfs: fix a braino in OOM handling in ncp_fill_cache() Greg Kroah-Hartman
2016-03-14 17:50 ` [PATCH 4.4 18/50] ASoC: dapm: Fix ctl value accesses in a wrong type Greg Kroah-Hartman
2016-03-14 17:50 ` [PATCH 4.4 19/50] ASoC: samsung: Use IRQ safe spin lock calls Greg Kroah-Hartman
2016-03-14 17:50 ` [PATCH 4.4 20/50] ASoC: wm8994: Fix enum ctl accesses in a wrong type Greg Kroah-Hartman
2016-03-14 17:50 ` [PATCH 4.4 21/50] ASoC: wm8958: " Greg Kroah-Hartman
2016-03-14 17:50 ` [PATCH 4.4 22/50] ovl: ignore lower entries when checking purity of non-directory entries Greg Kroah-Hartman
2016-03-14 17:50 ` [PATCH 4.4 23/50] ovl: fix working on distributed fs as lower layer Greg Kroah-Hartman
2016-03-14 17:50 ` [PATCH 4.4 24/50] wext: fix message delay/ordering Greg Kroah-Hartman
2016-03-16 12:49   ` Ben Hutchings
2016-03-14 17:50 ` [PATCH 4.4 25/50] cfg80211/wext: fix message ordering Greg Kroah-Hartman
2016-03-14 17:50 ` [PATCH 4.4 26/50] can: gs_usb: fixed disconnect bug by removing erroneous use of kfree() Greg Kroah-Hartman
2016-03-14 17:50 ` [PATCH 4.4 27/50] iwlwifi: mvm: inc pending frames counter also when txing non-sta Greg Kroah-Hartman
2016-03-14 17:50 ` [PATCH 4.4 28/50] mac80211: minstrel: Change expected throughput unit back to Kbps Greg Kroah-Hartman
2016-03-14 17:50 ` Greg Kroah-Hartman [this message]
2016-03-14 17:50 ` [PATCH 4.4 30/50] mac80211: minstrel_ht: set default tx aggregation timeout to 0 Greg Kroah-Hartman
2016-03-14 17:50 ` [PATCH 4.4 32/50] mac80211: check PN correctly for GCMP-encrypted fragmented MPDUs Greg Kroah-Hartman
2016-03-14 17:50 ` [PATCH 4.4 33/50] mac80211: Fix Public Action frame RX in AP mode Greg Kroah-Hartman
2016-03-14 17:50 ` [PATCH 4.4 34/50] gpu: ipu-v3: Do not bail out on missing optional port nodes Greg Kroah-Hartman
2016-03-14 17:50 ` [PATCH 4.4 35/50] x86/mm: Fix slow_virt_to_phys() for X86_PAE again Greg Kroah-Hartman
2016-03-14 17:50   ` Greg Kroah-Hartman
2016-03-14 17:50 ` [PATCH 4.4 39/50] Revert "drm/radeon/pm: adjust display configuration after powerstate" Greg Kroah-Hartman
2016-03-14 17:50 ` [PATCH 4.4 40/50] powerpc: Fix dedotify for binutils >= 2.26 Greg Kroah-Hartman
2016-03-14 17:50 ` [PATCH 4.4 41/50] powerpc/powernv: Add a kmsg_dumper that flushes console output on panic Greg Kroah-Hartman
2016-03-14 17:51 ` [PATCH 4.4 42/50] powerpc/powernv: Fix OPAL_CONSOLE_FLUSH prototype and usages Greg Kroah-Hartman
2016-03-14 17:51 ` [PATCH 4.4 43/50] userfaultfd: dont block on the last VM updates at exit time Greg Kroah-Hartman
2016-03-14 17:51 ` [PATCH 4.4 44/50] ovl: copy new uid/gid into overlayfs runtime inode Greg Kroah-Hartman
2016-03-14 17:51 ` [PATCH 4.4 45/50] ovl: fix getcwd() failure after unsuccessful rmdir Greg Kroah-Hartman
2016-03-14 17:51 ` [PATCH 4.4 46/50] MIPS: Fix build error when SMP is used without GIC Greg Kroah-Hartman
2016-03-14 17:51 ` [PATCH 4.4 47/50] MIPS: smp.c: Fix uninitialised temp_foreign_map Greg Kroah-Hartman
2016-03-14 17:51 ` [PATCH 4.4 48/50] block: dont optimize for non-cloned bio in bio_get_last_bvec() Greg Kroah-Hartman
2016-03-14 17:51 ` [PATCH 4.4 49/50] target: Drop incorrect ABORT_TASK put for completed commands Greg Kroah-Hartman
2016-03-14 17:51 ` [PATCH 4.4 50/50] ld-version: Fix awk regex compile failure Greg Kroah-Hartman
2016-03-14 23:12 ` [PATCH 4.4 00/50] 4.4.6-stable review Shuah Khan
2016-03-16 15:40   ` Greg Kroah-Hartman
2016-03-15  2:34 ` Guenter Roeck
2016-03-16 15:41   ` Greg Kroah-Hartman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20160314175017.597460053@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=chris.bainbridge@gmail.com \
    --cc=johannes.berg@intel.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.