From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Chris Bainbridge <chris.bainbridge@gmail.com>,
Johannes Berg <johannes.berg@intel.com>
Subject: [PATCH 3.10 06/18] mac80211: fix use of uninitialised values in RX aggregation
Date: Mon, 14 Mar 2016 10:53:04 -0700 [thread overview]
Message-ID: <20160314175041.633717349@linuxfoundation.org> (raw)
In-Reply-To: <20160314175041.432810454@linuxfoundation.org>
3.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chris Bainbridge <chris.bainbridge@gmail.com>
commit f39ea2690bd61efec97622c48323f40ed6e16317 upstream.
Use kzalloc instead of kmalloc for struct tid_ampdu_rx to
initialize the "removed" field (all others are initialized
manually). That fixes:
UBSAN: Undefined behaviour in net/mac80211/rx.c:932:29
load of value 2 is not a valid value for type '_Bool'
CPU: 3 PID: 1134 Comm: kworker/u16:7 Not tainted 4.5.0-rc1+ #265
Workqueue: phy0 rt2x00usb_work_rxdone
0000000000000004 ffff880254a7ba50 ffffffff8181d866 0000000000000007
ffff880254a7ba78 ffff880254a7ba68 ffffffff8188422d ffffffff8379b500
ffff880254a7bab8 ffffffff81884747 0000000000000202 0000000348620032
Call Trace:
[<ffffffff8181d866>] dump_stack+0x45/0x5f
[<ffffffff8188422d>] ubsan_epilogue+0xd/0x40
[<ffffffff81884747>] __ubsan_handle_load_invalid_value+0x67/0x70
[<ffffffff82227b4d>] ieee80211_sta_reorder_release.isra.16+0x5ed/0x730
[<ffffffff8222ca14>] ieee80211_prepare_and_rx_handle+0xd04/0x1c00
[<ffffffff8222db03>] __ieee80211_rx_handle_packet+0x1f3/0x750
[<ffffffff8222e4a7>] ieee80211_rx_napi+0x447/0x990
While at it, convert to use sizeof(*tid_agg_rx) instead.
Fixes: 788211d81bfdf ("mac80211: fix RX A-MPDU session reorder timer deletion")
Signed-off-by: Chris Bainbridge <chris.bainbridge@gmail.com>
[reword commit message, use sizeof(*tid_agg_rx)]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mac80211/agg-rx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/mac80211/agg-rx.c
+++ b/net/mac80211/agg-rx.c
@@ -290,7 +290,7 @@ void ieee80211_process_addba_request(str
}
/* prepare A-MPDU MLME for Rx aggregation */
- tid_agg_rx = kmalloc(sizeof(struct tid_ampdu_rx), GFP_KERNEL);
+ tid_agg_rx = kzalloc(sizeof(*tid_agg_rx), GFP_KERNEL);
if (!tid_agg_rx)
goto end;
next prev parent reply other threads:[~2016-03-14 17:58 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-03-14 17:52 [PATCH 3.10 00/18] 3.10.101-stable review Greg Kroah-Hartman
2016-03-14 17:53 ` [PATCH 3.10 02/18] tracing: Fix check for cpu online when event is disabled Greg Kroah-Hartman
2016-03-14 17:53 ` [PATCH 3.10 03/18] ASoC: wm8994: Fix enum ctl accesses in a wrong type Greg Kroah-Hartman
2016-03-14 17:53 ` [PATCH 3.10 04/18] ASoC: wm8958: " Greg Kroah-Hartman
2016-03-14 17:53 ` [PATCH 3.10 05/18] wext: fix message delay/ordering Greg Kroah-Hartman
2016-03-14 17:53 ` Greg Kroah-Hartman [this message]
2016-03-14 17:53 ` [PATCH 3.10 07/18] mac80211: minstrel_ht: set default tx aggregation timeout to 0 Greg Kroah-Hartman
2016-03-14 17:53 ` [PATCH 3.10 08/18] powerpc: Fix dedotify for binutils >= 2.26 Greg Kroah-Hartman
2016-03-14 17:53 ` [PATCH 3.10 09/18] KVM: x86: move steal time initialization to vcpu entry time Greg Kroah-Hartman
2016-03-14 17:53 ` [PATCH 3.10 10/18] lib/ucs2_string: Add ucs2 -> utf8 helper functions Greg Kroah-Hartman
2016-03-14 17:53 ` [PATCH 3.10 11/18] efi: Use ucs2_as_utf8 in efivarfs instead of open coding a bad version Greg Kroah-Hartman
2016-03-14 17:53 ` [PATCH 3.10 12/18] efi: Do variable name validation tests in utf8 Greg Kroah-Hartman
2016-03-14 17:53 ` [PATCH 3.10 13/18] efi: Make our variable validation list include the guid Greg Kroah-Hartman
2016-03-14 17:53 ` [PATCH 3.10 14/18] efi: Make efivarfs entries immutable by default Greg Kroah-Hartman
2016-03-14 17:53 ` [PATCH 3.10 15/18] efi: Add pstore variables to the deletion whitelist Greg Kroah-Hartman
2016-03-14 17:53 ` [PATCH 3.10 16/18] lib/ucs2_string: Correct ucs2 -> utf8 conversion Greg Kroah-Hartman
2016-03-14 17:53 ` [PATCH 3.10 17/18] modules: fix longstanding /proc/kallsyms vs module insertion race Greg Kroah-Hartman
2016-03-14 17:53 ` [PATCH 3.10 18/18] Revert: "crypto: af_alg - Disallow bind/setkey/... after accept(2)" Greg Kroah-Hartman
2016-03-14 23:14 ` [PATCH 3.10 00/18] 3.10.101-stable review Shuah Khan
2016-03-15 2:37 ` Guenter Roeck
2016-03-16 3:08 ` Guenter Roeck
2016-03-16 4:09 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160314175041.633717349@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=chris.bainbridge@gmail.com \
--cc=johannes.berg@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.