[PATCH 4.4 89/91] libertas: dont exit from lbs_ibss_join_existing() with RCU read lock held

13 Feb 2020

From: Nicolai Stange nstange@suse.de
[ Upstream commit c7bf1fb7ddca331780b9a733ae308737b39f1ad4 ]
Commit e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss
descriptor") introduced a bounds check on the number of supplied rates to
lbs_ibss_join_existing().
Unfortunately, it introduced a return path from within a RCU read side
critical section without a corresponding rcu_read_unlock(). Fix this.
Fixes: e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss descriptor")
Signed-off-by: Nicolai Stange nstange@suse.de
Signed-off-by: Kalle Valo kvalo@codeaurora.org
Signed-off-by: Sasha Levin sashal@kernel.org
---
 drivers/net/wireless/libertas/cfg.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/wireless/libertas/cfg.c b/drivers/net/wireless/libertas/cfg.c
index 0824697c3dca0..803684eed142c 100644
--- a/drivers/net/wireless/libertas/cfg.c
+++ b/drivers/net/wireless/libertas/cfg.c
@@ -1853,6 +1853,7 @@ static int lbs_ibss_join_existing(struct lbs_private *priv,
    	rates_max = rates_eid[1];
    	if (rates_max > MAX_RATES) {
    		lbs_deb_join("invalid rates");
+			rcu_read_unlock();
    		goto out;
    	}
    	rates = cmd.bss.rates;
-- 
2.20.1




    

2024

2023

2022

2021

2020

2019

2018

2017

[PATCH 4.4 89/91] libertas: dont exit from lbs_ibss_join_existing() with RCU read lock held