In commit 8020919a9b99 ("mac80211: Properly handle SKB with radiotap only"), buffers whose length is too short cause a WARN_ON(1) to be executed. This change exposed a fault in rtlwifi drivers, which is fixed by increasing the length of the affected buffer before it is sent to mac80211.
Cc: Stable stable@vger.kernel.org # v5.0+
Signed-off-by: Larry Finger Larry.Finger@lwfinger.net
---
Kalle,
Please send to v5.4.
Larry
---
drivers/net/wireless/realtek/rtlwifi/pci.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c index 6087ec7a90a6..bb5144b7c64f 100644 --- a/drivers/net/wireless/realtek/rtlwifi/pci.c +++ b/drivers/net/wireless/realtek/rtlwifi/pci.c @@ -692,7 +692,10 @@ static void _rtl_pci_rx_to_mac80211(struct ieee80211_hw *hw, dev_kfree_skb_any(skb); } else { struct sk_buff *uskb = NULL; + int len = skb->len;
+ if (unlikely(len <= FCS_LEN)) + len = FCS_LEN + 2; uskb = dev_alloc_skb(skb->len + 128); if (likely(uskb)) { memcpy(IEEE80211_SKB_RXCB(uskb), &rx_status,
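Review bot: the new `len` is never read in the lines shown. The allocation directly below the added check is still `dev_alloc_skb(skb->len + 128)`, so as far as this hunk shows, clamping `len` to `FCS_LEN + 2` has no effect on the buffer handed to mac80211. Use `len` wherever the size of `uskb` and the amount of data placed in it are decided. Because a clamped `len` is larger than `skb->len`, also make sure the copy from `skb` still reads only `skb->len` bytes and that the padding bytes are initialised rather than left as whatever the allocator returned. The `+ 2` would benefit from a one-line comment stating why that is the minimum length mac80211 accepts.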
Hi,
This patch doesn't appear to do anything? The increased length is not actually used, is a part of the patch missing?
PS: superficial reading, I am not hampered by any specific knowledge of this driver.
On 2019-10-19 21:02, Larry Finger wrote:
In commit 8020919a9b99 ("mac80211: Properly handle SKB with radiotap only"), buffers whose length is too short cause a WARN_ON(1) to be executed. This change exposed a fault in rtlwifi drivers, which is fixed by increasing the length of the affected buffer before it is sent to mac80211.
Cc: Stable stable@vger.kernel.org # v5.0+
Signed-off-by: Larry Finger Larry.Finger@lwfinger.net
Kalle,
Please send to v5.4.
Larry
drivers/net/wireless/realtek/rtlwifi/pci.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c index 6087ec7a90a6..bb5144b7c64f 100644 --- a/drivers/net/wireless/realtek/rtlwifi/pci.c +++ b/drivers/net/wireless/realtek/rtlwifi/pci.c @@ -692,7 +692,10 @@ static void _rtl_pci_rx_to_mac80211(struct ieee80211_hw *hw, dev_kfree_skb_any(skb); } else { struct sk_buff *uskb = NULL;
int len = skb->len;
if (unlikely(len <= FCS_LEN))
uskb = dev_alloc_skb(skb->len + 128); if (likely(uskb)) { memcpy(IEEE80211_SKB_RXCB(uskb), &rx_status,len = FCS_LEN + 2;
On 10/19/19 5:23 PM, ian.schram wrote:
Hi,
This patch doesn't appear to do anything? The increased length is not actually used, is a part of the patch missing?
PS: superficial reading, I am not hampered by any specific knowledge of this driver.
On 2019-10-19 21:02, Larry Finger wrote:
In commit 8020919a9b99 ("mac80211: Properly handle SKB with radiotap only"), buffers whose length is too short cause a WARN_ON(1) to be executed. This change exposed a fault in rtlwifi drivers, which is fixed by increasing the length of the affected buffer before it is sent to mac80211.
Cc: Stable stable@vger.kernel.org # v5.0+
Signed-off-by: Larry Finger Larry.Finger@lwfinger.net
Kalle,
Please send to v5.4.
Larry
drivers/net/wireless/realtek/rtlwifi/pci.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c index 6087ec7a90a6..bb5144b7c64f 100644 --- a/drivers/net/wireless/realtek/rtlwifi/pci.c +++ b/drivers/net/wireless/realtek/rtlwifi/pci.c @@ -692,7 +692,10 @@ static void _rtl_pci_rx_to_mac80211(struct ieee80211_hw *hw, dev_kfree_skb_any(skb); } else { struct sk_buff *uskb = NULL; + int len = skb->len; + if (unlikely(len <= FCS_LEN)) + len = FCS_LEN + 2; uskb = dev_alloc_skb(skb->len + 128); if (likely(uskb)) { memcpy(IEEE80211_SKB_RXCB(uskb), &rx_status,
Ian,
Yes, I debugged using a different tree and missed one use of the new len. V2 submitted.
Thanks for noticing.
Larry
linux-stable-mirror@lists.linaro.org