Received: by 10.223.185.116 with SMTP id b49csp6373141wrg; Wed, 28 Feb 2018 08:21:02 -0800 (PST) X-Google-Smtp-Source: AG47ELsqVv9yXlp1QfgIbsJa7pABejGVsJxgCEtMb1LKc2KLJiaDh2tbij21OaSw30QAGZKxMxyS X-Received: by 2002:a17:902:678e:: with SMTP id g14-v6mr2122020plk.440.1519834862454; Wed, 28 Feb 2018 08:21:02 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1519834862; cv=none; d=google.com; s=arc-20160816; b=WjNR+eVX6+j1/a24zhors6/ZXB9QAD7UATi9nqPxcVLIIU3aeJVjsKvXZETsI5+1o8 J4ny2U9B6uKynPSYmSjY9Uv7O6vJE9Xj+8gUOCq2mzm66i65j3iUjG3DYk6xatWR4JkL SWPVBFZD5ZjuSe1rXsysiFrq0hVhlgBBD5Jk95eEtd2aBGLFWQjVWl/kfEYEUdYw8Zf4 ++JIYGJzR5PWmUoYEGtcbtNi1oScSTNKrYzuZaLTtn+sxryHeMaRxJX7UDw+GdraJIrx I20oe58I/Xq1SvYfQxm7BFEHRjj7u1plPvTmA5ctjQMYuygpdmDh4Smz4TPfNZTctBG9 YwtA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:subject:message-id:date:cc:to :from:mime-version:content-transfer-encoding:content-disposition :arc-authentication-results; bh=vcT1ktBhZ4DPiB2J4HCovN1NuPYkVf1yT+dpVddR9wU=; b=ylgB3qn3KS3TrR0YGiN43QkLp/M87xB3EkwbdugG0hva/3tEiDf515uMJlHN5p4LSf ELDfSTeVRkbo17j14XxstPXxI8bhtbcPEbcU72CoS81oQtfnpZW7BK3cM0UDeA1Qvetd +bRSb709MXzTxUB1aAxZVvMSGqFZvpEdMxmu37pd7fpmiDTggj14qS1SbK42AeVYeLEf 8xTyYFoRyuMT5knj00hDuuoZpWz7Km8gq1qEb9T9clXUnNljUy/EPS/XdzyWdIskEfci blBsiOWQwfl/FwOjYs4ZYgBGWnvxDEuf0XwrOXxWvRmI+hONNI2oZRHkVRumAXNmb1p8 Rm0Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id h67si1202225pgc.324.2018.02.28.08.20.47; Wed, 28 Feb 2018 08:21:02 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S934949AbeB1QRn (ORCPT + 99 others); Wed, 28 Feb 2018 11:17:43 -0500 Received: from shadbolt.e.decadent.org.uk ([88.96.1.126]:35261 "EHLO shadbolt.e.decadent.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932298AbeB1QRk (ORCPT ); Wed, 28 Feb 2018 11:17:40 -0500 Received: from [2a02:8011:400e:2:6f00:88c8:c921:d332] (helo=deadeye) by shadbolt.decadent.org.uk with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from ) id 1er3Yp-0006XS-Lk; Wed, 28 Feb 2018 15:22:28 +0000 Received: from ben by deadeye with local (Exim 4.90_1) (envelope-from ) id 1er3Yj-0000GP-TQ; Wed, 28 Feb 2018 15:22:21 +0000 Content-Type: text/plain; charset="UTF-8" Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 From: Ben Hutchings To: linux-kernel@vger.kernel.org, stable@vger.kernel.org CC: akpm@linux-foundation.org, "Johannes Berg" , syzbot+8dd9051ff19940290931@syzkaller.appspotmail.com Date: Wed, 28 Feb 2018 15:20:18 +0000 Message-ID: X-Mailer: LinuxStableQueue (scripts by bwh) Subject: [PATCH 3.16 206/254] mac80211_hwsim: validate number of different channels In-Reply-To: X-SA-Exim-Connect-IP: 2a02:8011:400e:2:6f00:88c8:c921:d332 X-SA-Exim-Mail-From: ben@decadent.org.uk X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 3.16.55-rc1 review patch. If anyone has any objections, please let me know. ------------------ From: Johannes Berg commit 51a1aaa631c90223888d8beac4d649dc11d2ca55 upstream. When creating a new radio on the fly, hwsim allows this to be done with an arbitrary number of channels, but cfg80211 only supports a limited number of simultaneous channels, leading to a warning. Fix this by validating the number - this requires moving the define for the maximum out to a visible header file. Reported-by: syzbot+8dd9051ff19940290931@syzkaller.appspotmail.com Fixes: b59ec8dd4394 ("mac80211_hwsim: fix number of channels in interface combinations") Signed-off-by: Johannes Berg [bwh: Backported to 3.16: - Test chans intead of param.channels - GENL_SET_ERR_MSG() is not available - Adjust context] Signed-off-by: Ben Hutchings --- --- a/drivers/net/wireless/mac80211_hwsim.c +++ b/drivers/net/wireless/mac80211_hwsim.c @@ -2439,6 +2439,9 @@ static int hwsim_create_radio_nl(struct if (info->attrs[HWSIM_ATTR_CHANNELS]) chans = nla_get_u32(info->attrs[HWSIM_ATTR_CHANNELS]); + if (chans > CFG80211_MAX_NUM_DIFFERENT_CHANNELS) + return -EINVAL; + if (info->attrs[HWSIM_ATTR_USE_CHANCTX]) use_chanctx = true; else --- a/include/net/cfg80211.h +++ b/include/net/cfg80211.h @@ -716,6 +716,8 @@ struct cfg80211_csa_settings { u8 count; }; +#define CFG80211_MAX_NUM_DIFFERENT_CHANNELS 10 + /** * enum station_parameters_apply_mask - station parameter values to apply * @STATION_PARAM_APPLY_UAPSD: apply new uAPSD parameters (uapsd_queues, max_sp) --- a/net/wireless/core.h +++ b/net/wireless/core.h @@ -456,8 +456,6 @@ void cfg80211_leave(struct cfg80211_regi void cfg80211_stop_p2p_device(struct cfg80211_registered_device *rdev, struct wireless_dev *wdev); -#define CFG80211_MAX_NUM_DIFFERENT_CHANNELS 10 - #ifdef CONFIG_CFG80211_DEVELOPER_WARNINGS #define CFG80211_DEV_WARN_ON(cond) WARN_ON(cond) #else