From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Johannes Berg, Sasha Levin
Subject: [PATCH 4.9 04/56] cfg80211: size various nl80211 messages correctly
Date: Mon, 1 Apr 2019 19:02:20 +0200
Message-Id: <20190401170103.718175610@linuxfoundation.org>
In-Reply-To: <20190401170103.398401360@linuxfoundation.org>
References: <20190401170103.398401360@linuxfoundation.org>

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 4ef8c1c93f848e360754f10eb2e7134c872b6597 ]

Ilan reported that sometimes nl80211 messages weren't working if
the frames being transported got very large, which was really a
problem for userspace-to-kernel messages, but prompted me to look
at the code.

Upon review, I found various places where variable-length data is
transported in an nl80211 message but the message isn't allocated
taking that into account. This shouldn't cause any problems since
the frames aren't really that long, apart in one place where two
(possibly very long frames) might not fit.

Fix all the places (that I found) that get variable length data
from the driver and put it into a message to take the length of
the variable data into account. The 100 there is just a safe
constant for the remaining message overhead (it's usually around
50 for most messages.)

Signed-off-by: Johannes Berg
Signed-off-by: Sasha Levin
Signed-off-by: Greg Kroah-Hartman
---
 net/wireless/nl80211.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

--- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c 
@@ -12942,7 +12942,7 @@ static void nl80211_send_mlme_event(stru struct sk_buff *msg; void *hdr; - msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp); + msg = nlmsg_new(100 + len, gfp); if (!msg) return; @@ -13094,7 +13094,7 @@ void nl80211_send_connect_result(struct struct sk_buff *msg; void *hdr; - msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp); + msg = nlmsg_new(100 + req_ie_len + resp_ie_len, gfp); if (!msg) return; @@ -13136,7 +13136,7 @@ void nl80211_send_roamed(struct cfg80211 struct sk_buff *msg; void *hdr; - msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp); + msg = nlmsg_new(100 + req_ie_len + resp_ie_len, gfp); if (!msg) return; @@ -13173,7 +13173,7 @@ void nl80211_send_disconnected(struct cf struct sk_buff *msg; void *hdr; - msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); + msg = nlmsg_new(100 + ie_len, GFP_KERNEL); if (!msg) return; @@ -13249,7 +13249,7 @@ void cfg80211_notify_new_peer_candidate( trace_cfg80211_notify_new_peer_candidate(dev, addr); - msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp); + msg = nlmsg_new(100 + ie_len, gfp); if (!msg) return; @@ -13620,7 +13620,7 @@ int nl80211_send_mgmt(struct cfg80211_re struct sk_buff *msg; void *hdr; - msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp); + msg = nlmsg_new(100 + len, gfp); if (!msg) return -ENOMEM; @@ -13664,7 +13664,7 @@ void cfg80211_mgmt_tx_status(struct wire trace_cfg80211_mgmt_tx_status(wdev, cookie, ack); - msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp); + msg = nlmsg_new(100 + len, gfp); if (!msg) return; @@ -14473,7 +14473,7 @@ void cfg80211_ft_event(struct net_device if (!ft_event->target_ap) return; - msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); + msg = nlmsg_new(100 + ft_event->ric_ies_len, GFP_KERNEL); if (!msg) return;
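
Review bot: the bare 100 in `nlmsg_new(100 + len, gfp)` in nl80211_send_mlme_event() is a magic number that recurs in all eight call sites, and its rationale (headroom for the remaining message overhead, usually around 50) is recorded only in the commit message. Suggest a named constant with a one-line comment at its definition, so that anyone adding a fixed attribute to one of these messages has a single place to re-check the headroom.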
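
Review bot: in nl80211_send_connect_result(), `100 + req_ie_len + resp_ie_len` sizes the buffer from the raw payload lengths, so the netlink attribute header and alignment padding for both IE blobs are paid out of the fixed 100. Writing the sum as nla_total_size(req_ie_len) + nla_total_size(resp_ie_len) would account for them explicitly and leave the constant as headroom for the fixed attributes only. The identical expression in nl80211_send_roamed() would take the same change.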
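
Review bot: in cfg80211_ft_event(), the new size `100 + ft_event->ric_ies_len` covers only one length field of ft_event. If the message also carries any other variable-length data from ft_event, that length needs to be added here as well, the way the connect_result and roamed hunks add both of their IE lengths; this should be confirmed against the nla_put calls in the function body, which lie outside the context shown in this hunk.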