Re: [PATCH 1/2] libertas: don't exit from lbs_ibss_join_existing() with RCU read lock held

From: Nicolai Stange
Date: Wed Jan 15 2020 - 01:21:40 EST

Next message: syzbot: "BUG: unable to handle kernel NULL pointer dereference in insert_char"
Previous message: syzbot: "KASAN: use-after-free Write in hci_sock_bind"
In reply to: Kalle Valo: "Re: [PATCH 1/2] libertas: don't exit from lbs_ibss_join_existing() with RCU read lock held"
Next in thread: Nicolai Stange: "[PATCH 2/2] libertas: make lbs_ibss_join_existing() return error code on rates overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Kalle Valo <kvalo@xxxxxxxxxxxxxx> writes:

> Nicolai Stange <nstange@xxxxxxx> writes:
>
>> Commit e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss
>> descriptor") introduced a bounds check on the number of supplied rates to
>> lbs_ibss_join_existing().
>>
>> Unfortunately, it introduced a return path from within a RCU read side
>> critical section without a corresponding rcu_read_unlock(). Fix this.
>>
>> Fixes: e5e884b42639 ("libertas: Fix two buffer overflows at parsing bss
>> descriptor")
>
> This should be in one line, I'll fix it during commit.

Thanks!

--
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 NÃrnberg, Germany
(HRB 36809, AG NÃrnberg), GF: Felix ImendÃrffer

Next message: syzbot: "BUG: unable to handle kernel NULL pointer dereference in insert_char"
Previous message: syzbot: "KASAN: use-after-free Write in hci_sock_bind"
In reply to: Kalle Valo: "Re: [PATCH 1/2] libertas: don't exit from lbs_ibss_join_existing() with RCU read lock held"
Next in thread: Nicolai Stange: "[PATCH 2/2] libertas: make lbs_ibss_join_existing() return error code on rates overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]