| From c319d50bfcf678c2857038276d9fab3c6646f3bf Mon Sep 17 00:00:00 2001 |
| From: Johannes Berg <johannes.berg@intel.com> |
| Date: Tue, 30 Jul 2013 22:34:28 +0200 |
| Subject: nl80211: fix another nl80211_fam.attrbuf race |
| |
| From: Johannes Berg <johannes.berg@intel.com> |
| |
| commit c319d50bfcf678c2857038276d9fab3c6646f3bf upstream. |
| |
| This is similar to the race Linus had reported, but in this case |
| it's an older bug: nl80211_prepare_wdev_dump() uses the wiphy |
| index in cb->args[0] as it is and thus parses the message over |
| and over again instead of just once because 0 is the first valid |
| wiphy index. Similar code in nl80211_testmode_dump() correctly |
| offsets the wiphy_index by 1, do that here as well. |
| |
| Reported-by: Ben Hutchings <ben@decadent.org.uk> |
| Signed-off-by: Johannes Berg <johannes.berg@intel.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| net/wireless/nl80211.c | 6 ++++-- |
| 1 file changed, 4 insertions(+), 2 deletions(-) |
| |
| --- a/net/wireless/nl80211.c |
| +++ b/net/wireless/nl80211.c |
| @@ -471,10 +471,12 @@ static int nl80211_prepare_wdev_dump(str |
| goto out_unlock; |
| } |
| *rdev = wiphy_to_dev((*wdev)->wiphy); |
| - cb->args[0] = (*rdev)->wiphy_idx; |
| + /* 0 is the first index - add 1 to parse only once */ |
| + cb->args[0] = (*rdev)->wiphy_idx + 1; |
| cb->args[1] = (*wdev)->identifier; |
| } else { |
| - struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0]); |
| + /* subtract the 1 again here */ |
| + struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1); |
| struct wireless_dev *tmp; |
| |
| if (!wiphy) { |
