From patchwork Thu Apr 20 15:47:04 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: James Hughes <james.hughes@raspberrypi.org>
X-Patchwork-Id: 9690835
X-Patchwork-Delegate: kvalo@adurom.com
Return-Path: <linux-wireless-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	39AE460326 for <patchwork-linux-wireless@patchwork.kernel.org>;
	Thu, 20 Apr 2017 15:47:35 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7C7B41FF28
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Thu, 20 Apr 2017 15:47:16 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 6F7D7228C9; Thu, 20 Apr 2017 15:47:16 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 921861FF28
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Thu, 20 Apr 2017 15:47:14 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S970861AbdDTPrN (ORCPT
	<rfc822;patchwork-linux-wireless@patchwork.kernel.org>);
	Thu, 20 Apr 2017 11:47:13 -0400
Received: from mx07-00252a01.pphosted.com ([62.209.51.214]:12534 "EHLO
	mx07-00252a01.pphosted.com" rhost-flags-OK-OK-OK-OK)
	by vger.kernel.org with ESMTP id S970871AbdDTPrL (ORCPT
	<rfc822;linux-wireless@vger.kernel.org>);
	Thu, 20 Apr 2017 11:47:11 -0400
Received: from pps.filterd (m0102628.ppops.net [127.0.0.1])
	by mx07-00252a01.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id
	v3KFgaKa023645
	for <linux-wireless@vger.kernel.org>; Thu, 20 Apr 2017 16:47:09 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=raspberrypi.org;
	h=from : to : cc : subject : date : message-id; s=pp;
	bh=KnmZdLUldNLpHI0ZvZaXNAH2/Jy5NB98FWL1jW1qjQ4=;
	b=m5SBWX0zpOUdThneKucLDf1GxDHe96eWslhIzjvkngfp5/JWzTmedp9d989J0n+gtVlv
	a+l/NZgX8Y5uu0XoI9EH1zMzAhVAm7Bkdce8cQlwtD7nYrXvustJOlHeATs7Oh4N8T03
	sa072InFIgBS+HaS5VVyDwyYIMLz6Io8ItAGy8R4P5E3yldS2N18dPx8uxsvKJzTVVJy
	fDCAnkd7vRVYiYegVwf56fmdKxpv5ygZ08ONsRDrtWCCvpYC1FwklirC5QWJgWL6GbAV
	o34SrbDD/wH5LS/eoNpdvvnvR73+ZmBQlIj3NHOlBMg/T0soU7z30gfPFEc7jmWox+us
	pQ==
Received: from mail-wr0-f200.google.com (mail-wr0-f200.google.com
	[209.85.128.200])
	by mx07-00252a01.pphosted.com with ESMTP id 29wqp2rvhm-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128
	verify=OK)
	for <linux-wireless@vger.kernel.org>; Thu, 20 Apr 2017 16:47:09 +0100
Received: by mail-wr0-f200.google.com with SMTP id 6so2642652wrt.20
	for <linux-wireless@vger.kernel.org>;
	Thu, 20 Apr 2017 08:47:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=raspberrypi-org.20150623.gappssmtp.com; s=20150623;
	h=from:to:cc:subject:date:message-id;
	bh=KnmZdLUldNLpHI0ZvZaXNAH2/Jy5NB98FWL1jW1qjQ4=;
	b=nv4N2o2s/TT40riNJFMYHYOftHHFgT4KT5uvgaJ5vgLgy42TObH/2NzKqfFXhhTzBg
	SHfkeNgyq2pP2/brUrt1oXzhgFT15y3kT/2Nr1hLlh3Rq2XDCq1/9ugCZVpmwPueqEft
	OaaS2mrissN92LznoXtXxWTlzDW8gpAaNqMy3IdDhtf7naM3i+mycgvrQOdANvQgu7IQ
	NAiBU3W/fAfaE1HAdwZfkvfygOdOlAYBu6jQ3OMuQq7QVFxQklRIijH07Zu0iBhm7Xlu
	qQR5nhs7MjulVh9/ZK/l+yJ3AAL3iCKhV7uT8oBIS2Hq7K6bp3k1barGbW2J/y0cBgUX
	GI3A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id;
	bh=KnmZdLUldNLpHI0ZvZaXNAH2/Jy5NB98FWL1jW1qjQ4=;
	b=MewbHGRViTvSiUUNZCRApHea1/05wppfKAg5x4kPx1Ot5G+brweG3LwDH6q0hTepnE
	8gHgB5Y4Mm66RxrA68MxgbIsHSPNdX/gBomb5/oy7QD3DAyhRRRKz4IrdAdIAm6cOYIB
	lXg5OQCuaseEOXw+gWuT/HjGP5qhXaKPrzNDHAIeYzo0m4xh9Y1XSRlVdEUZczk5gy9y
	zT9wNgFnr7ajRuKNyC/xC1XUj9Q6eKY1TWJKeGmQpfqsUGyuZSjCdeiPrLbHEq5OrtxM
	DjUf9myZmYMWqD2Emi2u0utseQ7J7vuM3K2bXcVexMZanPuYYmxqX7zEE/+MqDL0Miv8
	UZrQ==
X-Gm-Message-State: AN3rC/6u5QyHFhGY4CW6Z6rOXcB1klKI9ZW50yXrUsHFgqUP3nicsBVp
	c1Pz7uYkfqFY/gYTM3Yi22BnPvDpjqQbcxDtSySSi9xEfpgkrApvxvK5meSiHKnAMMxVY1Qhj3a
	2qLay08fS54trFvLaiA==
X-Received: by 10.28.18.135 with SMTP id 129mr3769651wms.54.1492703228893;
	Thu, 20 Apr 2017 08:47:08 -0700 (PDT)
X-Received: by 10.28.18.135 with SMTP id 129mr3769640wms.54.1492703228726;
	Thu, 20 Apr 2017 08:47:08 -0700 (PDT)
Received: from jamesh-VirtualBox ([217.33.127.173])
	by smtp.gmail.com with ESMTPSA id
	l132sm24190364wmd.10.2017.04.20.08.47.07
	(version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
	Thu, 20 Apr 2017 08:47:07 -0700 (PDT)
From: James Hughes <james.hughes@raspberrypi.org>
To: Arend van Spriel <arend.vanspriel@broadcom.com>,
	Franky Lin <franky.lin@broadcom.com>,
	Hante Meuleman <hante.meuleman@broadcom.com>,
	Kalle Valo <kvalo@codeaurora.org>, linux-wireless@vger.kernel.org
Cc: James Hughes <james.hughes@raspberrypi.org>
Subject: [PATCH] brcm80211: brcmfmac: Ensure header writes are on writable
	skb
Date: Thu, 20 Apr 2017 16:47:04 +0100
Message-Id: <20170420154704.32144-1-james.hughes@raspberrypi.org>
X-Mailer: git-send-email 2.9.3
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, ,
	definitions=2017-04-20_14:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam
	score=0 priorityscore=1501
	malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0
	clxscore=1015 lowpriorityscore=0 impostorscore=0 adultscore=0
	classifier=spam adjust=0 reason=mlx scancount=1
	engine=8.0.1-1703280000
	definitions=main-1704200125
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

Driver was writing to skb header area without ensuring it was
writable i.e. uncloned.

Used skb_cow_header to ensure that header buffer is large enough
and is uncloned.

Detected when, in combination with the smsc85xx driver, both drivers
attempted to write different headers to the same header buffer.

Signed-off-by: James Hughes <james.hughes@raspberrypi.org>
---
 drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcdc.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcdc.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcdc.c
index 038a960..b9d7d08 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcdc.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcdc.c
@@ -249,14 +249,19 @@ brcmf_proto_bcdc_set_dcmd(struct brcmf_pub *drvr, int ifidx, uint cmd,
 	return ret;
 }
 
-static void
+static int
 brcmf_proto_bcdc_hdrpush(struct brcmf_pub *drvr, int ifidx, u8 offset,
 			 struct sk_buff *pktbuf)
 {
 	struct brcmf_proto_bcdc_header *h;
+	int err;
 
 	brcmf_dbg(BCDC, "Enter\n");
 
+	err = skb_cow_head(pktbuf, BCDC_HEADER_LEN);
+	if (err)
+		return err;
+
 	/* Push BDC header used to convey priority for buses that don't */
 	skb_push(pktbuf, BCDC_HEADER_LEN);
 
@@ -271,6 +276,8 @@ brcmf_proto_bcdc_hdrpush(struct brcmf_pub *drvr, int ifidx, u8 offset,
 	h->data_offset = offset;
 	BCDC_SET_IF_IDX(h, ifidx);
 	trace_brcmf_bcdchdr(pktbuf->data);
+
+	return 0;
 }
 
 static int
@@ -330,7 +337,11 @@ static int
 brcmf_proto_bcdc_txdata(struct brcmf_pub *drvr, int ifidx, u8 offset,
 			struct sk_buff *pktbuf)
 {
-	brcmf_proto_bcdc_hdrpush(drvr, ifidx, offset, pktbuf);
+	int err = brcmf_proto_bcdc_hdrpush(drvr, ifidx, offset, pktbuf);
+
+	if (err)
+		return err;
+
 	return brcmf_bus_txdata(drvr->bus_if, pktbuf);
 }