Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp2204752imm;
        Mon, 28 May 2018 03:55:05 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZp7mFG8PyLNkpCFctWhk6LFOxRIIddGDBpSm+nNmFyGj+A9zompfJR5QVTTMpz7IFZAb5Mb
X-Received: by 2002:a17:902:6bc1:: with SMTP id m1-v6mr13130800plt.91.1527504905223;
        Mon, 28 May 2018 03:55:05 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1527504905; cv=none;
        d=google.com; s=arc-20160816;
        b=M7UG+GpobA82725aZC04HOKXhR7vW4Hdahq9xP8UMyglKRIMQIChYKXo7ym6CO6muZ
         a7zoAKgNvW3tEtrQjcNVg5x86niXm3aTk4eP+NwWrBYn12ALX4LCMI4D9klQ3b8guBgE
         2D0aeFnDnwbZ4tnB8+JImXELtkns9qxK7KeZ5SQERIZUaPREVn+2Y2lb5Rjp0KNyKIX4
         IeJ5BCjJIewxjOJAR3iJbzckeSHofXGH4wvLjUbWrCwmmeL7PMpg9/6GPJolANgU0K5M
         8+mKhywrIv1S/XMxUWx1whz5J/Dvvf+nOfSiacm8UB0q+SkVz6EXnfPSacs1wYCb7m9e
         bm9w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :in-reply-to:message-id:date:subject:cc:to:from:dkim-signature
         :arc-authentication-results;
        bh=7wST1QhhIYmKgNoCemb89ieAwijtIXKgYPwr47NP+FY=;
        b=VBVtMHee3HyZ2lUrSoO6z7PcR1WyFwOjrHRMmIwj4JC7HpN8Cd3sStVhbhv39n73Ej
         r/xfMzhbzCU65UVX2iIBSsfr66RsHB+07LM2iPBoDgwKzQKIz7dm8AtTMWyRrEBPG+06
         WZCHvYdm1oEymvfNGDOB+uy9NTEpdhT6uS9HTe1Dhzyu4EKu8lD4agv+QIn26rcsj5Ey
         kraETlBbt6qdSLYkc1p4qY2TRAm4qmi56mhHYYFrjLndhY0V1CJIkep0S6ByBcE4HmV/
         HjOK33Qx3vXg2JlSweMwXLXtaF4GiLbwR90BvjGxlvTi2+pLPowux3J1Vmcyw711JLtE
         PZPg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=SwVMCe8G;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 64-v6si29747831pfl.309.2018.05.28.03.54.50;
        Mon, 28 May 2018 03:55:05 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=SwVMCe8G;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1164152AbeE1Kxc (ORCPT
        <rfc822;ArcheFireLinuxKernelMain@gmail.com> + 99 others);
        Mon, 28 May 2018 06:53:32 -0400
Received: from mail.kernel.org ([198.145.29.99]:42580 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1164144AbeE1Kx0 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 28 May 2018 06:53:26 -0400
Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id BEACD206B7;
        Mon, 28 May 2018 10:53:25 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1527504806;
        bh=vOSwK7zYulu+B+L5CY0uq7TPVnWGHg5j+M3uNcb6HEc=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=SwVMCe8GODLi3qHi1oMiIYARYzzKLSwzvrJ3v6sL6Jm+m/+uunzoiwbminYjPLT7L
         ykexcHkiyWvg/5U9P/DFvKXRBN/Mje6ttFy5oYlVbevB+Xu6Sm3D0n3qq2grBBe3rN
         SUY7XQvvQlSlV3iTJZXnU3vlkzAC3dqApwNoiF7w=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Avraham Stern <avraham.stern@intel.com>,
        Luca Coelho <luciano.coelho@intel.com>,
        Sasha Levin <alexander.levin@microsoft.com>
Subject: [PATCH 4.14 270/496] iwlwifi: mvm: fix array out of bounds reference
Date:   Mon, 28 May 2018 12:00:55 +0200
Message-Id: <20180528100331.236720365@linuxfoundation.org>
X-Mailer: git-send-email 2.17.0
In-Reply-To: <20180528100319.498712256@linuxfoundation.org>
References: <20180528100319.498712256@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Avraham Stern <avraham.stern@intel.com>

[ Upstream commit 4a6d2e525b43eba5870ea7e360f59aa65de00705 ]

When starting aggregation, the code checks the status of the queue
allocated to the aggregation tid, which might not yet be allocated
and thus the queue index may be invalid.
Fix this by reserving a new queue in case the queue id is invalid.

While at it, clean up some unreachable code (a condition that is
already handled earlier) and remove all the non-DQA comments since
non-DQA mode is no longer supported.

Fixes: cf961e16620f ("iwlwifi: mvm: support dqa-mode agg on non-shared queue")
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireless/intel/iwlwifi/mvm/sta.c |   38 +++++++--------------------
 1 file changed, 11 insertions(+), 27 deletions(-)

--- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
@@ -2436,28 +2436,12 @@ int iwl_mvm_sta_tx_agg_start(struct iwl_
 
 	/*
 	 * Note the possible cases:
-	 *  1. In DQA mode with an enabled TXQ - TXQ needs to become agg'ed
-	 *  2. Non-DQA mode: the TXQ hasn't yet been enabled, so find a free
-	 *	one and mark it as reserved
-	 *  3. In DQA mode, but no traffic yet on this TID: same treatment as in
-	 *	non-DQA mode, since the TXQ hasn't yet been allocated
-	 * Don't support case 3 for new TX path as it is not expected to happen
-	 * and aggregation will be offloaded soon anyway
+	 *  1. An enabled TXQ - TXQ needs to become agg'ed
+	 *  2. The TXQ hasn't yet been enabled, so find a free one and mark
+	 *	it as reserved
 	 */
 	txq_id = mvmsta->tid_data[tid].txq_id;
-	if (iwl_mvm_has_new_tx_api(mvm)) {
-		if (txq_id == IWL_MVM_INVALID_QUEUE) {
-			ret = -ENXIO;
-			goto release_locks;
-		}
-	} else if (unlikely(mvm->queue_info[txq_id].status ==
-			    IWL_MVM_QUEUE_SHARED)) {
-		ret = -ENXIO;
-		IWL_DEBUG_TX_QUEUES(mvm,
-				    "Can't start tid %d agg on shared queue!\n",
-				    tid);
-		goto release_locks;
-	} else if (mvm->queue_info[txq_id].status != IWL_MVM_QUEUE_READY) {
+	if (txq_id == IWL_MVM_INVALID_QUEUE) {
 		txq_id = iwl_mvm_find_free_queue(mvm, mvmsta->sta_id,
 						 IWL_MVM_DQA_MIN_DATA_QUEUE,
 						 IWL_MVM_DQA_MAX_DATA_QUEUE);
@@ -2466,16 +2450,16 @@ int iwl_mvm_sta_tx_agg_start(struct iwl_
 			IWL_ERR(mvm, "Failed to allocate agg queue\n");
 			goto release_locks;
 		}
-		/*
-		 * TXQ shouldn't be in inactive mode for non-DQA, so getting
-		 * an inactive queue from iwl_mvm_find_free_queue() is
-		 * certainly a bug
-		 */
-		WARN_ON(mvm->queue_info[txq_id].status ==
-			IWL_MVM_QUEUE_INACTIVE);
 
 		/* TXQ hasn't yet been enabled, so mark it only as reserved */
 		mvm->queue_info[txq_id].status = IWL_MVM_QUEUE_RESERVED;
+	} else if (unlikely(mvm->queue_info[txq_id].status ==
+			    IWL_MVM_QUEUE_SHARED)) {
+		ret = -ENXIO;
+		IWL_DEBUG_TX_QUEUES(mvm,
+				    "Can't start tid %d agg on shared queue!\n",
+				    tid);
+		goto release_locks;
 	}
 
 	spin_unlock(&mvm->queue_info_lock);