From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Wen Gong, Kalle Valo, Sasha Levin
Subject: [PATCH 4.19 010/271] ath10k: add peer id check in ath10k_peer_find_by_id
Date: Wed, 24 Jul 2019 21:17:59 +0200
Message-Id: <20190724191656.165123751@linuxfoundation.org>
In-Reply-To: <20190724191655.268628197@linuxfoundation.org>
References: <20190724191655.268628197@linuxfoundation.org>

[ Upstream commit 49ed34b835e231aa941257394716bc689bc98d9f ]

For some SDIO chip, the peer id is 65535 for MPDU with error status, then test_bit will trigger buffer overflow for peer's memory, if kasan enabled, it will report error.

Reason is when station is in disconnecting status, firmware do not delete the peer info since it not disconnected completely, meanwhile some AP will still send data packet to station, then hardware will receive the packet and send to firmware, firmware's logic will report peer id of 65535 for MPDU with error status.

Add check for overflow the size of peer's peer_ids will avoid the buffer overflow access.

Call trace of kasan: dump_backtrace+0x0/0x2ec show_stack+0x20/0x2c __dump_stack+0x20/0x28 dump_stack+0xc8/0xec print_address_description+0x74/0x240 kasan_report+0x250/0x26c __asan_report_load8_noabort+0x20/0x2c ath10k_peer_find_by_id+0x180/0x1e4 [ath10k_core] ath10k_htt_t2h_msg_handler+0x100c/0x2fd4 [ath10k_core] ath10k_htt_htc_t2h_msg_handler+0x20/0x34 [ath10k_core] ath10k_sdio_irq_handler+0xcc8/0x1678 [ath10k_sdio] process_sdio_pending_irqs+0xec/0x370 sdio_run_irqs+0x68/0xe4 sdio_irq_work+0x1c/0x28 process_one_work+0x3d8/0x8b0 worker_thread+0x508/0x7cc kthread+0x24c/0x264 ret_from_fork+0x10/0x18 Tested with QCA6174 SDIO with firmware WLAN.RMH.4.4.1-00007-QCARMSWP-1. Signed-off-by: Wen Gong Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin --- drivers/net/wireless/ath/ath10k/txrx.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/net/wireless/ath/ath10k/txrx.c b/drivers/net/wireless/ath/ath10k/txrx.c index cda164f6e9f6..6f62ddc0494c 100644 --- a/drivers/net/wireless/ath/ath10k/txrx.c +++ b/drivers/net/wireless/ath/ath10k/txrx.c @@ -156,6 +156,9 @@ struct ath10k_peer *ath10k_peer_find_by_id(struct ath10k *ar, int peer_id) { struct ath10k_peer *peer; + if (peer_id >= BITS_PER_TYPE(peer->peer_ids)) + return NULL; + lockdep_assert_held(&ar->data_lock); list_for_each_entry(peer, &ar->peers, list) -- 2.20.1
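
Review bot: the new bounds check in ath10k_peer_find_by_id() sits ahead of `lockdep_assert_held(&ar->data_lock)`, so a caller that passes an out-of-range id without holding the lock returns NULL and never trips the locking assertion; moving the check below the assertion keeps that coverage on every path. Separately, the bound is written as `BITS_PER_TYPE(peer->peer_ids)` while `peer` is still unassigned. That is safe only because the macro is sizeof-based and never evaluates the pointer, which deserves a one-line comment, along with a note that the firmware reports 65535 for MPDUs with error status so the reason for the check stays in the code. Since `peer_id` is a signed `int`, negative values are rejected only through the implicit conversion to the unsigned sizeof result; an explicit `peer_id < 0` test would make that intent visible.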