Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp13475415ybl; Sun, 29 Dec 2019 12:48:38 -0800 (PST) X-Google-Smtp-Source: APXvYqzd0YXCvUfsPSnt/9oyyrvwkfwCLKTyo2ZWdn0U9DO6MNBACs6KJGr56pA2JQpEcd7AEB62 X-Received: by 2002:a9d:6196:: with SMTP id g22mr72939490otk.204.1577652518243; Sun, 29 Dec 2019 12:48:38 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1577652518; cv=none; d=google.com; s=arc-20160816; b=ZiNCUqfe8i5w/g3EEOM7VijZVQv/cu5C/mznqwD/v1+NByuhjey2cjFWKIfRHkv4JX 69nAznC/C0E+JBH2rF96TqXFJRmEiZnTuBewSFpzDGp+HRPrJnHVc3oPINgN+r3thbZS El/cMEYEEcGflZKfi5MbBXQsHqY3iS45VJFfZJWiivObaNekRECH92nXPAovagGCR6+N tbCB1GUwRkyi8be1cT3P1VjqV8qFtt1weRABcwT2+DhAK53Nu+kG/KNcC0bNB59OmFfF 1oD4vgb7Ckzpqj77gMoCSdf5yjpnmJVNFw+8mMGHgfup2d8iqR4T1P9YBfz0G3PWP7ot 7+hA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=F48IgPeWMLGLJw2+U+AEcjNICGIhA60Fu9IEwYJs1A8=; b=ncyf/eZmINyraBeucUreekAlD4sk2KbA6DmRrtJwIq8A8Dj3Xoa2vNu3P7FA/GSTQd nWcc6VKw/u53Hv/QJ1YoIbTdMbbQTLznxozB4SkvuQK/KNHHtGk/EUKTkQH6cv7yTsV2 P0EeuSIs4EYKHskEgUmts6juA582hr9wgUXKXNtxVMoYg4hqFBgrp2raOe2QVCM6sXnL vrG1Qv9sGosgeFI+Mu7KaB1Rfkw8lnVLBjZvS7az8z+lmtvs6gfNMcrvSLVBPnmkLvvj +HIYJUATOWE8r+h22wtotoxZRERrv6/r72oLNXf6vCaNlTIFcg9vAkXc99sMSBt2XhiD syag== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=vPb3x+Rc; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t142si16589342oih.242.2019.12.29.12.48.27; Sun, 29 Dec 2019 12:48:38 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=vPb3x+Rc; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732778AbfL2Ry6 (ORCPT + 99 others); Sun, 29 Dec 2019 12:54:58 -0500 Received: from mail.kernel.org ([198.145.29.99]:43214 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732494AbfL2Ry4 (ORCPT ); Sun, 29 Dec 2019 12:54:56 -0500 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id C3FC220718; Sun, 29 Dec 2019 17:54:55 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1577642096; bh=e0Jf8XfCt+ro6en0WD9ghdHlLEAs8kS8RebIWIpPM1Y=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=vPb3x+Rcewjk/+GCCXsEN24+PlQXEfcViHQUPnfK5KfY3FHcwZxIY8obLP8FraKF0 Pf93v27jGcAzijhrdT2rf2Bo5yNxHMEv3rq5nPCHes8jfK9HBVOcm2Rg1687mRAL+9 NEpfHksONuR/rV2UYRW6W+lkFS0/Cq60KdZWuscE= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Lorenzo Bianconi , Felix Fietkau , Sasha Levin Subject: [PATCH 5.4 341/434] mt76: fix possible out-of-bound access in mt7615_fill_txs/mt7603_fill_txs Date: Sun, 29 Dec 2019 18:26:34 +0100 Message-Id: <20191229172724.619423269@linuxfoundation.org> X-Mailer: git-send-email 2.24.1 In-Reply-To: <20191229172702.393141737@linuxfoundation.org> References: <20191229172702.393141737@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Lorenzo Bianconi [ Upstream commit e8b970c8e367e85fab9b8ac4f36080e5d653c38e ] Fix possible out-of-bound access of status rates array in mt7615_fill_txs/mt7603_fill_txs routines Fixes: c5211e997eca ("mt76: mt7603: rework and fix tx status reporting") Fixes: 4af81f02b49c ("mt76: mt7615: sync with mt7603 rate control changes") Signed-off-by: Lorenzo Bianconi Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin --- drivers/net/wireless/mediatek/mt76/mt7603/mac.c | 4 +++- drivers/net/wireless/mediatek/mt76/mt7615/mac.c | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt7603/mac.c b/drivers/net/wireless/mediatek/mt76/mt7603/mac.c index c328192307c4..ff3f3d98b625 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7603/mac.c +++ b/drivers/net/wireless/mediatek/mt76/mt7603/mac.c @@ -1032,8 +1032,10 @@ mt7603_fill_txs(struct mt7603_dev *dev, struct mt7603_sta *sta, if (idx && (cur_rate->idx != info->status.rates[i].idx || cur_rate->flags != info->status.rates[i].flags)) { i++; - if (i == ARRAY_SIZE(info->status.rates)) + if (i == ARRAY_SIZE(info->status.rates)) { + i--; break; + } info->status.rates[i] = *cur_rate; info->status.rates[i].count = 0; diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c index e07ce2c10013..111e38ff954a 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c +++ b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c @@ -914,8 +914,10 @@ static bool mt7615_fill_txs(struct mt7615_dev *dev, struct mt7615_sta *sta, if (idx && (cur_rate->idx != info->status.rates[i].idx || cur_rate->flags != info->status.rates[i].flags)) { i++; - if (i == ARRAY_SIZE(info->status.rates)) + if (i == ARRAY_SIZE(info->status.rates)) { + i--; break; + } info->status.rates[i] = *cur_rate; info->status.rates[i].count = 0; -- 2.20.1