Received: by 2002:a05:6359:c8b:b0:c7:702f:21d4 with SMTP id go11csp2699288rwb; Mon, 19 Sep 2022 08:43:06 -0700 (PDT) X-Google-Smtp-Source: AMsMyM7/3k8FXe9ZCrlEKmTBZLe9z/2qOD6qNtCovv7EN+sgUB2LwIYq8Svp3znRmLkIqw2clM6X X-Received: by 2002:a17:907:97d1:b0:780:26c9:1499 with SMTP id js17-20020a17090797d100b0078026c91499mr12891085ejc.371.1663602186780; Mon, 19 Sep 2022 08:43:06 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1663602186; cv=none; d=google.com; s=arc-20160816; b=l8NeeAOktyruxdYIo+OnMZufw4uU1PT+z9HRATrzOPMgENZ9Ip1G/ue/xztGakIcNT hsve/iwyGGpOSRNIb3h2ZgmwimG97T2w79zx2H3otF6NJbP45NBHFJOCW42Dkjfy8x+B 0wytDdljh9MMBLUuyB0gjyuBylLHcp+uVXZzS0wQsGs8fOHnh73Y78GyORkbLlmxizNl 2uhWQXq2q5gUGGkcya4Od7i2bNitaS0ni0MEk4GtOxpnCQsrJ+rrQi6gZbWQZbeKMPRa KJldxv9eoFQ4Uos9KMDPRBW9ZsFQywjrZDY+gl5546Hyq4+XWa0AWVQq6I8DadNOxujF YMBg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :mime-version:in-reply-to:from:references:cc:to:subject:user-agent :date:message-id:dkim-signature; bh=QbBXbyo89wl9+cEf5DTzIeznN/nvWvVd2+qXfKdL9no=; b=WcYREd9wLQzLZOSMJAjMDHxAog30jtAiekjSZb28mxbFU1iA8oK+EzZDUowgecYtzQ KFKLU4oSDySHY0sLm3OFWfBpWb+uQ2rJS4hYmZjDV7jjkW3OrKdL+bRuY73KVEAQlSwY EblygTBc1L7eG+rQNdPXYhEslhkxTzV/+zAR/xhwzFmgsaR1wDySw+RELDxbTi7+sNao Aliu6dSkjaXRzbLV9+htg7kDfMN48nGfAFS7imA/fs7EggN746qbgO9+/+tbpyQInENy ULJI8JQxu7wNWyDq3f8YSHRA3Uwxn8HyVhRJE365lF00wXn6UQXgIGgV8q2aDg7d+mNP VS9Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@camlingroup.com header.s=mimecast20210310 header.b=QAqTQrr3; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id qa33-20020a17090786a100b0073d76d8af85si22314145ejc.231.2022.09.19.08.42.45; Mon, 19 Sep 2022 08:43:06 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@camlingroup.com header.s=mimecast20210310 header.b=QAqTQrr3; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229910AbiISP0A (ORCPT + 63 others); Mon, 19 Sep 2022 11:26:00 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55614 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229731AbiISPZh (ORCPT ); Mon, 19 Sep 2022 11:25:37 -0400 X-Greylist: delayed 367 seconds by postgrey-1.37 at lindbergh.monkeyblade.net; Mon, 19 Sep 2022 08:25:10 PDT Received: from eu-smtp-delivery-197.mimecast.com (eu-smtp-delivery-197.mimecast.com [185.58.85.197]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 102D210D1 for ; Mon, 19 Sep 2022 08:25:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=camlingroup.com; s=mimecast20210310; t=1663601108; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=QbBXbyo89wl9+cEf5DTzIeznN/nvWvVd2+qXfKdL9no=; b=QAqTQrr3fMuCtT5st3Y2wEGJQFnuoHbqSPqYq85ojCztSPZUSitlpcWOYWBgwnxXgQWN5E UU4YaBCixSJDD4CEtBzgRbP67JPAqo4dFMTJG1iVclgIvYHQkNyZ21hsPzutC8W5NixDmq Mk+EtdjCPcyjlZAMaxLsidwdGcJHqok= Received: from GBR01-LO2-obe.outbound.protection.outlook.com (mail-lo2gbr01lp2055.outbound.protection.outlook.com [104.47.21.55]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id uk-mta-209-Dxp44X7UMoiprr_Ymt17nQ-1; Mon, 19 Sep 2022 16:17:50 +0100 X-MC-Unique: Dxp44X7UMoiprr_Ymt17nQ-1 Received: from CWXP123MB4486.GBRP123.PROD.OUTLOOK.COM (2603:10a6:400:fa::9) by LO0P123MB7007.GBRP123.PROD.OUTLOOK.COM (2603:10a6:600:335::5) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5612.16; Mon, 19 Sep 2022 15:17:48 +0000 Received: from CWXP123MB4486.GBRP123.PROD.OUTLOOK.COM ([fe80::a837:10db:7103:8461]) by CWXP123MB4486.GBRP123.PROD.OUTLOOK.COM ([fe80::a837:10db:7103:8461%6]) with mapi id 15.20.5632.021; Mon, 19 Sep 2022 15:17:48 +0000 Message-ID: Date: Mon, 19 Sep 2022 17:17:47 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.11.0 Subject: Re: [PATCH] wifi: wfx: fix memory corruption by limiting max_rates to 4 To: Peter Seiderer , Lech Perczak CC: =?UTF-8?B?SsOpcsO0bWUgUG91aWxsZXI=?= , linux-wireless@vger.kernel.org, Kalle Valo , =?UTF-8?Q?Krzysztof_Drobi=c5=84ski?= , Johannes Berg References: <20220915131445.30600-1-lech.perczak@camlingroup.com> <8115258.T7Z3S40VBb@pc-42> <41f23be7-3385-e6cc-9c76-f88b1dd5ebd2@camlingroup.com> <20220915202157.6fff5ef8@gmx.net> From: Pawel Lenkow In-Reply-To: <20220915202157.6fff5ef8@gmx.net> X-ClientProxiedBy: LO2P265CA0479.GBRP265.PROD.OUTLOOK.COM (2603:10a6:600:a2::35) To CWXP123MB4486.GBRP123.PROD.OUTLOOK.COM (2603:10a6:400:fa::9) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: CWXP123MB4486:EE_|LO0P123MB7007:EE_ X-MS-Office365-Filtering-Correlation-Id: 35b72117-592a-4b2c-1354-08da9a521cc5 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0 X-Microsoft-Antispam-Message-Info: nCyRc0IFNg4hZ1VTI00WAwFoU2lwkB3Ydey5GdSGX9eHE0gY6IL3dmA2k/BS8MFrt72FLv7ZmMKODKBPsVR1nV+SWiwaXL1UxakpR5uwic8rZ7A8kB7YJGKZ2CV9R55+sVHbackLLnNUAqMji/Q2tmLbMTf7iWlKlPmj+qtXgHrNGdLq+CUfcmn6kowg+0TxiIxrzXzFWzqcbeG1EpMKK5cpxXXww+tmht6zLH2ZVpQMWE6MDIYs/fnJ/p4BE7ntUQFsOE2K4Zu+T1dMiG/hynlkqJKVcOYHVVPiUIL90vN9kST3/O+VXCTJH0tcws7SdH4UTSJB3xu4JwqOMSNYyhXxmCyj29Fttq9+eelAk/xMNKqOJdWXVi5WKyq3GMSVi0xBivJPlPYLF8H6K2qyGRlr1wso4BRBGyAvxaJfCCIjgDoep3gj8g+ndC48pHpGj3vRAfSNvrmFFUwGwDNHd+dTHsP39MWsFCBTlmDsHODG2Qp/Fs36pWAed0VW3mfgjYLFMZg2U9oRn9b2I1UHTqdp6Pmumrh20KcNn9jPmr9BuQ4DDp5iu9ENnOTvKIl853IUa04fiFHcR53rXmeJM22GPkO0NVBXtlwe8iuCUFshqiEmI71QpvYyGTI1RvykfwzeB1j8xR5kkfkViJl8jgbIuQiM8swocHmBi8IluCS4tb2bIXD4naxcw1XFQ+Nm7+jnDT0AszXOi8soYVh9cZNVDN1pKQK9knjhDdHioQ/k7R0bOS7fjMXkYLi6CVjbJ7Y6UUlGf7bPm66tyzLQJPjCBbjO4AETSTvPpudNWQQBfXeQtWxaObKlxKsoYWforODtWOSQkUnLgesBHlXM7mLAZdsGYTzyZu869m0y5IKLAZOoPZ7TIsZP9F5iA402kqheOu8t6KIk0w8hQXZyKA== X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:CWXP123MB4486.GBRP123.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230022)(366004)(136003)(396003)(376002)(346002)(39850400004)(451199015)(6506007)(4326008)(66556008)(54906003)(31696002)(6636002)(478600001)(41300700001)(83380400001)(53546011)(966005)(2906002)(5660300002)(66946007)(38100700002)(31686004)(86362001)(110136005)(66476007)(38350700002)(66574015)(6512007)(186003)(26005)(8676002)(52116002)(44832011)(316002)(36756003)(2616005)(6486002)(8936002)(45980500001)(43740500002);DIR:OUT;SFP:1101 X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: =?us-ascii?Q?hvvt/bnZMBnxXa20z/QPsFF98WaC77YoUL18dbz4pgOW4BarxvhE+t8mRPQT?= =?us-ascii?Q?Q/YHSemEla7Yf+RtKnzMLrKU7qIuUumwoJ3GqrqAVgn0CBbTNBcMNGKB8Yo+?= =?us-ascii?Q?AMdpjx8rzWwR2+9AOpvCZU9/5R8igcTebyI+k9YqcSRToazMW63QS2Jg3iHn?= =?us-ascii?Q?drSOloGbY+SxxE7DV2GoIn2arvmvyDccf5nVQ+Mg2CIV/wg8U0bfsd9SA+WP?= =?us-ascii?Q?B5TyoN/uoFocOIl6gnFr0PbCUnymUFKdPBqT/FxKO0Z+sh3OoRm0eS9Ug4Uq?= =?us-ascii?Q?qOj9zl+JMoyIUsXzp3kUrRd2RJWvwh7RIgjoiqnDprAiOy2hXd3Yn0tvPFSV?= =?us-ascii?Q?nbWuOqEW7O+lwuqBmWFjiEx9A6fQAV+L3arNyYrQvPrAcc9fAIuPSaQQM7mJ?= =?us-ascii?Q?GHv7AMWApG5W11arm3oOx/3Sju1bymcTlxRTQbQlGyU0pVHD1eb7QvQYEd+A?= =?us-ascii?Q?yD6FlN0fmRWRkYePJ7K9HVigs9Zu0S2VMN4RKt/vdruEmhouSYyfWzXGOzDZ?= =?us-ascii?Q?dBejZlSn76L9JACVHke//kbEv/+iMd42KOjzjw24qML678qNe3oSieQFgaF/?= =?us-ascii?Q?PDXhchukCJQ4DfSZNGlF+7VnMyXW12XgWbMjMbVTAlpxA9M3CKjZni4NcDnT?= =?us-ascii?Q?8scSCZmIpBkvTHtw74vpqZiWaj9+0eZZ/NaNivBH1wATsBiXeJAQn2gEcozX?= =?us-ascii?Q?koPHUQe+i/NxC2fZxir+fO1PB6/bXpkGpOsQQm34XEuGcT0YxRZ0FHhCuFcG?= =?us-ascii?Q?/clXF52q8dQOYx3wI9H6hljqLZCVj94yru86KsW1q1HcuBrZI8RKU0CC6wmE?= =?us-ascii?Q?r2UrgSKrkYwd8klC5VEy5lk5m51X3dY6rBr5A31nHlR6B2pVoOkoOrZvyq1+?= =?us-ascii?Q?Z8GzZzDpWiSkaZieyBK2jLNdpwhCi3N5+0GfSwlQimsBFBrz0mZ3mwGaFya2?= =?us-ascii?Q?uEycLrgBi6tLqSfEaeG0ZzJ7HAQHEQRBW/gLtwI3+OhDWuurrmaOSWRfI2t5?= =?us-ascii?Q?abzh8xhYtl+ZaXOwxeQc1eeRifnc2z9lo6C6ks66P6gb6An5BRWq/89YkVF2?= =?us-ascii?Q?EsAv9G8baDv9MvpYkwWnQQg0r1gw41jTNyfF3iv0ezHCwNVqfPUobuslaq/1?= =?us-ascii?Q?5gpSx1dywyuNZhzvEMLh8kBaEhd7PPHsfAlmBu8aLdWNJK8XsgHqk85yGNy4?= =?us-ascii?Q?7tdeEXdCxX7AumO+m1SvG4bAAy1jWYYylktb0NBnt3A7LP/h7mPeeWzMlMc0?= =?us-ascii?Q?dTUcoChOX0/ESXF8mbJTMZjjIaGOPwf7jBQj8Hnnx4KSjxAqELL3i4PalwKP?= =?us-ascii?Q?wFD+uReu8P5ewKJGHrfbuFulrTKLvvBKCDpObC9I8Thynvx6iw1Napim97s9?= =?us-ascii?Q?ailrlOGj+TYzOhyyteKZb3ftCS3koly84pwgQV9qJQAkYtFGBnF24jqfDWDO?= =?us-ascii?Q?ykvzdEGc9kGDiPAOypRft0ErjP71a2YGjD6b6XYsjAqT5HoXmKX+lrXrldnQ?= =?us-ascii?Q?wAMMrRwDbTUYN+9tVJxxCvEV0GXfVT0PtBWJF2sPD+qA72sy1GgfB/MUkgcD?= =?us-ascii?Q?Mt59AOsn8j9IBOZn5X9ozEGDAZfvFlXRAoeh3ZjrihqOPqY50eizVKLGgLFz?= =?us-ascii?Q?mA=3D=3D?= X-OriginatorOrg: camlingroup.com X-MS-Exchange-CrossTenant-Network-Message-Id: 35b72117-592a-4b2c-1354-08da9a521cc5 X-MS-Exchange-CrossTenant-AuthSource: CWXP123MB4486.GBRP123.PROD.OUTLOOK.COM X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 19 Sep 2022 15:17:48.7801 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: fd4b1729-b18d-46d2-9ba0-2717b852b252 X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: PRapAVOX53+9NQD4Ljn0IFz2i7zsoEeRYVyYxgeQQ8pSEMC0lLndid/sSPReDXtXjQKSJPi1vjINJLpvS2aBYmaCMjJVYByDDxdlkTngDTI= X-MS-Exchange-Transport-CrossTenantHeadersStamped: LO0P123MB7007 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: camlingroup.com Content-Language: en-US Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-3.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,NICE_REPLY_A,RCVD_IN_DNSWL_LOW, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org Hi! Thank you for your suggestions and comments.=20 We have submitted new patch here: https://patchwork.kernel.org/project/linux-wireless/patch/20220919150135.90= 785-1-lech.perczak@camlingroup.com/ On 15.09.2022 20:21, Peter Seiderer wrote: > Hello *, >=20 > On Thu, 15 Sep 2022 16:02:34 +0200, Lech Perczak wrote: >=20 >> Hi J=C3=A9r=C3=B4me, >> >> Answers inline. >> [Add Krzysztof in Cc:] >> >> W dniu 15.09.2022 o 15:39, J=C3=A9r=C3=B4me Pouiller pisze: >>> [Add Peter in Cc:] >>> >>> On Thursday 15 September 2022 15:14:45 CEST Lech Perczak wrote: >>>> From: Pawe=C5=82 Lenkow >>>> >>>> During our testing of WFM200 module over SDIO on i.MX6Q-based platform= , >>>> we discovered a memory corruption on the system, tracing back to the w= fx >>>> driver. Using kfence, it was possible to trace it back to the root >>>> cause, which is hw->max_rates set to 8 in wfx_init_common, >>>> while the maximum defined by IEEE80211_TX_TABLE_SIZE is 4. >>>> >>>> This causes array out-of-bounds writes during updates of the rate tabl= e, >>>> as seen below: >>>> >>>> BUG: KFENCE: memory corruption in kfree_rcu_work+0x320/0x36c >>>> >>>> Corrupted memory at 0xe0a4ffe0 [ 0x03 0x03 0x03 0x03 0x01 0x00 0x00 >>>> 0x02 0x02 0x02 0x09 0x00 0x21 0xbb 0xbb 0xbb ] (in kfence-#81): >>>> kfree_rcu_work+0x320/0x36c >>>> process_one_work+0x3ec/0x920 >>>> worker_thread+0x60/0x7a4 >>>> kthread+0x174/0x1b4 >>>> ret_from_fork+0x14/0x2c >>>> 0x0 >>>> >>>> kfence-#81: 0xe0a4ffc0-0xe0a4ffdf, size=3D32, cache=3Dkmalloc-64 >>>> >>>> allocated by task 297 on cpu 0 at 631.039555s: >>>> minstrel_ht_update_rates+0x38/0x2b0 [mac80211] >>>> rate_control_tx_status+0xb4/0x148 [mac80211] >>>> ieee80211_tx_status_ext+0x364/0x1030 [mac80211] >>>> ieee80211_tx_status+0xe0/0x118 [mac80211] >>>> ieee80211_tasklet_handler+0xb0/0xe0 [mac80211] >>>> tasklet_action_common.constprop.0+0x11c/0x148 >>>> __do_softirq+0x1a4/0x61c >>>> irq_exit+0xcc/0x104 >>>> call_with_stack+0x18/0x20 >>>> __irq_svc+0x80/0xb0 >>>> wq_worker_sleeping+0x10/0x100 >>>> wq_worker_sleeping+0x10/0x100 >>>> schedule+0x50/0xe0 >>>> schedule_timeout+0x2e0/0x474 >>>> wait_for_completion+0xdc/0x1ec >>>> mmc_wait_for_req_done+0xc4/0xf8 >>>> mmc_io_rw_extended+0x3b4/0x4ec >>>> sdio_io_rw_ext_helper+0x290/0x384 >>>> sdio_memcpy_toio+0x30/0x38 >>>> wfx_sdio_copy_to_io+0x88/0x108 [wfx] >>>> wfx_data_write+0x88/0x1f0 [wfx] >>>> bh_work+0x1c8/0xcc0 [wfx] >>>> process_one_work+0x3ec/0x920 >>>> worker_thread+0x60/0x7a4 >>>> kthread+0x174/0x1b4 >>>> ret_from_fork+0x14/0x2c 0x0 >>>> >>>> Limit hw->max_rates to not exceed IEEE80211_TX_RATE_TABLE_SIZE (4). >>>> >>>> To bring back previous value, the global table size limit needs to be >>>> increased beforehand in mac80211.h, or by limiting the iteration count >>>> in minstrel_ht_update_rates against IEEE80211_TX_RATE_TABLE_SIZE as >>>> well. >>>> >>>> Fixes: e16e7f0716a6 ("staging: wfx: instantiate mac80211 data") >>> >>> I think the issue has been introduced by ee0e16ab756a ("mac80211: >>> minstrel_ht: fill all requested rates"). >=20 > Ups, sorry for creating a regression (and many thanks for investigation).= .. >=20 >>> >>> >>>> Cc: J=C3=A9r=C3=B4me Pouiller >>>> Cc: Kalle Valo >>>> Link: https://urldefense.com/v3/__https://lore.kernel.org/all/12e5adcd= -8aed-f0f7-70cc-4fb7b656b829@camlingroup.com/__;!!N30Cs7Jr!ReVaYMRjWoJzG95K= RgrZTGAw0bmt5lnLLpRkt574SRvIoKLD2xl53YKUiLpN4PfXpjSLIQ9KvgVy9Wi4jeJE8axP9M4= Odgk$ > >>>> >>>> Signed-off-by: Pawe=C5=82 Lenkow >>>> Signed-off-by: Lech Perczak >>>> --- >>>> drivers/net/wireless/silabs/wfx/main.c | 2 +- >>>> 1 file changed, 1 insertion(+), 1 deletion(-) >>>> >>>> diff --git a/drivers/net/wireless/silabs/wfx/main.c b/drivers/net/wire= less/silabs/wfx/main.c >>>> index 84d82ddded56..7463fe4b5cae 100644 >>>> --- a/drivers/net/wireless/silabs/wfx/main.c >>>> +++ b/drivers/net/wireless/silabs/wfx/main.c >>>> @@ -273,7 +273,7 @@ struct wfx_dev *wfx_init_common(struct device *dev= , const struct wfx_platform_da >>>> hw->vif_data_size =3D sizeof(struct wfx_vif); >>>> hw->sta_data_size =3D sizeof(struct wfx_sta_priv); >>>> hw->queues =3D 4; >>>> - hw->max_rates =3D 8; >>>> + hw->max_rates =3D 4; >=20 > Quick grep for max_rates did show the same for: >=20 > drivers/net/wireless/st/cw1200/main.c: hw->max_rates =3D 8; >=20 >>>> hw->max_rate_tries =3D 8; >>>> hw->extra_tx_headroom =3D sizeof(struct wfx_hif_msg) + sizeof(struct w= fx_hif_req_tx) + >>>> 4 /* alignment */ + 8 /* TKIP IV */; >>> >=20 > Think the following suggested fix is the right way to go (and keep hw->ma= x_rates > value according to the hardware capabilities(?) of the wifi device)... >=20 >>> Do you think the fix should rather be: >>> >>> ------8<----------8<-------- >>> --- i/net/mac80211/rc80211_minstrel_ht.c >>> +++ w/net/mac80211/rc80211_minstrel_ht.c >>> @@ -1559,7 +1559,7 @@ minstrel_ht_update_rates(struct minstrel_priv *mp= , struct minstrel_ht_sta *mi) >>> minstrel_ht_set_rate(mp, mi, rates, i++, mi->max_tp_rate[0]); >>> >>> /* Fill up remaining, keep one entry for max_probe_rate */ >>> - for (; i < (mp->hw->max_rates - 1); i++) >>> + for (; i < min(mp->hw->max_rates, IEEE80211_TX_RATE_TABLE_SIZE) - 1; = i++) >>> minstrel_ht_set_rate(mp, mi, rates, i, mi->max_tp_rate[i]); >>> >=20 > Same change needed here: >=20 >>> if (i < mp->hw->max_rates) >=20 > if (i < min(mp->hw->max_rates, IEEE80211_TX_RATE_TABLE_SIZE)) >=20 >>> ------8<----------8<-------- >>> >> We thought about this as well - or about adding assertion to the functio= n which does the memory allocation, >> but there are more 4-element arrays in mac80211, handled under different= defines, which can be confusing. >> >> carl9170 driver has BUILD_BUG_ON to guard from that precisely - see: >> https://elixir.bootlin.com/linux/latest/source/drivers/net/wireless/ath/= carl9170/tx.c#L879 >> I think, that the second BUILD_BUG_ON could be moved to mac80211 core, s= o that it is checked always, >> not only when CARL9170 is enabled. >> >> I think both changes should be applied - or, alternatively, in minstrel_= ht_set_rate, we could use: >> BUG_ON(mp->hw->max_rates > IEEE80211_TX_RATE_TABLE_SIZE); >> to quickly catch misbehaving drivers in future. >=20 > Think with the suggested changes to minstrel_ht_set_rate no further asser= tion > is needed... >=20 > Regards, > Peter >=20 >> >> Since this concerns mac80211 core, let's add Johannes to the loop as wel= l. >>> >>> >>> -- >>> J=C3=A9r=C3=B4me Pouiller >>> >>> > ___ > This email originated from outside of Camlin Group. Do not click on links= or open attachments unless you are confident they are secure. If in doubt,= please raise a security incident via the following portal: Camlin Helpdesk= =E2=80=93 Report an Information Security Incident/Non-Conformance >=20