public inbox for linux-arm-kernel@lists.infradead.org 
 help / color / mirror / Atom feed

From: Sasha Levin <sashal@kernel•org>
To: linux-kernel@vger•kernel.org, stable@vger•kernel.org
Cc: Sasha Levin <sashal@kernel•org>,
	netdev@vger•kernel.org, linux-wireless@vger•kernel.org,
	linux-mediatek@lists•infradead.org,
	Lorenzo Bianconi <lorenzo@kernel•org>,
	linux-arm-kernel@lists•infradead.org,
	Felix Fietkau <nbd@nbd•name>
Subject: [PATCH AUTOSEL 5.4 324/350] mt76: fix possible out-of-bound access in mt7615_fill_txs/mt7603_fill_txs
Date: Tue, 10 Dec 2019 16:07:09 -0500	[thread overview]
Message-ID: <20191210210735.9077-285-sashal@kernel.org> (raw)
In-Reply-To: <20191210210735.9077-1-sashal@kernel.org>

From: Lorenzo Bianconi <lorenzo@kernel•org>

[ Upstream commit e8b970c8e367e85fab9b8ac4f36080e5d653c38e ]

Fix possible out-of-bound access of status rates array in
mt7615_fill_txs/mt7603_fill_txs routines

Fixes: c5211e997eca ("mt76: mt7603: rework and fix tx status reporting")
Fixes: 4af81f02b49c ("mt76: mt7615: sync with mt7603 rate control changes")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel•org>
Signed-off-by: Felix Fietkau <nbd@nbd•name>
Signed-off-by: Sasha Levin <sashal@kernel•org>
---
 drivers/net/wireless/mediatek/mt76/mt7603/mac.c | 4 +++-
 drivers/net/wireless/mediatek/mt76/mt7615/mac.c | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/mediatek/mt76/mt7603/mac.c b/drivers/net/wireless/mediatek/mt76/mt7603/mac.c
index c328192307c48..ff3f3d98b6252 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7603/mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7603/mac.c
@@ -1032,8 +1032,10 @@ mt7603_fill_txs(struct mt7603_dev *dev, struct mt7603_sta *sta,
 		if (idx && (cur_rate->idx != info->status.rates[i].idx ||
 			    cur_rate->flags != info->status.rates[i].flags)) {
 			i++;
-			if (i == ARRAY_SIZE(info->status.rates))
+			if (i == ARRAY_SIZE(info->status.rates)) {
+				i--;
 				break;
+			}
 
 			info->status.rates[i] = *cur_rate;
 			info->status.rates[i].count = 0;
diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
index e07ce2c100133..111e38ff954a2 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
@@ -914,8 +914,10 @@ static bool mt7615_fill_txs(struct mt7615_dev *dev, struct mt7615_sta *sta,
 		if (idx && (cur_rate->idx != info->status.rates[i].idx ||
 			    cur_rate->flags != info->status.rates[i].flags)) {
 			i++;
-			if (i == ARRAY_SIZE(info->status.rates))
+			if (i == ARRAY_SIZE(info->status.rates)) {
+				i--;
 				break;
+			}
 
 			info->status.rates[i] = *cur_rate;
 			info->status.rates[i].count = 0;
-- 
2.20.1


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists•infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

next prev parent reply	other threads:[~2019-12-10 21:16 UTC|newest]

Thread overview: 29+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20191210210735.9077-1-sashal@kernel.org>
2019-12-10 21:02 ` [PATCH AUTOSEL 5.4 052/350] drm/sun4i: dsi: Fix TCON DRQ set bits Sasha Levin
2019-12-10 21:02 ` [PATCH AUTOSEL 5.4 068/350] media: meson/ao-cec: move cec_notifier_cec_adap_register after hw setup Sasha Levin
2019-12-10 21:03 ` [PATCH AUTOSEL 5.4 128/350] spi: pxa2xx: Set controller->max_transfer_size in dma mode Sasha Levin
2019-12-11 10:47   ` Mark Brown
2019-12-19 17:35     ` Sasha Levin
2019-12-10 21:04 ` [PATCH AUTOSEL 5.4 144/350] media: cedrus: Fix undefined shift with a SHIFT_AND_MASK_BITS macro Sasha Levin
2019-12-10 21:04 ` [PATCH AUTOSEL 5.4 145/350] media: aspeed: set hsync and vsync polarities to normal before starting mode detection Sasha Levin
2019-12-10 21:04 ` [PATCH AUTOSEL 5.4 151/350] media: imx7-mipi-csis: Add a check for devm_regulator_get Sasha Levin
2019-12-10 21:04 ` [PATCH AUTOSEL 5.4 152/350] media: aspeed: clear garbage interrupts Sasha Levin
2019-12-10 21:04 ` [PATCH AUTOSEL 5.4 159/350] arm64: psci: Reduce the waiting time for cpu_psci_cpu_kill() Sasha Levin
2019-12-10 21:05 ` [PATCH AUTOSEL 5.4 197/350] ASoC: SOF: imx: fix reverse CONFIG_SND_SOC_SOF_OF dependency Sasha Levin
2019-12-11 11:00   ` Mark Brown
2019-12-19 19:46     ` Sasha Levin
2019-12-10 21:05 ` [PATCH AUTOSEL 5.4 201/350] cpufreq: sun50i: Fix CPU speed bin detection Sasha Levin
2019-12-10 21:05 ` [PATCH AUTOSEL 5.4 205/350] media: staging/imx: Use a shorter name for driver Sasha Levin
2019-12-10 21:05 ` [PATCH AUTOSEL 5.4 206/350] nvmem: imx-ocotp: reset error status on probe Sasha Levin
2019-12-10 21:05 ` [PATCH AUTOSEL 5.4 219/350] perf cs-etm: Fix definition of macro TO_CS_QUEUE_NR Sasha Levin
2019-12-10 21:05 ` [PATCH AUTOSEL 5.4 228/350] perf tools: Fix cross compile for ARM64 Sasha Levin
2019-12-10 21:05 ` [PATCH AUTOSEL 5.4 247/350] media: exynos4-is: fix wrong mdev and v4l2 dev order in error path Sasha Levin
2019-12-10 21:05 ` [PATCH AUTOSEL 5.4 254/350] crypto: atmel - Fix authenc support when it is set to m Sasha Levin
2019-12-10 21:06 ` [PATCH AUTOSEL 5.4 258/350] media: cedrus: Use helpers to access capture queue Sasha Levin
2019-12-10 21:06 ` [PATCH AUTOSEL 5.4 264/350] spi: pxa2xx: Add missed security checks Sasha Levin
2019-12-10 21:06 ` [PATCH AUTOSEL 5.4 288/350] MIPS: ralink: enable PCI support only if driver for mt7621 SoC is selected Sasha Levin
2019-12-10 21:07 ` [PATCH AUTOSEL 5.4 316/350] int128: move __uint128_t compiler test to Kconfig Sasha Levin
2019-12-11 10:07   ` Ard Biesheuvel
2019-12-19 23:24     ` Sasha Levin
2019-12-10 21:07 ` Sasha Levin [this message]
2019-12-10 21:07 ` [PATCH AUTOSEL 5.4 329/350] crypto: sun4i-ss - Fix 64-bit size_t warnings Sasha Levin
2019-12-10 21:07 ` [PATCH AUTOSEL 5.4 331/350] crypto: sun4i-ss - Fix 64-bit size_t warnings on sun4i-ss-hash.c Sasha Levin

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:c328192307c4 dfblob:ff3f3d98b625 dfblob:e07ce2c10013
dfblob:111e38ff954a )
 OR (
bs:"[PATCH AUTOSEL 5.4 324/350] mt76: fix possible out-of-bound access in mt7615_fill_txs/mt7603_fill_txs" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20191210210735.9077-285-sashal@kernel.org \
    --to=sashal@kernel$(echo .)org \
    --cc=linux-arm-kernel@lists$(echo .)infradead.org \
    --cc=linux-kernel@vger$(echo .)kernel.org \
    --cc=linux-mediatek@lists$(echo .)infradead.org \
    --cc=linux-wireless@vger$(echo .)kernel.org \
    --cc=lorenzo@kernel$(echo .)org \
    --cc=nbd@nbd$(echo .)name \
    --cc=netdev@vger$(echo .)kernel.org \
    --cc=stable@vger$(echo .)kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox