Message ID | 20240704070811.4186543-3-quic_periyasa@quicinc.com (mailing list archive) |
---|---|
State | Accepted |
Commit | 69f253e46af98af17e3efa3e5dfa72fcb7d1983d |
Delegated to: | Kalle Valo |
Headers | show |
Series | wifi: ath: fix array out-of-bound access in SoC stats | expand |
On 7/4/2024 12:08 AM, Karthikeyan Periyasamy wrote: > Currently, the ath11k_soc_dp_stats::hal_reo_error array is defined with a > maximum size of DP_REO_DST_RING_MAX. However, the ath11k_dp_process_rx() > function access ath11k_soc_dp_stats::hal_reo_error using the REO > destination SRNG ring ID, which is incorrect. SRNG ring ID differ from > normal ring ID, and this usage leads to out-of-bounds array access. To fix > this issue, modify ath11k_dp_process_rx() to use the normal ring ID > directly instead of the SRNG ring ID to avoid out-of-bounds array access. > > Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1 > > Signed-off-by: Karthikeyan Periyasamy <quic_periyasa@quicinc.com> Acked-by: Jeff Johnson <quic_jjohnson@quicinc.com>
diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c index 86485580dd89..c087d8a0f5b2 100644 --- a/drivers/net/wireless/ath/ath11k/dp_rx.c +++ b/drivers/net/wireless/ath/ath11k/dp_rx.c @@ -2697,7 +2697,7 @@ int ath11k_dp_process_rx(struct ath11k_base *ab, int ring_id, if (unlikely(push_reason != HAL_REO_DEST_RING_PUSH_REASON_ROUTING_INSTRUCTION)) { dev_kfree_skb_any(msdu); - ab->soc_stats.hal_reo_error[dp->reo_dst_ring[ring_id].ring_id]++; + ab->soc_stats.hal_reo_error[ring_id]++; continue; }
Currently, the ath11k_soc_dp_stats::hal_reo_error array is defined with a maximum size of DP_REO_DST_RING_MAX. However, the ath11k_dp_process_rx() function access ath11k_soc_dp_stats::hal_reo_error using the REO destination SRNG ring ID, which is incorrect. SRNG ring ID differ from normal ring ID, and this usage leads to out-of-bounds array access. To fix this issue, modify ath11k_dp_process_rx() to use the normal ring ID directly instead of the SRNG ring ID to avoid out-of-bounds array access. Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1 Signed-off-by: Karthikeyan Periyasamy <quic_periyasa@quicinc.com> --- drivers/net/wireless/ath/ath11k/dp_rx.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)