From: Kalle Valo <kvalo@qca.qualcomm.com>
To: Christian Lamparter <chunkeey@gmail.com>
Cc: Sebastian Gottschall <s.gottschall@dd-wrt.com>,
	"linux-wireless@vger.kernel.org" <linux-wireless@vger.kernel.org>
Subject: Re: [PATCH] ath10k: fix recent bandwidth conversion bug
Date: Thu, 14 Dec 2017 13:21:27 +0000
Message-ID: <877etpmomh.fsf@kamboji.qca.qualcomm.com>
In-Reply-To: <1882220.dvZB77Gu54@debian64> (Christian Lamparter's message of "Mon, 20 Nov 2017 18:05:00 +0100")

Christian Lamparter <chunkeey@gmail.com> writes:

> On Monday, November 20, 2017 11:57:21 AM CET Kalle Valo wrote:
>> Christian Lamparter <chunkeey@gmail.com> writes:
>>
>> > On Wednesday, November 1, 2017 9:37:53 PM CET Sebastian Gottschall wrote:
>> >> an additional array bounds check would be good
>> >
>> > Ah, about that:
>> >
>> > the bw variable in ath10k_htt_rx_h_rates() is extracted from info2
>> > in the following way [0]:
>> > |	bw = info2 & 3;
>> >
>> > the txrate.bw variable in ath10k_update_per_peer_tx_stats() is set by [1]:
>> > |	txrate.bw = ATH10K_HW_BW(peer_stats->flags);
>> >
>> > ATH10K_HW_BW is a macro defined as [2]:
>> > |	#define ATH10K_HW_BW(flags)		(((flags) >> 3) & 0x3)
>> >
>> > In both cases the bandwidth values already are limited to 0-3 by
>> > the "and 3" operation.
>>
>> Until someone changes that part of the code (and the firmware
>> interface). IMHO a switch is safer as there we don't have any risk of
>> out of bounds access.
>
> The kbuild-bot/CI can catch this too.
>
> For example, it will look like this:
> drivers/net/wireless/ath/ath10k//htt_rx.c:710:52: warning: invalid
> access past the end of 'ath10k_bw_to_mac80211' (4 4)

Sure, but after reading about all these security vulnerabilities I have
become even more cautious and try to avoid all tricky stuff.

> BTW:
> Have you noticed:
>
> <https://github.com/lede-project/source/blob/master/package/kernel/mac80211/patches/319-ath10k-fix-recent-bandwidth-conversion-bug.patch>
>
> Is this really your signed-off-by or not?

I suspect that patch is taken from my pending branch.

> In any case, you - as the maintainer - can modify the patch as
> you see fit. So, please do so.

Ok, we'll send v2.

-- 
Kalle Valo
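
The trade-off debated in this thread, as an added example that is not part of the original messages or of the ath10k source: a table lookup tied to its mask by a compile-time check, next to the switch form. The `ex_`/`EX_` names, the value-to-bandwidth mapping and the 20 MHz fallback are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-ins for the mac80211 bandwidth values (assumption). */
enum ex_bw { EX_BW_20, EX_BW_40, EX_BW_80, EX_BW_160 };

#define EX_BW_MASK 0x3u
/* Same shape as the ATH10K_HW_BW macro quoted in the thread. */
#define EX_HW_BW(flags) (((flags) >> 3) & EX_BW_MASK)
#define EX_ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Table variant: safe only while every masked value has an entry. */
static const enum ex_bw ex_bw_table[] = {
	EX_BW_20, EX_BW_40, EX_BW_80, EX_BW_160,
};

/* The build breaks if the mask is widened without growing the table. */
_Static_assert(EX_ARRAY_SIZE(ex_bw_table) == EX_BW_MASK + 1,
	       "bandwidth table must cover every value the mask can produce");

/* Table lookup with a runtime check, for callers that did not mask. */
enum ex_bw ex_bw_from_table(uint8_t bw)
{
	if (bw >= EX_ARRAY_SIZE(ex_bw_table))
		return EX_BW_20;	/* assumed fallback for unknown encodings */
	return ex_bw_table[bw];
}

/* Switch variant: no array, so there is no index to run past the end. */
enum ex_bw ex_bw_from_switch(uint8_t bw)
{
	switch (bw) {
	case 0: return EX_BW_20;
	case 1: return EX_BW_40;
	case 2: return EX_BW_80;
	case 3: return EX_BW_160;
	default: return EX_BW_20;	/* assumed fallback for unknown encodings */
	}
}

int main(void)
{
	uint32_t flags = 2u << 3;	/* constructed sample: bw field = 2 */
	return ex_bw_from_switch(EX_HW_BW(flags)) == ex_bw_from_table(EX_HW_BW(flags)) ? 0 : 1;
}
```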
