From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: "K.T.VIJAYAKUMAAR" <vijay.bvb@samsung.com>,
	Kalle Valo <kvalo@codeaurora.org>,
	Sasha Levin <sashal@kernel.org>,
	ath10k@lists.infradead.org, linux-wireless@vger.kernel.org,
	netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.19 092/205] ath10k: avoid possible memory access violation
Date: Fri,  8 Nov 2019 06:35:59 -0500
Message-ID: <20191108113752.12502-92-sashal@kernel.org>
In-Reply-To: <20191108113752.12502-1-sashal@kernel.org>

From: "K.T.VIJAYAKUMAAR" <vijay.bvb@samsung.com>

[ Upstream commit 97c69a70dc2cecb2c3b96a66529e0082dabc2d2c ]

array "ctl_power_table" access index "pream" is initialized with -1 and
is raised as a static analysis tool issue.
[drivers\net\wireless\ath\ath10k\wmi.c:4719] ->
[drivers\net\wireless\ath\ath10k\wmi.c:4730]: (error) Array index -1 is
out of bounds.

Since the "pream" index for accessing ctl_power_table array is initialized
with -1, there is a chance of memory access violation for the cases below.
1) wmi_pdev_tpc_final_table_event change frequency is between 2483 and 5180
2) pream_idx is out of the enumeration ranges of wmi_tpc_pream_2ghz,
wmi_tpc_pream_5ghz

Signed-off-by: K.T.VIJAYAKUMAAR <vijay.bvb@samsung.com>
[kvalo@codeaurora.org: clean up the warning message]
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/ath/ath10k/wmi.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/net/wireless/ath/ath10k/wmi.c b/drivers/net/wireless/ath/ath10k/wmi.c
index 9f31b9a108507..583147f00fa4e 100644
--- a/drivers/net/wireless/ath/ath10k/wmi.c
+++ b/drivers/net/wireless/ath/ath10k/wmi.c
@@ -4785,6 +4785,13 @@ ath10k_wmi_tpc_final_get_rate(struct ath10k *ar,
 		}
 	}
 
+	if (pream == -1) {
+		ath10k_warn(ar, "unknown wmi tpc final index and frequency: %u, %u\n",
+			    pream_idx, __le32_to_cpu(ev->chan_freq));
+		tpc = 0;
+		goto out;
+	}
+
 	if (pream == 4)
 		tpc = min_t(u8, ev->rates_array[rate_idx],
 			    ev->max_reg_allow_pow[ch]);
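Review bot: The new guard `if (pream == -1)` only catches the sentinel value, so any other out-of-range `pream` left by the code above would still reach the table lookup that follows. The commit message names two cases (a frequency between the bands and a `pream_idx` outside the enum ranges), and both are handled only as long as every unmatched path leaves `pream` at exactly -1. A range check against the first dimension of `ctl_power_table` (negative, or greater than or equal to the array size) would cover the sentinel and stay correct if the initial value or the enum mapping changes later. It would also help to add a one-line comment on why `tpc = 0` is the right fallback before `goto out`, since the caller receives a zero power value with only a warning in the log to explain it. The values printed by `ath10k_warn` come from the firmware event (`ev->chan_freq`), so the message is useful for triage. Check that the `%u` specifier matches the declared type of `pream_idx`, which is not visible in this hunk.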
-- 
2.20.1

