iwlwifi: mvm: fix possible out-of-bounds read when accessing lq_info (514ea05b) · Commits · 戴 / test

drivers/net/wireless/intel/iwlwifi/mvm/rs.c

+20 −8

Original line number	Diff line number	Diff line
		@@ -1352,6 +1352,18 @@ static void rs_set_expected_tpt_table(struct iwl_lq_sta *lq_sta,
		tbl->expected_tpt = rs_get_expected_tpt_table(lq_sta, column, rate->bw);
		}

		/* rs uses two tables, one is active and the second is for searching better
		* configuration. This function, according to the index of the currently
		* active table returns the search table, which is located at the
		* index complementary to 1 according to the active table (active = 1,
		* search = 0 or active = 0, search = 1).
		* Since lq_info is an arary of size 2, make sure index cannot be out of bounds.
		*/
		static inline u8 rs_search_tbl(u8 active_tbl)
		{
		return (active_tbl ^ 1) & 1;
		}

		static s32 rs_get_best_rate(struct iwl_mvm *mvm,
		struct iwl_lq_sta *lq_sta,
		struct iwl_scale_tbl_info tbl, / "search" */
		@@ -1699,9 +1711,9 @@ static int rs_switch_to_column(struct iwl_mvm *mvm,
		struct ieee80211_sta *sta,
		enum rs_column col_id)
		{
		struct iwl_scale_tbl_info *tbl = &(lq_sta->lq_info[lq_sta->active_tbl]);
		struct iwl_scale_tbl_info *tbl = &lq_sta->lq_info[lq_sta->active_tbl];
		struct iwl_scale_tbl_info *search_tbl =
		&(lq_sta->lq_info[(1 - lq_sta->active_tbl)]);
		&lq_sta->lq_info[rs_search_tbl(lq_sta->active_tbl)];
		struct rs_rate *rate = &search_tbl->rate;
		const struct rs_tx_column *column = &rs_tx_columns[col_id];
		const struct rs_tx_column *curr_column = &rs_tx_columns[tbl->column];
		@@ -2109,7 +2121,7 @@ static void rs_rate_scale_perform(struct iwl_mvm *mvm,
		if (!lq_sta->search_better_tbl)
		active_tbl = lq_sta->active_tbl;
		else
		active_tbl = 1 - lq_sta->active_tbl;
		active_tbl = rs_search_tbl(lq_sta->active_tbl);

		tbl = &(lq_sta->lq_info[active_tbl]);
		rate = &tbl->rate;
		@@ -2333,7 +2345,7 @@ lq_update:
		/* If new "search" mode was selected, set up in uCode table */
		if (lq_sta->search_better_tbl) {
		/* Access the "search" table, clear its history. */
		tbl = &(lq_sta->lq_info[(1 - lq_sta->active_tbl)]);
		tbl = &lq_sta->lq_info[rs_search_tbl(lq_sta->active_tbl)];
		rs_rate_scale_clear_tbl_windows(mvm, tbl);

		/* Use new "search" start rate */
		@@ -2676,7 +2688,7 @@ static void rs_initialize_lq(struct iwl_mvm *mvm,
		if (!lq_sta->search_better_tbl)
		active_tbl = lq_sta->active_tbl;
		else
		active_tbl = 1 - lq_sta->active_tbl;
		active_tbl = rs_search_tbl(lq_sta->active_tbl);

		tbl = &(lq_sta->lq_info[active_tbl]);
		rate = &tbl->rate;
		@@ -3172,9 +3184,9 @@ static void __iwl_mvm_rs_tx_status(struct iwl_mvm *mvm,

		if (!lq_sta->search_better_tbl) {
		curr_tbl = &lq_sta->lq_info[lq_sta->active_tbl];
		other_tbl = &lq_sta->lq_info[1 - lq_sta->active_tbl];
		other_tbl = &lq_sta->lq_info[rs_search_tbl(lq_sta->active_tbl)];
		} else {
		curr_tbl = &lq_sta->lq_info[1 - lq_sta->active_tbl];
		curr_tbl = &lq_sta->lq_info[rs_search_tbl(lq_sta->active_tbl)];
		other_tbl = &lq_sta->lq_info[lq_sta->active_tbl];
		}

		@@ -3183,7 +3195,7 @@ static void __iwl_mvm_rs_tx_status(struct iwl_mvm *mvm,
		"Neither active nor search matches tx rate\n");
		tmp_tbl = &lq_sta->lq_info[lq_sta->active_tbl];
		rs_dump_rate(mvm, &tmp_tbl->rate, "ACTIVE");
		tmp_tbl = &lq_sta->lq_info[1 - lq_sta->active_tbl];
		tmp_tbl = &lq_sta->lq_info[rs_search_tbl(lq_sta->active_tbl)];
		rs_dump_rate(mvm, &tmp_tbl->rate, "SEARCH");
		rs_dump_rate(mvm, &lq_rate, "ACTUAL");

Admin message