From: Stanislaw Gruszka <stf_xl@wp.pl>
To: Fedor Pchelkin <pchelkin@ispras.ru>
Cc: Johannes Berg <johannes@sipsolutions.net>,
Alexei Safin <a.safin@rosa.ru>,
lvc-project@linuxtesting.org, netdev@vger.kernel.org,
Kalle Valo <kvalo@kernel.org>,
linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
"David S . Miller" <davem@davemloft.net>
Subject: Re: [PATCH] wifi: iwlegacy: Check rate_idx range after addition
Date: Sat, 17 May 2025 16:53:53 +0200 [thread overview]
Message-ID: <20250517145353.GA138457@wp.pl> (raw)
In-Reply-To: <hrpy3omokg5zvrqnchx4jvp26bvfgdrashkmrjonsyz5b64aaz@6d5kn7z7x73q>
Hi Fedor, thanks for review,
On Sat, May 17, 2025 at 03:21:03PM +0300, Fedor Pchelkin wrote:
> On Sat, 17. May 09:40, Stanislaw Gruszka wrote:
> > Move rate_idx range check after we add IL_FIRST_OFDM_RATE for it
> > for 5GHz band.
> >
> > Additionally use ">= RATE_COUNT" check instead of "> RATE_COUNT_LEGACY"
> > to avoid possible reviewers and static code analyzers confusion about
> > size of il_rate array.
> >
> > Reported-by: Fedor Pchelkin <pchelkin@ispras.ru>
> > Reported-by: Alexei Safin <a.safin@rosa.ru>
> > Signed-off-by: Stanislaw Gruszka <stf_xl@wp.pl>
> > ---
>
> Thank you for the patch, Stanislaw!
>
> Please see some comments below.
>
> > drivers/net/wireless/intel/iwlegacy/4965-mac.c | 15 +++++++++------
> > 1 file changed, 9 insertions(+), 6 deletions(-)
> >
> > diff --git a/drivers/net/wireless/intel/iwlegacy/4965-mac.c b/drivers/net/wireless/intel/iwlegacy/4965-mac.c
> > index dc8c408902e6..2294ea43b4c7 100644
> > --- a/drivers/net/wireless/intel/iwlegacy/4965-mac.c
> > +++ b/drivers/net/wireless/intel/iwlegacy/4965-mac.c
> > @@ -1567,16 +1567,19 @@ il4965_tx_cmd_build_rate(struct il_priv *il,
> > /**
> > * If the current TX rate stored in mac80211 has the MCS bit set, it's
> > * not really a TX rate. Thus, we use the lowest supported rate for
> > - * this band. Also use the lowest supported rate if the stored rate
> > - * idx is invalid.
> > + * this band.
> > */
> > rate_idx = info->control.rates[0].idx;
> > - if ((info->control.rates[0].flags & IEEE80211_TX_RC_MCS) || rate_idx < 0
> > - || rate_idx > RATE_COUNT_LEGACY)
> > + if (info->control.rates[0].flags & IEEE80211_TX_RC_MCS)
> > rate_idx = rate_lowest_index(&il->bands[info->band], sta);
> > - /* For 5 GHZ band, remap mac80211 rate indices into driver indices */
> > - if (info->band == NL80211_BAND_5GHZ)
> > + else if (info->band == NL80211_BAND_5GHZ)
>
> 5GHZ shouldn't be in 'else if' clause, I think. Is it mutually exclusive
> with IEEE80211_TX_RC_MCS ?
Right, this is wrong. I thought we can use index returned by
rate_lowest_index() but we still should add IL_FIRST_OFDM_RATE.
At least this is how is done now.
>
> > + /* For 5 GHZ band, remap mac80211 rate indices into driver indices */
> > rate_idx += IL_FIRST_OFDM_RATE;
> > +
> > + /* Use the lowest supported rate if the stored rate idx is invalid. */
> > + if (rate_idx < 0 || rate_idx >= RATE_COUNT)
>
> There is a check inside il4965_rs_get_rate():
>
> /* Check for invalid rates */
> if (rate_idx < 0 || rate_idx >= RATE_COUNT_LEGACY ||
> (sband->band == NL80211_BAND_5GHZ &&
> rate_idx < IL_FIRST_OFDM_RATE))
> rate_idx = rate_lowest_index(sband, sta);
>
> so RATE_COUNT_LEGACY (60M) is considered invalid there but is accepted
> here in il4965_tx_cmd_build_rate(). It looks strange, at least for the
> fresh reader as me..
Indeed this is strange. I'm not sure why those checks differ.
Anyway for the rate_idx in il4965_tx_cmd_build_rate()
for 5GHs I'll just add additional check like below:
if (info->band == NL80211_BAND_5GHZ) {
rate_idx += IL_FIRST_OFDM_RATE;
if (rate_idx > IL_LAST_OFDM_RATE);
rate_idx = IL_LAST_OFDM_RATE;
}
This patch should be dropped.
Regards
Stanislaw
next prev parent reply other threads:[~2025-05-17 14:53 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-04-24 18:52 [PATCH v2] iwlegacy: 4965: fix possible out-of-bounds access in il4965_tx_cmd_build_rate() Alexei Safin
2025-04-25 5:59 ` Ping-Ke Shih
2025-04-27 6:39 ` Stanislaw Gruszka
2025-04-29 17:15 ` Fedor Pchelkin
2025-04-29 21:40 ` Stanislaw Gruszka
2025-05-17 7:40 ` [PATCH] wifi: iwlegacy: Check rate_idx range after addition Stanislaw Gruszka
2025-05-17 12:21 ` Fedor Pchelkin
2025-05-17 14:53 ` Stanislaw Gruszka [this message]
2025-05-25 14:45 ` [PATCH v2] " Stanislaw Gruszka
2025-05-27 19:17 ` Fedor Pchelkin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250517145353.GA138457@wp.pl \
--to=stf_xl@wp.pl \
--cc=a.safin@rosa.ru \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=johannes@sipsolutions.net \
--cc=kuba@kernel.org \
--cc=kvalo@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=lvc-project@linuxtesting.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=pchelkin@ispras.ru \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.