From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-wr1-f41.google.com (mail-wr1-f41.google.com [209.85.221.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1FCF13939B0 for ; Wed, 15 Apr 2026 22:23:46 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.41 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776291828; cv=none; b=RaDKvoafUBF197zJXVj2/gvkfvzK30ajJO4/vnFaafFQ37d1WGqPRlITQR0SHNcnsFU66b38Ojb9y/BtkqP2oD0HO5O6fY3Njmc9UMmm4ZTgcEMYFRxHmTYzcF0bZuoxuSlTOSVZkQFTTMNEHxXE0qSbwYluUdrL9rWsbzhVEgw= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776291828; c=relaxed/simple; bh=094hf+SxNKij/EcIVMTNsyylOlbCL96vuqQW3ZyI/cs=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=AS1G31rNxID75NqVlQffWCBbl39YAKsKSKIyrMhFQqHjC0Dnz84H34l9ZQfhxETa6+icKbgYlR2/0nEJYmJa7ywZ6+ME8XV61pBzAu4ktJDp1qXe1ZE+kvzdSq7ATErpIVoLF1tDkEwHSgzcvTRerG9fIBRzRkP12GqZA7LhQwo= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=oPUIMK0X; arc=none smtp.client-ip=209.85.221.41 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="oPUIMK0X" Received: by mail-wr1-f41.google.com with SMTP id ffacd0b85a97d-43d572f7437so4645062f8f.1 for ; Wed, 15 Apr 2026 15:23:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1776291824; x=1776896624; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=amc2Ehb7SVgpc4uTqGRizbzqDHMttSTOcHk8LAOrPsU=; b=oPUIMK0XQZ7LEVU57dqoLVTKg0UCCW8ItpStISOYJV7Oa0k8fRPL9LSTYbeemFnaOq SpAe3mhjRrFtEsizJoFsuhG5kstyAPgB70h0JSBFHGyXBptag3T3J95+acAm3HoI+QaC 7wygSNU38iZeca2ccqxbY0hZr0jcY3mQhs6R1bCs6vF4gtnZveJg8r/Gti44HcZwNGiV dIMUyk9X3Co08xNMH73SjVboygVravnyB6kvmeWT2R+5/a1igM6qOgEd6kR7WxqZ0xhX nNY6wJukwo8JkEw6DvU87rt4eysKuyCenatTNZMFckst+S3uHoQaotk3z3c5Kt3pIu1O 38Mg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1776291824; x=1776896624; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=amc2Ehb7SVgpc4uTqGRizbzqDHMttSTOcHk8LAOrPsU=; b=XHFH6J3pDiYGM3YLcMSPi7zyWPJDMVYkbBrSsgR21QTptje4A5Xt/Uf+ByFaG3o0Jb H9fL3gpNa41pIMxBhN/CWeNBBaPHYGsn/KuE1wml7JhZAyqYuAXH7jsFwUsCSDFmC7gh cBsHSYdJLkJzNpg3T3Hw2glQWFQ+X77VUUV7ArPtYt2uypP/Ls1MJSqOfLNDPfmrgCm8 mBjMDU3Xc9gyzOi4uWW8Ihi/of1pkZ7yU70sYSvOTj4TuFbaxM7d6PwZqle73G4QJNeO xDrTrkThLwE4Bi+/McVTNqSjtdsq7cOEHq05bOs2GeeVdK0nLusLIM6U5+VXNAroo8cr aX0w== X-Forwarded-Encrypted: i=1; AFNElJ+2h50AxTKnAVY5Gtc634vErYnU3rf9X78d+uqHeg9cgp66UiA+lzXzvLvamArwvEJWjDgW6RfZxWJK1tY=@vger.kernel.org X-Gm-Message-State: AOJu0Yxl89Hwt9F1/PtpdgBxv8sbuqn/t+smjv9kiZkBBx60mw5QXQNu AWQrTcCWlDbigqXSLM/uuMLkgnltvrRE18KgBsYUI9/S4Qt1IKa1iKRhMqRT2Nad9g== X-Gm-Gg: AeBDietwDVGjNNXSFtj+Xs5pSKvh9SREMLv7rMBpJ0KHvaHJvuKOb6yi3Af/rcGNRVS fdVpFQfxf0+Cx/0Jqen3ANqMnabOFEIajQNu9WoiX2FgWonricXqCBTPnHUCNx2UjJwJguAjB/u CZdnDBBQ59huwRJF7aoZM4Vc/LHKv0ykTzSz5d6odqGwK8qQfPmrCG3eDR+UaGXWH5iu4NeWrm6 S43p/tOSIzwcEIkdugBz+ow/wy/oVXkijZHA4EHAM99y+zxr2FW1H3hHVX/0yYP68GESOzTd+NE nwffrBnhqVWZJFLFuLdh5rqCwXR6RhWG7A5CZYul0f3sy1u9oM3FoQWsl7vqJVCvACfSmfQ02oT 03C1vyMxU6YASvAyFREw09pxPZchYir04DQhbGxoJIeQM4nyinLDM0mvjqBKIXSZNF9SJfs37/Z /+ib8= X-Received: by 2002:a5d:5d03:0:b0:43c:f5a0:4e56 with SMTP id ffacd0b85a97d-43d642d1d17mr34903443f8f.42.1776291824418; Wed, 15 Apr 2026 15:23:44 -0700 (PDT) Received: from debian.. ([2001:41d0:303:db6b::]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-43ead3e00b3sm7803345f8f.27.2026.04.15.15.23.43 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 15 Apr 2026 15:23:43 -0700 (PDT) From: Tristan Madani To: Toke Hoiland-Jorgensen Cc: Johannes Berg , linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v2] wifi: ath9k: fix OOB access from firmware tx status queue ID Date: Wed, 15 Apr 2026 22:23:43 +0000 Message-ID: <20260415222343.1540564-1-tristmd@gmail.com> X-Mailer: git-send-email 2.47.3 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit From: Tristan Madani ath_tx_edma_tasklet() accesses sc->tx.txq[ts.qid] where ts.qid is a 4-bit hardware field (0-15), but the txq array only has ATH9K_NUM_TX_QUEUES (10) entries. A qid >= 10 causes an OOB array access. Add a bounds check on ts.qid before using it as an array index. Fixes: fce041beb03f ("ath9k: unify edma and non-edma tx code, improve tx fifo handling") Signed-off-by: Tristan Madani --- Note: v2 resubmission -- original sent via Gmail had HTML rendering issues. This version uses git send-email for plain-text formatting. drivers/net/wireless/ath/ath9k/xmit.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/net/wireless/ath/ath9k/xmit.c b/drivers/net/wireless/ath/ath9k/xmit.c index XXXXXXX..XXXXXXX 100644 --- a/drivers/net/wireless/ath/ath9k/xmit.c +++ b/drivers/net/wireless/ath/ath9k/xmit.c @@ -2755,6 +2755,11 @@ static void ath_tx_edma_tasklet(struct ath_softc *sc) continue; } + if (ts.qid >= ATH9K_NUM_TX_QUEUES) { + ath_dbg(common, XMIT, "invalid qid %d\n", ts.qid); + continue; + } + txq = &sc->tx.txq[ts.qid]; ath_txq_lock(sc, txq); -- 2.43.0