[PATCH 5.10 19/41] wifi: cfg80211: Fix bitrate calculation overflow for HE rates

public inbox for stable@vger.kernel.org
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	patches@lists.linux.dev,
	Veerendranath Jakkam <veerendranath.jakkam@oss.qualcomm.com>,
	Johannes Berg <johannes.berg@intel.com>,
	Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.10 19/41] wifi: cfg80211: Fix bitrate calculation overflow for HE rates
Date: Mon,  9 Feb 2026 15:24:40 +0100	[thread overview]
Message-ID: <20260209142257.503588651@linuxfoundation.org> (raw)
In-Reply-To: <20260209142256.797267956@linuxfoundation.org>

5.10-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Veerendranath Jakkam <veerendranath.jakkam@oss.qualcomm.com>

[ Upstream commit a3034bf0746d88a00cceda9541534a5721445a24 ]

An integer overflow occurs in cfg80211_calculate_bitrate_he() when
calculating bitrates for high throughput HE configurations.
For example, with 160 MHz bandwidth, HE-MCS 13, HE-NSS 4, and HE-GI 0,
the multiplication (result * rate->nss) overflows the 32-bit 'result'
variable before division by 8, leading to significantly underestimated
bitrate values.

The overflow occurs because the NSS multiplication operates on a 32-bit
integer that cannot accommodate intermediate values exceeding
4,294,967,295. When overflow happens, the value wraps around, producing
incorrect bitrates for high MCS and NSS combinations.

Fix this by utilizing the 64-bit 'tmp' variable for the NSS
multiplication and subsequent divisions via do_div(). This approach
preserves full precision throughout the entire calculation, with the
final value assigned to 'result' only after completing all operations.

Signed-off-by: Veerendranath Jakkam <veerendranath.jakkam@oss.qualcomm.com>
Link: https://patch.msgid.link/20260109-he_bitrate_overflow-v1-1-95575e466b6e@oss.qualcomm.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/wireless/util.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/net/wireless/util.c b/net/wireless/util.c
index 37719fc39f64d..29b8233d4a9c2 100644
--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -1389,12 +1389,14 @@ static u32 cfg80211_calculate_bitrate_he(struct rate_info *rate)
 	tmp = result;
 	tmp *= SCALE;
 	do_div(tmp, mcs_divisors[rate->mcs]);
-	result = tmp;

 	/* and take NSS, DCM into account */
-	result = (result * rate->nss) / 8;
+	tmp *= rate->nss;
+	do_div(tmp, 8);
 	if (rate->he_dcm)
-		result /= 2;
+		do_div(tmp, 2);
+
+	result = tmp;

 	return result / 10000;
 }
-- 
2.51.0

next prev parent reply	other threads:[~2026-02-09 14:51 UTC|newest]

Thread overview: 52+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-02-09 14:24 [PATCH 5.10 00/41] 5.10.250-rc1 review Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.10 01/41] rbd: check for EOD after exclusive lock is ensured to be held Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.10 02/41] ARM: 9468/1: fix memset64() on big-endian Greg Kroah-Hartman
2026-02-21 20:21   ` Ben Hutchings
2026-02-21 21:45     ` Matthew Wilcox
2026-02-09 14:24 ` [PATCH 5.10 03/41] KVM: Dont clobber irqfd routing type when deassigning irqfd Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.10 04/41] netfilter: nft_set_pipapo: clamp maximum map bucket size to INT_MAX Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.10 05/41] binderfs: fix ida_alloc_max() upper bound Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.10 06/41] wifi: mac80211: ocb: skip rx_no_sta when interface is not joined Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.10 07/41] wifi: wlcore: ensure skb headroom before skb_push Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.10 08/41] net: usb: sr9700: support devices with virtual driver CD Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.10 09/41] block,bfq: fix aux stat accumulation destination Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.10 10/41] HID: multitouch: add MT_QUIRK_STICKY_FINGERS to MT_CLS_VTL Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.10 11/41] HID: intel-ish-hid: Reset enum_devices_done before enumeration Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.10 12/41] ALSA: hda/realtek: add HP Laptop 15s-eq1xxx mute LED quirk Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.10 13/41] HID: quirks: Add another Chicony HP 5MP Cameras to hid_ignore_list Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.10 14/41] HID: Apply quirk HID_QUIRK_ALWAYS_POLL to Edifier QR30 (2d99:a101) Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.10 15/41] ring-buffer: Avoid softlockup in ring_buffer_resize() during memory free Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.10 16/41] wifi: mac80211: collect station statistics earlier when disconnect Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.10 17/41] ASoC: davinci-evm: Fix reference leak in davinci_evm_probe Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.10 18/41] ASoC: tlv320adcx140: Propagate error codes during probe Greg Kroah-Hartman
2026-02-09 14:24 ` Greg Kroah-Hartman [this message]
2026-02-09 14:24 ` [PATCH 5.10 20/41] scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count() Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.10 21/41] scsi: target: iscsi: Fix use-after-free in iscsit_dec_conn_usage_count() Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.10 22/41] wifi: mac80211: dont increment crypto_tx_tailroom_needed_cnt twice Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.10 23/41] platform/x86: toshiba_haps: Fix memory leaks in add/remove routines Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.10 24/41] platform/x86: intel_telemetry: Fix PSS event register mask Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.10 25/41] net: liquidio: Initialize netdev pointer before queue setup Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.10 26/41] net: liquidio: Fix off-by-one error in PF setup_nic_devices() cleanup Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.10 27/41] net: liquidio: Fix off-by-one error in VF " Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.10 28/41] macvlan: fix error recovery in macvlan_common_newlink() Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.10 29/41] tipc: use kfree_sensitive() for session key material Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.10 30/41] hwmon: (occ) Mark occ_init_attribute() as __printf Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.10 31/41] nvmet-tcp: add an helper to free the cmd buffers Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.10 32/41] nvmet-tcp: fix memory leak when performing a controller reset Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.10 33/41] nvmet-tcp: fix regression in data_digest calculation Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.10 34/41] nvmet-tcp: dont map pages which cant come from HIGHMEM Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.10 35/41] nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.10 36/41] ASoC: amd: fix memory leak in acp3x pdm dma ops Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.10 37/41] platform/x86: intel_telemetry: Fix swapped arrays in PSS output Greg Kroah-Hartman
2026-02-09 14:24 ` [PATCH 5.10 38/41] gve: Fix stats report corruption on queue count change Greg Kroah-Hartman
2026-02-09 14:25 ` [PATCH 5.10 39/41] tracing: Fix ftrace event field alignments Greg Kroah-Hartman
2026-02-09 14:25 ` [PATCH 5.10 40/41] gve: Correct ethtool rx_dropped calculation Greg Kroah-Hartman
2026-02-09 14:25 ` [PATCH 5.10 41/41] nvmet-tcp: pass iov_len instead of sg->length to bvec_set_page() Greg Kroah-Hartman
2026-02-09 18:15 ` [PATCH 5.10 00/41] 5.10.250-rc1 review Brett A C Sheffield
2026-02-09 20:55 ` Jon Hunter
2026-02-10  3:01 ` Florian Fainelli
2026-02-10 12:52 ` Woody Suwalski
2026-02-10 13:25 ` Mark Brown
2026-02-11  7:26 ` Barry K. Nathan
2026-02-11  7:29 ` Barry K. Nathan
2026-02-11 11:00 ` Jeffrin Thalakkottoor

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:37719fc39f64 dfblob:29b8233d4a9c )
 OR (
bs:"[PATCH 5.10 19/41] wifi: cfg80211: Fix bitrate calculation overflow for HE rates" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260209142257.503588651@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=johannes.berg@intel.com \
    --cc=patches@lists.linux.dev \
    --cc=sashal@kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=veerendranath.jakkam@oss.qualcomm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox