* [PATCH] wifi: ath11k: fix potential buffer underflow in ath11k_hal_rx_msdu_list_get()
@ 2026-05-30 11:42 Dmitry Morgun
2026-07-03 6:45 ` Baochen Qiang
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Dmitry Morgun @ 2026-05-30 11:42 UTC (permalink / raw)
To: Jeff Johnson
Cc: Dmitry Morgun, linux-wireless, ath11k, linux-kernel, lvc-project, stable
When the first entry in msdu_details has a zero buffer address,
the code accesses msdu_details[i - 1] with i == 0, causing a
buffer underflow.
Fix similarly to ath12k_wifi7_hal_rx_msdu_list_get() by adding
a separate check for i == 0 before the main condition to prevent
the out-of-bounds access.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
Signed-off-by: Dmitry Morgun <d.morgun@ispras.ru>
---
drivers/net/wireless/ath/ath11k/dp_rx.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c
index 2a413e3a0..c9f520c2a 100644
--- a/drivers/net/wireless/ath/ath11k/dp_rx.c
+++ b/drivers/net/wireless/ath/ath11k/dp_rx.c
@@ -4565,6 +4565,9 @@ static void ath11k_hal_rx_msdu_list_get(struct ath11k *ar,
msdu_details = &msdu_link->msdu_link[0];
for (i = 0; i < HAL_RX_NUM_MSDU_DESC; i++) {
+ if (!i && FIELD_GET(BUFFER_ADDR_INFO0_ADDR,
+ msdu_details[i].buf_addr_info.info0) == 0)
+ break;
if (FIELD_GET(BUFFER_ADDR_INFO0_ADDR,
msdu_details[i].buf_addr_info.info0) == 0) {
msdu_desc_info = &msdu_details[i - 1].rx_msdu_info;
--
2.34.1
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] wifi: ath11k: fix potential buffer underflow in ath11k_hal_rx_msdu_list_get()
2026-05-30 11:42 [PATCH] wifi: ath11k: fix potential buffer underflow in ath11k_hal_rx_msdu_list_get() Dmitry Morgun
@ 2026-07-03 6:45 ` Baochen Qiang
2026-07-03 10:36 ` Rameshkumar Sundaram
2026-07-09 14:49 ` Jeff Johnson
2 siblings, 0 replies; 4+ messages in thread
From: Baochen Qiang @ 2026-07-03 6:45 UTC (permalink / raw)
To: Dmitry Morgun, Jeff Johnson
Cc: linux-wireless, ath11k, linux-kernel, lvc-project, stable
On 5/30/2026 7:42 PM, Dmitry Morgun wrote:
> When the first entry in msdu_details has a zero buffer address,
> the code accesses msdu_details[i - 1] with i == 0, causing a
> buffer underflow.
>
> Fix similarly to ath12k_wifi7_hal_rx_msdu_list_get() by adding
> a separate check for i == 0 before the main condition to prevent
> the out-of-bounds access.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
> Signed-off-by: Dmitry Morgun <d.morgun@ispras.ru>
Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] wifi: ath11k: fix potential buffer underflow in ath11k_hal_rx_msdu_list_get()
2026-05-30 11:42 [PATCH] wifi: ath11k: fix potential buffer underflow in ath11k_hal_rx_msdu_list_get() Dmitry Morgun
2026-07-03 6:45 ` Baochen Qiang
@ 2026-07-03 10:36 ` Rameshkumar Sundaram
2026-07-09 14:49 ` Jeff Johnson
2 siblings, 0 replies; 4+ messages in thread
From: Rameshkumar Sundaram @ 2026-07-03 10:36 UTC (permalink / raw)
To: Dmitry Morgun, Jeff Johnson
Cc: linux-wireless, ath11k, linux-kernel, lvc-project, stable
On 5/30/2026 5:12 PM, Dmitry Morgun wrote:
> When the first entry in msdu_details has a zero buffer address,
> the code accesses msdu_details[i - 1] with i == 0, causing a
> buffer underflow.
>
> Fix similarly to ath12k_wifi7_hal_rx_msdu_list_get() by adding
> a separate check for i == 0 before the main condition to prevent
> the out-of-bounds access.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
> Signed-off-by: Dmitry Morgun <d.morgun@ispras.ru>
Reviewed-by: Rameshkumar Sundaram <rameshkumar.sundaram@oss.qualcomm.com>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] wifi: ath11k: fix potential buffer underflow in ath11k_hal_rx_msdu_list_get()
2026-05-30 11:42 [PATCH] wifi: ath11k: fix potential buffer underflow in ath11k_hal_rx_msdu_list_get() Dmitry Morgun
2026-07-03 6:45 ` Baochen Qiang
2026-07-03 10:36 ` Rameshkumar Sundaram
@ 2026-07-09 14:49 ` Jeff Johnson
2 siblings, 0 replies; 4+ messages in thread
From: Jeff Johnson @ 2026-07-09 14:49 UTC (permalink / raw)
To: Jeff Johnson, Dmitry Morgun
Cc: linux-wireless, ath11k, linux-kernel, lvc-project, stable
On Sat, 30 May 2026 11:42:52 +0000, Dmitry Morgun wrote:
> When the first entry in msdu_details has a zero buffer address,
> the code accesses msdu_details[i - 1] with i == 0, causing a
> buffer underflow.
>
> Fix similarly to ath12k_wifi7_hal_rx_msdu_list_get() by adding
> a separate check for i == 0 before the main condition to prevent
> the out-of-bounds access.
>
> [...]
Applied, thanks!
[1/1] wifi: ath11k: fix potential buffer underflow in ath11k_hal_rx_msdu_list_get()
commit: 7f11e70629650ff6ea140984e5ce188b775b2683
Best regards,
--
Jeff Johnson <jeff.johnson@oss.qualcomm.com>
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-07-09 14:49 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2026-05-30 11:42 [PATCH] wifi: ath11k: fix potential buffer underflow in ath11k_hal_rx_msdu_list_get() Dmitry Morgun
2026-07-03 6:45 ` Baochen Qiang
2026-07-03 10:36 ` Rameshkumar Sundaram
2026-07-09 14:49 ` Jeff Johnson
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox