From patchwork Fri Jan 29 08:35:12 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Konstantin Khlebnikov <koct9i@gmail.com>
X-Patchwork-Id: 575517
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id C12A4140C4B
	for <patchwork-incoming@ozlabs.org>;
	Fri, 29 Jan 2016 19:35:24 +1100 (AEDT)
Authentication-Results: ozlabs.org; dkim=pass (2048-bit key;
	unprotected) header.d=gmail.com header.i=@gmail.com header.b=AnMofA98;
	dkim-atps=neutral
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1754271AbcA2IfU (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Fri, 29 Jan 2016 03:35:20 -0500
Received: from mail-lb0-f170.google.com ([209.85.217.170]:34732 "EHLO
	mail-lb0-f170.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1753129AbcA2IfS (ORCPT
	<rfc822;netdev@vger.kernel.org>); Fri, 29 Jan 2016 03:35:18 -0500
Received: by mail-lb0-f170.google.com with SMTP id cl12so37052605lbc.1;
	Fri, 29 Jan 2016 00:35:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20120113;
	h=subject:from:to:cc:date:message-id:user-agent:mime-version
	:content-type:content-transfer-encoding;
	bh=bDfIB6W3oJr2y73VvmhtBPUdd4cgh7HZ++Me5KuRlag=;
	b=AnMofA98JXlPj5Qvr9joRsnzaYzj5lyDe367aD8zQw2JXHy4VJmImov9RBbHqQWEtv
	VW2ML0Jwfk4A83hfTmo0yxtd73JpTx5vLno9XPDax3llhg5+Y/LZFKKqZMAQWIYKg4Ub
	DlrznsbFTveX9LJ/xKbiurqKgHzfM0dob3sUz2m/MZUjGDA3DqiQQLsZ4KZKyLkR00zy
	jBiYuW7wYUSOZ4ZCx1uayTSKepBrhBFvKr8cpeg2PVT+z+GVMHY9nWhO82BGVUDFAV/9
	vscSRn1B99rPHIMBOptE+MHSilewouw3Eq9+pqCiZKOksvi8emQL0ajl9DJfRmZy1qlL
	8uvQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20130820;
	h=x-gm-message-state:subject:from:to:cc:date:message-id:user-agent
	:mime-version:content-type:content-transfer-encoding;
	bh=bDfIB6W3oJr2y73VvmhtBPUdd4cgh7HZ++Me5KuRlag=;
	b=YAgoQ77DNWO+cbRUBeKqBCnMivW3bpRVaaV4DABDYrTBcVAaipSF251rld7L5RH3fp
	F5AkowUKJdA8A+4jAfZFJK3ncEgi8acbiXXDJqTuqb3mSjnRabK9jf3+XG40rst4k5p1
	WMG/h7FJz0aycyRDPvTeMf4FJS1yvaDfOPlvVB5iSwHvF4SlgTBgbWVo5bzRMi9l30z/
	0Epz0uo6XnUoGd4llqsYhInSPuWAmzS2WqkIx/v/1BjTI5IQJba7KLU5PI1qnuF1QVWN
	IgVcS8otl0sqryC2VK0k+6g99Gp6zdSfpvcnYhgcsuIro7IsvNjLg0EcX3Oa5gzRIHGw
	GgVQ==
X-Gm-Message-State: 
 AG10YOSgVzc5Pp6wUbkNvnuz/Fj/7isSynusKv4h2PsRmm5pQeGvCDtRhbntc72d/FKZDA==
X-Received: by 10.112.144.38 with SMTP id sj6mr2845495lbb.104.1454056514907;
	Fri, 29 Jan 2016 00:35:14 -0800 (PST)
Received: from localhost (ppp79-139-147-94.pppoe.spdop.ru. [79.139.147.94])
	by smtp.gmail.com with ESMTPSA id
	rg10sm1967049lbb.11.2016.01.29.00.35.13
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Fri, 29 Jan 2016 00:35:14 -0800 (PST)
Subject: [PATCH] mac80211: minstrel_ht: fix out-of-bound in
	minstrel_ht_set_best_prob_rate
From: Konstantin Khlebnikov <koct9i@gmail.com>
To: Felix Fietkau <nbd@openwrt.org>, linux-wireless@vger.kernel.org,
	Johannes Berg <johannes@sipsolutions.net>
Cc: netdev@vger.kernel.org,
	Thomas Huehn <thomas@net.t-labs.tu-berlin.de>
Date: Fri, 29 Jan 2016 11:35:12 +0300
Message-ID: <145405651192.4948.10685647900939287282.stgit@zurg>
User-Agent: StGit/0.17.1-dirty
MIME-Version: 1.0
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

Patch fixes this splat

BUG: KASAN: slab-out-of-bounds in minstrel_ht_update_stats.isra.7+0x6e1/0x9e0
[mac80211] at addr ffff8800cee640f4 Read of size 4 by task swapper/3/0

Signed-off-by: Konstantin Khlebnikov <koct9i@gmail.com>
Link: http://lkml.kernel.org/r/CALYGNiNyJhSaVnE35qS6UCGaSb2Dx1_i5HcRavuOX14oTz2P+w@mail.gmail.com
Acked-by: Felix Fietkau <nbd@openwrt.org>
---
 net/mac80211/rc80211_minstrel_ht.c |    9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/net/mac80211/rc80211_minstrel_ht.c b/net/mac80211/rc80211_minstrel_ht.c
index 3928dbd24e25..93bf2b743e20 100644
--- a/net/mac80211/rc80211_minstrel_ht.c
+++ b/net/mac80211/rc80211_minstrel_ht.c
@@ -414,15 +414,16 @@ minstrel_ht_set_best_prob_rate(struct minstrel_ht_sta *mi, u16 index)
 	    (max_tp_group != MINSTREL_CCK_GROUP))
 		return;
 
+	max_gpr_group = mg->max_group_prob_rate / MCS_GROUP_RATES;
+	max_gpr_idx = mg->max_group_prob_rate % MCS_GROUP_RATES;
+	max_gpr_prob = mi->groups[max_gpr_group].rates[max_gpr_idx].prob_ewma;
+
 	if (mrs->prob_ewma > MINSTREL_FRAC(75, 100)) {
 		cur_tp_avg = minstrel_ht_get_tp_avg(mi, cur_group, cur_idx,
 						    mrs->prob_ewma);
 		if (cur_tp_avg > tmp_tp_avg)
 			mi->max_prob_rate = index;
 
-		max_gpr_group = mg->max_group_prob_rate / MCS_GROUP_RATES;
-		max_gpr_idx = mg->max_group_prob_rate %	MCS_GROUP_RATES;
-		max_gpr_prob = mi->groups[max_gpr_group].rates[max_gpr_idx].prob_ewma;
 		max_gpr_tp_avg = minstrel_ht_get_tp_avg(mi, max_gpr_group,
 							max_gpr_idx,
 							max_gpr_prob);
@@ -431,7 +432,7 @@ minstrel_ht_set_best_prob_rate(struct minstrel_ht_sta *mi, u16 index)
 	} else {
 		if (mrs->prob_ewma > tmp_prob)
 			mi->max_prob_rate = index;
-		if (mrs->prob_ewma > mg->rates[mg->max_group_prob_rate].prob_ewma)
+		if (mrs->prob_ewma > max_gpr_prob)
 			mg->max_group_prob_rate = index;
 	}
 }