Bob Copeland wrote: > The minstrel rate controller periodically looks up rate indexes in > a sampling table. When accessing a specific row and column, minstrel > correctly does a bounds check which, on the surface, appears to handle > the case where mi->n_rates < 2. However, mi->sample_idx is actually > defined as an unsigned, so the right hand side is taken to be a huge > positive number when negative, and the check will always fail. > > Consequently, the RC will overrun the array and cause random memory > corruption when communicating with a peer that has only a single rate. > The max value of mi->sample_idx is around 25 so casting to int should > have no ill effects. > > Without the change, uptime is a few minutes under load with an AP > that has a single hard-coded rate, and both the AP and STA could > potentially crash. With the change, both lasted 12 hours with a > steady load. > > Thanks to Ognjen Maric for providing the single-rate clue so I could > reproduce this. > > This fixes http://bugzilla.kernel.org/show_bug.cgi?id=12490 on the > regression list (also http://bugzilla.kernel.org/show_bug.cgi?id=13000). > > Cc: stable@xxxxxxxxxx > Reported-by: Sergey S. Kostyliov <rathamahata@xxxxxxxxx> > Reported-by: Ognjen Maric <ognjen.maric@xxxxxxxxx> > Signed-off-by: Bob Copeland <me@xxxxxxxxxxxxxxx> > --- > > John & Felix, the patch itself may be too subtle so feel free to do it a > different way. However this is as minimal as it gets so I hope it can > be applied quickly to stable, and mainline if not too late. How about changing the type of sample_idx to signed instead of casting it? It's just a cosmetic thing, so even if you leave at this you get my Acked-by: Felix Fietkau <nbd@xxxxxxxxxxx> - Felix -- To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
