Patch "wifi: mac80211: fix memory corruption in minstrel_ht_update_rates()" has been added to the 5.19-stable tree

This is a note to let you know that I've just added the patch titled

    wifi: mac80211: fix memory corruption in minstrel_ht_update_rates()

to the 5.19-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     wifi-mac80211-fix-memory-corruption-in-minstrel_ht_u.patch
and it can be found in the queue-5.19 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 9bc63d2369f273538f99d4ad380f3c8cf85b6e67
Author: Paweł Lenkow <pawel.lenkow@xxxxxxxxxxxxxxx>
Date:   Mon Sep 19 17:01:35 2022 +0200

    wifi: mac80211: fix memory corruption in minstrel_ht_update_rates()
    
    [ Upstream commit be92292b90bfdc31f332c962882b6d3ea0285fdf ]
    
    During our testing of the WFM200 module over SDIO on an i.MX6Q-based platform,
    we discovered a memory corruption on the system, tracing back to the wfx
    driver. Using kfence, it was possible to trace it back to the root
    cause, which is hw->max_rates set to 8 in wfx_init_common,
    while the maximum defined by IEEE80211_TX_TABLE_SIZE is 4.
    
    This causes array out-of-bounds writes during updates of the rate table,
    as seen below:
    
    BUG: KFENCE: memory corruption in kfree_rcu_work+0x320/0x36c
    
    Corrupted memory at 0xe0a4ffe0 [ 0x03 0x03 0x03 0x03 0x01 0x00 0x00
    0x02 0x02 0x02 0x09 0x00 0x21 0xbb 0xbb 0xbb ] (in kfence-#81):
    kfree_rcu_work+0x320/0x36c
    process_one_work+0x3ec/0x920
    worker_thread+0x60/0x7a4
    kthread+0x174/0x1b4
    ret_from_fork+0x14/0x2c
    0x0
    
    kfence-#81: 0xe0a4ffc0-0xe0a4ffdf, size=32, cache=kmalloc-64
    
    allocated by task 297 on cpu 0 at 631.039555s:
    minstrel_ht_update_rates+0x38/0x2b0 [mac80211]
    rate_control_tx_status+0xb4/0x148 [mac80211]
    ieee80211_tx_status_ext+0x364/0x1030 [mac80211]
    ieee80211_tx_status+0xe0/0x118 [mac80211]
    ieee80211_tasklet_handler+0xb0/0xe0 [mac80211]
    tasklet_action_common.constprop.0+0x11c/0x148
    __do_softirq+0x1a4/0x61c
    irq_exit+0xcc/0x104
    call_with_stack+0x18/0x20
    __irq_svc+0x80/0xb0
    wq_worker_sleeping+0x10/0x100
    wq_worker_sleeping+0x10/0x100
    schedule+0x50/0xe0
    schedule_timeout+0x2e0/0x474
    wait_for_completion+0xdc/0x1ec
    mmc_wait_for_req_done+0xc4/0xf8
    mmc_io_rw_extended+0x3b4/0x4ec
    sdio_io_rw_ext_helper+0x290/0x384
    sdio_memcpy_toio+0x30/0x38
    wfx_sdio_copy_to_io+0x88/0x108 [wfx]
    wfx_data_write+0x88/0x1f0 [wfx]
    bh_work+0x1c8/0xcc0 [wfx]
    process_one_work+0x3ec/0x920
    worker_thread+0x60/0x7a4
    kthread+0x174/0x1b4
    ret_from_fork+0x14/0x2c 0x0
    
    After discussion on the wireless mailing list it was clarified
    that the issue has been introduced by:
    commit ee0e16ab756a ("mac80211: minstrel_ht: fill all requested rates")
    and the fix shall be in minstrel_ht_update_rates in rc80211_minstrel_ht.c.
    
    Fixes: ee0e16ab756a ("mac80211: minstrel_ht: fill all requested rates")
    Link: https://lore.kernel.org/all/12e5adcd-8aed-f0f7-70cc-4fb7b656b829@xxxxxxxxxxxxxxx/
    Link: https://lore.kernel.org/linux-wireless/20220915131445.30600-1-lech.perczak@xxxxxxxxxxxxxxx/
    Cc: Jérôme Pouiller <jerome.pouiller@xxxxxxxxxx>
    Cc: Johannes Berg <johannes@xxxxxxxxxxxxxxxx>
    Cc: Peter Seiderer <ps.report@xxxxxxx>
    Cc: Kalle Valo <kvalo@xxxxxxxxxx>
    Cc: Krzysztof Drobiński <krzysztof.drobinski@xxxxxxxxxxxxxxx>
    Signed-off-by: Paweł Lenkow <pawel.lenkow@xxxxxxxxxxxxxxx>
    Signed-off-by: Lech Perczak <lech.perczak@xxxxxxxxxxxxxxx>
    Reviewed-by: Peter Seiderer <ps.report@xxxxxxx>
    Reviewed-by: Jérôme Pouiller <jerome.pouiller@xxxxxxxxxx>
    Acked-by: Felix Fietkau <nbd@xxxxxxxx>
    Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/mac80211/rc80211_minstrel_ht.c b/net/mac80211/rc80211_minstrel_ht.c
index 5f27e6746762..788a82f9c74d 100644
--- a/net/mac80211/rc80211_minstrel_ht.c
+++ b/net/mac80211/rc80211_minstrel_ht.c
@@ -10,6 +10,7 @@
 #include <linux/random.h>
 #include <linux/moduleparam.h>
 #include <linux/ieee80211.h>
+#include <linux/minmax.h>
 #include <net/mac80211.h>
 #include "rate.h"
 #include "sta_info.h"
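Review bot: the new `#include <linux/minmax.h>` is the right home for min_t() and applies cleanly to 5.19, but it is the one hunk to watch if this patch is carried further back: minmax.h only exists since v5.10, so a port to an older stable series needs this line dropped (min_t() is reachable through linux/kernel.h there) while the other two hunks stay as they are.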
@@ -1550,6 +1551,7 @@ minstrel_ht_update_rates(struct minstrel_priv *mp, struct minstrel_ht_sta *mi)
 {
 	struct ieee80211_sta_rates *rates;
 	int i = 0;
+	int max_rates = min_t(int, mp->hw->max_rates, IEEE80211_TX_RATE_TABLE_SIZE);
 
 	rates = kzalloc(sizeof(*rates), GFP_ATOMIC);
 	if (!rates)
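Review bot: the clamp in `int max_rates = min_t(int, mp->hw->max_rates, IEEE80211_TX_RATE_TABLE_SIZE);` stops the out-of-bounds writes, but it silently hides the root cause the commit message names, a driver (wfx) advertising hw->max_rates = 8 against a table of 4 entries. Consider pairing the clamp with a one-time warning, for example a WARN_ON_ONCE when mp->hw->max_rates exceeds IEEE80211_TX_RATE_TABLE_SIZE, or a check at ieee80211_register_hw() time, so a misconfigured driver becomes visible instead of being quietly truncated. Minor: the commit message calls the limit IEEE80211_TX_TABLE_SIZE while the code uses IEEE80211_TX_RATE_TABLE_SIZE; the message should use the real identifier.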
@@ -1559,10 +1561,10 @@ minstrel_ht_update_rates(struct minstrel_priv *mp, struct minstrel_ht_sta *mi)
 	minstrel_ht_set_rate(mp, mi, rates, i++, mi->max_tp_rate[0]);
 
 	/* Fill up remaining, keep one entry for max_probe_rate */
-	for (; i < (mp->hw->max_rates - 1); i++)
+	for (; i < (max_rates - 1); i++)
 		minstrel_ht_set_rate(mp, mi, rates, i, mi->max_tp_rate[i]);
 
-	if (i < mp->hw->max_rates)
+	if (i < max_rates)
 		minstrel_ht_set_rate(mp, mi, rates, i++, mi->max_prob_rate);
 
 	if (i < IEEE80211_TX_RATE_TABLE_SIZE)
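Review bot: the loop body `minstrel_ht_set_rate(mp, mi, rates, i, mi->max_tp_rate[i]);` indexes mi->max_tp_rate[] with the same i it writes to the table with, so the fix relies on IEEE80211_TX_RATE_TABLE_SIZE not exceeding the size of max_tp_rate[]; before this patch the same loop also read past max_tp_rate[] whenever hw->max_rates was larger. A short comment or a BUILD_BUG_ON tying the two bounds together would make that dependency explicit. The unchanged trailing `if (i < IEEE80211_TX_RATE_TABLE_SIZE)` is still needed, since i can now end at a max_rates that is below the table size.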


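The fill logic described in the commit message and changed by the patch, as an added example that is not the kernel's code: a user-space C model of the rate-table fill in minstrel_ht_update_rates(), run once with the driver's raw hw->max_rates (8, the wfx value from the report) and once with the patch's clamp. The setter is a bounds-checked stand-in for minstrel_ht_set_rate() that counts refused writes instead of corrupting the neighbouring allocation; the candidate rate values, the n_tp guard on the candidate array, and every name other than IEEE80211_TX_RATE_TABLE_SIZE are constructed for this example.

```c
#include <stdio.h>
#include <stdbool.h>

/* Mirrors the mac80211 constant the patch clamps against. */
#define IEEE80211_TX_RATE_TABLE_SIZE 4

/* One int per slot is enough to model the indexing; the real table
 * stores several fields per slot, which does not change the bound. */
struct rate_table {
	int idx[IEEE80211_TX_RATE_TABLE_SIZE];
};

struct fill_result {
	int written;       /* in-range writes performed */
	int oob_attempts;  /* writes refused: index >= table size */
};

/* Stand-in for minstrel_ht_set_rate(). The real function writes
 * rates->rate[index] unconditionally; this one refuses and counts an
 * index past the end of the table instead of overwriting the next
 * heap object (what KFENCE caught in the report). */
static void set_rate(struct rate_table *t, int index, int rate_idx,
		     struct fill_result *r)
{
	if (index < 0 || index >= IEEE80211_TX_RATE_TABLE_SIZE) {
		r->oob_attempts++;
		return;
	}
	t->idx[index] = rate_idx;
	r->written++;
}

/* Same fill order as minstrel_ht_update_rates(): max_tp_rate[0], then the
 * remaining throughput rates up to one slot below the limit, then the
 * probe rate. 'limit' is hw->max_rates before the patch and
 * min(hw->max_rates, IEEE80211_TX_RATE_TABLE_SIZE) after it. The n_tp
 * check is this example's own guard on its candidate array; the kernel
 * loop has no such check. */
static struct fill_result fill_rates(struct rate_table *t, int limit,
				     const int *max_tp_rate, int n_tp,
				     int max_prob_rate)
{
	struct fill_result r = { 0, 0 };
	int i = 0;

	set_rate(t, i++, max_tp_rate[0], &r);

	/* Fill up remaining, keep one entry for max_prob_rate */
	for (; i < (limit - 1) && i < n_tp; i++)
		set_rate(t, i, max_tp_rate[i], &r);

	if (i < limit)
		set_rate(t, i++, max_prob_rate, &r);

	return r;
}

/* The patch's bound: min_t(int, mp->hw->max_rates, IEEE80211_TX_RATE_TABLE_SIZE). */
static int clamp_max_rates(int hw_max_rates)
{
	return hw_max_rates < IEEE80211_TX_RATE_TABLE_SIZE ?
	       hw_max_rates : IEEE80211_TX_RATE_TABLE_SIZE;
}

/* Run one fill for a driver advertising hw_max_rates, with or without
 * the patch's clamp, against constructed candidate rates. */
static struct fill_result run_fill(int hw_max_rates, bool clamped)
{
	/* Constructed sample: eight throughput candidates (enough for the
	 * wfx value of 8 in the commit message) and one probe rate. */
	const int max_tp_rate[8] = { 31, 30, 29, 28, 27, 26, 25, 24 };
	const int max_prob_rate = 7;
	struct rate_table table = { { 0 } };
	int limit = clamped ? clamp_max_rates(hw_max_rates) : hw_max_rates;

	return fill_rates(&table, limit, max_tp_rate, 8, max_prob_rate);
}

int main(void)
{
	const int wfx_max_rates = 8;
	struct fill_result before = run_fill(wfx_max_rates, false);
	struct fill_result after = run_fill(wfx_max_rates, true);

	printf("hw->max_rates=%d, table size=%d\n", wfx_max_rates,
	       IEEE80211_TX_RATE_TABLE_SIZE);
	printf("unpatched: %d in-range writes, %d out-of-bounds writes\n",
	       before.written, before.oob_attempts);
	printf("patched:   %d in-range writes, %d out-of-bounds writes\n",
	       after.written, after.oob_attempts);
	return 0;
}
```

With max_rates = 8 the unpatched loop issues four writes past the four-entry table (slots 4 to 7); the clamp reduces the loop bound to the table size, so the same driver value produces four in-range writes and none out of bounds. Note that the in-range count is 4 in both runs: the table looks full either way, which is why the corruption only surfaced through KFENCE rather than through any visible rate-control misbehaviour.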
