This is a note to let you know that I've just added the patch titled
wifi: wilc1000: use vmm_table as array in wilc struct
to the 6.5-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
wifi-wilc1000-use-vmm_table-as-array-in-wilc-struct.patch
and it can be found in the queue-6.5 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From 05ac1a198a63ad66bf5ae8b7321407c102d40ef3 Mon Sep 17 00:00:00 2001
From: Ajay Singh <ajay.kathat@xxxxxxxxxxxxx>
Date: Tue, 17 Oct 2023 10:43:38 +0200
Subject: wifi: wilc1000: use vmm_table as array in wilc struct
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
From: Ajay Singh <ajay.kathat@xxxxxxxxxxxxx>
commit 05ac1a198a63ad66bf5ae8b7321407c102d40ef3 upstream.
Enabling KASAN and running some iperf tests raises some memory issues with
vmm_table:
BUG: KASAN: slab-out-of-bounds in wilc_wlan_handle_txq+0x6ac/0xdb4
Write of size 4 at addr c3a61540 by task wlan0-tx/95
KASAN detects that we are writing data beyond range allocated to vmm_table.
There is indeed a mismatch between the size passed to allocator in
wilc_wlan_init, and the range of possible indexes used later: allocation
size is missing a multiplication by sizeof(u32)
Fixes: 40b717bfcefa ("wifi: wilc1000: fix DMA on stack objects")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Ajay Singh <ajay.kathat@xxxxxxxxxxxxx>
Signed-off-by: Alexis Lothoré <alexis.lothore@xxxxxxxxxxx>
Reviewed-by: Michael Walle <mwalle@xxxxxxxxxx>
Reviewed-by: Jeff Johnson <quic_jjohnson@xxxxxxxxxxx>
Signed-off-by: Kalle Valo <kvalo@xxxxxxxxxx>
Link: https://lore.kernel.org/r/20231017-wilc1000_tx_oops-v3-1-b2155f1f7bee@xxxxxxxxxxx
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/net/wireless/microchip/wilc1000/wlan.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/wireless/microchip/wilc1000/wlan.c
+++ b/drivers/net/wireless/microchip/wilc1000/wlan.c
@@ -1492,7 +1492,7 @@ int wilc_wlan_init(struct net_device *de
}
if (!wilc->vmm_table)
- wilc->vmm_table = kzalloc(WILC_VMM_TBL_SIZE, GFP_KERNEL);
+ wilc->vmm_table = kcalloc(WILC_VMM_TBL_SIZE, sizeof(u32), GFP_KERNEL);
if (!wilc->vmm_table) {
ret = -ENOBUFS;
Patches currently in stable-queue which might be from ajay.kathat@xxxxxxxxxxxxx are
queue-6.5/wifi-wilc1000-use-vmm_table-as-array-in-wilc-struct.patch
