Patch "wifi: rtw89: Fix array index mistake in rtw89_sta_info_get_iter()" has been added to the 6.1-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sat, 27 Jul 2024 10:57:53 -0400

This is a note to let you know that I've just added the patch titled

    wifi: rtw89: Fix array index mistake in rtw89_sta_info_get_iter()

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     wifi-rtw89-fix-array-index-mistake-in-rtw89_sta_info.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 522a70810be9ea523c8cb08bebf493f97e509011
Author: Aleksandr Mishin <amishin@xxxxxxxxxx>
Date:   Thu Jul 4 00:05:10 2024 +0300

    wifi: rtw89: Fix array index mistake in rtw89_sta_info_get_iter()
    
    [ Upstream commit 85099c7ce4f9e64c66aa397cd9a37473637ab891 ]
    
    In rtw89_sta_info_get_iter() 'status->he_gi' is compared to array size.
    But then 'rate->he_gi' is used as array index instead of 'status->he_gi'.
    This can lead to go beyond array boundaries in case of 'rate->he_gi' is
    not equal to 'status->he_gi' and is bigger than array size. Looks like
    "copy-paste" mistake.
    
    Fix this mistake by replacing 'rate->he_gi' with 'status->he_gi'.
    
    Found by Linux Verification Center (linuxtesting.org) with SVACE.
    
    Fixes: e3ec7017f6a2 ("rtw89: add Realtek 802.11ax driver")
    Signed-off-by: Aleksandr Mishin <amishin@xxxxxxxxxx>
    Signed-off-by: Ping-Ke Shih <pkshih@xxxxxxxxxxx>
    Link: https://patch.msgid.link/20240703210510.11089-1-amishin@xxxxxxxxxx
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/net/wireless/realtek/rtw89/debug.c b/drivers/net/wireless/realtek/rtw89/debug.c
index 3a8fe60d0bb7b..0e014d6afb842 100644
--- a/drivers/net/wireless/realtek/rtw89/debug.c
+++ b/drivers/net/wireless/realtek/rtw89/debug.c
@@ -2386,7 +2386,7 @@ static void rtw89_sta_info_get_iter(void *data, struct ieee80211_sta *sta)
 	case RX_ENC_HE:
 		seq_printf(m, "HE %dSS MCS-%d GI:%s", status->nss, status->rate_idx,
 			   status->he_gi <= NL80211_RATE_INFO_HE_GI_3_2 ?
-			   he_gi_str[rate->he_gi] : "N/A");
+			   he_gi_str[status->he_gi] : "N/A");
 		break;
 	}
 	seq_printf(m, "\t(hw_rate=0x%x)\n", rtwsta->rx_hw_rate);







