wifi: iwlwifi: mvm: avoid baid size integer overflow
stable inclusion
from stable-v5.10.188
commit a956c3af70fad096654a06d9dceb4e5641e29f08
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I8KYFP

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=a956c3af70fad096654a06d9dceb4e5641e29f08

--------------------------------

[ Upstream commit 1a528ab1 ]

Roee reported various hard-to-debug crashes with pings in EHT aggregation scenarios. Enabling KASAN showed that we access the BAID allocation out of bounds, and looking at the code a bit shows that since the reorder buffer entry (struct iwl_mvm_reorder_buf_entry) is 128 bytes if debug such as lockdep is enabled, then starting from an agg size 512 we overflow the size calculation, and allocate a much smaller structure than we should, causing slab corruption once we initialize this.

Fix this by simply using u32 instead of u16.

Reported-by: Roee Goldfiner <roee.h.goldfiner@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20230620125813.f428c856030d.I2c2bb808e945adb71bc15f5b2bac2d8957ea90eb@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: sanglipeng <sanglipeng1@jd.com>
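The truncation described in the commit message, modelled in user space as an added example (not code from the commit or the driver). The 128-byte entry size and the 512 aggregation size come from the message; the function names, header size and queue count are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ENTRY_SIZE 128u /* entry size with debug options on, per the commit message */

/* Before the fix: the per-queue reorder buffer size lives in 16 bits. */
static uint16_t reorder_size_u16(uint16_t agg_size)
{
    return (uint16_t)(agg_size * ENTRY_SIZE); /* wraps modulo 65536 */
}

/* After the fix: the same product kept in 32 bits. */
static uint32_t reorder_size_u32(uint16_t agg_size)
{
    return (uint32_t)agg_size * ENTRY_SIZE;
}

/* Smallest aggregation size whose 16-bit size differs from the true size. */
static uint32_t first_truncating_agg_size(void)
{
    for (uint32_t n = 1; n <= UINT16_MAX; n++)
        if (reorder_size_u16((uint16_t)n) != reorder_size_u32((uint16_t)n))
            return n;
    return 0;
}

/* Defensive variant: reject a wrapping size instead of allocating it.
 * Kernel code would use the helpers in <linux/overflow.h> for this. */
static bool checked_alloc_size(size_t header, size_t nqueues,
                               size_t agg_size, size_t *out)
{
    size_t per_queue, all;

    if (__builtin_mul_overflow(agg_size, (size_t)ENTRY_SIZE, &per_queue) ||
        __builtin_mul_overflow(nqueues, per_queue, &all))
        return false;
    return !__builtin_add_overflow(header, all, out);
}

int main(void)
{
    printf("agg 512: u16 size = %u, u32 size = %u, first truncation at %u\n",
           (unsigned)reorder_size_u16(512), (unsigned)reorder_size_u32(512),
           (unsigned)first_truncating_agg_size());
    return 0;
}
```

With the 16-bit variable, an aggregation size of 512 yields a per-queue size of 0, so the allocation covers only the header while initialization still walks all 512 entries.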