1. Patchew
  2. linux
  3. View series

[PATCH net] wifi: rtw89: Fix array index mistake in rtw89_sta_info_get_iter()

Aleksandr Mishin posted 1 patch 1 year, 7 months ago 
drivers/net/wireless/realtek/rtw89/debug.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
[PATCH net] wifi: rtw89: Fix array index mistake in rtw89_sta_info_get_iter()
Posted by Aleksandr Mishin 1 year, 7 months ago 
In rtw89_sta_info_get_iter() 'status->he_gi' is compared to array size.
But then 'rate->he_gi' is used as array index instead of 'status->he_gi'.
This can lead to go beyond array boundaries in case of 'rate->he_gi' is
not equal to 'status->he_gi' and is bigger than array size. Looks like
"copy-paste" mistake.

Fix this mistake by replacing 'rate->he_gi' with 'status->he_gi'.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: e3ec7017f6a2 ("rtw89: add Realtek 802.11ax driver")
Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
---
 drivers/net/wireless/realtek/rtw89/debug.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/realtek/rtw89/debug.c b/drivers/net/wireless/realtek/rtw89/debug.c
index affffc4092ba..5b4077c9fd28 100644
--- a/drivers/net/wireless/realtek/rtw89/debug.c
+++ b/drivers/net/wireless/realtek/rtw89/debug.c
@@ -3531,7 +3531,7 @@ static void rtw89_sta_info_get_iter(void *data, struct ieee80211_sta *sta)
 	case RX_ENC_HE:
 		seq_printf(m, "HE %dSS MCS-%d GI:%s", status->nss, status->rate_idx,
 			   status->he_gi <= NL80211_RATE_INFO_HE_GI_3_2 ?
-			   he_gi_str[rate->he_gi] : "N/A");
+			   he_gi_str[status->he_gi] : "N/A");
 		break;
 	case RX_ENC_EHT:
 		seq_printf(m, "EHT %dSS MCS-%d GI:%s", status->nss, status->rate_idx,
-- 
2.30.2
Re: [PATCH net] wifi: rtw89: Fix array index mistake in rtw89_sta_info_get_iter()
Posted by Ping-Ke Shih 1 year, 7 months ago 
Aleksandr Mishin <amishin@t-argos.ru> wrote:

> In rtw89_sta_info_get_iter() 'status->he_gi' is compared to array size.
> But then 'rate->he_gi' is used as array index instead of 'status->he_gi'.
> This can lead to go beyond array boundaries in case of 'rate->he_gi' is
> not equal to 'status->he_gi' and is bigger than array size. Looks like
> "copy-paste" mistake.
> 
> Fix this mistake by replacing 'rate->he_gi' with 'status->he_gi'.
> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> Fixes: e3ec7017f6a2 ("rtw89: add Realtek 802.11ax driver")
> Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>

1 patch(es) applied to rtw-next branch of rtw.git, thanks.

85099c7ce4f9 wifi: rtw89: Fix array index mistake in rtw89_sta_info_get_iter()

---
https://github.com/pkshih/rtw.git
Re: [PATCH net] wifi: rtw89: Fix array index mistake in rtw89_sta_info_get_iter()
Posted by Kalle Valo 1 year, 7 months ago 
Aleksandr Mishin <amishin@t-argos.ru> writes:

> In rtw89_sta_info_get_iter() 'status->he_gi' is compared to array size.
> But then 'rate->he_gi' is used as array index instead of 'status->he_gi'.
> This can lead to go beyond array boundaries in case of 'rate->he_gi' is
> not equal to 'status->he_gi' and is bigger than array size. Looks like
> "copy-paste" mistake.
>
> Fix this mistake by replacing 'rate->he_gi' with 'status->he_gi'.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: e3ec7017f6a2 ("rtw89: add Realtek 802.11ax driver")
> Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>

A reminder for maintainers: rtw89 patches go to Ping's rtw tree, not net
tree.

-- 
https://patchwork.kernel.org/project/linux-wireless/list/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.