From nobody Fri Apr 3 22:50:16 2026 Received: from cstnet.cn (smtp81.cstnet.cn [159.226.251.81]) (using TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B31C02C187; Mon, 23 Mar 2026 08:03:43 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=159.226.251.81 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774253025; cv=none; b=oFEHsghboB8FM7i1DMP0/6KjTS3VQqsJeOSckfXBKA8WpKHtdCOy+Tfw3xCX32kcHVcDPJ17vGmCHDScvnf0MH7AzIuTv/sc+l9MVjNnz41mwIuvzir2DHw0B9M9yobht4XrntOy1ev+X9p2CwvGss8MJYuV7IxcvFHm63aIo/w= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774253025; c=relaxed/simple; bh=gM3vFeYn2iHVkMCHNh1N3reF4GdS14wrtOtfDXjnDVM=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=q2sUBt9MT7/o+7caIopNUC9+1ceRwBvhBc+l9u+N0/PEsdIvYjtbMHfOiulXbOk3rWAW2hPbFQAqvKJD+od3Oc9oAmz9+hyOv8qAT8qQbpq2hikwQTweU2Ud7NGxLnNtt0Loyeczvy39swBeAfaaExv7ecH1uND7RfP2RwaLVVA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=iscas.ac.cn; spf=pass smtp.mailfrom=iscas.ac.cn; arc=none smtp.client-ip=159.226.251.81 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=iscas.ac.cn Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=iscas.ac.cn Received: from localhost.localdomain (unknown [111.196.245.197]) by APP-03 (Coremail) with SMTP id rQCowABXO+LY88BpfiyHCw--.33331S2; Mon, 23 Mar 2026 16:03:37 +0800 (CST) From: Pengpeng Hou To: Michael Nemanov , Johannes Berg , linux-wireless@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Kees Cook , Abdun Nihaal , Pengpeng Hou Subject: [PATCH] wifi: wl1251: validate packet IDs before indexing tx_frames Date: Mon, 23 Mar 2026 16:03:36 +0800 Message-ID: <20260323080336.36906-1-pengpeng@iscas.ac.cn> X-Mailer: git-send-email 2.50.1 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-CM-TRANSID: rQCowABXO+LY88BpfiyHCw--.33331S2 X-Coremail-Antispam: 1UD129KBjvdXoW7GFykGryUZw4Utw43WF1xZrb_yoWfuwc_Cr WI93Z3Jw4Fy3sxGFy7CrW7ZrW0kry7XFyruFyIvF98ZFW5Z3y8tF15Zrn7J39rCrZ09rnr Ww1DXr47J3s0vjkaLaAFLSUrUUUUjb8apTn2vfkv8UJUUUU8Yxn0WfASr-VFAUDa7-sFnT 9fnUUIcSsGvfJTRUUUb48FF20E14v26r4j6ryUM7CY07I20VC2zVCF04k26cxKx2IYs7xG 6rWj6s0DM7CIcVAFz4kK6r106r15M28lY4IEw2IIxxk0rwA2F7IY1VAKz4vEj48ve4kI8w A2z4x0Y4vE2Ix0cI8IcVAFwI0_Xr0_Ar1l84ACjcxK6xIIjxv20xvEc7CjxVAFwI0_Gr0_ Cr1l84ACjcxK6I8E87Iv67AKxVW0oVCq3wA2z4x0Y4vEx4A2jsIEc7CjxVAFwI0_GcCE3s 1le2I262IYc4CY6c8Ij28IcVAaY2xG8wAqx4xG64xvF2IEw4CE5I8CrVC2j2WlYx0E2Ix0 cI8IcVAFwI0_JrI_JrylYx0Ex4A2jsIE14v26r4j6F4UMcvjeVCFs4IE7xkEbVWUJVW8Jw ACjcxG0xvY0x0EwIxGrwACjI8F5VA0II8E6IAqYI8I648v4I1lc7CjxVAaw2AFwI0_JF0_ Jw1l42xK82IYc2Ij64vIr41l4I8I3I0E4IkC6x0Yz7v_Jr0_Gr1lx2IqxVAqx4xG67AKxV WUJVWUGwC20s026x8GjcxK67AKxVWUGVWUWwC2zVAF1VAY17CE14v26r126r1DMIIYrxkI 7VAKI48JMIIF0xvE2Ix0cI8IcVAFwI0_Jr0_JF4lIxAIcVC0I7IYx2IY6xkF7I0E14v26r 1j6r4UMIIF0xvE42xK8VAvwI8IcIk0rVWUJVWUCwCI42IY6I8E87Iv67AKxVW8JVWxJwCI 42IY6I8E87Iv6xkF7I0E14v26r4UJVWxJrUvcSsGvfC2KfnxnUUI43ZEXa7VUjPx6UUUUU U== X-CM-SenderInfo: pshqw1xhqjqxpvfd2hldfou0/ Content-Type: text/plain; charset="utf-8" Signed-off-by: Pengpeng Hou --- drivers/net/wireless/ti/wl1251/tx.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/drivers/net/wireless/ti/wl1251/tx.c b/drivers/net/wireless/ti/= wl1251/tx.c index 2da8c0d5105b..4489aa77bb0f 100644 --- a/drivers/net/wireless/ti/wl1251/tx.c +++ b/drivers/net/wireless/ti/wl1251/tx.c @@ -402,12 +402,14 @@ static void wl1251_tx_packet_cb(struct wl1251 *wl, int hdrlen; u8 *frame; =20 - skb =3D wl->tx_frames[result->id]; - if (skb =3D=3D NULL) { - wl1251_error("SKB for packet %d is NULL", result->id); + if (unlikely(result->id >=3D ARRAY_SIZE(wl->tx_frames) || + wl->tx_frames[result->id] =3D=3D NULL)) { + wl1251_error("invalid packet id %u", result->id); return; } =20 + skb =3D wl->tx_frames[result->id]; + info =3D IEEE80211_SKB_CB(skb); =20 if (!(info->flags & IEEE80211_TX_CTL_NO_ACK) && --=20 2.50.1 (Apple Git-155)