From a593131d49bfed2672ba6d2e889d068bd1d7e38e Mon Sep 17 00:00:00 2001
From: Felix Fietkau <nbd@openwrt.org>
Date: Fri, 29 Jan 2016 14:23:23 +0000
Subject: mac80211: fix an out of bounds access issue in minstrel_ht

Signed-off-by: Felix Fietkau <nbd@openwrt.org>

git-svn-id: svn://svn.openwrt.org/openwrt/trunk@48550 3c298f89-4303-0410-b956-a3cf2f4a3e73
---
 ...nstrel_ht-fix-out-of-bound-in-minstrel_ht.patch | 45 ++++++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 package/kernel/mac80211/patches/317-mac80211-minstrel_ht-fix-out-of-bound-in-minstrel_ht.patch

diff --git a/package/kernel/mac80211/patches/317-mac80211-minstrel_ht-fix-out-of-bound-in-minstrel_ht.patch b/package/kernel/mac80211/patches/317-mac80211-minstrel_ht-fix-out-of-bound-in-minstrel_ht.patch
new file mode 100644
index 0000000000..5bf53b918c
--- /dev/null
+++ b/package/kernel/mac80211/patches/317-mac80211-minstrel_ht-fix-out-of-bound-in-minstrel_ht.patch
@@ -0,0 +1,45 @@
+From: Konstantin Khlebnikov <koct9i@gmail.com>
+Date: Fri, 29 Jan 2016 11:35:12 +0300
+Subject: [PATCH] mac80211: minstrel_ht: fix out-of-bound in
+ minstrel_ht_set_best_prob_rate
+
+Patch fixes this splat
+
+BUG: KASAN: slab-out-of-bounds in minstrel_ht_update_stats.isra.7+0x6e1/0x9e0
+[mac80211] at addr ffff8800cee640f4 Read of size 4 by task swapper/3/0
+
+Signed-off-by: Konstantin Khlebnikov <koct9i@gmail.com>
+Link: http://lkml.kernel.org/r/CALYGNiNyJhSaVnE35qS6UCGaSb2Dx1_i5HcRavuOX14oTz2P+w@mail.gmail.com
+---
+
+--- a/net/mac80211/rc80211_minstrel_ht.c
++++ b/net/mac80211/rc80211_minstrel_ht.c
+@@ -414,15 +414,16 @@ minstrel_ht_set_best_prob_rate(struct mi
+ 	    (max_tp_group != MINSTREL_CCK_GROUP))
+ 		return;
+ 
++	max_gpr_group = mg->max_group_prob_rate / MCS_GROUP_RATES;
++	max_gpr_idx = mg->max_group_prob_rate % MCS_GROUP_RATES;
++	max_gpr_prob = mi->groups[max_gpr_group].rates[max_gpr_idx].prob_ewma;
++
+ 	if (mrs->prob_ewma > MINSTREL_FRAC(75, 100)) {
+ 		cur_tp_avg = minstrel_ht_get_tp_avg(mi, cur_group, cur_idx,
+ 						    mrs->prob_ewma);
+ 		if (cur_tp_avg > tmp_tp_avg)
+ 			mi->max_prob_rate = index;
+ 
+-		max_gpr_group = mg->max_group_prob_rate / MCS_GROUP_RATES;
+-		max_gpr_idx = mg->max_group_prob_rate %	MCS_GROUP_RATES;
+-		max_gpr_prob = mi->groups[max_gpr_group].rates[max_gpr_idx].prob_ewma;
+ 		max_gpr_tp_avg = minstrel_ht_get_tp_avg(mi, max_gpr_group,
+ 							max_gpr_idx,
+ 							max_gpr_prob);
+@@ -431,7 +432,7 @@ minstrel_ht_set_best_prob_rate(struct mi
+ 	} else {
+ 		if (mrs->prob_ewma > tmp_prob)
+ 			mi->max_prob_rate = index;
+-		if (mrs->prob_ewma > mg->rates[mg->max_group_prob_rate].prob_ewma)
++		if (mrs->prob_ewma > max_gpr_prob)
+ 			mg->max_group_prob_rate = index;
+ 	}
+ }
-- 
cgit v1.2.3