[PATCH] wifi: ath11k: fix potential buffer underflow in ath11k_hal_rx_msdu_list_get()

From: Dmitry Morgun

Date: Sat May 30 2026 - 07:43:26 EST


When the first entry in msdu_details has a zero buffer address,
the code accesses msdu_details[i - 1] with i == 0, causing a
buffer underflow.

Fix similarly to ath12k_wifi7_hal_rx_msdu_list_get() by adding
a separate check for i == 0 before the main condition to prevent
the out-of-bounds access.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
Signed-off-by: Dmitry Morgun <d.morgun@xxxxxxxxx>
---
drivers/net/wireless/ath/ath11k/dp_rx.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c
index 2a413e3a0..c9f520c2a 100644
--- a/drivers/net/wireless/ath/ath11k/dp_rx.c
+++ b/drivers/net/wireless/ath/ath11k/dp_rx.c
@@ -4565,6 +4565,9 @@ static void ath11k_hal_rx_msdu_list_get(struct ath11k *ar,
msdu_details = &msdu_link->msdu_link[0];

for (i = 0; i < HAL_RX_NUM_MSDU_DESC; i++) {
+ if (!i && FIELD_GET(BUFFER_ADDR_INFO0_ADDR,
+ msdu_details[i].buf_addr_info.info0) == 0)
+ break;
if (FIELD_GET(BUFFER_ADDR_INFO0_ADDR,
msdu_details[i].buf_addr_info.info0) == 0) {
msdu_desc_info = &msdu_details[i - 1].rx_msdu_info;
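Review bot: The new `!i` test at the top of the loop body duplicates the `FIELD_GET(BUFFER_ADDR_INFO0_ADDR, msdu_details[i].buf_addr_info.info0) == 0` comparison that the very next statement makes. The guard would be easier to audit as the first statement inside the existing zero-address block, i.e. `if (!i) break;` placed directly above the `msdu_details[i - 1].rx_msdu_info` access it protects. That keeps the bounds check next to the index it bounds and evaluates the field once. If the two-step form is kept on purpose to mirror ath12k_wifi7_hal_rx_msdu_list_get(), a one-line comment saying so would help. Separately, the early break at i == 0 leaves the loop before anything in the visible lines has been written. The code after the loop is not shown in this hunk, so the commit message should state what the caller sees for an empty list, so that the fix can be checked against uninitialized outputs as well as the underflow.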
--
2.34.1