wifi: ath12k: Decrement TID on RX peer frag setup error handling

PlaidCat · PlaidCat · commit 793eed6618c7 · 2025-10-14T03:01:18.000-04:00
jira LE-4395 cve CVE-2025-39761 Rebuild_History Non-Buildable kernel-6.12.0-55.39.1.el10_0 commit-author Karthikeyan Kathirvel <quic_kathirve@quicinc.com> commit 7c0884f Currently, TID is not decremented before peer cleanup, during error handling path of ath12k_dp_rx_peer_frag_setup(). This could lead to out-of-bounds access in peer->rx_tid[]. Hence, add a decrement operation for TID, before peer cleanup to ensures proper cleanup and prevents out-of-bounds access issues when the RX peer frag setup fails. Found during code review. Compile tested only. Signed-off-by: Karthikeyan Kathirvel <quic_kathirve@quicinc.com> Signed-off-by: Sarika Sharma <quic_sarishar@quicinc.com> Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com> Link: https://patch.msgid.link/20250526034713.712592-1-quic_sarishar@quicinc.com Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com> (cherry picked from commit 7c0884f) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
diff --git a/drivers/net/wireless/ath/ath12k/dp.c b/drivers/net/wireless/ath/ath12k/dp.c
@@ -79,6 +79,7 @@ int ath12k_dp_peer_setup(struct ath12k *ar, int vdev_id, const u8 *addr)
 	ret = ath12k_dp_rx_peer_frag_setup(ar, addr, vdev_id);
 	if (ret) {
 		ath12k_warn(ab, "failed to setup rx defrag context\n");
+		tid--;
 		goto peer_clean;
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -79,6 +79,7 @@ int ath12k_dp_peer_setup(struct ath12k ar, int vdev_id, const u8 addr)`
`79`	`79`	`ret = ath12k_dp_rx_peer_frag_setup(ar, addr, vdev_id);`
`80`	`80`	`if (ret) {`
`81`	`81`	`ath12k_warn(ab, "failed to setup rx defrag context\n");`
	`82`	`+ tid--;`
`82`	`83`	`goto peer_clean;`
`83`	`84`	`}`
`84`	`85`