ath_tx_edma_tasklet() accesses sc->tx.txq[ts.qid] where ts.qid is a
4-bit hardware field (0-15), but the txq array only has
ATH9K_NUM_TX_QUEUES (10) entries. A qid >= 10 causes an OOB array
access.

Add a bounds check on ts.qid before using it as an array index.

Fixes: fce041beb03f ("ath9k: unify edma and non-edma tx code, improve tx fifo handling")
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
Link: https://patch.msgid.link/20260415222343.1540564-1-tristmd@gmail.com
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
continue;
}
+ if (ts.qid >= ATH9K_NUM_TX_QUEUES) {
+ ath_dbg(common, XMIT, "invalid qid %d\n", ts.qid);
+ continue;
+ }
+
txq = &sc->tx.txq[ts.qid];
ath_txq_lock(sc, txq);
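
Review bot: The new check ahead of `txq = &sc->tx.txq[ts.qid];` reports the bad index only through `ath_dbg(common, XMIT, ...)`, so an out-of-range qid coming back from hardware stays invisible unless XMIT debugging is enabled. Consider a rate-limited warning or a debug counter so a device that returns malformed tx status can be noticed in normal operation. Comparing against `ARRAY_SIZE(sc->tx.txq)` instead of `ATH9K_NUM_TX_QUEUES` would keep the bound tied to the array declaration if the two ever diverge. The enclosing loop is not visible in this hunk, so it is also worth confirming that skipping the entry with `continue` leaves nothing associated with that status unreclaimed.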