* [PATCH] wifi: rtl8xxxu: tighten bounds checking in rtl8xxxu_read_efuse()
@ 2022-08-19 5:22 Dan Carpenter
2022-08-19 13:43 ` Jes Sorensen
2022-09-02 8:44 ` Kalle Valo
0 siblings, 2 replies; 3+ messages in thread
From: Dan Carpenter @ 2022-08-19 5:22 UTC (permalink / raw)
To: Jes Sorensen; +Cc: Kalle Valo, linux-wireless, kernel-janitors
There some bounds checking to ensure that "map_addr" is not out of
bounds before the start of the loop. But the checking needs to be
done as we iterate through the loop because "map_addr" gets larger as
we iterate.
Fixes: 26f1fad29ad9 ("New driver: rtl8xxxu (mac80211)")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
.../net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
index c66f0726b253..f3a107f19cf5 100644
--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
@@ -1878,13 +1878,6 @@ static int rtl8xxxu_read_efuse(struct rtl8xxxu_priv *priv)
/* We have 8 bits to indicate validity */
map_addr = offset * 8;
- if (map_addr >= EFUSE_MAP_LEN) {
- dev_warn(dev, "%s: Illegal map_addr (%04x), "
- "efuse corrupt!\n",
- __func__, map_addr);
- ret = -EINVAL;
- goto exit;
- }
for (i = 0; i < EFUSE_MAX_WORD_UNIT; i++) {
/* Check word enable condition in the section */
if (word_mask & BIT(i)) {
@@ -1895,6 +1888,13 @@ static int rtl8xxxu_read_efuse(struct rtl8xxxu_priv *priv)
ret = rtl8xxxu_read_efuse8(priv, efuse_addr++, &val8);
if (ret)
goto exit;
+ if (map_addr >= EFUSE_MAP_LEN - 1) {
+ dev_warn(dev, "%s: Illegal map_addr (%04x), "
+ "efuse corrupt!\n",
+ __func__, map_addr);
+ ret = -EINVAL;
+ goto exit;
+ }
priv->efuse_wifi.raw[map_addr++] = val8;
ret = rtl8xxxu_read_efuse8(priv, efuse_addr++, &val8);
--
2.35.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] wifi: rtl8xxxu: tighten bounds checking in rtl8xxxu_read_efuse()
2022-08-19 5:22 [PATCH] wifi: rtl8xxxu: tighten bounds checking in rtl8xxxu_read_efuse() Dan Carpenter
@ 2022-08-19 13:43 ` Jes Sorensen
2022-09-02 8:44 ` Kalle Valo
1 sibling, 0 replies; 3+ messages in thread
From: Jes Sorensen @ 2022-08-19 13:43 UTC (permalink / raw)
To: Dan Carpenter; +Cc: Kalle Valo, linux-wireless, kernel-janitors
On 8/19/22 01:22, Dan Carpenter wrote:
> There some bounds checking to ensure that "map_addr" is not out of
> bounds before the start of the loop. But the checking needs to be
> done as we iterate through the loop because "map_addr" gets larger as
> we iterate.
>
> Fixes: 26f1fad29ad9 ("New driver: rtl8xxxu (mac80211)")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> .../net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 14 +++++++-------
> 1 file changed, 7 insertions(+), 7 deletions(-)
Looks reasonable to me.
Acked-by: Jes Sorensen <Jes.Sorensen@gmail.com>
> diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
> index c66f0726b253..f3a107f19cf5 100644
> --- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
> +++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
> @@ -1878,13 +1878,6 @@ static int rtl8xxxu_read_efuse(struct rtl8xxxu_priv *priv)
>
> /* We have 8 bits to indicate validity */
> map_addr = offset * 8;
> - if (map_addr >= EFUSE_MAP_LEN) {
> - dev_warn(dev, "%s: Illegal map_addr (%04x), "
> - "efuse corrupt!\n",
> - __func__, map_addr);
> - ret = -EINVAL;
> - goto exit;
> - }
> for (i = 0; i < EFUSE_MAX_WORD_UNIT; i++) {
> /* Check word enable condition in the section */
> if (word_mask & BIT(i)) {
> @@ -1895,6 +1888,13 @@ static int rtl8xxxu_read_efuse(struct rtl8xxxu_priv *priv)
> ret = rtl8xxxu_read_efuse8(priv, efuse_addr++, &val8);
> if (ret)
> goto exit;
> + if (map_addr >= EFUSE_MAP_LEN - 1) {
> + dev_warn(dev, "%s: Illegal map_addr (%04x), "
> + "efuse corrupt!\n",
> + __func__, map_addr);
> + ret = -EINVAL;
> + goto exit;
> + }
> priv->efuse_wifi.raw[map_addr++] = val8;
>
> ret = rtl8xxxu_read_efuse8(priv, efuse_addr++, &val8);
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] wifi: rtl8xxxu: tighten bounds checking in rtl8xxxu_read_efuse()
2022-08-19 5:22 [PATCH] wifi: rtl8xxxu: tighten bounds checking in rtl8xxxu_read_efuse() Dan Carpenter
2022-08-19 13:43 ` Jes Sorensen
@ 2022-09-02 8:44 ` Kalle Valo
1 sibling, 0 replies; 3+ messages in thread
From: Kalle Valo @ 2022-09-02 8:44 UTC (permalink / raw)
To: Dan Carpenter; +Cc: Jes Sorensen, linux-wireless, kernel-janitors
Dan Carpenter <dan.carpenter@oracle.com> wrote:
> There some bounds checking to ensure that "map_addr" is not out of
> bounds before the start of the loop. But the checking needs to be
> done as we iterate through the loop because "map_addr" gets larger as
> we iterate.
>
> Fixes: 26f1fad29ad9 ("New driver: rtl8xxxu (mac80211)")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> Acked-by: Jes Sorensen <Jes.Sorensen@gmail.com>
Patch applied to wireless-next.git, thanks.
620d5eaeb905 wifi: rtl8xxxu: tighten bounds checking in rtl8xxxu_read_efuse()
--
https://patchwork.kernel.org/project/linux-wireless/patch/Yv8eGLdBslLAk3Ct@kili/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-09-02 8:45 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-08-19 5:22 [PATCH] wifi: rtl8xxxu: tighten bounds checking in rtl8xxxu_read_efuse() Dan Carpenter
2022-08-19 13:43 ` Jes Sorensen
2022-09-02 8:44 ` Kalle Valo
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.