From: Ryder Lee <ryder.lee@mediatek.com>
To: Ben Greear <greearb@candelatech.com>, Felix Fietkau <nbd@nbd.name>
Cc: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>,
Shayne Chen <shayne.chen@mediatek.com>,
Evelyn Tsai <evelyn.tsai@mediatek.com>,
<linux-wireless@vger.kernel.org>,
<linux-mediatek@lists.infradead.org>
Subject: Re: [PATCH v5 1/2] mt76: mt7915: fix hwmon temp sensor mem use-after-free
Date: Thu, 2 Sep 2021 02:06:49 +0800 [thread overview]
Message-ID: <32b9ac1244f38d20f89548b14aa8d2afb0fa779b.camel@mediatek.com> (raw)
In-Reply-To: <efe0cd18-b89a-0385-a271-d6c57fea08ca@candelatech.com>
On Wed, 2021-09-01 at 10:55 -0700, Ben Greear wrote:
> On 9/1/21 10:49 AM, Ryder Lee wrote:
> > From: Ben Greear <greearb@candelatech.com>
> >
> > Without this change, garbage is seen in the hwmon name and sensors
> > output
> > for mt7915 is garbled. It appears that the hwmon logic does not
> > make a
> > copy of the incoming string, but instead just copies a char* and
> > expects
> > it to never go away.
> >
> > Fixes: d6938251bb5b ("mt76: mt7915: add thermal sensor device
> > support")
> > Signed-off-by: Ben Greear <greearb@candelatech.com>
> > Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
> > ---
> > v5: Use devm_kstrdup on the wiphy name as suggested.
>
> I don't care a great deal either way, but phyname can change (which
> was original
> way to reproduce this corruption bug), so with this v5 change, then
> the hwmon 'id' could confusingly
> be 'phy0' while user has renamed the phy0 to wiphy0 or whatever.
>
> It won't break my usage either way, so if you are happy with this,
> then good
> enough for me.
I thought of this ... Considering the hwmon can't never know the
phyname once it got changed. We can only specifiy a static "mt7915-xxx"
to name it, or just use an initial phyname. Anyhow it's not the real
phyname you change actually.
> But, see below, there is spurious change...
>
>
> > v4: Simplify flow.
> > v3: Add 'fixes' tag to aid backports.
> > ---
> > drivers/net/wireless/mediatek/mt76/mt7915/init.c | 8 ++++----
> > drivers/net/wireless/mediatek/mt76/mt7915/mcu.c | 2 +-
> > 2 files changed, 5 insertions(+), 5 deletions(-)
> >
> > diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/init.c
> > b/drivers/net/wireless/mediatek/mt76/mt7915/init.c
> > index acc83e9f409b..78b9abbe63f3 100644
> > --- a/drivers/net/wireless/mediatek/mt76/mt7915/init.c
> > +++ b/drivers/net/wireless/mediatek/mt76/mt7915/init.c
> > @@ -160,9 +160,10 @@ static int mt7915_thermal_init(struct
> > mt7915_phy *phy)
> > struct wiphy *wiphy = phy->mt76->hw->wiphy;
> > struct thermal_cooling_device *cdev;
> > struct device *hwmon;
> > + const char *name;
> >
> > - cdev = thermal_cooling_device_register(wiphy_name(wiphy), phy,
> > - &mt7915_thermal_ops);
> > + name = devm_kstrdup(&wiphy->dev, wiphy_name(wiphy),
> > GFP_KERNEL);
> > + cdev = thermal_cooling_device_register(name, phy,
> > &mt7915_thermal_ops);
> > if (!IS_ERR(cdev)) {
> > if (sysfs_create_link(&wiphy->dev.kobj, &cdev-
> > >device.kobj,
> > "cooling_device") < 0)
> > @@ -174,8 +175,7 @@ static int mt7915_thermal_init(struct
> > mt7915_phy *phy)
> > if (!IS_REACHABLE(CONFIG_HWMON))
> > return 0;
> >
> > - hwmon = devm_hwmon_device_register_with_groups(&wiphy->dev,
> > - wiphy_name(wiphy
> > ), phy,
> > + hwmon = devm_hwmon_device_register_with_groups(&wiphy->dev,
> > name, phy,
> > mt7915_hwmon_gro
> > ups);
> > if (IS_ERR(hwmon))
> > return PTR_ERR(hwmon);
> > diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
> > b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
> > index 932cf5a629db..219bb353b56d 100644
> > --- a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
> > +++ b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
> > @@ -1962,7 +1962,7 @@ mt7915_mcu_sta_bfer_tlv(struct mt7915_dev
> > *dev, struct sk_buff *skb,
> > else
> > return;
> >
> > - bf->bf_cap = BIT(!ebf && dev->ibf);
> > + bf->bf_cap = ebf ? ebf : dev->ibf << 1;
>
> And this should not be in this patch.
>
Oops. I messed patch up while merging to other series. Will fix.
Ryder
>
WARNING: multiple messages have this Message-ID (diff)
From: Ryder Lee <ryder.lee@mediatek.com>
To: Ben Greear <greearb@candelatech.com>, Felix Fietkau <nbd@nbd.name>
Cc: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>,
Shayne Chen <shayne.chen@mediatek.com>,
Evelyn Tsai <evelyn.tsai@mediatek.com>,
<linux-wireless@vger.kernel.org>,
<linux-mediatek@lists.infradead.org>
Subject: Re: [PATCH v5 1/2] mt76: mt7915: fix hwmon temp sensor mem use-after-free
Date: Thu, 2 Sep 2021 02:06:49 +0800 [thread overview]
Message-ID: <32b9ac1244f38d20f89548b14aa8d2afb0fa779b.camel@mediatek.com> (raw)
In-Reply-To: <efe0cd18-b89a-0385-a271-d6c57fea08ca@candelatech.com>
On Wed, 2021-09-01 at 10:55 -0700, Ben Greear wrote:
> On 9/1/21 10:49 AM, Ryder Lee wrote:
> > From: Ben Greear <greearb@candelatech.com>
> >
> > Without this change, garbage is seen in the hwmon name and sensors
> > output
> > for mt7915 is garbled. It appears that the hwmon logic does not
> > make a
> > copy of the incoming string, but instead just copies a char* and
> > expects
> > it to never go away.
> >
> > Fixes: d6938251bb5b ("mt76: mt7915: add thermal sensor device
> > support")
> > Signed-off-by: Ben Greear <greearb@candelatech.com>
> > Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
> > ---
> > v5: Use devm_kstrdup on the wiphy name as suggested.
>
> I don't care a great deal either way, but phyname can change (which
> was original
> way to reproduce this corruption bug), so with this v5 change, then
> the hwmon 'id' could confusingly
> be 'phy0' while user has renamed the phy0 to wiphy0 or whatever.
>
> It won't break my usage either way, so if you are happy with this,
> then good
> enough for me.
I thought of this ... Considering the hwmon can't never know the
phyname once it got changed. We can only specifiy a static "mt7915-xxx"
to name it, or just use an initial phyname. Anyhow it's not the real
phyname you change actually.
> But, see below, there is spurious change...
>
>
> > v4: Simplify flow.
> > v3: Add 'fixes' tag to aid backports.
> > ---
> > drivers/net/wireless/mediatek/mt76/mt7915/init.c | 8 ++++----
> > drivers/net/wireless/mediatek/mt76/mt7915/mcu.c | 2 +-
> > 2 files changed, 5 insertions(+), 5 deletions(-)
> >
> > diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/init.c
> > b/drivers/net/wireless/mediatek/mt76/mt7915/init.c
> > index acc83e9f409b..78b9abbe63f3 100644
> > --- a/drivers/net/wireless/mediatek/mt76/mt7915/init.c
> > +++ b/drivers/net/wireless/mediatek/mt76/mt7915/init.c
> > @@ -160,9 +160,10 @@ static int mt7915_thermal_init(struct
> > mt7915_phy *phy)
> > struct wiphy *wiphy = phy->mt76->hw->wiphy;
> > struct thermal_cooling_device *cdev;
> > struct device *hwmon;
> > + const char *name;
> >
> > - cdev = thermal_cooling_device_register(wiphy_name(wiphy), phy,
> > - &mt7915_thermal_ops);
> > + name = devm_kstrdup(&wiphy->dev, wiphy_name(wiphy),
> > GFP_KERNEL);
> > + cdev = thermal_cooling_device_register(name, phy,
> > &mt7915_thermal_ops);
> > if (!IS_ERR(cdev)) {
> > if (sysfs_create_link(&wiphy->dev.kobj, &cdev-
> > >device.kobj,
> > "cooling_device") < 0)
> > @@ -174,8 +175,7 @@ static int mt7915_thermal_init(struct
> > mt7915_phy *phy)
> > if (!IS_REACHABLE(CONFIG_HWMON))
> > return 0;
> >
> > - hwmon = devm_hwmon_device_register_with_groups(&wiphy->dev,
> > - wiphy_name(wiphy
> > ), phy,
> > + hwmon = devm_hwmon_device_register_with_groups(&wiphy->dev,
> > name, phy,
> > mt7915_hwmon_gro
> > ups);
> > if (IS_ERR(hwmon))
> > return PTR_ERR(hwmon);
> > diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
> > b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
> > index 932cf5a629db..219bb353b56d 100644
> > --- a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
> > +++ b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
> > @@ -1962,7 +1962,7 @@ mt7915_mcu_sta_bfer_tlv(struct mt7915_dev
> > *dev, struct sk_buff *skb,
> > else
> > return;
> >
> > - bf->bf_cap = BIT(!ebf && dev->ibf);
> > + bf->bf_cap = ebf ? ebf : dev->ibf << 1;
>
> And this should not be in this patch.
>
Oops. I messed patch up while merging to other series. Will fix.
Ryder
>
_______________________________________________
Linux-mediatek mailing list
Linux-mediatek@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-mediatek
next prev parent reply other threads:[~2021-09-01 18:06 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-01 17:49 [PATCH v5 1/2] mt76: mt7915: fix hwmon temp sensor mem use-after-free Ryder Lee
2021-09-01 17:49 ` Ryder Lee
2021-09-01 17:49 ` [PATCH v5 2/2] mt76: mt7615: " Ryder Lee
2021-09-01 17:49 ` Ryder Lee
2021-09-01 17:55 ` [PATCH v5 1/2] mt76: mt7915: " Ben Greear
2021-09-01 17:55 ` Ben Greear
2021-09-01 18:06 ` Ryder Lee [this message]
2021-09-01 18:06 ` Ryder Lee
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=32b9ac1244f38d20f89548b14aa8d2afb0fa779b.camel@mediatek.com \
--to=ryder.lee@mediatek.com \
--cc=evelyn.tsai@mediatek.com \
--cc=greearb@candelatech.com \
--cc=linux-mediatek@lists.infradead.org \
--cc=linux-wireless@vger.kernel.org \
--cc=lorenzo.bianconi@redhat.com \
--cc=nbd@nbd.name \
--cc=shayne.chen@mediatek.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.