* [PATCH] mt76: mt7921s: fix possible kernel crash due to invalid Rx count
@ 2021-11-29 23:05 ` sean.wang
0 siblings, 0 replies; 2+ messages in thread
From: sean.wang @ 2021-11-29 23:05 UTC (permalink / raw)
To: nbd, lorenzo.bianconi
Cc: sean.wang, Soul.Huang, YN.Chen, Leon.Yen, Eric-SY.Chang,
Mark-YW.Chen, Deren.Wu, km.lin, robin.chiu, Eddie.Chen, ch.yeh,
posh.sun, ted.huang, Eric.Liang, Stella.Chang, Tom.Chou,
steve.lee, jsiuda, frankgor, jemele, abhishekpandit, shawnku,
linux-wireless, linux-mediatek
From: Sean Wang <sean.wang@mediatek.com>
Return the proper error code when out-of-range the Rx aggregation count
are reported from the hardware that would create the unreasonable extreme
large Rx buffer.
[ 100.873810] show_stack+0x20/0x2c
[ 100.873823] dump_stack+0xc4/0x140
[ 100.873839] bad_page+0x110/0x114
[ 100.873854] check_new_pages+0xf8/0xfc
[ 100.873869] rmqueue+0x5a0/0x640
[ 100.873884] get_page_from_freelist+0x124/0x20c
[ 100.873898] __alloc_pages_nodemask+0x114/0x2a4
[ 100.873918] mt76s_rx_run_queue+0xd4/0x2e4 [mt76_sdio 8280a88a0c8c9cf203f16e194f99ac293bdbb2f5]
[ 100.873938] mt76s_rx_handler+0xd4/0x2a0 [mt76_sdio 8280a88a0c8c9cf203f16e194f99ac293bdbb2f5]
[ 100.873957] mt76s_txrx_worker+0xac/0x17c [mt76_sdio 8280a88a0c8c9cf203f16e194f99ac293bdbb2f5]
[ 100.873977] mt7921s_txrx_worker+0x5c/0xd8 [mt7921s d0bdbc018082dbc8dc1407614be3c2e7bd64423b]
[ 100.874003] __mt76_worker_fn+0xe8/0x170 [mt76 b80af3483a8f9d48e916c12d8dbfaa0d3cd15337]
[ 100.874018] kthread+0x148/0x3ac
[ 100.874032] ret_from_fork+0x10/0x30
[ 100.874067] Kernel Offset: 0x1fe2000000 from 0xffffffc010000000
[ 100.874079] PHYS_OFFSET: 0xffffffe800000000
[ 100.874090] CPU features: 0x0240002,2188200c
Fixes: 48fab5bbef40 ("mt76: mt7921: introduce mt7921s support")
Signed-off-by: Sean Wang <sean.wang@mediatek.com>
---
drivers/net/wireless/mediatek/mt76/mt7921/sdio.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/sdio.c b/drivers/net/wireless/mediatek/mt76/mt7921/sdio.c
index 5c88b6b8d097..84be229a899d 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7921/sdio.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7921/sdio.c
@@ -62,6 +62,10 @@ static int mt7921s_parse_intr(struct mt76_dev *dev, struct mt76s_intr *intr)
if (err < 0)
return err;
+ if (irq_data->rx.num[0] > 16 ||
+ irq_data->rx.num[1] > 128)
+ return -EINVAL;
+
intr->isr = irq_data->isr;
intr->rec_mb = irq_data->rec_mb;
intr->tx.wtqcr = irq_data->tx.wtqcr;
--
2.25.1
_______________________________________________
Linux-mediatek mailing list
Linux-mediatek@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-mediatek
^ permalink raw reply related [flat|nested] 2+ messages in thread
* [PATCH] mt76: mt7921s: fix possible kernel crash due to invalid Rx count
@ 2021-11-29 23:05 ` sean.wang
0 siblings, 0 replies; 2+ messages in thread
From: sean.wang @ 2021-11-29 23:05 UTC (permalink / raw)
To: nbd, lorenzo.bianconi
Cc: sean.wang, Soul.Huang, YN.Chen, Leon.Yen, Eric-SY.Chang,
Mark-YW.Chen, Deren.Wu, km.lin, robin.chiu, Eddie.Chen, ch.yeh,
posh.sun, ted.huang, Eric.Liang, Stella.Chang, Tom.Chou,
steve.lee, jsiuda, frankgor, jemele, abhishekpandit, shawnku,
linux-wireless, linux-mediatek
From: Sean Wang <sean.wang@mediatek.com>
Return the proper error code when out-of-range the Rx aggregation count
are reported from the hardware that would create the unreasonable extreme
large Rx buffer.
[ 100.873810] show_stack+0x20/0x2c
[ 100.873823] dump_stack+0xc4/0x140
[ 100.873839] bad_page+0x110/0x114
[ 100.873854] check_new_pages+0xf8/0xfc
[ 100.873869] rmqueue+0x5a0/0x640
[ 100.873884] get_page_from_freelist+0x124/0x20c
[ 100.873898] __alloc_pages_nodemask+0x114/0x2a4
[ 100.873918] mt76s_rx_run_queue+0xd4/0x2e4 [mt76_sdio 8280a88a0c8c9cf203f16e194f99ac293bdbb2f5]
[ 100.873938] mt76s_rx_handler+0xd4/0x2a0 [mt76_sdio 8280a88a0c8c9cf203f16e194f99ac293bdbb2f5]
[ 100.873957] mt76s_txrx_worker+0xac/0x17c [mt76_sdio 8280a88a0c8c9cf203f16e194f99ac293bdbb2f5]
[ 100.873977] mt7921s_txrx_worker+0x5c/0xd8 [mt7921s d0bdbc018082dbc8dc1407614be3c2e7bd64423b]
[ 100.874003] __mt76_worker_fn+0xe8/0x170 [mt76 b80af3483a8f9d48e916c12d8dbfaa0d3cd15337]
[ 100.874018] kthread+0x148/0x3ac
[ 100.874032] ret_from_fork+0x10/0x30
[ 100.874067] Kernel Offset: 0x1fe2000000 from 0xffffffc010000000
[ 100.874079] PHYS_OFFSET: 0xffffffe800000000
[ 100.874090] CPU features: 0x0240002,2188200c
Fixes: 48fab5bbef40 ("mt76: mt7921: introduce mt7921s support")
Signed-off-by: Sean Wang <sean.wang@mediatek.com>
---
drivers/net/wireless/mediatek/mt76/mt7921/sdio.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/sdio.c b/drivers/net/wireless/mediatek/mt76/mt7921/sdio.c
index 5c88b6b8d097..84be229a899d 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7921/sdio.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7921/sdio.c
@@ -62,6 +62,10 @@ static int mt7921s_parse_intr(struct mt76_dev *dev, struct mt76s_intr *intr)
if (err < 0)
return err;
+ if (irq_data->rx.num[0] > 16 ||
+ irq_data->rx.num[1] > 128)
+ return -EINVAL;
+
intr->isr = irq_data->isr;
intr->rec_mb = irq_data->rec_mb;
intr->tx.wtqcr = irq_data->tx.wtqcr;
--
2.25.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-11-29 23:06 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-11-29 23:05 [PATCH] mt76: mt7921s: fix possible kernel crash due to invalid Rx count sean.wang
2021-11-29 23:05 ` sean.wang
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.