linux-wireless.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Ryder Lee <ryder.lee@mediatek.com>
To: Ben Greear <greearb@candelatech.com>, Felix Fietkau <nbd@nbd.name>
Cc: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>,
	Shayne Chen <shayne.chen@mediatek.com>,
	Evelyn Tsai <evelyn.tsai@mediatek.com>,
	<linux-wireless@vger.kernel.org>,
	<linux-mediatek@lists.infradead.org>
Subject: Re: [PATCH v5 1/2] mt76: mt7915: fix hwmon temp sensor mem use-after-free
Date: Thu, 2 Sep 2021 02:06:49 +0800	[thread overview]
Message-ID: <32b9ac1244f38d20f89548b14aa8d2afb0fa779b.camel@mediatek.com> (raw)
In-Reply-To: <efe0cd18-b89a-0385-a271-d6c57fea08ca@candelatech.com>

On Wed, 2021-09-01 at 10:55 -0700, Ben Greear wrote:
> On 9/1/21 10:49 AM, Ryder Lee wrote:
> > From: Ben Greear <greearb@candelatech.com>
> > 
> > Without this change, garbage is seen in the hwmon name and sensors
> > output
> > for mt7915 is garbled. It appears that the hwmon logic does not
> > make a
> > copy of the incoming string, but instead just copies a char* and
> > expects
> > it to never go away.
> > 
> > Fixes: d6938251bb5b ("mt76: mt7915: add thermal sensor device
> > support")
> > Signed-off-by: Ben Greear <greearb@candelatech.com>
> > Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
> > ---
> > v5:  Use devm_kstrdup on the wiphy name as suggested.
> 
> I don't care a great deal either way, but phyname can change (which
> was original
> way to reproduce this corruption bug), so with this v5 change, then
> the hwmon 'id' could confusingly
> be 'phy0' while user has renamed the phy0 to wiphy0 or whatever.
> 
> It won't break my usage either way, so if you are happy with this,
> then good
> enough for me.

I thought of this ... Considering the hwmon can't never know the
phyname once it got changed. We can only specifiy a static "mt7915-xxx" 
to name it, or just use an initial phyname. Anyhow it's not the real
phyname you change actually.

> But, see below, there is spurious change...
> 
> 
> > v4:  Simplify flow.
> > v3:  Add 'fixes' tag to aid backports.
> > ---
> >   drivers/net/wireless/mediatek/mt76/mt7915/init.c | 8 ++++----
> >   drivers/net/wireless/mediatek/mt76/mt7915/mcu.c  | 2 +-
> >   2 files changed, 5 insertions(+), 5 deletions(-)
> > 
> > diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/init.c
> > b/drivers/net/wireless/mediatek/mt76/mt7915/init.c
> > index acc83e9f409b..78b9abbe63f3 100644
> > --- a/drivers/net/wireless/mediatek/mt76/mt7915/init.c
> > +++ b/drivers/net/wireless/mediatek/mt76/mt7915/init.c
> > @@ -160,9 +160,10 @@ static int mt7915_thermal_init(struct
> > mt7915_phy *phy)
> >   	struct wiphy *wiphy = phy->mt76->hw->wiphy;
> >   	struct thermal_cooling_device *cdev;
> >   	struct device *hwmon;
> > +	const char *name;
> >   
> > -	cdev = thermal_cooling_device_register(wiphy_name(wiphy), phy,
> > -					       &mt7915_thermal_ops);
> > +	name = devm_kstrdup(&wiphy->dev, wiphy_name(wiphy),
> > GFP_KERNEL);
> > +	cdev = thermal_cooling_device_register(name, phy,
> > &mt7915_thermal_ops);
> >   	if (!IS_ERR(cdev)) {
> >   		if (sysfs_create_link(&wiphy->dev.kobj, &cdev-
> > >device.kobj,
> >   				      "cooling_device") < 0)
> > @@ -174,8 +175,7 @@ static int mt7915_thermal_init(struct
> > mt7915_phy *phy)
> >   	if (!IS_REACHABLE(CONFIG_HWMON))
> >   		return 0;
> >   
> > -	hwmon = devm_hwmon_device_register_with_groups(&wiphy->dev,
> > -						       wiphy_name(wiphy
> > ), phy,
> > +	hwmon = devm_hwmon_device_register_with_groups(&wiphy->dev,
> > name, phy,
> >   						       mt7915_hwmon_gro
> > ups);
> >   	if (IS_ERR(hwmon))
> >   		return PTR_ERR(hwmon);
> > diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
> > b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
> > index 932cf5a629db..219bb353b56d 100644
> > --- a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
> > +++ b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
> > @@ -1962,7 +1962,7 @@ mt7915_mcu_sta_bfer_tlv(struct mt7915_dev
> > *dev, struct sk_buff *skb,
> >   	else
> >   		return;
> >   
> > -	bf->bf_cap = BIT(!ebf && dev->ibf);
> > +	bf->bf_cap = ebf ? ebf : dev->ibf << 1;
> 
> And this should not be in this patch.
> 

Oops. I messed patch up while merging to other series. Will fix.

Ryder
> 

      reply	other threads:[~2021-09-01 18:06 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-09-01 17:49 [PATCH v5 1/2] mt76: mt7915: fix hwmon temp sensor mem use-after-free Ryder Lee
2021-09-01 17:49 ` [PATCH v5 2/2] mt76: mt7615: " Ryder Lee
2021-09-01 17:55 ` [PATCH v5 1/2] mt76: mt7915: " Ben Greear
2021-09-01 18:06   ` Ryder Lee [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=32b9ac1244f38d20f89548b14aa8d2afb0fa779b.camel@mediatek.com \
    --to=ryder.lee@mediatek.com \
    --cc=evelyn.tsai@mediatek.com \
    --cc=greearb@candelatech.com \
    --cc=linux-mediatek@lists.infradead.org \
    --cc=linux-wireless@vger.kernel.org \
    --cc=lorenzo.bianconi@redhat.com \
    --cc=nbd@nbd.name \
    --cc=shayne.chen@mediatek.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).