* [PATCH v2 1/3] wifi: mt76: mt7915: check return value before accessing free_block_num
@ 2022-12-03 21:33 Ryder Lee
2022-12-03 21:33 ` [PATCH v2 2/3] wifi: mt76: mt7996: " Ryder Lee
2022-12-03 21:33 ` [PATCH v2 3/3] wifi: mt76: mt7915: check the correctness of event data Ryder Lee
0 siblings, 2 replies; 3+ messages in thread
From: Ryder Lee @ 2022-12-03 21:33 UTC (permalink / raw)
To: Felix Fietkau, linux-wireless
Cc: Lorenzo Bianconi, Shayne Chen, Evelyn Tsai, linux-mediatek, Ryder Lee
Check return value of mt7915_mcu_get_eeprom_free_block() first before
accessing free_block_num.
Fixes: bbc1d4154ec1 ("mt76: mt7915: add default calibrated data support")
Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
---
change since v2 - check return value of mt7915_mcu_get_eeprom() as well.
---
.../wireless/mediatek/mt76/mt7915/eeprom.c | 19 ++++++++++++-------
.../net/wireless/mediatek/mt76/mt7915/mcu.c | 10 ++++++----
2 files changed, 18 insertions(+), 11 deletions(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/eeprom.c b/drivers/net/wireless/mediatek/mt76/mt7915/eeprom.c
index 59069fb86414..24efa280dd86 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7915/eeprom.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7915/eeprom.c
@@ -110,18 +110,23 @@ static int mt7915_eeprom_load(struct mt7915_dev *dev)
} else {
u8 free_block_num;
u32 block_num, i;
+ u32 eeprom_blk_size = MT7915_EEPROM_BLOCK_SIZE;
- mt7915_mcu_get_eeprom_free_block(dev, &free_block_num);
- /* efuse info not enough */
+ ret = mt7915_mcu_get_eeprom_free_block(dev, &free_block_num);
+ if (ret < 0)
+ return ret;
+
+ /* efuse info isn't enough */
if (free_block_num >= 29)
return -EINVAL;
/* read eeprom data from efuse */
- block_num = DIV_ROUND_UP(eeprom_size,
- MT7915_EEPROM_BLOCK_SIZE);
- for (i = 0; i < block_num; i++)
- mt7915_mcu_get_eeprom(dev,
- i * MT7915_EEPROM_BLOCK_SIZE);
+ block_num = DIV_ROUND_UP(eeprom_size, eeprom_blk_size);
+ for (i = 0; i < block_num; i++) {
+ ret = mt7915_mcu_get_eeprom(dev, i * eeprom_blk_size);
+ if (ret < 0)
+ return ret;
+ }
}
return mt7915_check_eeprom(dev);
diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
index ca315af3905b..86ec767266cc 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
@@ -2792,8 +2792,9 @@ int mt7915_mcu_get_eeprom(struct mt7915_dev *dev, u32 offset)
int ret;
u8 *buf;
- ret = mt76_mcu_send_and_get_msg(&dev->mt76, MCU_EXT_QUERY(EFUSE_ACCESS), &req,
- sizeof(req), true, &skb);
+ ret = mt76_mcu_send_and_get_msg(&dev->mt76,
+ MCU_EXT_QUERY(EFUSE_ACCESS),
+ &req, sizeof(req), true, &skb);
if (ret)
return ret;
@@ -2818,8 +2819,9 @@ int mt7915_mcu_get_eeprom_free_block(struct mt7915_dev *dev, u8 *block_num)
struct sk_buff *skb;
int ret;
- ret = mt76_mcu_send_and_get_msg(&dev->mt76, MCU_EXT_QUERY(EFUSE_FREE_BLOCK), &req,
- sizeof(req), true, &skb);
+ ret = mt76_mcu_send_and_get_msg(&dev->mt76,
+ MCU_EXT_QUERY(EFUSE_FREE_BLOCK),
+ &req, sizeof(req), true, &skb);
if (ret)
return ret;
--
2.18.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [PATCH v2 2/3] wifi: mt76: mt7996: check return value before accessing free_block_num
2022-12-03 21:33 [PATCH v2 1/3] wifi: mt76: mt7915: check return value before accessing free_block_num Ryder Lee
@ 2022-12-03 21:33 ` Ryder Lee
2022-12-03 21:33 ` [PATCH v2 3/3] wifi: mt76: mt7915: check the correctness of event data Ryder Lee
1 sibling, 0 replies; 3+ messages in thread
From: Ryder Lee @ 2022-12-03 21:33 UTC (permalink / raw)
To: Felix Fietkau, linux-wireless
Cc: Lorenzo Bianconi, Shayne Chen, Evelyn Tsai, linux-mediatek, Ryder Lee
Check return value of mt7996_mcu_get_eeprom_free_block() first before
accessing free_block_num.
Fixes: 98686cd21624 ("wifi: mt76: mt7996: add driver for MediaTek Wi-Fi 7 (802.11be) devices")
Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
---
change since v2 - check return value of mt7996_mcu_get_eeprom as well.
---
.../net/wireless/mediatek/mt76/mt7996/eeprom.c | 18 ++++++++++++------
.../net/wireless/mediatek/mt76/mt7996/mcu.c | 5 +++--
2 files changed, 15 insertions(+), 8 deletions(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/eeprom.c b/drivers/net/wireless/mediatek/mt76/mt7996/eeprom.c
index b9f62bedbc48..5d8e0353627e 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/eeprom.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/eeprom.c
@@ -65,17 +65,23 @@ static int mt7996_eeprom_load(struct mt7996_dev *dev)
} else {
u8 free_block_num;
u32 block_num, i;
+ u32 eeprom_blk_size = MT7996_EEPROM_BLOCK_SIZE;
- /* TODO: check free block event */
- mt7996_mcu_get_eeprom_free_block(dev, &free_block_num);
- /* efuse info not enough */
+ ret = mt7996_mcu_get_eeprom_free_block(dev, &free_block_num);
+ if (ret < 0)
+ return ret;
+
+ /* efuse info isn't enough */
if (free_block_num >= 59)
return -EINVAL;
/* read eeprom data from efuse */
- block_num = DIV_ROUND_UP(MT7996_EEPROM_SIZE, MT7996_EEPROM_BLOCK_SIZE);
- for (i = 0; i < block_num; i++)
- mt7996_mcu_get_eeprom(dev, i * MT7996_EEPROM_BLOCK_SIZE);
+ block_num = DIV_ROUND_UP(MT7996_EEPROM_SIZE, eeprom_blk_size);
+ for (i = 0; i < block_num; i++) {
+ ret = mt7996_mcu_get_eeprom(dev, i * eeprom_blk_size);
+ if (ret < 0)
+ return ret;
+ }
}
return mt7996_check_eeprom(dev);
diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
index efb245c8ac84..da72684e4308 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
@@ -2927,8 +2927,9 @@ int mt7996_mcu_get_eeprom(struct mt7996_dev *dev, u32 offset)
bool valid;
int ret;
- ret = mt76_mcu_send_and_get_msg(&dev->mt76, MCU_WM_UNI_CMD_QUERY(EFUSE_CTRL), &req,
- sizeof(req), true, &skb);
+ ret = mt76_mcu_send_and_get_msg(&dev->mt76,
+ MCU_WM_UNI_CMD_QUERY(EFUSE_CTRL),
+ &req, sizeof(req), true, &skb);
if (ret)
return ret;
--
2.18.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [PATCH v2 3/3] wifi: mt76: mt7915: check the correctness of event data
2022-12-03 21:33 [PATCH v2 1/3] wifi: mt76: mt7915: check return value before accessing free_block_num Ryder Lee
2022-12-03 21:33 ` [PATCH v2 2/3] wifi: mt76: mt7996: " Ryder Lee
@ 2022-12-03 21:33 ` Ryder Lee
1 sibling, 0 replies; 3+ messages in thread
From: Ryder Lee @ 2022-12-03 21:33 UTC (permalink / raw)
To: Felix Fietkau, linux-wireless
Cc: Lorenzo Bianconi, Shayne Chen, Evelyn Tsai, linux-mediatek, Ryder Lee
The mcu event might not be reliable, so check the correctness of data
before handling it.
Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
---
.../net/wireless/mediatek/mt76/mt7915/mcu.c | 21 +++++++++++++++----
1 file changed, 17 insertions(+), 4 deletions(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
index 86ec767266cc..37a3c1f082d9 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
@@ -232,8 +232,11 @@ mt7915_mcu_rx_csa_notify(struct mt7915_dev *dev, struct sk_buff *skb)
c = (struct mt7915_mcu_csa_notify *)skb->data;
+ if (c->band_idx > MT_BAND1)
+ return;
+
if ((c->band_idx && !dev->phy.mt76->band_idx) &&
- dev->mt76.phys[MT_BAND1])
+ dev->mt76.phys[MT_BAND1])
mphy = dev->mt76.phys[MT_BAND1];
ieee80211_iterate_active_interfaces_atomic(mphy->hw,
@@ -252,8 +255,11 @@ mt7915_mcu_rx_thermal_notify(struct mt7915_dev *dev, struct sk_buff *skb)
if (t->ctrl.ctrl_id != THERMAL_PROTECT_ENABLE)
return;
+ if (t->ctrl.band_idx > MT_BAND1)
+ return;
+
if ((t->ctrl.band_idx && !dev->phy.mt76->band_idx) &&
- dev->mt76.phys[MT_BAND1])
+ dev->mt76.phys[MT_BAND1])
mphy = dev->mt76.phys[MT_BAND1];
phy = (struct mt7915_phy *)mphy->priv;
@@ -268,8 +274,11 @@ mt7915_mcu_rx_radar_detected(struct mt7915_dev *dev, struct sk_buff *skb)
r = (struct mt7915_mcu_rdd_report *)skb->data;
+ if (r->band_idx > MT_BAND1)
+ return;
+
if ((r->band_idx && !dev->phy.mt76->band_idx) &&
- dev->mt76.phys[MT_BAND1])
+ dev->mt76.phys[MT_BAND1])
mphy = dev->mt76.phys[MT_BAND1];
if (r->band_idx == MT_RX_SEL2)
@@ -326,7 +335,11 @@ mt7915_mcu_rx_bcc_notify(struct mt7915_dev *dev, struct sk_buff *skb)
b = (struct mt7915_mcu_bcc_notify *)skb->data;
- if ((b->band_idx && !dev->phy.mt76->band_idx) && dev->mt76.phys[MT_BAND1])
+ if (b->band_idx > MT_BAND1)
+ return;
+
+ if ((b->band_idx && !dev->phy.mt76->band_idx) &&
+ dev->mt76.phys[MT_BAND1])
mphy = dev->mt76.phys[MT_BAND1];
ieee80211_iterate_active_interfaces_atomic(mphy->hw,
--
2.18.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-12-03 21:33 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-12-03 21:33 [PATCH v2 1/3] wifi: mt76: mt7915: check return value before accessing free_block_num Ryder Lee
2022-12-03 21:33 ` [PATCH v2 2/3] wifi: mt76: mt7996: " Ryder Lee
2022-12-03 21:33 ` [PATCH v2 3/3] wifi: mt76: mt7915: check the correctness of event data Ryder Lee
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).