linux-wireless.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH v4 1/2] mt76: mt7915: fix hwmon temp sensor mem use-after-free
@ 2021-07-31  2:17 Ryder Lee
  2021-07-31  2:17 ` [PATCH v4 2/2] mt76: mt7615: " Ryder Lee
  2021-08-13 10:15 ` [PATCH v4 1/2] mt76: mt7915: " Felix Fietkau
  0 siblings, 2 replies; 5+ messages in thread
From: Ryder Lee @ 2021-07-31  2:17 UTC (permalink / raw)
  To: Felix Fietkau
  Cc: Lorenzo Bianconi, Shayne Chen, Evelyn Tsai, linux-wireless,
	linux-mediatek, Ben Greear, Ryder Lee

From: Ben Greear <greearb@candelatech.com>

Without this change, garbage is seen in the hwmon name
and sensors output for mt7915 is garbled.

With the change:

mt7915-pci-1400
Adapter: PCI adapter
temp1:        +49.0°C

Fixes: d6938251bb5b (mt76: mt7915: add thermal sensor device support)
Signed-off-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
---
v4:  Simplify flow.
v3:  Add 'fixes' tag to aid backports.
---
 drivers/net/wireless/mediatek/mt76/mt7915/init.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/init.c b/drivers/net/wireless/mediatek/mt76/mt7915/init.c
index 77c7486d6a5c..a1b9e1b3f700 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7915/init.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7915/init.c
@@ -155,13 +155,13 @@ static void mt7915_unregister_thermal(struct mt7915_phy *phy)
 	thermal_cooling_device_unregister(phy->cdev);
 }
 
-static int mt7915_thermal_init(struct mt7915_phy *phy)
+static int mt7915_thermal_init(struct mt7915_phy *phy, const char *prefix)
 {
 	struct wiphy *wiphy = phy->mt76->hw->wiphy;
 	struct thermal_cooling_device *cdev;
 	struct device *hwmon;
 
-	cdev = thermal_cooling_device_register(wiphy_name(wiphy), phy,
+	cdev = thermal_cooling_device_register(prefix, phy,
 					       &mt7915_thermal_ops);
 	if (!IS_ERR(cdev)) {
 		if (sysfs_create_link(&wiphy->dev.kobj, &cdev->device.kobj,
@@ -175,7 +175,7 @@ static int mt7915_thermal_init(struct mt7915_phy *phy)
 		return 0;
 
 	hwmon = devm_hwmon_device_register_with_groups(&wiphy->dev,
-						       wiphy_name(wiphy), phy,
+						       prefix, phy,
 						       mt7915_hwmon_groups);
 	if (IS_ERR(hwmon))
 		return PTR_ERR(hwmon);
@@ -403,7 +403,7 @@ static int mt7915_register_ext_phy(struct mt7915_dev *dev)
 	if (ret)
 		goto error;
 
-	ret = mt7915_thermal_init(phy);
+	ret = mt7915_thermal_init(phy, KBUILD_MODNAME "-ext");
 	if (ret)
 		goto error;
 
@@ -853,7 +853,7 @@ int mt7915_register_device(struct mt7915_dev *dev)
 	if (ret)
 		return ret;
 
-	ret = mt7915_thermal_init(&dev->phy);
+	ret = mt7915_thermal_init(&dev->phy, KBUILD_MODNAME);
 	if (ret)
 		return ret;
 
-- 
2.29.2


^ permalink raw reply related	[flat|nested] 5+ messages in thread
* [PATCH v4 2/2] mt76: mt7615: fix hwmon temp sensor mem use-after-free
  2021-07-31  2:17 [PATCH v4 1/2] mt76: mt7915: fix hwmon temp sensor mem use-after-free Ryder Lee
@ 2021-07-31  2:17 ` Ryder Lee
  2021-08-13 10:15 ` [PATCH v4 1/2] mt76: mt7915: " Felix Fietkau
  1 sibling, 0 replies; 5+ messages in thread
From: Ryder Lee @ 2021-07-31  2:17 UTC (permalink / raw)
  To: Felix Fietkau
  Cc: Lorenzo Bianconi, Shayne Chen, Evelyn Tsai, linux-wireless,
	linux-mediatek, Ryder Lee

Without this change, garbage is seen in the hwmon name
and sensors output for mt7615 is garbled.

Fixes: 109e505ad944 (mt76: mt7615: add thermal sensor device support)
Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
---
 drivers/net/wireless/mediatek/mt76/mt7615/init.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/init.c b/drivers/net/wireless/mediatek/mt76/mt7615/init.c
index 05235a60d413..6e8feceb1ff2 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7615/init.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7615/init.c
@@ -54,7 +54,7 @@ int mt7615_thermal_init(struct mt7615_dev *dev)
 		return 0;
 
 	hwmon = devm_hwmon_device_register_with_groups(&wiphy->dev,
-						       wiphy_name(wiphy), dev,
+						       KBUILD_MODNAME, dev,
 						       mt7615_hwmon_groups);
 	if (IS_ERR(hwmon))
 		return PTR_ERR(hwmon);
-- 
2.29.2


^ permalink raw reply related	[flat|nested] 5+ messages in thread
* Re: [PATCH v4 1/2] mt76: mt7915: fix hwmon temp sensor mem use-after-free
  2021-07-31  2:17 [PATCH v4 1/2] mt76: mt7915: fix hwmon temp sensor mem use-after-free Ryder Lee
  2021-07-31  2:17 ` [PATCH v4 2/2] mt76: mt7615: " Ryder Lee
@ 2021-08-13 10:15 ` Felix Fietkau
  2021-08-13 13:54   ` Ben Greear
  1 sibling, 1 reply; 5+ messages in thread
From: Felix Fietkau @ 2021-08-13 10:15 UTC (permalink / raw)
  To: Ryder Lee
  Cc: Lorenzo Bianconi, Shayne Chen, Evelyn Tsai, linux-wireless,
	linux-mediatek, Ben Greear


On 2021-07-31 04:17, Ryder Lee wrote:
> From: Ben Greear <greearb@candelatech.com>
> 
> Without this change, garbage is seen in the hwmon name
> and sensors output for mt7915 is garbled.
Where does the use-after-free bug come from? It's not obvious to me why
using KBUILD_MODNAME instead of wiphy_name() fixes it.
I still think the phy name should probably be part of the prefix.

> With the change:
> 
> mt7915-pci-1400
> Adapter: PCI adapter
> temp1:        +49.0°C
> 
> Fixes: d6938251bb5b (mt76: mt7915: add thermal sensor device support)
The format is wrong (missing quotes), and the hash references a commit
that's not in any upstream tree.

- Felix

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [PATCH v4 1/2] mt76: mt7915: fix hwmon temp sensor mem use-after-free
  2021-08-13 10:15 ` [PATCH v4 1/2] mt76: mt7915: " Felix Fietkau
@ 2021-08-13 13:54   ` Ben Greear
  2021-08-13 14:08     ` Felix Fietkau
  0 siblings, 1 reply; 5+ messages in thread
From: Ben Greear @ 2021-08-13 13:54 UTC (permalink / raw)
  To: Felix Fietkau, Ryder Lee
  Cc: Lorenzo Bianconi, Shayne Chen, Evelyn Tsai, linux-wireless,
	linux-mediatek

On 8/13/21 3:15 AM, Felix Fietkau wrote:
> 
> On 2021-07-31 04:17, Ryder Lee wrote:
>> From: Ben Greear <greearb@candelatech.com>
>>
>> Without this change, garbage is seen in the hwmon name
>> and sensors output for mt7915 is garbled.
> Where does the use-after-free bug come from? It's not obvious to me why
> using KBUILD_MODNAME instead of wiphy_name() fixes it.
> I still think the phy name should probably be part of the prefix.

We rename phy devices as part of our normal operation, I think maybe
that helps trigger the bug.

It appears that the hwmon logic does not make a copy of the incoming string,
but instead just copies a char* and expects it to never go away.  But,
I did not actually verify that.

Thanks,
Ben

> 
>> With the change:
>>
>> mt7915-pci-1400
>> Adapter: PCI adapter
>> temp1:        +49.0°C
>>
>> Fixes: d6938251bb5b (mt76: mt7915: add thermal sensor device support)
> The format is wrong (missing quotes), and the hash references a commit
> that's not in any upstream tree.
> 
> - Felix
> 


-- 
Ben Greear <greearb@candelatech.com>
Candela Technologies Inc  http://www.candelatech.com

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [PATCH v4 1/2] mt76: mt7915: fix hwmon temp sensor mem use-after-free
  2021-08-13 13:54   ` Ben Greear
@ 2021-08-13 14:08     ` Felix Fietkau
  0 siblings, 0 replies; 5+ messages in thread
From: Felix Fietkau @ 2021-08-13 14:08 UTC (permalink / raw)
  To: Ben Greear, Ryder Lee
  Cc: Lorenzo Bianconi, Shayne Chen, Evelyn Tsai, linux-wireless,
	linux-mediatek

On 2021-08-13 15:54, Ben Greear wrote:
> On 8/13/21 3:15 AM, Felix Fietkau wrote:
>> 
>> On 2021-07-31 04:17, Ryder Lee wrote:
>>> From: Ben Greear <greearb@candelatech.com>
>>>
>>> Without this change, garbage is seen in the hwmon name
>>> and sensors output for mt7915 is garbled.
>> Where does the use-after-free bug come from? It's not obvious to me why
>> using KBUILD_MODNAME instead of wiphy_name() fixes it.
>> I still think the phy name should probably be part of the prefix.
> 
> We rename phy devices as part of our normal operation, I think maybe
> that helps trigger the bug.
> 
> It appears that the hwmon logic does not make a copy of the incoming string,
> but instead just copies a char* and expects it to never go away.  But,
> I did not actually verify that.
That makes sense. It seems that thermal copies the string internally,
but hwmon does not.
How about using devm_kstrdup on the wiphy name instead of using
KBUILD_MODNAME? If you really don't want to use the initial phy name,
there's also the option of using dev_name(dev->mt76.dev)

- Felix

^ permalink raw reply	[flat|nested] 5+ messages in thread
end of thread, other threads:[~2021-08-13 14:08 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-07-31  2:17 [PATCH v4 1/2] mt76: mt7915: fix hwmon temp sensor mem use-after-free Ryder Lee
2021-07-31  2:17 ` [PATCH v4 2/2] mt76: mt7615: " Ryder Lee
2021-08-13 10:15 ` [PATCH v4 1/2] mt76: mt7915: " Felix Fietkau
2021-08-13 13:54   ` Ben Greear
2021-08-13 14:08     ` Felix Fietkau

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).