1. 09 Dec, 2022 4 commits
    • Ryder Lee's avatar
      wifi: mt76: mt7996: fix insecure data handling of mt7996_mcu_ie_countdown() · 5202b983
      Ryder Lee authored
      Coverity message:
      using tainted "hdr->band" variable as an index into an array "(*dev).mt76.phys".
      Reported-by: default avatarcoverity-bot <keescook+coverity-bot@chromium.org>
      Addresses-Coverity-ID: 1527797 ("Insecure data handling")
      Fixes: 98686cd2 ("wifi: mt76: mt7996: add driver for MediaTek Wi-Fi 7 (802.11be) devices")
      Signed-off-by: default avatarRyder Lee <ryder.lee@mediatek.com>
      Signed-off-by: default avatarFelix Fietkau <nbd@nbd.name>
      5202b983
    • Ryder Lee's avatar
      wifi: mt76: mt7915: fix mt7915_rate_txpower_get() resource leaks · 8b25301a
      Ryder Lee authored
      Coverity message: variable "buf" going out of scope leaks the storage.
      Reported-by: default avatarcoverity-bot <keescook+coverity-bot@chromium.org>
      Addresses-Coverity-ID: 1527799 ("Resource leaks")
      Fixes: e3296759 ("wifi: mt76: mt7915: enable per bandwidth power limit support")
      Signed-off-by: default avatarRyder Lee <ryder.lee@mediatek.com>
      Signed-off-by: default avatarFelix Fietkau <nbd@nbd.name>
      8b25301a
    • Deren Wu's avatar
      wifi: mt76: mt7921s: fix slab-out-of-bounds access in sdio host · aec4cf2e
      Deren Wu authored
      SDIO may need addtional 511 bytes to align bus operation. If the tailroom
      of this skb is not big enough, we would access invalid memory region.
      For low level operation, increase skb size to keep valid memory access in
      SDIO host.
      
      Error message:
      [69.951] BUG: KASAN: slab-out-of-bounds in sg_copy_buffer+0xe9/0x1a0
      [69.951] Read of size 64 at addr ffff88811c9cf000 by task kworker/u16:7/451
      [69.951] CPU: 4 PID: 451 Comm: kworker/u16:7 Tainted: G W  OE  6.1.0-rc5 #1
      [69.951] Workqueue: kvub300c vub300_cmndwork_thread [vub300]
      [69.951] Call Trace:
      [69.951]  <TASK>
      [69.952]  dump_stack_lvl+0x49/0x63
      [69.952]  print_report+0x171/0x4a8
      [69.952]  kasan_report+0xb4/0x130
      [69.952]  kasan_check_range+0x149/0x1e0
      [69.952]  memcpy+0x24/0x70
      [69.952]  sg_copy_buffer+0xe9/0x1a0
      [69.952]  sg_copy_to_buffer+0x12/0x20
      [69.952]  __command_write_data.isra.0+0x23c/0xbf0 [vub300]
      [69.952]  vub300_cmndwork_thread+0x17f3/0x58b0 [vub300]
      [69.952]  process_one_work+0x7ee/0x1320
      [69.952]  worker_thread+0x53c/0x1240
      [69.952]  kthread+0x2b8/0x370
      [69.952]  ret_from_fork+0x1f/0x30
      [69.952]  </TASK>
      
      [69.952] Allocated by task 854:
      [69.952]  kasan_save_stack+0x26/0x50
      [69.952]  kasan_set_track+0x25/0x30
      [69.952]  kasan_save_alloc_info+0x1b/0x30
      [69.952]  __kasan_kmalloc+0x87/0xa0
      [69.952]  __kmalloc_node_track_caller+0x63/0x150
      [69.952]  kmalloc_reserve+0x31/0xd0
      [69.952]  __alloc_skb+0xfc/0x2b0
      [69.952]  __mt76_mcu_msg_alloc+0xbf/0x230 [mt76]
      [69.952]  mt76_mcu_send_and_get_msg+0xab/0x110 [mt76]
      [69.952]  __mt76_mcu_send_firmware.cold+0x94/0x15d [mt76]
      [69.952]  mt76_connac_mcu_send_ram_firmware+0x415/0x54d [mt76_connac_lib]
      [69.952]  mt76_connac2_load_ram.cold+0x118/0x4bc [mt76_connac_lib]
      [69.952]  mt7921_run_firmware.cold+0x2e9/0x405 [mt7921_common]
      [69.952]  mt7921s_mcu_init+0x45/0x80 [mt7921s]
      [69.953]  mt7921_init_work+0xe1/0x2a0 [mt7921_common]
      [69.953]  process_one_work+0x7ee/0x1320
      [69.953]  worker_thread+0x53c/0x1240
      [69.953]  kthread+0x2b8/0x370
      [69.953]  ret_from_fork+0x1f/0x30
      [69.953] The buggy address belongs to the object at ffff88811c9ce800
                   which belongs to the cache kmalloc-2k of size 2048
      [69.953] The buggy address is located 0 bytes to the right of
                   2048-byte region [ffff88811c9ce800, ffff88811c9cf000)
      
      [69.953] Memory state around the buggy address:
      [69.953]  ffff88811c9cef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [69.953]  ffff88811c9cef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [69.953] >ffff88811c9cf000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [69.953]                    ^
      [69.953]  ffff88811c9cf080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [69.953]  ffff88811c9cf100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      
      Fixes: 764dee47 ("mt76: sdio: move common code in mt76_sdio module")
      Suggested-by: default avatarLorenzo Bianconi <lorenzo@kernel.org>
      Tested-by: default avatarYN Chen <YN.Chen@mediatek.com>
      Signed-off-by: default avatarDeren Wu <deren.wu@mediatek.com>
      Signed-off-by: default avatarFelix Fietkau <nbd@nbd.name>
      aec4cf2e
    • Wang Yufen's avatar
      wifi: mt76: mt7915: add missing of_node_put() · 18425d7d
      Wang Yufen authored
      Add missing of_node_put() after of_reserved_mem_lookup()
      
      Fixes: 99ad32a4 ("mt76: mt7915: add support for MT7986")
      Signed-off-by: default avatarWang Yufen <wangyufen@huawei.com>
      Signed-off-by: default avatarFelix Fietkau <nbd@nbd.name>
      18425d7d
  2. 08 Dec, 2022 33 commits
  3. 07 Dec, 2022 3 commits