Received: by 2002:a05:6a10:af89:0:0:0:0 with SMTP id iu9csp3701060pxb; Mon, 24 Jan 2022 15:46:05 -0800 (PST) X-Google-Smtp-Source: ABdhPJyGpWbJWd72+NY/styvS0mxTLxwKJU4Qd9vnb492ShqT5rwdYNVFVxKeA4Q0Jv/QHSxj+3n X-Received: by 2002:a17:90b:4109:: with SMTP id io9mr659699pjb.244.1643067965438; Mon, 24 Jan 2022 15:46:05 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1643067965; cv=none; d=google.com; s=arc-20160816; b=IisBvWquplmj0Friq99Kr2tfhrt9WI+iQGxvJwq7d1tHIt2UwHd4BER5GuBQ10Fe0o /8421UfNFclNelmmKsE448aKXV44ZAweDKcxtldKjRfxNSbek+KxZVYLKSlFSn3oyR6P 83y45SyIK0UEDPHyTQiUUTIfrWK/Wp2DaEL96D/2V9s6m/QPmVsreWi1ZIUJ26ciU4wj E3UVETKFebqNeKar8bffla8Bp9dGX9nmvI01aF2Aq2ln1SDrj5m1f0qV3kgwdXKfzXeS NBA3yrFvYjMCVfVp/4A3mHzwqqBIVx7OBpmAr/KMkNRXm2c4nCiZ6yap2MxatKNfyrKX mxJA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=MLChaNWT0DHSoqsyKUzn/nCZn7nUm913G56fOe07jUQ=; b=mhAgEtxGQgL3uYEzuG/N9lG5QWp7T/jWqxPcQg0yyCJiYYd++brneWmVSlcoEAJJBZ mgWbufzYCafVgS8VOseiwDf8ss+Cse24Dx9UbP5Zx30xdvEPIcI/tz0ZG2Qu7mjdCFFy 8WDDH8pg2zY0UeM7M2NrTdroHx9cRf2lvZ8qG4w7Ky00nz8OIkE62CpgQtsvzg0sqAws YekNVzd96M2Ja+JcQZToR6BLbBtYtIHwxfoCoRMFOyX8fDyIoxzP89rc3il4QjN+0dmG k0wOnL5Um59oMLVc+ljHnsQChRxtmO2oNkjtndd3u4A5zmLEfuLSm8WVBoHoPueC5lGN UNnw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="v5TDG/Ze"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id pg13si750574pjb.9.2022.01.24.15.45.53; Mon, 24 Jan 2022 15:46:05 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="v5TDG/Ze"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2360504AbiAXXgz (ORCPT + 99 others); Mon, 24 Jan 2022 18:36:55 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44290 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1382775AbiAXWxo (ORCPT ); Mon, 24 Jan 2022 17:53:44 -0500 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C7843C061A10; Mon, 24 Jan 2022 13:08:41 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 831A0B80FA3; Mon, 24 Jan 2022 21:08:40 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id AB209C340E5; Mon, 24 Jan 2022 21:08:38 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1643058519; bh=XVfbMr+0bam4xryzd7On8rKa6GlVOXgJT+vvJ89vSBA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=v5TDG/ZebXH84R+DJhR9it98WcAEmXCcn2wNwx3tQpKQZRmIjEdwna8pC0nvIfGu1 Q29ER5MxBQahmLlEblDWJNx1K5pWtQZ9zl5bM13gvXO/mNoysxTrpS2q9JqwwcN8cT dMejYdw0mbuY9jhmoTmKf5lCMCuhCxlxipqql8Bo= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Sean Wang , Felix Fietkau , Sasha Levin Subject: [PATCH 5.16 0316/1039] mt76: mt7921s: fix possible kernel crash due to invalid Rx count Date: Mon, 24 Jan 2022 19:35:05 +0100 Message-Id: <20220124184135.922658007@linuxfoundation.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20220124184125.121143506@linuxfoundation.org> References: <20220124184125.121143506@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Sean Wang [ Upstream commit 2b7f3574ca9a7ff4a6b4ec1ae4dfdfde481ac80b ] Return the proper error code when out-of-range the Rx aggregation count are reported from the hardware that would create the unreasonable extreme large Rx buffer. [ 100.873810] show_stack+0x20/0x2c [ 100.873823] dump_stack+0xc4/0x140 [ 100.873839] bad_page+0x110/0x114 [ 100.873854] check_new_pages+0xf8/0xfc [ 100.873869] rmqueue+0x5a0/0x640 [ 100.873884] get_page_from_freelist+0x124/0x20c [ 100.873898] __alloc_pages_nodemask+0x114/0x2a4 [ 100.873918] mt76s_rx_run_queue+0xd4/0x2e4 [mt76_sdio 8280a88a0c8c9cf203f16e194f99ac293bdbb2f5] [ 100.873938] mt76s_rx_handler+0xd4/0x2a0 [mt76_sdio 8280a88a0c8c9cf203f16e194f99ac293bdbb2f5] [ 100.873957] mt76s_txrx_worker+0xac/0x17c [mt76_sdio 8280a88a0c8c9cf203f16e194f99ac293bdbb2f5] [ 100.873977] mt7921s_txrx_worker+0x5c/0xd8 [mt7921s d0bdbc018082dbc8dc1407614be3c2e7bd64423b] [ 100.874003] __mt76_worker_fn+0xe8/0x170 [mt76 b80af3483a8f9d48e916c12d8dbfaa0d3cd15337] [ 100.874018] kthread+0x148/0x3ac [ 100.874032] ret_from_fork+0x10/0x30 [ 100.874067] Kernel Offset: 0x1fe2000000 from 0xffffffc010000000 [ 100.874079] PHYS_OFFSET: 0xffffffe800000000 [ 100.874090] CPU features: 0x0240002,2188200c Fixes: 48fab5bbef40 ("mt76: mt7921: introduce mt7921s support") Signed-off-by: Sean Wang Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin --- drivers/net/wireless/mediatek/mt76/mt7921/sdio.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/sdio.c b/drivers/net/wireless/mediatek/mt76/mt7921/sdio.c index 5c88b6b8d0979..84be229a899da 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7921/sdio.c +++ b/drivers/net/wireless/mediatek/mt76/mt7921/sdio.c @@ -62,6 +62,10 @@ static int mt7921s_parse_intr(struct mt76_dev *dev, struct mt76s_intr *intr) if (err < 0) return err; + if (irq_data->rx.num[0] > 16 || + irq_data->rx.num[1] > 128) + return -EINVAL; + intr->isr = irq_data->isr; intr->rec_mb = irq_data->rec_mb; intr->tx.wtqcr = irq_data->tx.wtqcr; -- 2.34.1