LinuxLists.cc - [PATCH v2] mt76: mt7915: fix potential overflow of eeprom page index

2021-07-20 02:57:38

Subject: [PATCH v2] mt76: mt7915: fix potential overflow of eeprom page index

If total eeprom size is divisible by per-page size, the i in for loop
will exceed max page index, which happens in our newer chipset.

Fixes: 26f18380e6ca ("mt76: mt7915: add support for flash mode")
Signed-off-by: Bo Jiao <[email protected]>
Signed-off-by: Shayne Chen <[email protected]>
Reported-by: kernel test robot <[email protected]>
---
v2: fix warning reported by kernel test robot

drivers/net/wireless/mediatek/mt76/mt7915/mcu.c:3407:22: warning: use
of logical '&&' with constant operand [-Wconstant-logical-operand]
if (i == total - 1 && MT7915_EEPROM_SIZE % PER_PAGE_SIZE)
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
---
drivers/net/wireless/mediatek/mt76/mt7915/mcu.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
index 91efa9b..69b6796 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
@@ -3392,20 +3392,20 @@ int mt7915_mcu_set_chan_info(struct mt7915_phy *phy, int cmd)

static int mt7915_mcu_set_eeprom_flash(struct mt7915_dev *dev)
{
-#define TOTAL_PAGE_MASK GENMASK(7, 5)
+#define MAX_PAGE_IDX_MASK GENMASK(7, 5)
#define PAGE_IDX_MASK GENMASK(4, 2)
#define PER_PAGE_SIZE 0x400
struct mt7915_mcu_eeprom req = { .buffer_mode = EE_MODE_BUFFER };
- u8 total = MT7915_EEPROM_SIZE / PER_PAGE_SIZE;
+ u8 total = DIV_ROUND_UP(MT7915_EEPROM_SIZE, PER_PAGE_SIZE);
u8 *eep = (u8 *)dev->mt76.eeprom.data;
int eep_len;
int i;

- for (i = 0; i <= total; i++, eep += eep_len) {
+ for (i = 0; i < total; i++, eep += eep_len) {
struct sk_buff *skb;
int ret;

- if (i == total)
+ if (i == total - 1 && !!(MT7915_EEPROM_SIZE % PER_PAGE_SIZE))
eep_len = MT7915_EEPROM_SIZE % PER_PAGE_SIZE;
else
eep_len = PER_PAGE_SIZE;
@@ -3415,7 +3415,7 @@ static int mt7915_mcu_set_eeprom_flash(struct mt7915_dev *dev)
if (!skb)
return -ENOMEM;

- req.format = FIELD_PREP(TOTAL_PAGE_MASK, total) |
+ req.format = FIELD_PREP(MAX_PAGE_IDX_MASK, total - 1) |
FIELD_PREP(PAGE_IDX_MASK, i) | EE_FORMAT_WHOLE;
req.len = cpu_to_le16(eep_len);

--
2.25.1