Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp574193ybv;
        Thu, 20 Feb 2020 03:42:17 -0800 (PST)
X-Google-Smtp-Source: APXvYqww6Zc8zua1vbgky5O3DY0knKCwYIsiLHbuY7ae+i5axzU7OKbswSHaHmHSFy79/ISq0ZZM
X-Received: by 2002:aca:ebcb:: with SMTP id j194mr1673840oih.154.1582198937225;
        Thu, 20 Feb 2020 03:42:17 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1582198937; cv=none;
        d=google.com; s=arc-20160816;
        b=fur1OPxXFvuWB3KTSNTfmR/xTt1FRD/yBNftr8BonsWXgO3hKA/uImJhlN82FJzrFh
         Bhscm7xpFTwtGxz7A4sP+hPo1iVXi80OageG0iULnwJHi7kX3Cer0Mvi5vtxFMSiBwZ8
         Bhj3IN4+c4WF43NgBvC7poInSEBB9rjahfuCtocBTx1ekDzaqlY1a2x01ix1CQMWUJ5W
         jiRZ/D9mBnjhcYCPaIYOd3pz6obV5S5/Uw2y/2xaqMniRzqnM7G/LNmIxBV7t2+QIuzB
         avZF+eOURVNHilJkUVF17AzUlXB07WHP27IoYNiEUWtETp7Gu1MEWpMIZAeBVi80/jzG
         2zVg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :message-id:date:subject:cc:to:from:dkim-signature;
        bh=QmGrF9CoFgVUhqNJ0kmrFs4wsbbx9jdjenAphQiCtk4=;
        b=qAsCtugbrM/s+GK/8MM+Yyr3xavzMzK3bZ90vMcR020kGaTAz4NDRbDkypV9KGiDRX
         vXM5UOP6gPEXT5uIO04ltB8fyVLYNAzspKn2DDs6JvcjHi6VZpRiqKFyA+Mnmd15Bd4N
         YVhd4/YvPK/e+8ZQHxHWBT+pOkhBDnps14TJ7PK0yP7N8G9Xvcu2IFzxYKBmiJjl+h1g
         07IZM8ehmPskcAEz+ypGDi9my0vbMltNzkt4C5jAgTKi4CVoHVus701llZtfHbzdk6AI
         L1HDZ9psupgUPETAnT2dxpWKNYjBYNzYdqXqcDr270gq9o4LKIwlWW5+pdHDf/bNX++g
         VvWg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@nbd.name header.s=20160729 header.b=KyTEzFR0;
       spf=pass (google.com: best guess record for domain of linux-wireless-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org
Return-Path: <linux-wireless-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id h203si11389953oif.3.2020.02.20.03.41.52;
        Thu, 20 Feb 2020 03:42:17 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-wireless-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@nbd.name header.s=20160729 header.b=KyTEzFR0;
       spf=pass (google.com: best guess record for domain of linux-wireless-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727285AbgBTLlm (ORCPT <rfc822;pgnet.dev@gmail.com> + 99 others);
        Thu, 20 Feb 2020 06:41:42 -0500
Received: from nbd.name ([46.4.11.11]:55068 "EHLO nbd.name"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726882AbgBTLlm (ORCPT <rfc822;linux-wireless@vger.kernel.org>);
        Thu, 20 Feb 2020 06:41:42 -0500
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=nbd.name;
         s=20160729; h=Content-Transfer-Encoding:MIME-Version:Message-Id:Date:Subject
        :Cc:To:From:Sender:Reply-To:Content-Type:Content-ID:Content-Description:
        Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:
        In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
        List-Post:List-Owner:List-Archive;
        bh=QmGrF9CoFgVUhqNJ0kmrFs4wsbbx9jdjenAphQiCtk4=; b=KyTEzFR0eIZU8BJkWkVttAE/K6
        jblo1l90aY4jYymoDG6rQ+Kse8KacbqeUj7yXiSqFtQBP7Dm1iSPaTHq/vh25rMLPV2jrYhZdPqqM
        jnzReGZ6eMkhnWYsDGLX4cL2YkihJzd/VOhLlSEmxIlJ9Xo/2hoKdH6lbLIKWbO4o32M=;
Received: from [80.255.7.124] (helo=maeck.local)
        by ds12 with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
        (Exim 4.89)
        (envelope-from <nbd@nbd.name>)
        id 1j4kD6-000544-KI; Thu, 20 Feb 2020 12:41:40 +0100
Received: by maeck.local (Postfix, from userid 501)
        id 9F2B87CE7105; Thu, 20 Feb 2020 12:41:39 +0100 (CET)
From:   Felix Fietkau <nbd@nbd.name>
To:     linux-wireless@vger.kernel.org
Cc:     kvalo@codeaurora.org, stable@vger.kernel.org
Subject: [PATCH 5.6] mt76: fix array overflow on receiving too many fragments for a packet
Date:   Thu, 20 Feb 2020 12:41:39 +0100
Message-Id: <20200220114139.46508-1-nbd@nbd.name>
X-Mailer: git-send-email 2.24.0
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org

If the hardware receives an oversized packet with too many rx fragments,
skb_shinfo(skb)->frags can overflow and corrupt memory of adjacent pages.
This becomes especially visible if it corrupts the freelist pointer of
a slab page.

Cc: stable@vger.kernel.org
Signed-off-by: Felix Fietkau <nbd@nbd.name>
---
 drivers/net/wireless/mediatek/mt76/dma.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/drivers/net/wireless/mediatek/mt76/dma.c b/drivers/net/wireless/mediatek/mt76/dma.c
index 6173c80189ba..1847f55e199b 100644
--- a/drivers/net/wireless/mediatek/mt76/dma.c
+++ b/drivers/net/wireless/mediatek/mt76/dma.c
@@ -447,10 +447,13 @@ mt76_add_fragment(struct mt76_dev *dev, struct mt76_queue *q, void *data,
 	struct page *page = virt_to_head_page(data);
 	int offset = data - page_address(page);
 	struct sk_buff *skb = q->rx_head;
+	struct skb_shared_info *shinfo = skb_shinfo(skb);
 
-	offset += q->buf_offset;
-	skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags, page, offset, len,
-			q->buf_size);
+	if (shinfo->nr_frags < ARRAY_SIZE(shinfo->frags)) {
+		offset += q->buf_offset;
+		skb_add_rx_frag(skb, shinfo->nr_frags, page, offset, len,
+				q->buf_size);
+	}
 
 	if (more)
 		return;
-- 
2.24.0