From: Felix Fietkau
To: linux-wireless@vger.kernel.org
Cc: kvalo@codeaurora.org, stable@vger.kernel.org
Subject: [PATCH 5.6] mt76: fix array overflow on receiving too many fragments for a packet
Date: Thu, 20 Feb 2020 12:41:39 +0100
Message-Id: <20200220114139.46508-1-nbd@nbd.name>
X-Mailer: git-send-email 2.24.0
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-wireless@vger.kernel.org

If the hardware receives an oversized packet with too many rx fragments, skb_shinfo(skb)->frags can overflow and corrupt memory of adjacent pages. This becomes especially visible if it corrupts the freelist pointer of a slab page.

Cc: stable@vger.kernel.org
Signed-off-by: Felix Fietkau
---
 drivers/net/wireless/mediatek/mt76/dma.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/drivers/net/wireless/mediatek/mt76/dma.c b/drivers/net/wireless/mediatek/mt76/dma.c index 6173c80189ba..1847f55e199b 100644 --- a/drivers/net/wireless/mediatek/mt76/dma.c +++ b/drivers/net/wireless/mediatek/mt76/dma.c @@ -447,10 +447,13 @@ mt76_add_fragment(struct mt76_dev *dev, struct mt76_queue *q, void *data, struct page *page = virt_to_head_page(data); int offset = data - page_address(page); struct sk_buff *skb = q->rx_head; + struct skb_shared_info *shinfo = skb_shinfo(skb); - offset += q->buf_offset; - skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags, page, offset, len, - q->buf_size); + if (shinfo->nr_frags < ARRAY_SIZE(shinfo->frags)) { + offset += q->buf_offset; + skb_add_rx_frag(skb, shinfo->nr_frags, page, offset, len, + q->buf_size); + } if (more) return;
--
2.24.0
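Review bot: the new `if (shinfo->nr_frags < ARRAY_SIZE(shinfo->frags))` guard stops the out-of-bounds write, but a fragment that fails the check is skipped silently and the packet is still completed once `more` is false, so the stack receives a truncated frame with no indication that the hardware delivered an oversized packet; consider discarding the whole `q->rx_head` in that case and counting the event so the condition is visible in driver statistics. In the same branch the skipped fragment's `data`/`page` is never attached to the skb, and nothing in the hunk releases it, so please confirm the caller frees that buffer on this path, otherwise it leaks for every excess fragment.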
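As an added illustration of the defect class the commit message describes (not mt76 or kernel code), the following user-space model bounds fragment accumulation the way the patch does and additionally drops the whole oversized packet instead of truncating it; `MAX_FRAGS`, `struct rx_skb` and `struct rx_queue` are assumed stand-ins for ARRAY_SIZE(shinfo->frags), skb_shared_info and q->rx_head.

```c
/* Added example, not driver code: a model of bounded rx fragment assembly.
 * MAX_FRAGS stands in for ARRAY_SIZE(shinfo->frags); rx_skb for the
 * skb_shared_info frags[] array; rx_queue for the per-queue rx_head. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_FRAGS 4

struct frag { const uint8_t *data; size_t len; };

struct rx_skb {
    unsigned int nr_frags;        /* index of the next free frags[] slot */
    struct frag frags[MAX_FRAGS]; /* fixed-size, like skb_shared_info */
    size_t total_len;
};

struct rx_queue {
    struct rx_skb *head;     /* packet under assembly, NULL when idle */
    int discarding;          /* remaining fragments of a dropped packet */
    unsigned long overflow;  /* oversized packets seen: a detection hook */
};

/* Bounded append: the unpatched driver wrote frags[nr_frags] unchecked. */
static int add_fragment(struct rx_skb *skb, const uint8_t *data, size_t len)
{
    if (skb->nr_frags >= MAX_FRAGS)
        return -1;
    skb->frags[skb->nr_frags].data = data;
    skb->frags[skb->nr_frags].len = len;
    skb->nr_frags++;
    skb->total_len += len;
    return 0;
}

/* One rx descriptor: 1 = packet delivered, 0 = waiting, -1 = dropped.
 * On overflow the whole packet is discarded, including its later pieces. */
static int rx_fragment(struct rx_queue *q, struct rx_skb *skb,
                       const uint8_t *data, size_t len, int more)
{
    if (q->discarding) {            /* swallow the rest of a bad packet */
        if (!more)
            q->discarding = 0;
        return -1;
    }
    if (!q->head) {                 /* first fragment starts a new packet */
        memset(skb, 0, sizeof(*skb));
        q->head = skb;
    }
    if (add_fragment(q->head, data, len) < 0) {
        q->overflow++;
        q->head = NULL;
        q->discarding = more;
        return -1;
    }
    if (more)
        return 0;
    q->head = NULL;
    return 1;
}

/* Drive a packet of n equal fragments; returns the final rx_fragment() status. */
static int assemble(struct rx_queue *q, int n, struct rx_skb *skb)
{
    static const uint8_t buf[64] = {0};  /* constructed stand-in for a DMA buffer */
    int rc = 0;
    for (int i = 0; i < n; i++)
        rc = rx_fragment(q, skb, buf, sizeof(buf), i + 1 < n);
    return rc;
}
```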