Received: by 2002:a05:6a10:f3d0:0:0:0:0 with SMTP id a16csp728063pxv; Thu, 24 Jun 2021 19:14:48 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwSV3QY2MPL8TVPwojpPvrvB9zToR4xkhBaxeez2DPvYEPyvTyV9LBsa1t3+hUO8ElTC0I5 X-Received: by 2002:a17:906:58d4:: with SMTP id e20mr8352483ejs.461.1624587288693; Thu, 24 Jun 2021 19:14:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1624587288; cv=none; d=google.com; s=arc-20160816; b=D68Z9kI+7XzmCIaJt2EYyrTGT4hL28PqWtdCI3HGOROAJk2U/SnBcne7V1neQCNiUc oc6G4b0Qcah2qgX4Sv12r1qhwjSQqWsuMSIkQLeNDpx6CRJRmCXsjGa+lwolgx2rUKTE c0zWyUH4Q8c4l3gecVLnvLfFGlmHF6Hai2NzuDeAnwj37IYpQpRt1R0YOwY62tkpOHIJ QCZWsraVBq6Qgb81mUwyA8j1eIkCB+x5AxcZufM5d8G3mJdGYB1IC1EU6qhjDMRZY+Or Y6bQRhMqBS6+OL19raYBYecjkiAy9NYVdcobaALWA9F/UyCweMUyW/GMH9+ns/2nqafQ YqZg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:message-id:date:subject:cc:to:from; bh=uKes4Do/5frcsI7ssTHHESSbPRCvtkc5z7SXiqUWBKI=; b=PHV1sm0p5w3O+6hXvI6uBPpzX/Tx3wmzfDNQMo2eYyqsX4GIbbgNzWqM0VvvpKWoCK xlGZ6ofqqLFPKiqMlHs1P8nTJErw1tmKZQPaHnAZpw6T+Q/2eOudPde4L5EJUeyMmBYD SnqwjMAU+Z2hJb50jvAm/Cf3AMK1oTs/wX2yO7ho0YZHeg6wt7Hmhes8c9r04Lgo2cWJ ZWDtj7hnfxhiUwYnb6pLOgOWSH8nx+xQZi4OdiRIvBkeEC/eUpx5YJGfIcqI9hF7sSic OdwuYwU0GWquSlB/8Ul/A9hDRgq2NgVFxKEj5dsNjT5kost/IKl00nSnyPjiNFhjyA5X aq8Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=mediatek.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id t23si5348873ejs.156.2021.06.24.19.14.20; Thu, 24 Jun 2021 19:14:48 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=mediatek.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232966AbhFYCQZ (ORCPT + 99 others); Thu, 24 Jun 2021 22:16:25 -0400 Received: from mailgw01.mediatek.com ([60.244.123.138]:50074 "EHLO mailgw01.mediatek.com" rhost-flags-OK-FAIL-OK-FAIL) by vger.kernel.org with ESMTP id S232917AbhFYCQY (ORCPT ); Thu, 24 Jun 2021 22:16:24 -0400 X-UUID: 920f182bad42481693b4644af74b2946-20210625 X-UUID: 920f182bad42481693b4644af74b2946-20210625 Received: from mtkcas06.mediatek.inc [(172.21.101.30)] by mailgw01.mediatek.com (envelope-from ) (Generic MTA with TLSv1.2 ECDHE-RSA-AES256-SHA384 256/256) with ESMTP id 1553465030; Fri, 25 Jun 2021 10:14:02 +0800 Received: from mtkcas11.mediatek.inc (172.21.101.40) by mtkmbs06n1.mediatek.inc (172.21.101.129) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Fri, 25 Jun 2021 10:14:01 +0800 Received: from mtksdccf07.mediatek.inc (172.21.84.99) by mtkcas11.mediatek.inc (172.21.101.73) with Microsoft SMTP Server id 15.0.1497.2 via Frontend Transport; Fri, 25 Jun 2021 10:14:01 +0800 From: Shayne Chen To: Felix Fietkau CC: linux-wireless , Lorenzo Bianconi , Ryder Lee , Evelyn Tsai , linux-mediatek , Shayne Chen , Bo Jiao Subject: [PATCH] mt76: mt7915: fix potential overflow of eeprom page index Date: Fri, 25 Jun 2021 10:12:21 +0800 Message-ID: <20210625021221.10171-1-shayne.chen@mediatek.com> X-Mailer: git-send-email 2.18.0 MIME-Version: 1.0 Content-Type: text/plain X-MTK: N Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org If total eeprom size is divisible by per-page size, the i in for loop will exceed max page index, which happens in our newer chipset. Fixes: 26f18380e6ca ("mt76: mt7915: add support for flash mode") Signed-off-by: Bo Jiao Signed-off-by: Shayne Chen --- drivers/net/wireless/mediatek/mt76/mt7915/mcu.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c index c4e3ac2..0509953 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c +++ b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c @@ -3392,20 +3392,20 @@ int mt7915_mcu_set_chan_info(struct mt7915_phy *phy, int cmd) static int mt7915_mcu_set_eeprom_flash(struct mt7915_dev *dev) { -#define TOTAL_PAGE_MASK GENMASK(7, 5) +#define MAX_PAGE_IDX_MASK GENMASK(7, 5) #define PAGE_IDX_MASK GENMASK(4, 2) #define PER_PAGE_SIZE 0x400 struct mt7915_mcu_eeprom req = { .buffer_mode = EE_MODE_BUFFER }; - u8 total = MT7915_EEPROM_SIZE / PER_PAGE_SIZE; + u8 total = DIV_ROUND_UP(MT7915_EEPROM_SIZE, PER_PAGE_SIZE); u8 *eep = (u8 *)dev->mt76.eeprom.data; int eep_len; int i; - for (i = 0; i <= total; i++, eep += eep_len) { + for (i = 0; i < total; i++, eep += eep_len) { struct sk_buff *skb; int ret; - if (i == total) + if (i == total - 1 && MT7915_EEPROM_SIZE % PER_PAGE_SIZE) eep_len = MT7915_EEPROM_SIZE % PER_PAGE_SIZE; else eep_len = PER_PAGE_SIZE; @@ -3415,7 +3415,7 @@ static int mt7915_mcu_set_eeprom_flash(struct mt7915_dev *dev) if (!skb) return -ENOMEM; - req.format = FIELD_PREP(TOTAL_PAGE_MASK, total) | + req.format = FIELD_PREP(MAX_PAGE_IDX_MASK, total - 1) | FIELD_PREP(PAGE_IDX_MASK, i) | EE_FORMAT_WHOLE; req.len = cpu_to_le16(eep_len); -- 2.18.0