vzalloc may fail, dump might be null and will cause
illegal address access later.
Signed-off-by: Kang Chen <void0red@gmail.com>
---
drivers/net/wireless/mediatek/mt76/mt7615/mac.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
index a95602473..73d84c301 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
@@ -2367,6 +2367,9 @@ void mt7615_coredump_work(struct work_struct *work)
}
dump = vzalloc(MT76_CONNAC_COREDUMP_SZ);
+ if (!dump)
+ return;
+
data = dump;
while (true) {
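Review bot: the bare `return` at `if (!dump)` leaves the function before the `while (true)` loop that follows, so on allocation failure nothing that loop would have consumed or released is handled. If the loop is what drains and frees the queued buffers, keep running it and skip only the copy into `dump` and the final dump submission when `dump` is NULL. The commit message would also benefit from a Fixes tag naming the commit that introduced the unchecked `vzalloc()`.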
--
2.34.1
> vzalloc may fail, dump might be null and will cause > illegal address access later. can you please add a Fixes tag? Regards, Lorenzo > > Signed-off-by: Kang Chen <void0red@gmail.com> > --- > drivers/net/wireless/mediatek/mt76/mt7615/mac.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c > index a95602473..73d84c301 100644 > --- a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c > +++ b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c > @@ -2367,6 +2367,9 @@ void mt7615_coredump_work(struct work_struct *work) > } > > dump = vzalloc(MT76_CONNAC_COREDUMP_SZ); > + if (!dump) > + return; > + > data = dump; > > while (true) { > -- > 2.34.1 >
From: Kang Chen <void0red@gmail.com>
vzalloc may fail, dump might be null and will cause
illegal address access later.
Fixes: d2bf7959d9c0 ("mt76: mt7663: introduce coredump support")
Signed-off-by: Kang Chen <void0red@gmail.com>
---
v2 -> v1: add Fixes tag
drivers/net/wireless/mediatek/mt76/mt7615/mac.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
index a95602473..73d84c301 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
@@ -2367,6 +2367,9 @@ void mt7615_coredump_work(struct work_struct *work)
}
dump = vzalloc(MT76_CONNAC_COREDUMP_SZ);
+ if (!dump)
+ return;
+
data = dump;
while (true) {
--
2.34.1
> From: Kang Chen <void0red@gmail.com> > > vzalloc may fail, dump might be null and will cause > illegal address access later. > > Fixes: d2bf7959d9c0 ("mt76: mt7663: introduce coredump support") > Signed-off-by: Kang Chen <void0red@gmail.com> > --- > v2 -> v1: add Fixes tag > > drivers/net/wireless/mediatek/mt76/mt7615/mac.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c > index a95602473..73d84c301 100644 > --- a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c > +++ b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c > @@ -2367,6 +2367,9 @@ void mt7615_coredump_work(struct work_struct *work) > } > > dump = vzalloc(MT76_CONNAC_COREDUMP_SZ); > + if (!dump) > + return; > + > data = dump; > > while (true) { > -- > 2.34.1 > reviewing the code I guess the right approach would be the one used in mt7921_coredump_work(): - free pending skbs - not run dev_coredumpv() What do you think? Regards, Lorenzo
Hi, Lorenzo Thanks for your suggestions. I totally agree with you. Best regards, Kang Chen On Mon, Feb 27, 2023 at 10:07 PM Lorenzo Bianconi <lorenzo.bianconi@redhat.com> wrote: > > > From: Kang Chen <void0red@gmail.com> > > > > vzalloc may fail, dump might be null and will cause > > illegal address access later. > > > > Fixes: d2bf7959d9c0 ("mt76: mt7663: introduce coredump support") > > Signed-off-by: Kang Chen <void0red@gmail.com> > > --- > > v2 -> v1: add Fixes tag > > > > drivers/net/wireless/mediatek/mt76/mt7615/mac.c | 3 +++ > > 1 file changed, 3 insertions(+) > > > > diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c > > index a95602473..73d84c301 100644 > > --- a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c > > +++ b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c > > @@ -2367,6 +2367,9 @@ void mt7615_coredump_work(struct work_struct *work) > > } > > > > dump = vzalloc(MT76_CONNAC_COREDUMP_SZ); > > + if (!dump) > > + return; > > + > > data = dump; > > > > while (true) { > > -- > > 2.34.1 > > > > reviewing the code I guess the right approach would be the one used in > mt7921_coredump_work(): > - free pending skbs > - not run dev_coredumpv() > > What do you think? > > Regards, > Lorenzo
From: Kang Chen <void0red@gmail.com>
vzalloc may fail, dump might be null and will cause
illegal address access later.
Link: https://lore.kernel.org/all/Y%2Fy5Asxw3T3m4jCw@lore-desk
Fixes: d2bf7959d9c0 ("mt76: mt7663: introduce coredump support")
Signed-off-by: Kang Chen <void0red@gmail.com>
---
v3 -> v2: fix bugs
v2 -> v1: add Fixes tag
drivers/net/wireless/mediatek/mt76/mt7615/mac.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
index a95602473..796768011 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
@@ -2380,7 +2380,7 @@ void mt7615_coredump_work(struct work_struct *work)
break;
skb_pull(skb, sizeof(struct mt7615_mcu_rxd));
- if (data + skb->len - dump > MT76_CONNAC_COREDUMP_SZ) {
+ if (!dump || data + skb->len - dump > MT76_CONNAC_COREDUMP_SZ) {
dev_kfree_skb(skb);
continue;
}
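Review bot: folding `!dump` into the size test at `if (!dump || data + skb->len - dump > MT76_CONNAC_COREDUMP_SZ)` makes a loop-invariant allocation-failure case look like part of the bounds check. The short-circuit is correct (the pointer arithmetic is never evaluated with a NULL `dump`, and the skb is freed through the existing `dev_kfree_skb(skb); continue;` path), but a one-line comment saying the loop keeps running only to free queued skbs when `vzalloc()` failed would make the intent clear to the next reader.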
@@ -2390,6 +2390,8 @@ void mt7615_coredump_work(struct work_struct *work)
dev_kfree_skb(skb);
}
- dev_coredumpv(dev->mt76.dev, dump, MT76_CONNAC_COREDUMP_SZ,
- GFP_KERNEL);
+
+ if (dump)
+ dev_coredumpv(dev->mt76.dev, dump, MT76_CONNAC_COREDUMP_SZ,
+ GFP_KERNEL);
}
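Review bot: with the `if (dump)` guard in front of `dev_coredumpv()`, the failure path now frees the skbs and emits no coredump, but the commit message still describes only the NULL access and the changelog line says just "fix bugs". State in the message that pending skbs are still freed and `dev_coredumpv()` is skipped when `vzalloc()` fails, and make the changelog entry say what actually changed between v2 and v3.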
--
2.34.1
On Mon, Feb 27, 2023 at 10:48:23PM +0800, void0red wrote: > From: Kang Chen <void0red@gmail.com> > > vzalloc may fail, dump might be null and will cause > illegal address access later. > > Link: https://lore.kernel.org/all/Y%2Fy5Asxw3T3m4jCw@lore-desk > Fixes: d2bf7959d9c0 ("mt76: mt7663: introduce coredump support") > Signed-off-by: Kang Chen <void0red@gmail.com> Reviewed-by: Simon Horman <simon.horman@corigine.com>