From patchwork Mon Dec 3 12:24:13 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Felix Fietkau X-Patchwork-Id: 10709453 X-Patchwork-Delegate: kvalo@adurom.com Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id E697518A7 for ; Mon, 3 Dec 2018 12:24:19 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D85322A346 for ; Mon, 3 Dec 2018 12:24:19 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id CC6592B32B; Mon, 3 Dec 2018 12:24:19 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.7 required=2.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8425D2AE22 for ; Mon, 3 Dec 2018 12:24:19 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726458AbeLCMZH (ORCPT ); Mon, 3 Dec 2018 07:25:07 -0500 Received: from nbd.name ([46.4.11.11]:51622 "EHLO nbd.name" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726416AbeLCMZH (ORCPT ); Mon, 3 Dec 2018 07:25:07 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=nbd.name; s=20160729; h=Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc: MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=2qxjmdyFSCgf5+okDYpKrVFSvJViasxIw58Aa2d5UWs=; b=aJ4qRJ6BP6ZqcYZpSWhfSzki2+ g0XObtWVuz1pxoWTXbTSEwizMoCGxZc+3tRHuh5W+RIKIrmVQIrW4HB6rCnK92c7nY2Q5tIB9muq9 JNxqFXVzVtqzEyNtLwqPSaBjxWh58pMXIswGOKUOYtUgys2u9x4p08mYMJw0fl06jgcw=; Received: by maeck.lan (Postfix, from userid 501) id 79623480F7A8; Mon, 3 Dec 2018 13:24:15 +0100 (CET) From: Felix Fietkau To: linux-wireless@vger.kernel.org Subject: [PATCH 1/3] mt76: add size check for additional rx fragments Date: Mon, 3 Dec 2018 13:24:13 +0100 Message-Id: <20181203122415.22387-1-nbd@nbd.name> X-Mailer: git-send-email 2.17.0 Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP So far the code only validates the buffer size of the first skb. Extend this check to cover additional fragments as well, in case the size is corrupted during a DMA reset. Signed-off-by: Felix Fietkau --- drivers/net/wireless/mediatek/mt76/dma.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/net/wireless/mediatek/mt76/dma.c b/drivers/net/wireless/mediatek/mt76/dma.c index e2ba26378575..710a77fccf63 100644 --- a/drivers/net/wireless/mediatek/mt76/dma.c +++ b/drivers/net/wireless/mediatek/mt76/dma.c @@ -430,6 +430,14 @@ mt76_dma_rx_process(struct mt76_dev *dev, struct mt76_queue *q, int budget) if (!data) break; + if (q->buf_size < len + q->buf_offset) { + dev_kfree_skb(q->rx_head); + q->rx_head = NULL; + + skb_free_frag(data); + continue; + } + if (q->rx_head) { mt76_add_fragment(dev, q, data, len, more); continue;