Message ID | 20210323214737.53254-1-nbd@nbd.name (mailing list archive) |
---|---|
State | Accepted |
Delegated to: | Felix Fietkau |
Series | [5.12] mt76: fix potential DMA mapping leak |

Felix Fietkau <nbd@nbd.name> wrote:

> With buf uninitialized in mt76_dma_tx_queue_skb_raw, its field skip_unmap
> could potentially inherit a non-zero value from stack garbage.
> If this happens, it will cause DMA mappings for MCU command frames to not be
> unmapped after completion
>
> Fixes: 27d5c528a7ca ("mt76: fix double DMA unmap of the first buffer on 7615/7915")
> Cc: stable@vger.kernel.org
> Signed-off-by: Felix Fietkau <nbd@nbd.name>

Sorry, I missed this and I suspect it's now too late for v5.12. Felix, can you
instead take this to your tree so that we can get this to v5.13? I assigned
this to you on patchwork.

On 2021-04-11 10:47, Kalle Valo wrote:

> Felix Fietkau <nbd@nbd.name> wrote:
>
>> With buf uninitialized in mt76_dma_tx_queue_skb_raw, its field skip_unmap
>> could potentially inherit a non-zero value from stack garbage.
>> If this happens, it will cause DMA mappings for MCU command frames to not be
>> unmapped after completion
>>
>> Fixes: 27d5c528a7ca ("mt76: fix double DMA unmap of the first buffer on 7615/7915")
>> Cc: stable@vger.kernel.org
>> Signed-off-by: Felix Fietkau <nbd@nbd.name>
>
> Sorry, I missed this and I suspect it's now too late for v5.12. Felix, can you
> instead take this to your tree so that we can get this to v5.13? I assigned
> this to you on patchwork.

Will do. I plan on sending an updated pull request today.

- Felix

diff --git a/drivers/net/wireless/mediatek/mt76/dma.c b/drivers/net/wireless/mediatek/mt76/dma.c index 2f27c43ad76d..7196fa9047e6 100644 --- a/drivers/net/wireless/mediatek/mt76/dma.c +++ b/drivers/net/wireless/mediatek/mt76/dma.c @@ -309,7 +309,7 @@ static int mt76_dma_tx_queue_skb_raw(struct mt76_dev *dev, struct mt76_queue *q, struct sk_buff *skb, u32 tx_info) { - struct mt76_queue_buf buf; + struct mt76_queue_buf buf = {}; dma_addr_t addr; if (q->queued + 1 >= q->ndesc - 1)
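
Review bot: the declaration `struct mt76_queue_buf buf = {};` in mt76_dma_tx_queue_skb_raw leaves the dependency on skip_unmap being zero implicit, so a later refactor that drops the initializer would silently bring the leak back. A one-line comment at the declaration naming skip_unmap, or an explicit `buf.skip_unmap = false` where the other fields of buf are filled in, would document the requirement. Since the root cause is an on-stack struct mt76_queue_buf with only some fields assigned, it is also worth confirming that no other stack declaration of this struct in dma.c has the same pattern.
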
With buf uninitialized in mt76_dma_tx_queue_skb_raw, its field skip_unmap
could potentially inherit a non-zero value from stack garbage.
If this happens, it will cause DMA mappings for MCU command frames to not be
unmapped after completion

Fixes: 27d5c528a7ca ("mt76: fix double DMA unmap of the first buffer on 7615/7915")
Cc: stable@vger.kernel.org
Signed-off-by: Felix Fietkau <nbd@nbd.name>
---
 drivers/net/wireless/mediatek/mt76/dma.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
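
A userspace model of the leak described in the commit message, added here as an illustration and not code from the mt76 driver. The struct layout, the helper names and the `stale` parameter (which stands in for leftover stack contents) are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userspace model. Layout is assumed; only skip_unmap is named on the page. */
struct queue_buf {
    uint64_t addr;
    uint16_t len;
    uint8_t skip_unmap; /* non-zero: completion must not unmap this buffer */
};

static int active_mappings; /* stands in for live DMA mappings */

static void model_complete(const struct queue_buf *buf)
{
    if (!buf->skip_unmap)
        active_mappings--;
}

/* stale simulates leftover stack bytes (a real uninitialized read is
 * undefined behaviour); zero_init selects the patched "= {}" declaration. */
static void queue_raw_frame(int zero_init, uint8_t stale)
{
    struct queue_buf buf;

    memset(&buf, zero_init ? 0 : stale, sizeof(buf));
    active_mappings++;          /* dma map of the frame */
    buf.addr = 0x1000;
    buf.len = 64;               /* skip_unmap is never assigned here */
    model_complete(&buf);
}

static int leaked_after(int frames, int zero_init, uint8_t stale)
{
    active_mappings = 0;
    for (int i = 0; i < frames; i++)
        queue_raw_frame(zero_init, stale);
    return active_mappings;
}

int main(void)
{
    printf("unpatched, stale 0xa5: %d leaked\n", leaked_after(8, 0, 0xa5));
    printf("unpatched, stale 0x00: %d leaked\n", leaked_after(8, 0, 0x00));
    printf("patched,   stale 0xa5: %d leaked\n", leaked_after(8, 1, 0xa5));
    return 0;
}
```

The second case shows why such a bug can go unnoticed: when the stale bytes happen to be zero, the unpatched path behaves correctly.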