projects / platform / kernel / linux-rpi.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: d091771)
wifi: rtl8xxxu: tighten bounds checking in rtl8xxxu_read_efuse()
authorDan Carpenter <dan.carpenter@oracle.com>
Fri, 19 Aug 2022 05:22:32 +0000 (08:22 +0300)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 26 Oct 2022 10:34:41 +0000 (12:34 +0200)
[ Upstream commit 620d5eaeb9059636864bda83ca1c68c20ede34a5 ]

There some bounds checking to ensure that "map_addr" is not out of
bounds before the start of the loop.  But the checking needs to be
done as we iterate through the loop because "map_addr" gets larger as
we iterate.

Fixes: 26f1fad29ad9 ("New driver: rtl8xxxu (mac80211)")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Jes Sorensen <Jes.Sorensen@gmail.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/Yv8eGLdBslLAk3Ct@kili
Signed-off-by: Sasha Levin <sashal@kernel.org>
drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c patch | blob | history

diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
index 774341b..30a2e93 100644 (file)
--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
@@ -1874,13 +1874,6 @@ static int rtl8xxxu_read_efuse(struct rtl8xxxu_priv *priv)
 
                /* We have 8 bits to indicate validity */
                map_addr = offset * 8;
-               if (map_addr >= EFUSE_MAP_LEN) {
-                       dev_warn(dev, "%s: Illegal map_addr (%04x), "
-                                "efuse corrupt!\n",
-                                __func__, map_addr);
-                       ret = -EINVAL;
-                       goto exit;
-               }
                for (i = 0; i < EFUSE_MAX_WORD_UNIT; i++) {
                        /* Check word enable condition in the section */
                        if (word_mask & BIT(i)) {
@@ -1891,6 +1884,13 @@ static int rtl8xxxu_read_efuse(struct rtl8xxxu_priv *priv)
                        ret = rtl8xxxu_read_efuse8(priv, efuse_addr++, &val8);
                        if (ret)
                                goto exit;
+                       if (map_addr >= EFUSE_MAP_LEN - 1) {
+                               dev_warn(dev, "%s: Illegal map_addr (%04x), "
+                                        "efuse corrupt!\n",
+                                        __func__, map_addr);
+                               ret = -EINVAL;
+                               goto exit;
+                       }
                        priv->efuse_wifi.raw[map_addr++] = val8;
 
                        ret = rtl8xxxu_read_efuse8(priv, efuse_addr++, &val8);
Domain: System / Kernel;