Patch "wifi: rtl8xxxu: tighten bounds checking in rtl8xxxu_read_efuse()" has been added to the 4.19-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 16 Oct 2022 23:52:15 -0400

This is a note to let you know that I've just added the patch titled

    wifi: rtl8xxxu: tighten bounds checking in rtl8xxxu_read_efuse()

to the 4.19-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     wifi-rtl8xxxu-tighten-bounds-checking-in-rtl8xxxu_re.patch
and it can be found in the queue-4.19 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit a1937925bfb637f225cf675addb47d8d414454d3
Author: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Date:   Fri Aug 19 08:22:32 2022 +0300

    wifi: rtl8xxxu: tighten bounds checking in rtl8xxxu_read_efuse()
    
    [ Upstream commit 620d5eaeb9059636864bda83ca1c68c20ede34a5 ]
    
    There some bounds checking to ensure that "map_addr" is not out of
    bounds before the start of the loop.  But the checking needs to be
    done as we iterate through the loop because "map_addr" gets larger as
    we iterate.
    
    Fixes: 26f1fad29ad9 ("New driver: rtl8xxxu (mac80211)")
    Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
    Acked-by: Jes Sorensen <Jes.Sorensen@xxxxxxxxx>
    Signed-off-by: Kalle Valo <kvalo@xxxxxxxxxx>
    Link: https://lore.kernel.org/r/Yv8eGLdBslLAk3Ct@kili
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
index b80cff96dea1..dd345ed1a717 100644
--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
@@ -1879,13 +1879,6 @@ static int rtl8xxxu_read_efuse(struct rtl8xxxu_priv *priv)
 
 		/* We have 8 bits to indicate validity */
 		map_addr = offset * 8;
-		if (map_addr >= EFUSE_MAP_LEN) {
-			dev_warn(dev, "%s: Illegal map_addr (%04x), "
-				 "efuse corrupt!\n",
-				 __func__, map_addr);
-			ret = -EINVAL;
-			goto exit;
-		}
 		for (i = 0; i < EFUSE_MAX_WORD_UNIT; i++) {
 			/* Check word enable condition in the section */
 			if (word_mask & BIT(i)) {
@@ -1896,6 +1889,13 @@ static int rtl8xxxu_read_efuse(struct rtl8xxxu_priv *priv)
 			ret = rtl8xxxu_read_efuse8(priv, efuse_addr++, &val8);
 			if (ret)
 				goto exit;
+			if (map_addr >= EFUSE_MAP_LEN - 1) {
+				dev_warn(dev, "%s: Illegal map_addr (%04x), "
+					 "efuse corrupt!\n",
+					 __func__, map_addr);
+				ret = -EINVAL;
+				goto exit;
+			}
 			priv->efuse_wifi.raw[map_addr++] = val8;
 
 			ret = rtl8xxxu_read_efuse8(priv, efuse_addr++, &val8);






