diff mbox series

[v4,1/2] mt76: mt7915: fix hwmon temp sensor mem use-after-free

Message ID 9f5b0cf6c4296d3a9e78a95516cf26d1db4baba9.1627696765.git.ryder.lee@mediatek.com (mailing list archive)
State New, archived
Headers show
Series [v4,1/2] mt76: mt7915: fix hwmon temp sensor mem use-after-free | expand

Commit Message

Ryder Lee July 31, 2021, 2:17 a.m. UTC
From: Ben Greear <greearb@candelatech.com>

Without this change, garbage is seen in the hwmon name
and sensors output for mt7915 is garbled.

With the change:

mt7915-pci-1400
Adapter: PCI adapter
temp1:        +49.0°C

Fixes: d6938251bb5b (mt76: mt7915: add thermal sensor device support)
Signed-off-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
---
v4:  Simplify flow.
v3:  Add 'fixes' tag to aid backports.
---
 drivers/net/wireless/mediatek/mt76/mt7915/init.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

Comments

Felix Fietkau Aug. 13, 2021, 10:15 a.m. UTC | #1
On 2021-07-31 04:17, Ryder Lee wrote:
> From: Ben Greear <greearb@candelatech.com>
> 
> Without this change, garbage is seen in the hwmon name
> and sensors output for mt7915 is garbled.
Where does the use-after-free bug come from? It's not obvious to me why
using KBUILD_MODNAME instead of wiphy_name() fixes it.
I still think the phy name should probably be part of the prefix.

> With the change:
> 
> mt7915-pci-1400
> Adapter: PCI adapter
> temp1:        +49.0°C
> 
> Fixes: d6938251bb5b (mt76: mt7915: add thermal sensor device support)
The format is wrong (missing quotes), and the hash references a commit
that's not in any upstream tree.

- Felix
Ben Greear Aug. 13, 2021, 1:54 p.m. UTC | #2
On 8/13/21 3:15 AM, Felix Fietkau wrote:
> 
> On 2021-07-31 04:17, Ryder Lee wrote:
>> From: Ben Greear <greearb@candelatech.com>
>>
>> Without this change, garbage is seen in the hwmon name
>> and sensors output for mt7915 is garbled.
> Where does the use-after-free bug come from? It's not obvious to me why
> using KBUILD_MODNAME instead of wiphy_name() fixes it.
> I still think the phy name should probably be part of the prefix.

We rename phy devices as part of our normal operation, I think maybe
that helps trigger the bug.

It appears that the hwmon logic does not make a copy of the incoming string,
but instead just copies a char* and expects it to never go away.  But,
I did not actually verify that.

Thanks,
Ben

> 
>> With the change:
>>
>> mt7915-pci-1400
>> Adapter: PCI adapter
>> temp1:        +49.0°C
>>
>> Fixes: d6938251bb5b (mt76: mt7915: add thermal sensor device support)
> The format is wrong (missing quotes), and the hash references a commit
> that's not in any upstream tree.
> 
> - Felix
>
Felix Fietkau Aug. 13, 2021, 2:08 p.m. UTC | #3
On 2021-08-13 15:54, Ben Greear wrote:
> On 8/13/21 3:15 AM, Felix Fietkau wrote:
>> 
>> On 2021-07-31 04:17, Ryder Lee wrote:
>>> From: Ben Greear <greearb@candelatech.com>
>>>
>>> Without this change, garbage is seen in the hwmon name
>>> and sensors output for mt7915 is garbled.
>> Where does the use-after-free bug come from? It's not obvious to me why
>> using KBUILD_MODNAME instead of wiphy_name() fixes it.
>> I still think the phy name should probably be part of the prefix.
> 
> We rename phy devices as part of our normal operation, I think maybe
> that helps trigger the bug.
> 
> It appears that the hwmon logic does not make a copy of the incoming string,
> but instead just copies a char* and expects it to never go away.  But,
> I did not actually verify that.
That makes sense. It seems that thermal copies the string internally,
but hwmon does not.
How about using devm_kstrdup on the wiphy name instead of using
KBUILD_MODNAME? If you really don't want to use the initial phy name,
there's also the option of using dev_name(dev->mt76.dev)

- Felix
diff mbox series

Patch

diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/init.c b/drivers/net/wireless/mediatek/mt76/mt7915/init.c
index 77c7486d6a5c..a1b9e1b3f700 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7915/init.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7915/init.c
@@ -155,13 +155,13 @@  static void mt7915_unregister_thermal(struct mt7915_phy *phy)
 	thermal_cooling_device_unregister(phy->cdev);
 }
 
-static int mt7915_thermal_init(struct mt7915_phy *phy)
+static int mt7915_thermal_init(struct mt7915_phy *phy, const char *prefix)
 {
 	struct wiphy *wiphy = phy->mt76->hw->wiphy;
 	struct thermal_cooling_device *cdev;
 	struct device *hwmon;
 
-	cdev = thermal_cooling_device_register(wiphy_name(wiphy), phy,
+	cdev = thermal_cooling_device_register(prefix, phy,
 					       &mt7915_thermal_ops);
 	if (!IS_ERR(cdev)) {
 		if (sysfs_create_link(&wiphy->dev.kobj, &cdev->device.kobj,
@@ -175,7 +175,7 @@  static int mt7915_thermal_init(struct mt7915_phy *phy)
 		return 0;
 
 	hwmon = devm_hwmon_device_register_with_groups(&wiphy->dev,
-						       wiphy_name(wiphy), phy,
+						       prefix, phy,
 						       mt7915_hwmon_groups);
 	if (IS_ERR(hwmon))
 		return PTR_ERR(hwmon);
@@ -403,7 +403,7 @@  static int mt7915_register_ext_phy(struct mt7915_dev *dev)
 	if (ret)
 		goto error;
 
-	ret = mt7915_thermal_init(phy);
+	ret = mt7915_thermal_init(phy, KBUILD_MODNAME "-ext");
 	if (ret)
 		goto error;
 
@@ -853,7 +853,7 @@  int mt7915_register_device(struct mt7915_dev *dev)
 	if (ret)
 		return ret;
 
-	ret = mt7915_thermal_init(&dev->phy);
+	ret = mt7915_thermal_init(&dev->phy, KBUILD_MODNAME);
 	if (ret)
 		return ret;