From: kernel test robot <lkp@intel.com>
To: kbuild@lists.01.org
Subject: drivers/net/wireless/ath/ath9k/htc_hst.c:344 ath9k_htc_txcompletion_cb() warn: potential spectre issue 'htc_handle->endpoint' (local cap)
Date: Fri, 01 Jan 2021 09:44:45 +0800 [thread overview]
Message-ID: <202101010940.VCvt9MIW-lkp@intel.com> (raw)
[-- Attachment #1: Type: text/plain, Size: 4503 bytes --]
CC: kbuild-all(a)lists.01.org
CC: linux-kernel(a)vger.kernel.org
TO: Dan Carpenter <error27@gmail.com>
CC: Kalle Valo <kvalo@codeaurora.org>
tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head: f6e1ea19649216156576aeafa784e3b4cee45549
commit: 2705cd7558e718a7240c64eb0afb2edad5f8c190 ath9k: Fix potential out of bounds in ath9k_htc_txcompletion_cb()
date: 5 months ago
:::::: branch date: 30 hours ago
:::::: commit date: 5 months ago
config: i386-randconfig-m021-20201231 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-15) 9.3.0
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
New smatch warnings:
drivers/net/wireless/ath/ath9k/htc_hst.c:344 ath9k_htc_txcompletion_cb() warn: potential spectre issue 'htc_handle->endpoint' [r] (local cap)
Old smatch warnings:
drivers/net/wireless/ath/ath9k/htc_hst.c:459 ath9k_htc_rx_msg() warn: potential spectre issue 'htc_handle->endpoint' [r] (local cap)
vim +344 drivers/net/wireless/ath/ath9k/htc_hst.c
fb9987d0f748c98 Sujith 2010-03-17 321
fb9987d0f748c98 Sujith 2010-03-17 322 void ath9k_htc_txcompletion_cb(struct htc_target *htc_handle,
fb9987d0f748c98 Sujith 2010-03-17 323 struct sk_buff *skb, bool txok)
fb9987d0f748c98 Sujith 2010-03-17 324 {
fb9987d0f748c98 Sujith 2010-03-17 325 struct htc_endpoint *endpoint;
0fa35a5836df2b8 Ming Lei 2010-04-13 326 struct htc_frame_hdr *htc_hdr = NULL;
fb9987d0f748c98 Sujith 2010-03-17 327
fb9987d0f748c98 Sujith 2010-03-17 328 if (htc_handle->htc_flags & HTC_OP_CONFIG_PIPE_CREDITS) {
fb9987d0f748c98 Sujith 2010-03-17 329 complete(&htc_handle->cmd_wait);
fb9987d0f748c98 Sujith 2010-03-17 330 htc_handle->htc_flags &= ~HTC_OP_CONFIG_PIPE_CREDITS;
f984d94c500c790 Sujith 2010-04-06 331 goto ret;
fb9987d0f748c98 Sujith 2010-03-17 332 }
fb9987d0f748c98 Sujith 2010-03-17 333
fb9987d0f748c98 Sujith 2010-03-17 334 if (htc_handle->htc_flags & HTC_OP_START_WAIT) {
fb9987d0f748c98 Sujith 2010-03-17 335 complete(&htc_handle->cmd_wait);
fb9987d0f748c98 Sujith 2010-03-17 336 htc_handle->htc_flags &= ~HTC_OP_START_WAIT;
f984d94c500c790 Sujith 2010-04-06 337 goto ret;
fb9987d0f748c98 Sujith 2010-03-17 338 }
fb9987d0f748c98 Sujith 2010-03-17 339
fb9987d0f748c98 Sujith 2010-03-17 340 if (skb) {
fb9987d0f748c98 Sujith 2010-03-17 341 htc_hdr = (struct htc_frame_hdr *) skb->data;
2705cd7558e718a Dan Carpenter 2020-08-13 342 if (htc_hdr->endpoint_id >= ARRAY_SIZE(htc_handle->endpoint))
2705cd7558e718a Dan Carpenter 2020-08-13 343 goto ret;
fb9987d0f748c98 Sujith 2010-03-17 @344 endpoint = &htc_handle->endpoint[htc_hdr->endpoint_id];
fb9987d0f748c98 Sujith 2010-03-17 345 skb_pull(skb, sizeof(struct htc_frame_hdr));
fb9987d0f748c98 Sujith 2010-03-17 346
fb9987d0f748c98 Sujith 2010-03-17 347 if (endpoint->ep_callbacks.tx) {
f66890724fb3131 Sujith 2010-04-23 348 endpoint->ep_callbacks.tx(endpoint->ep_callbacks.priv,
f66890724fb3131 Sujith 2010-04-23 349 skb, htc_hdr->endpoint_id,
f66890724fb3131 Sujith 2010-04-23 350 txok);
0981c3b24ef664f Sujith Manoharan 2013-01-09 351 } else {
0981c3b24ef664f Sujith Manoharan 2013-01-09 352 kfree_skb(skb);
fb9987d0f748c98 Sujith 2010-03-17 353 }
fb9987d0f748c98 Sujith 2010-03-17 354 }
f984d94c500c790 Sujith 2010-04-06 355
f984d94c500c790 Sujith 2010-04-06 356 return;
f984d94c500c790 Sujith 2010-04-06 357 ret:
0fa35a5836df2b8 Ming Lei 2010-04-13 358 kfree_skb(skb);
fb9987d0f748c98 Sujith 2010-03-17 359 }
fb9987d0f748c98 Sujith 2010-03-17 360
:::::: The code at line 344 was first introduced by commit
:::::: fb9987d0f748c983bb795a86f47522313f701a08 ath9k_htc: Support for AR9271 chipset.
:::::: TO: Sujith <Sujith.Manoharan@atheros.com>
:::::: CC: John W. Linville <linville@tuxdriver.com>
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org
[-- Attachment #2: config.gz --]
[-- Type: application/gzip, Size: 34122 bytes --]
reply other threads:[~2021-01-01 1:44 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202101010940.VCvt9MIW-lkp@intel.com \
--to=lkp@intel.com \
--cc=kbuild@lists.01.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.