From: kernel test robot <lkp@intel.com>
To: oe-kbuild@lists.linux.dev
Cc: lkp@intel.com, Dan Carpenter <error27@gmail.com>
Subject: net/wireless/scan.c:367 cfg80211_gen_new_ie() warn: potential spectre issue 'sub->data' [r]
Date: Sun, 17 Sep 2023 22:49:59 +0800 [thread overview]
Message-ID: <202309172255.IJ46mosc-lkp@intel.com> (raw)
BCC: lkp@intel.com
CC: oe-kbuild-all@lists.linux.dev
CC: linux-kernel@vger.kernel.org
TO: Benjamin Berg <benjamin.berg@intel.com>
CC: Johannes Berg <johannes.berg@intel.com>
CC: Gregory Greenman <gregory.greenman@intel.com>
tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head: f0b0d403eabbe135d8dbb40ad5e41018947d336c
commit: dfd9aa3e7a456d57b18021d66472ab7ff8373ab7 wifi: cfg80211: rewrite merging of inherited elements
date: 3 months ago
:::::: branch date: 16 hours ago
:::::: commit date: 3 months ago
config: x86_64-randconfig-161-20230917 (https://download.01.org/0day-ci/archive/20230917/202309172255.IJ46mosc-lkp@intel.com/config)
compiler: gcc-12 (Debian 12.2.0-14) 12.2.0
reproduce: (https://download.01.org/0day-ci/archive/20230917/202309172255.IJ46mosc-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags:
| Reported-by: kernel test robot <lkp@intel.com>
| Reported-by: Dan Carpenter <error27@gmail.com>
| Closes: https://lore.kernel.org/r/202309172255.IJ46mosc-lkp@intel.com/
New smatch warnings:
net/wireless/scan.c:367 cfg80211_gen_new_ie() warn: potential spectre issue 'sub->data' [r]
net/wireless/scan.c:391 cfg80211_gen_new_ie() warn: possible spectre second half. 'ext_id'
Old smatch warnings:
net/wireless/scan.c:400 cfg80211_gen_new_ie() warn: possible spectre second half. 'ext_id'
vim +367 net/wireless/scan.c
f7dacfb11475ba Sara Sharon 2019-03-15 299
/*
 * cfg80211_gen_new_ie() - merge the parent elements (ie/ielen) with the
 * elements in subie/subie_len and write the result to new_ie.
 *
 * Returns the number of bytes written (pos - new_ie), or 0 as soon as
 * cfg80211_copy_elem_with_frags() reports failure.
 *
 * NOTE(review): both inputs are walked as id/length/data elements and the
 * lengths are read from the buffers themselves. Presumably these buffers
 * hold elements from received frames, i.e. untrusted data - confirm at the
 * callers, which are not part of this listing. Lines marked '@' in the
 * gutter are the ones smatch reported.
 */
dfd9aa3e7a456d Benjamin Berg 2023-06-16 300 static size_t cfg80211_gen_new_ie(const u8 *ie, size_t ielen,
dfd9aa3e7a456d Benjamin Berg 2023-06-16 301 const u8 *subie, size_t subie_len,
dfd9aa3e7a456d Benjamin Berg 2023-06-16 302 u8 *new_ie, size_t new_ie_len)
dfd9aa3e7a456d Benjamin Berg 2023-06-16 303 {
dfd9aa3e7a456d Benjamin Berg 2023-06-16 304 const struct element *non_inherit_elem, *parent, *sub;
dfd9aa3e7a456d Benjamin Berg 2023-06-16 305 u8 *pos = new_ie;
dfd9aa3e7a456d Benjamin Berg 2023-06-16 306 u8 id, ext_id;
dfd9aa3e7a456d Benjamin Berg 2023-06-16 307 unsigned int match_len;
dfd9aa3e7a456d Benjamin Berg 2023-06-16 308
dfd9aa3e7a456d Benjamin Berg 2023-06-16 309 non_inherit_elem = cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
dfd9aa3e7a456d Benjamin Berg 2023-06-16 310 subie, subie_len);
dfd9aa3e7a456d Benjamin Berg 2023-06-16 311
dfd9aa3e7a456d Benjamin Berg 2023-06-16 312 /* We copy the elements one by one from the parent to the generated
dfd9aa3e7a456d Benjamin Berg 2023-06-16 313 * elements.
dfd9aa3e7a456d Benjamin Berg 2023-06-16 314 * If they are not inherited (included in subie or in the non
dfd9aa3e7a456d Benjamin Berg 2023-06-16 315 * inheritance element), then we copy all occurrences the first time
dfd9aa3e7a456d Benjamin Berg 2023-06-16 316 * we see this element type.
0b8fb8235be8be Peng Xu 2019-01-21 317 */
dfd9aa3e7a456d Benjamin Berg 2023-06-16 318 for_each_element(parent, ie, ielen) {
dfd9aa3e7a456d Benjamin Berg 2023-06-16 319 if (parent->id == WLAN_EID_FRAGMENT)
dfd9aa3e7a456d Benjamin Berg 2023-06-16 320 continue;
0b8fb8235be8be Peng Xu 2019-01-21 321
dfd9aa3e7a456d Benjamin Berg 2023-06-16 322 if (parent->id == WLAN_EID_EXTENSION) {
dfd9aa3e7a456d Benjamin Berg 2023-06-16 323 if (parent->datalen < 1)
0b8fb8235be8be Peng Xu 2019-01-21 324 continue;
dfd9aa3e7a456d Benjamin Berg 2023-06-16 325
dfd9aa3e7a456d Benjamin Berg 2023-06-16 326 id = WLAN_EID_EXTENSION;
dfd9aa3e7a456d Benjamin Berg 2023-06-16 327 ext_id = parent->data[0];
dfd9aa3e7a456d Benjamin Berg 2023-06-16 328 match_len = 1;
dfd9aa3e7a456d Benjamin Berg 2023-06-16 329 } else {
dfd9aa3e7a456d Benjamin Berg 2023-06-16 330 id = parent->id;
dfd9aa3e7a456d Benjamin Berg 2023-06-16 331 match_len = 0;
0b8fb8235be8be Peng Xu 2019-01-21 332 }
0b8fb8235be8be Peng Xu 2019-01-21 333
dfd9aa3e7a456d Benjamin Berg 2023-06-16 334 /* Find first occurrence in subie */
dfd9aa3e7a456d Benjamin Berg 2023-06-16 335 sub = cfg80211_find_elem_match(id, subie, subie_len,
dfd9aa3e7a456d Benjamin Berg 2023-06-16 336 &ext_id, match_len, 0);
c17fe043a3b792 Sara Sharon 2019-01-29 337
dfd9aa3e7a456d Benjamin Berg 2023-06-16 338 /* Copy from parent if not in subie and inherited */
dfd9aa3e7a456d Benjamin Berg 2023-06-16 339 if (!sub &&
dfd9aa3e7a456d Benjamin Berg 2023-06-16 340 cfg80211_is_element_inherited(parent, non_inherit_elem)) {
dfd9aa3e7a456d Benjamin Berg 2023-06-16 341 if (!cfg80211_copy_elem_with_frags(parent,
dfd9aa3e7a456d Benjamin Berg 2023-06-16 342 ie, ielen,
dfd9aa3e7a456d Benjamin Berg 2023-06-16 343 &pos, new_ie,
dfd9aa3e7a456d Benjamin Berg 2023-06-16 344 new_ie_len))
dfd9aa3e7a456d Benjamin Berg 2023-06-16 345 return 0;
f7dacfb11475ba Sara Sharon 2019-03-15 346
dfd9aa3e7a456d Benjamin Berg 2023-06-16 347 continue;
0b8fb8235be8be Peng Xu 2019-01-21 348 }
dfd9aa3e7a456d Benjamin Berg 2023-06-16 349
dfd9aa3e7a456d Benjamin Berg 2023-06-16 350 /* Already copied if an earlier element had the same type */
dfd9aa3e7a456d Benjamin Berg 2023-06-16 351 if (cfg80211_find_elem_match(id, ie, (u8 *)parent - ie,
dfd9aa3e7a456d Benjamin Berg 2023-06-16 352 &ext_id, match_len, 0))
dfd9aa3e7a456d Benjamin Berg 2023-06-16 353 continue;
dfd9aa3e7a456d Benjamin Berg 2023-06-16 354
dfd9aa3e7a456d Benjamin Berg 2023-06-16 355 /* Not inheriting, copy all similar elements from subie */
dfd9aa3e7a456d Benjamin Berg 2023-06-16 356 while (sub) {
dfd9aa3e7a456d Benjamin Berg 2023-06-16 357 if (!cfg80211_copy_elem_with_frags(sub,
dfd9aa3e7a456d Benjamin Berg 2023-06-16 358 subie, subie_len,
dfd9aa3e7a456d Benjamin Berg 2023-06-16 359 &pos, new_ie,
dfd9aa3e7a456d Benjamin Berg 2023-06-16 360 new_ie_len))
dfd9aa3e7a456d Benjamin Berg 2023-06-16 361 return 0;
dfd9aa3e7a456d Benjamin Berg 2023-06-16 362
/*
 * NOTE(review): smatch warning for line 367. The start pointer and the
 * remaining length of the next search are both derived from sub->datalen,
 * a length read from the subie buffer. The subtraction only stays
 * non-negative if sub lies entirely inside subie; presumably
 * cfg80211_find_elem_match() guarantees that architecturally - confirm,
 * the helper is not shown. What needs triage is whether that bounds check
 * can be bypassed under speculation. smatch's Spectre check is heuristic,
 * so a hit is a prompt to review, not a confirmed gadget. For a confirmed
 * case the usual kernel mitigation is to clamp the value with
 * array_index_nospec() right after the bounds check.
 */
dfd9aa3e7a456d Benjamin Berg 2023-06-16 363 sub = cfg80211_find_elem_match(id,
dfd9aa3e7a456d Benjamin Berg 2023-06-16 364 sub->data + sub->datalen,
dfd9aa3e7a456d Benjamin Berg 2023-06-16 365 subie_len + subie -
dfd9aa3e7a456d Benjamin Berg 2023-06-16 366 (sub->data +
dfd9aa3e7a456d Benjamin Berg 2023-06-16 @367 sub->datalen),
dfd9aa3e7a456d Benjamin Berg 2023-06-16 368 &ext_id, match_len, 0);
0b8fb8235be8be Peng Xu 2019-01-21 369 }
0b8fb8235be8be Peng Xu 2019-01-21 370 }
0b8fb8235be8be Peng Xu 2019-01-21 371
dfd9aa3e7a456d Benjamin Berg 2023-06-16 372 /* The above misses elements that are included in subie but not in the
dfd9aa3e7a456d Benjamin Berg 2023-06-16 373 * parent, so do a pass over subie and append those.
dfd9aa3e7a456d Benjamin Berg 2023-06-16 374 * Skip the non-tx BSSID caps and non-inheritance element.
dfd9aa3e7a456d Benjamin Berg 2023-06-16 375 */
dfd9aa3e7a456d Benjamin Berg 2023-06-16 376 for_each_element(sub, subie, subie_len) {
dfd9aa3e7a456d Benjamin Berg 2023-06-16 377 if (sub->id == WLAN_EID_NON_TX_BSSID_CAP)
dfd9aa3e7a456d Benjamin Berg 2023-06-16 378 continue;
dfd9aa3e7a456d Benjamin Berg 2023-06-16 379
dfd9aa3e7a456d Benjamin Berg 2023-06-16 380 if (sub->id == WLAN_EID_FRAGMENT)
dfd9aa3e7a456d Benjamin Berg 2023-06-16 381 continue;
0b8fb8235be8be Peng Xu 2019-01-21 382
dfd9aa3e7a456d Benjamin Berg 2023-06-16 383 if (sub->id == WLAN_EID_EXTENSION) {
dfd9aa3e7a456d Benjamin Berg 2023-06-16 384 if (sub->datalen < 1)
dfd9aa3e7a456d Benjamin Berg 2023-06-16 385 continue;
dfd9aa3e7a456d Benjamin Berg 2023-06-16 386
dfd9aa3e7a456d Benjamin Berg 2023-06-16 387 id = WLAN_EID_EXTENSION;
dfd9aa3e7a456d Benjamin Berg 2023-06-16 388 ext_id = sub->data[0];
dfd9aa3e7a456d Benjamin Berg 2023-06-16 389 match_len = 1;
dfd9aa3e7a456d Benjamin Berg 2023-06-16 390
/*
 * NOTE(review): smatch warning for line 391 ("second half"). ext_id was
 * loaded from sub->data[0] just above, guarded only by the datalen < 1
 * check, and smatch flags the later use of that loaded value. In this
 * function it is compared with a constant and passed by address to
 * cfg80211_find_elem_match(); whether the helper uses it in an address
 * computation is not visible in this listing - check there before
 * deciding whether this is a false positive.
 */
dfd9aa3e7a456d Benjamin Berg 2023-06-16 @391 if (ext_id == WLAN_EID_EXT_NON_INHERITANCE)
dfd9aa3e7a456d Benjamin Berg 2023-06-16 392 continue;
dfd9aa3e7a456d Benjamin Berg 2023-06-16 393 } else {
dfd9aa3e7a456d Benjamin Berg 2023-06-16 394 id = sub->id;
dfd9aa3e7a456d Benjamin Berg 2023-06-16 395 match_len = 0;
0b8fb8235be8be Peng Xu 2019-01-21 396 }
0b8fb8235be8be Peng Xu 2019-01-21 397
dfd9aa3e7a456d Benjamin Berg 2023-06-16 398 /* Processed if one was included in the parent */
dfd9aa3e7a456d Benjamin Berg 2023-06-16 399 if (cfg80211_find_elem_match(id, ie, ielen,
dfd9aa3e7a456d Benjamin Berg 2023-06-16 400 &ext_id, match_len, 0))
dfd9aa3e7a456d Benjamin Berg 2023-06-16 401 continue;
dfd9aa3e7a456d Benjamin Berg 2023-06-16 402
dfd9aa3e7a456d Benjamin Berg 2023-06-16 403 if (!cfg80211_copy_elem_with_frags(sub, subie, subie_len,
dfd9aa3e7a456d Benjamin Berg 2023-06-16 404 &pos, new_ie, new_ie_len))
dfd9aa3e7a456d Benjamin Berg 2023-06-16 405 return 0;
0b8fb8235be8be Peng Xu 2019-01-21 406 }
0b8fb8235be8be Peng Xu 2019-01-21 407
0b8fb8235be8be Peng Xu 2019-01-21 408 return pos - new_ie;
0b8fb8235be8be Peng Xu 2019-01-21 409 }
0b8fb8235be8be Peng Xu 2019-01-21 410
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki