From: Stanislaw Gruszka <stf_xl@wp.pl>
To: Ben Hutchings <ben@decadent.org.uk>
Cc: linux-wireless@vger.kernel.org,
"Martin-Éric Racine" <martin-eric.racine@iki.fi>,
"Brandon Nielsen" <nielsenb@jetfuse.net>
Subject: Re: [PATCH] wifi: iwlegacy: Fix "field-spanning write" warning in il_enqueue_hcmd()
Date: Thu, 12 Sep 2024 10:39:59 +0200 [thread overview]
Message-ID: <20240912083959.GA132706@wp.pl> (raw)
In-Reply-To: <ZuIhQRi/791vlUhE@decadent.org.uk>
On Thu, Sep 12, 2024 at 01:01:21AM +0200, Ben Hutchings wrote:
> iwlegacy uses command buffers with a payload size of 320
> bytes (default) or 4092 bytes (huge). The struct il_device_cmd type
> describes the default buffers and there is no separate type describing
> the huge buffers.
>
> The il_enqueue_hcmd() function works with both default and huge
> buffers, and has a memcpy() to the buffer payload. The size of
> this copy may exceed 320 bytes when using a huge buffer, which
> now results in a run-time warning:
>
> memcpy: detected field-spanning write (size 1014) of single field "&out_cmd->cmd.payload" at drivers/net/wireless/intel/iwlegacy/common.c:3170 (size 320)
>
> To fix this:
>
> - Define a new struct type for huge buffers, with a correctly sized
> payload field
> - When using a huge buffer in il_enqueue_hcmd(), cast the command
> buffer pointer to that type when looking up the payload field
>
> Reported-by: Martin-Éric Racine <martin-eric.racine@iki.fi>
> References: https://bugs.debian.org/1062421
> References: https://bugzilla.kernel.org/show_bug.cgi?id=219124
> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
> Fixes: 54d9469bc515 ("fortify: Add run-time WARN for cross-field memcpy()")
> Tested-by: Martin-Éric Racine <martin-eric.racine@iki.fi>
> Tested-by: Brandon Nielsen <nielsenb@jetfuse.net>
I proposed diffrent fix for this here:
https://lore.kernel.org/linux-wireless/20240520073210.GA693073@wp.pl/
but never get feedback if it works on real HW.
So I prefer this one, sice it was tested.
Acked-by: Stanislaw Gruszka <stf_xl@wp.pl>
Martin-Éric and Brandon, could you plase also test patch from
https://lore.kernel.org/linux-wireless/Zr2gxERA3RL3EwRe@elsanto/
if it does not break the driver?
Thanks
Stanislaw
> ---
> drivers/net/wireless/intel/iwlegacy/common.c | 13 ++++++++++++-
> drivers/net/wireless/intel/iwlegacy/common.h | 12 ++++++++++++
> 2 files changed, 24 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/net/wireless/intel/iwlegacy/common.c b/drivers/net/wireless/intel/iwlegacy/common.c
> index 9d33a66a49b5..4616293ec0cf 100644
> --- a/drivers/net/wireless/intel/iwlegacy/common.c
> +++ b/drivers/net/wireless/intel/iwlegacy/common.c
> @@ -3122,6 +3122,7 @@ il_enqueue_hcmd(struct il_priv *il, struct il_host_cmd *cmd)
> struct il_cmd_meta *out_meta;
> dma_addr_t phys_addr;
> unsigned long flags;
> + u8 *out_payload;
> u32 idx;
> u16 fix_size;
>
> @@ -3157,6 +3158,16 @@ il_enqueue_hcmd(struct il_priv *il, struct il_host_cmd *cmd)
> out_cmd = txq->cmd[idx];
> out_meta = &txq->meta[idx];
>
> + /* The payload is in the same place in regular and huge
> + * command buffers, but we need to let the compiler know when
> + * we're using a larger payload buffer to avoid "field-
> + * spanning write" warnings at run-time for huge commands.
> + */
> + if (cmd->flags & CMD_SIZE_HUGE)
> + out_payload = ((struct il_device_cmd_huge *)out_cmd)->cmd.payload;
> + else
> + out_payload = out_cmd->cmd.payload;
> +
> if (WARN_ON(out_meta->flags & CMD_MAPPED)) {
> spin_unlock_irqrestore(&il->hcmd_lock, flags);
> return -ENOSPC;
> @@ -3170,7 +3181,7 @@ il_enqueue_hcmd(struct il_priv *il, struct il_host_cmd *cmd)
> out_meta->callback = cmd->callback;
>
> out_cmd->hdr.cmd = cmd->id;
> - memcpy(&out_cmd->cmd.payload, cmd->data, cmd->len);
> + memcpy(out_payload, cmd->data, cmd->len);
>
> /* At this point, the out_cmd now has all of the incoming cmd
> * information */
> diff --git a/drivers/net/wireless/intel/iwlegacy/common.h b/drivers/net/wireless/intel/iwlegacy/common.h
> index 69687fcf963f..027dae5619a3 100644
> --- a/drivers/net/wireless/intel/iwlegacy/common.h
> +++ b/drivers/net/wireless/intel/iwlegacy/common.h
> @@ -560,6 +560,18 @@ struct il_device_cmd {
>
> #define TFD_MAX_PAYLOAD_SIZE (sizeof(struct il_device_cmd))
>
> +/**
> + * struct il_device_cmd_huge
> + *
> + * For use when sending huge commands.
> + */
> +struct il_device_cmd_huge {
> + struct il_cmd_header hdr; /* uCode API */
> + union {
> + u8 payload[IL_MAX_CMD_SIZE - sizeof(struct il_cmd_header)];
> + } __packed cmd;
> +} __packed;
> +
> struct il_host_cmd {
> const void *data;
> unsigned long reply_page;
next prev parent reply other threads:[~2024-09-12 9:40 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-09-11 23:01 [PATCH] wifi: iwlegacy: Fix "field-spanning write" warning in il_enqueue_hcmd() Ben Hutchings
2024-09-12 8:39 ` Stanislaw Gruszka [this message]
2024-09-12 17:30 ` Brandon Nielsen
2024-09-13 6:43 ` Stanislaw Gruszka
2024-09-15 8:07 ` Martin-Éric Racine
2024-09-18 13:45 ` Kalle Valo
2024-09-19 8:28 ` Stanislaw Gruszka
2024-09-19 8:40 ` Kalle Valo
2024-09-19 8:46 ` Kalle Valo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240912083959.GA132706@wp.pl \
--to=stf_xl@wp.pl \
--cc=ben@decadent.org.uk \
--cc=linux-wireless@vger.kernel.org \
--cc=martin-eric.racine@iki.fi \
--cc=nielsenb@jetfuse.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.