From: kernel test robot <lkp@intel.com>
To: oe-kbuild@lists.linux.dev
Cc: lkp@intel.com, Dan Carpenter <error27@gmail.com>
Subject: drivers/net/wireless/intel/iwlwifi/fw/regulatory.c:286 iwl_fill_ppag_table() error: buffer overflow 'gain' 11 <= 21
Date: Fri, 13 Dec 2024 20:24:56 +0800	[thread overview]
Message-ID: <202412132004.HrilL50h-lkp@intel.com> (raw)

BCC: lkp@intel.com
CC: oe-kbuild-all@lists.linux.dev
CC: linux-kernel@vger.kernel.org
TO: Miri Korenblit <miriam.rachel.korenblit@intel.com>
CC: Johannes Berg <johannes.berg@intel.com>
CC: Gregory Greenman <gregory.greenman@intel.com>

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head:   f932fb9b40749d1c9a539d89bb3e288c077aafe5
commit: 09059c6764a8870ff7515c2d78ecbea7fbcffc23 wifi: iwlwifi: prepare for reading PPAG table from UEFI
date:   11 months ago
:::::: branch date: 11 hours ago
:::::: commit date: 11 months ago
config: x86_64-randconfig-161-20241213 (https://download.01.org/0day-ci/archive/20241213/202412132004.HrilL50h-lkp@intel.com/config)
compiler: gcc-12 (Debian 12.2.0-14) 12.2.0

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Reported-by: Dan Carpenter <error27@gmail.com>
| Closes: https://lore.kernel.org/r/202412132004.HrilL50h-lkp@intel.com/

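New smatch warnings:
drivers/net/wireless/intel/iwlwifi/fw/regulatory.c:286 iwl_fill_ppag_table() error: buffer overflow 'gain' 11 <= 21

(Reading the warning: smatch reports the array size first and the largest index second. 'gain' is taken from the first row of a gain table (cmd->v1.gain[0] or cmd->v2.gain[0]), which smatch sizes at 11 elements, while the flattened index i * num_sub_bands + j at line 286 can reach 21. The declaration of the gain table is not part of this listing, so whether the store stays inside the enclosing command structure has to be confirmed against the struct definitions; indexing the table by row and column instead of through a pointer to its first row would keep every access inside its own row.)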

Old smatch warnings:
drivers/net/wireless/intel/iwlwifi/fw/regulatory.c:288 iwl_fill_ppag_table() error: buffer overflow 'gain' 11 <= 21

vim +/gain +286 drivers/net/wireless/intel/iwlwifi/fw/regulatory.c

09059c6764a8870 Miri Korenblit 2024-01-31  208  
09059c6764a8870 Miri Korenblit 2024-01-31  209  int iwl_fill_ppag_table(struct iwl_fw_runtime *fwrt,
09059c6764a8870 Miri Korenblit 2024-01-31  210  			union iwl_ppag_table_cmd *cmd, int *cmd_size)
09059c6764a8870 Miri Korenblit 2024-01-31  211  {
09059c6764a8870 Miri Korenblit 2024-01-31  212  	u8 cmd_ver;
09059c6764a8870 Miri Korenblit 2024-01-31  213  	int i, j, num_sub_bands;
09059c6764a8870 Miri Korenblit 2024-01-31  214  	s8 *gain;
09059c6764a8870 Miri Korenblit 2024-01-31  215  
09059c6764a8870 Miri Korenblit 2024-01-31  216  	/* many firmware images for JF lie about this */
09059c6764a8870 Miri Korenblit 2024-01-31  217  	if (CSR_HW_RFID_TYPE(fwrt->trans->hw_rf_id) ==
09059c6764a8870 Miri Korenblit 2024-01-31  218  	    CSR_HW_RFID_TYPE(CSR_HW_RF_ID_TYPE_JF))
09059c6764a8870 Miri Korenblit 2024-01-31  219  		return -EOPNOTSUPP;
09059c6764a8870 Miri Korenblit 2024-01-31  220  
09059c6764a8870 Miri Korenblit 2024-01-31  221  	if (!fw_has_capa(&fwrt->fw->ucode_capa, IWL_UCODE_TLV_CAPA_SET_PPAG)) {
09059c6764a8870 Miri Korenblit 2024-01-31  222  		IWL_DEBUG_RADIO(fwrt,
09059c6764a8870 Miri Korenblit 2024-01-31  223  				"PPAG capability not supported by FW, command not sent.\n");
09059c6764a8870 Miri Korenblit 2024-01-31  224  		return -EINVAL;
09059c6764a8870 Miri Korenblit 2024-01-31  225  	}
09059c6764a8870 Miri Korenblit 2024-01-31  226  
09059c6764a8870 Miri Korenblit 2024-01-31  227  	cmd_ver = iwl_fw_lookup_cmd_ver(fwrt->fw,
09059c6764a8870 Miri Korenblit 2024-01-31  228  					WIDE_ID(PHY_OPS_GROUP,
09059c6764a8870 Miri Korenblit 2024-01-31  229  						PER_PLATFORM_ANT_GAIN_CMD),
09059c6764a8870 Miri Korenblit 2024-01-31  230  					IWL_FW_CMD_VER_UNKNOWN);
09059c6764a8870 Miri Korenblit 2024-01-31  231  	if (!fwrt->ppag_table_valid || (cmd_ver <= 3 && !fwrt->ppag_flags)) {
09059c6764a8870 Miri Korenblit 2024-01-31  232  		IWL_DEBUG_RADIO(fwrt, "PPAG not enabled, command not sent.\n");
09059c6764a8870 Miri Korenblit 2024-01-31  233  		return -EINVAL;
09059c6764a8870 Miri Korenblit 2024-01-31  234  	}
09059c6764a8870 Miri Korenblit 2024-01-31  235  
09059c6764a8870 Miri Korenblit 2024-01-31  236  	/* The 'flags' field is the same in v1 and in v2 so we can just
09059c6764a8870 Miri Korenblit 2024-01-31  237  	 * use v1 to access it.
09059c6764a8870 Miri Korenblit 2024-01-31  238  	 */
09059c6764a8870 Miri Korenblit 2024-01-31  239  	cmd->v1.flags = cpu_to_le32(fwrt->ppag_flags);
09059c6764a8870 Miri Korenblit 2024-01-31  240  
09059c6764a8870 Miri Korenblit 2024-01-31  241  	IWL_DEBUG_RADIO(fwrt, "PPAG cmd ver is %d\n", cmd_ver);
09059c6764a8870 Miri Korenblit 2024-01-31  242  	if (cmd_ver == 1) {
09059c6764a8870 Miri Korenblit 2024-01-31  243  		num_sub_bands = IWL_NUM_SUB_BANDS_V1;
09059c6764a8870 Miri Korenblit 2024-01-31  244  		gain = cmd->v1.gain[0];
09059c6764a8870 Miri Korenblit 2024-01-31  245  		*cmd_size = sizeof(cmd->v1);
09059c6764a8870 Miri Korenblit 2024-01-31  246  		if (fwrt->ppag_ver == 1 || fwrt->ppag_ver == 2) {
09059c6764a8870 Miri Korenblit 2024-01-31  247  			/* in this case FW supports revision 0 */
09059c6764a8870 Miri Korenblit 2024-01-31  248  			IWL_DEBUG_RADIO(fwrt,
09059c6764a8870 Miri Korenblit 2024-01-31  249  					"PPAG table rev is %d, send truncated table\n",
09059c6764a8870 Miri Korenblit 2024-01-31  250  					fwrt->ppag_ver);
09059c6764a8870 Miri Korenblit 2024-01-31  251  		}
09059c6764a8870 Miri Korenblit 2024-01-31  252  	} else if (cmd_ver >= 2 && cmd_ver <= 4) {
09059c6764a8870 Miri Korenblit 2024-01-31  253  		num_sub_bands = IWL_NUM_SUB_BANDS_V2;
09059c6764a8870 Miri Korenblit 2024-01-31  254  		gain = cmd->v2.gain[0];
09059c6764a8870 Miri Korenblit 2024-01-31  255  		*cmd_size = sizeof(cmd->v2);
09059c6764a8870 Miri Korenblit 2024-01-31  256  		if (fwrt->ppag_ver == 0) {
09059c6764a8870 Miri Korenblit 2024-01-31  257  			/* in this case FW supports revisions 1 or 2 */
09059c6764a8870 Miri Korenblit 2024-01-31  258  			IWL_DEBUG_RADIO(fwrt,
09059c6764a8870 Miri Korenblit 2024-01-31  259  					"PPAG table rev is 0, send padded table\n");
09059c6764a8870 Miri Korenblit 2024-01-31  260  		}
09059c6764a8870 Miri Korenblit 2024-01-31  261  	} else {
09059c6764a8870 Miri Korenblit 2024-01-31  262  		IWL_DEBUG_RADIO(fwrt, "Unsupported PPAG command version\n");
09059c6764a8870 Miri Korenblit 2024-01-31  263  		return -EINVAL;
09059c6764a8870 Miri Korenblit 2024-01-31  264  	}
09059c6764a8870 Miri Korenblit 2024-01-31  265  
09059c6764a8870 Miri Korenblit 2024-01-31  266  	/* ppag mode */
09059c6764a8870 Miri Korenblit 2024-01-31  267  	IWL_DEBUG_RADIO(fwrt,
09059c6764a8870 Miri Korenblit 2024-01-31  268  			"PPAG MODE bits were read from bios: %d\n",
09059c6764a8870 Miri Korenblit 2024-01-31  269  			cmd->v1.flags);
09059c6764a8870 Miri Korenblit 2024-01-31  270  	if ((cmd_ver == 1 &&
09059c6764a8870 Miri Korenblit 2024-01-31  271  	     !fw_has_capa(&fwrt->fw->ucode_capa,
09059c6764a8870 Miri Korenblit 2024-01-31  272  			  IWL_UCODE_TLV_CAPA_PPAG_CHINA_BIOS_SUPPORT)) ||
09059c6764a8870 Miri Korenblit 2024-01-31  273  	    (cmd_ver == 2 && fwrt->ppag_ver == 2)) {
09059c6764a8870 Miri Korenblit 2024-01-31  274  		cmd->v1.flags &= cpu_to_le32(IWL_PPAG_ETSI_MASK);
09059c6764a8870 Miri Korenblit 2024-01-31  275  		IWL_DEBUG_RADIO(fwrt, "masking ppag China bit\n");
09059c6764a8870 Miri Korenblit 2024-01-31  276  	} else {
09059c6764a8870 Miri Korenblit 2024-01-31  277  		IWL_DEBUG_RADIO(fwrt, "isn't masking ppag China bit\n");
09059c6764a8870 Miri Korenblit 2024-01-31  278  	}
09059c6764a8870 Miri Korenblit 2024-01-31  279  
09059c6764a8870 Miri Korenblit 2024-01-31  280  	IWL_DEBUG_RADIO(fwrt,
09059c6764a8870 Miri Korenblit 2024-01-31  281  			"PPAG MODE bits going to be sent: %d\n",
09059c6764a8870 Miri Korenblit 2024-01-31  282  			cmd->v1.flags);
09059c6764a8870 Miri Korenblit 2024-01-31  283  
09059c6764a8870 Miri Korenblit 2024-01-31  284  	for (i = 0; i < IWL_NUM_CHAIN_LIMITS; i++) {
09059c6764a8870 Miri Korenblit 2024-01-31  285  		for (j = 0; j < num_sub_bands; j++) {
09059c6764a8870 Miri Korenblit 2024-01-31 @286  			gain[i * num_sub_bands + j] =
09059c6764a8870 Miri Korenblit 2024-01-31  287  				fwrt->ppag_chains[i].subbands[j];
09059c6764a8870 Miri Korenblit 2024-01-31  288  			IWL_DEBUG_RADIO(fwrt,
09059c6764a8870 Miri Korenblit 2024-01-31  289  					"PPAG table: chain[%d] band[%d]: gain = %d\n",
09059c6764a8870 Miri Korenblit 2024-01-31  290  					i, j, gain[i * num_sub_bands + j]);
09059c6764a8870 Miri Korenblit 2024-01-31  291  		}
09059c6764a8870 Miri Korenblit 2024-01-31  292  	}
09059c6764a8870 Miri Korenblit 2024-01-31  293  
09059c6764a8870 Miri Korenblit 2024-01-31  294  	return 0;
09059c6764a8870 Miri Korenblit 2024-01-31  295  }
09059c6764a8870 Miri Korenblit 2024-01-31  296  IWL_EXPORT_SYMBOL(iwl_fill_ppag_table);
09059c6764a8870 Miri Korenblit 2024-01-31  297  

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki


Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-12-13 12:24 kernel test robot [this message]
  -- strict thread matches above, loose matches on Subject: below --
2024-11-17 10:07 drivers/net/wireless/intel/iwlwifi/fw/regulatory.c:286 iwl_fill_ppag_table() error: buffer overflow 'gain' 11 <= 21 kernel test robot
2024-10-27  3:45 kernel test robot
