From: kernel test robot <lkp@intel.com>
To: oe-kbuild@lists.linux.dev
Cc: lkp@intel.com, Dan Carpenter <error27@gmail.com>
Subject: drivers/net/wireless/ath/wcn36xx/smd.c:1988 wcn36xx_smd_send_beacon() warn: potential spectre issue 'msg_body.beacon' [r]
Date: Wed, 24 Dec 2025 09:04:22 +0800
Message-ID: <202512240945.s16QxOuf-lkp@intel.com>
BCC: lkp@intel.com
CC: oe-kbuild-all@lists.linux.dev
CC: linux-kernel@vger.kernel.org
TO: Kees Cook <kees@kernel.org>
CC: Nathan Chancellor <nathan@kernel.org>
tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head: b927546677c876e26eba308550207c2ddf812a43
commit: d70da12453ac3797e0c54884305ccc894e8c817b hardening: Enable i386 FORTIFY_SOURCE on Clang 16+
date: 10 months ago
:::::: branch date: 31 hours ago
:::::: commit date: 10 months ago
config: i386-randconfig-r072-20251224 (https://download.01.org/0day-ci/archive/20251224/202512240945.s16QxOuf-lkp@intel.com/config)
compiler: clang version 20.1.8 (https://github.com/llvm/llvm-project 87f0227cb60147a26a1eeb4fb06e3b505e9c7261)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Reported-by: Dan Carpenter <error27@gmail.com>
| Closes: https://lore.kernel.org/r/202512240945.s16QxOuf-lkp@intel.com/

New smatch warnings:
drivers/net/wireless/ath/wcn36xx/smd.c:1988 wcn36xx_smd_send_beacon() warn: potential spectre issue 'msg_body.beacon' [r]

Old smatch warnings:
drivers/net/wireless/ath/wcn36xx/smd.c:521 wcn36xx_smd_load_nv() error: we previously assumed 'wcn->nv' could be null (see line 512)
drivers/net/wireless/ath/wcn36xx/smd.c:569 wcn36xx_smd_load_nv() warn: 'wcn->nv' from request_firmware() not released on lines: 569.

vim +1988 drivers/net/wireless/ath/wcn36xx/smd.c

8e84c25821698b Eugene Krasnikov 2013-10-08 1948
8e84c25821698b Eugene Krasnikov 2013-10-08 1949 int wcn36xx_smd_send_beacon(struct wcn36xx *wcn, struct ieee80211_vif *vif,
8e84c25821698b Eugene Krasnikov 2013-10-08 1950 struct sk_buff *skb_beacon, u16 tim_off,
8e84c25821698b Eugene Krasnikov 2013-10-08 1951 u16 p2p_off)
8e84c25821698b Eugene Krasnikov 2013-10-08 1952 {
8e84c25821698b Eugene Krasnikov 2013-10-08 1953 struct wcn36xx_hal_send_beacon_req_msg msg_body;
f0eea2772a6baf Daniel Mack 2018-06-29 1954 int ret, pad, pvm_len;
8e84c25821698b Eugene Krasnikov 2013-10-08 1955
8e84c25821698b Eugene Krasnikov 2013-10-08 1956 mutex_lock(&wcn->hal_mutex);
8e84c25821698b Eugene Krasnikov 2013-10-08 1957 INIT_HAL_MSG(msg_body, WCN36XX_HAL_SEND_BEACON_REQ);
8e84c25821698b Eugene Krasnikov 2013-10-08 1958
91c3eeba45e13a Pontus Fuchs 2016-04-18 1959 pvm_len = skb_beacon->data[tim_off + 1] - 3;
91c3eeba45e13a Pontus Fuchs 2016-04-18 1960 pad = TIM_MIN_PVM_SIZE - pvm_len;
8e84c25821698b Eugene Krasnikov 2013-10-08 1961
91c3eeba45e13a Pontus Fuchs 2016-04-18 1962 /* Padding is irrelevant to mesh mode since tim_off is always 0. */
91c3eeba45e13a Pontus Fuchs 2016-04-18 1963 if (vif->type == NL80211_IFTYPE_MESH_POINT)
91c3eeba45e13a Pontus Fuchs 2016-04-18 1964 pad = 0;
91c3eeba45e13a Pontus Fuchs 2016-04-18 1965
91c3eeba45e13a Pontus Fuchs 2016-04-18 1966 msg_body.beacon_length = skb_beacon->len + pad;
25d217d6e07234 Pontus Fuchs 2016-04-18 1967 /* TODO need to find out why + 6 is needed */
25d217d6e07234 Pontus Fuchs 2016-04-18 1968 msg_body.beacon_length6 = msg_body.beacon_length + 6;
8e84c25821698b Eugene Krasnikov 2013-10-08 1969
25d217d6e07234 Pontus Fuchs 2016-04-18 1970 if (msg_body.beacon_length > BEACON_TEMPLATE_SIZE) {
d7809bd9eae67b Colin Ian King 2020-01-23 1971 wcn36xx_err("Beacon is too big: beacon size=%d\n",
8e84c25821698b Eugene Krasnikov 2013-10-08 1972 msg_body.beacon_length);
95b48c2cdae764 Dan Carpenter 2013-11-08 1973 ret = -ENOMEM;
95b48c2cdae764 Dan Carpenter 2013-11-08 1974 goto out;
8e84c25821698b Eugene Krasnikov 2013-10-08 1975 }
25d217d6e07234 Pontus Fuchs 2016-04-18 1976 memcpy(msg_body.beacon, skb_beacon->data, skb_beacon->len);
8e84c25821698b Eugene Krasnikov 2013-10-08 1977 memcpy(msg_body.bssid, vif->addr, ETH_ALEN);
8e84c25821698b Eugene Krasnikov 2013-10-08 1978
91c3eeba45e13a Pontus Fuchs 2016-04-18 1979 if (pad > 0) {
91c3eeba45e13a Pontus Fuchs 2016-04-18 1980 /*
91c3eeba45e13a Pontus Fuchs 2016-04-18 1981 * The wcn36xx FW has a fixed size for the PVM in the TIM. If
91c3eeba45e13a Pontus Fuchs 2016-04-18 1982 * given the beacon template from mac80211 with a PVM shorter
91c3eeba45e13a Pontus Fuchs 2016-04-18 1983 * than the FW expectes it will overwrite the data after the
91c3eeba45e13a Pontus Fuchs 2016-04-18 1984 * TIM.
91c3eeba45e13a Pontus Fuchs 2016-04-18 1985 */
91c3eeba45e13a Pontus Fuchs 2016-04-18 1986 wcn36xx_dbg(WCN36XX_DBG_HAL, "Pad TIM PVM. %d bytes at %d\n",
91c3eeba45e13a Pontus Fuchs 2016-04-18 1987 pad, pvm_len);
91c3eeba45e13a Pontus Fuchs 2016-04-18 @1988 memmove(&msg_body.beacon[tim_off + 5 + pvm_len + pad],
91c3eeba45e13a Pontus Fuchs 2016-04-18 1989 &msg_body.beacon[tim_off + 5 + pvm_len],
91c3eeba45e13a Pontus Fuchs 2016-04-18 1990 skb_beacon->len - (tim_off + 5 + pvm_len));
91c3eeba45e13a Pontus Fuchs 2016-04-18 1991 memset(&msg_body.beacon[tim_off + 5 + pvm_len], 0, pad);
91c3eeba45e13a Pontus Fuchs 2016-04-18 1992 msg_body.beacon[tim_off + 1] += pad;
91c3eeba45e13a Pontus Fuchs 2016-04-18 1993 }
91c3eeba45e13a Pontus Fuchs 2016-04-18 1994
8e84c25821698b Eugene Krasnikov 2013-10-08 1995 /* TODO need to find out why this is needed? */
fa643ae2ce4e75 Chun-Yeow Yeoh 2013-12-06 1996 if (vif->type == NL80211_IFTYPE_MESH_POINT)
fa643ae2ce4e75 Chun-Yeow Yeoh 2013-12-06 1997 /* mesh beacon don't need this, so push further down */
fa643ae2ce4e75 Chun-Yeow Yeoh 2013-12-06 1998 msg_body.tim_ie_offset = 256;
fa643ae2ce4e75 Chun-Yeow Yeoh 2013-12-06 1999 else
8e84c25821698b Eugene Krasnikov 2013-10-08 2000 msg_body.tim_ie_offset = tim_off+4;
8e84c25821698b Eugene Krasnikov 2013-10-08 2001 msg_body.p2p_ie_offset = p2p_off;
8e84c25821698b Eugene Krasnikov 2013-10-08 2002 PREPARE_HAL_BUF(wcn->hal_buf, msg_body);
8e84c25821698b Eugene Krasnikov 2013-10-08 2003
8e84c25821698b Eugene Krasnikov 2013-10-08 2004 wcn36xx_dbg(WCN36XX_DBG_HAL,
8e84c25821698b Eugene Krasnikov 2013-10-08 2005 "hal send beacon beacon_length %d\n",
8e84c25821698b Eugene Krasnikov 2013-10-08 2006 msg_body.beacon_length);
8e84c25821698b Eugene Krasnikov 2013-10-08 2007
8e84c25821698b Eugene Krasnikov 2013-10-08 2008 ret = wcn36xx_smd_send_and_wait(wcn, msg_body.header.len);
8e84c25821698b Eugene Krasnikov 2013-10-08 2009 if (ret) {
8e84c25821698b Eugene Krasnikov 2013-10-08 2010 wcn36xx_err("Sending hal_send_beacon failed\n");
8e84c25821698b Eugene Krasnikov 2013-10-08 2011 goto out;
8e84c25821698b Eugene Krasnikov 2013-10-08 2012 }
8e84c25821698b Eugene Krasnikov 2013-10-08 2013 ret = wcn36xx_smd_rsp_status_check(wcn->hal_buf, wcn->hal_rsp_len);
8e84c25821698b Eugene Krasnikov 2013-10-08 2014 if (ret) {
8e84c25821698b Eugene Krasnikov 2013-10-08 2015 wcn36xx_err("hal_send_beacon response failed err=%d\n", ret);
8e84c25821698b Eugene Krasnikov 2013-10-08 2016 goto out;
8e84c25821698b Eugene Krasnikov 2013-10-08 2017 }
8e84c25821698b Eugene Krasnikov 2013-10-08 2018 out:
8e84c25821698b Eugene Krasnikov 2013-10-08 2019 mutex_unlock(&wcn->hal_mutex);
8e84c25821698b Eugene Krasnikov 2013-10-08 2020 return ret;
8e84c25821698b Eugene Krasnikov 2013-10-08 2021 }
8e84c25821698b Eugene Krasnikov 2013-10-08 2022
:::::: The code at line 1988 was first introduced by commit
:::::: 91c3eeba45e13ab7edfb50610df8672d52809394 wcn36xx: Pad TIM PVM if needed
:::::: TO: Pontus Fuchs <pontus.fuchs@gmail.com>
:::::: CC: Kalle Valo <kvalo@qca.qualcomm.com>
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki