From: kernel test robot <lkp@intel.com>
To: oe-kbuild@lists.linux.dev
Cc: lkp@intel.com, Dan Carpenter <error27@gmail.com>
Subject: [axboe:rw_iter 51/525] net/mac80211/debugfs.c:109 aqm_write() warn: potential spectre issue 'buf' [w]
Date: Sat, 28 Mar 2026 17:54:53 +0800
Message-ID: <202603281706.3CSDII39-lkp@intel.com>
BCC: lkp@intel.com
CC: oe-kbuild-all@lists.linux.dev
TO: Jens Axboe <axboe@kernel.dk>
tree: https://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux.git rw_iter
head: a20631c136551e49bcb2cb9c229e2b7c826a6aa6
commit: 9660c1d6968417e54a2a0719f058a7e5e2e53595 [51/525] net: mac80211: convert to read/write iterators
:::::: branch date: 18 hours ago
:::::: commit date: 2 days ago
config: parisc-randconfig-r071-20260328 (https://download.01.org/0day-ci/archive/20260328/202603281706.3CSDII39-lkp@intel.com/config)
compiler: hppa-linux-gcc (GCC) 15.2.0
smatch: v0.5.0-9004-gb810ac53
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Reported-by: Dan Carpenter <error27@gmail.com>
| Closes: https://lore.kernel.org/r/202603281706.3CSDII39-lkp@intel.com/
New smatch warnings:
net/mac80211/debugfs.c:109 aqm_write() warn: potential spectre issue 'buf' [w]
net/mac80211/debugfs.c:160 airtime_flags_write() warn: potential spectre issue 'buf' [w]
net/mac80211/debugfs.c:240 aql_txq_limit_write() warn: potential spectre issue 'buf' [w]
net/mac80211/debugfs.c:348 force_tx_status_write() warn: potential spectre issue 'buf' [w]
Old smatch warnings:
net/mac80211/debugfs.c:250 aql_txq_limit_write() warn: potential spectre issue 'local->aql_txq_limit_low' [r] (local cap)
net/mac80211/debugfs.c:251 aql_txq_limit_write() warn: potential spectre issue 'local->aql_txq_limit_high' [r] (local cap)
net/mac80211/debugfs.c:260 aql_txq_limit_write() warn: possible spectre second half. 'q_limit_low_old'
net/mac80211/debugfs.c:261 aql_txq_limit_write() warn: possible spectre second half. 'q_limit_high_old'
net/mac80211/debugfs.c:262 aql_txq_limit_write() warn: potential spectre issue 'sta->airtime' [w] (local cap)
vim +/buf +109 net/mac80211/debugfs.c
9399b86c0e9a05 Michal Kazior 2016-05-19 95
9660c1d6968417 Jens Axboe 2024-04-10 96 static ssize_t aqm_write(struct kiocb *iocb, struct iov_iter *from)
9399b86c0e9a05 Michal Kazior 2016-05-19 97 {
9660c1d6968417 Jens Axboe 2024-04-10 98 struct ieee80211_local *local = iocb->ki_filp->private_data;
9660c1d6968417 Jens Axboe 2024-04-10 99 size_t count = iov_iter_count(from);
9399b86c0e9a05 Michal Kazior 2016-05-19 100 char buf[100];
9399b86c0e9a05 Michal Kazior 2016-05-19 101
6020d534fa012b Shayne Chen 2021-01-12 102 if (count >= sizeof(buf))
9399b86c0e9a05 Michal Kazior 2016-05-19 103 return -EINVAL;
9399b86c0e9a05 Michal Kazior 2016-05-19 104
9660c1d6968417 Jens Axboe 2024-04-10 105 if (!copy_from_iter_full(buf, count, from))
9399b86c0e9a05 Michal Kazior 2016-05-19 106 return -EFAULT;
9399b86c0e9a05 Michal Kazior 2016-05-19 107
6020d534fa012b Shayne Chen 2021-01-12 108 if (count && buf[count - 1] == '\n')
6020d534fa012b Shayne Chen 2021-01-12 @109 buf[count - 1] = '\0';
6020d534fa012b Shayne Chen 2021-01-12 110 else
6020d534fa012b Shayne Chen 2021-01-12 111 buf[count] = '\0';
9399b86c0e9a05 Michal Kazior 2016-05-19 112
9399b86c0e9a05 Michal Kazior 2016-05-19 113 if (sscanf(buf, "fq_limit %u", &local->fq.limit) == 1)
9399b86c0e9a05 Michal Kazior 2016-05-19 114 return count;
2a4e675d887bb3 Toke Høiland-Jørgensen 2016-09-23 115 else if (sscanf(buf, "fq_memory_limit %u", &local->fq.memory_limit) == 1)
2a4e675d887bb3 Toke Høiland-Jørgensen 2016-09-23 116 return count;
9399b86c0e9a05 Michal Kazior 2016-05-19 117 else if (sscanf(buf, "fq_quantum %u", &local->fq.quantum) == 1)
9399b86c0e9a05 Michal Kazior 2016-05-19 118 return count;
9399b86c0e9a05 Michal Kazior 2016-05-19 119
9399b86c0e9a05 Michal Kazior 2016-05-19 120 return -EINVAL;
9399b86c0e9a05 Michal Kazior 2016-05-19 121 }
9399b86c0e9a05 Michal Kazior 2016-05-19 122
31cb94f71c1ba1 Johannes Berg 2024-10-22 123 static const struct debugfs_short_fops aqm_ops = {
9660c1d6968417 Jens Axboe 2024-04-10 124 .write_iter = aqm_write,
9660c1d6968417 Jens Axboe 2024-04-10 125 .read_iter = aqm_read,
9399b86c0e9a05 Michal Kazior 2016-05-19 126 .llseek = default_llseek,
9399b86c0e9a05 Michal Kazior 2016-05-19 127 };
9399b86c0e9a05 Michal Kazior 2016-05-19 128
9660c1d6968417 Jens Axboe 2024-04-10 129 static ssize_t airtime_flags_read(struct kiocb *iocb, struct iov_iter *to)
e322c07f837116 Lorenzo Bianconi 2019-11-27 130 {
9660c1d6968417 Jens Axboe 2024-04-10 131 struct ieee80211_local *local = iocb->ki_filp->private_data;
e322c07f837116 Lorenzo Bianconi 2019-11-27 132 char buf[128] = {}, *pos, *end;
e322c07f837116 Lorenzo Bianconi 2019-11-27 133
e322c07f837116 Lorenzo Bianconi 2019-11-27 134 pos = buf;
e322c07f837116 Lorenzo Bianconi 2019-11-27 135 end = pos + sizeof(buf) - 1;
e322c07f837116 Lorenzo Bianconi 2019-11-27 136
e322c07f837116 Lorenzo Bianconi 2019-11-27 137 if (local->airtime_flags & AIRTIME_USE_TX)
e322c07f837116 Lorenzo Bianconi 2019-11-27 138 pos += scnprintf(pos, end - pos, "AIRTIME_TX\t(%lx)\n",
e322c07f837116 Lorenzo Bianconi 2019-11-27 139 AIRTIME_USE_TX);
e322c07f837116 Lorenzo Bianconi 2019-11-27 140 if (local->airtime_flags & AIRTIME_USE_RX)
e322c07f837116 Lorenzo Bianconi 2019-11-27 141 pos += scnprintf(pos, end - pos, "AIRTIME_RX\t(%lx)\n",
e322c07f837116 Lorenzo Bianconi 2019-11-27 142 AIRTIME_USE_RX);
e322c07f837116 Lorenzo Bianconi 2019-11-27 143
9660c1d6968417 Jens Axboe 2024-04-10 144 return simple_copy_to_iter(buf, &iocb->ki_pos, strlen(buf), to);
e322c07f837116 Lorenzo Bianconi 2019-11-27 145 }
e322c07f837116 Lorenzo Bianconi 2019-11-27 146
9660c1d6968417 Jens Axboe 2024-04-10 147 static ssize_t airtime_flags_write(struct kiocb *iocb, struct iov_iter *from)
e322c07f837116 Lorenzo Bianconi 2019-11-27 148 {
9660c1d6968417 Jens Axboe 2024-04-10 149 struct ieee80211_local *local = iocb->ki_filp->private_data;
9660c1d6968417 Jens Axboe 2024-04-10 150 size_t count = iov_iter_count(from);
e322c07f837116 Lorenzo Bianconi 2019-11-27 151 char buf[16];
e322c07f837116 Lorenzo Bianconi 2019-11-27 152
6020d534fa012b Shayne Chen 2021-01-12 153 if (count >= sizeof(buf))
e322c07f837116 Lorenzo Bianconi 2019-11-27 154 return -EINVAL;
e322c07f837116 Lorenzo Bianconi 2019-11-27 155
9660c1d6968417 Jens Axboe 2024-04-10 156 if (!copy_from_iter_full(buf, count, from))
e322c07f837116 Lorenzo Bianconi 2019-11-27 157 return -EFAULT;
e322c07f837116 Lorenzo Bianconi 2019-11-27 158
6020d534fa012b Shayne Chen 2021-01-12 159 if (count && buf[count - 1] == '\n')
6020d534fa012b Shayne Chen 2021-01-12 @160 buf[count - 1] = '\0';
6020d534fa012b Shayne Chen 2021-01-12 161 else
6020d534fa012b Shayne Chen 2021-01-12 162 buf[count] = '\0';
e322c07f837116 Lorenzo Bianconi 2019-11-27 163
e322c07f837116 Lorenzo Bianconi 2019-11-27 164 if (kstrtou16(buf, 0, &local->airtime_flags))
e322c07f837116 Lorenzo Bianconi 2019-11-27 165 return -EINVAL;
e322c07f837116 Lorenzo Bianconi 2019-11-27 166
e322c07f837116 Lorenzo Bianconi 2019-11-27 167 return count;
e322c07f837116 Lorenzo Bianconi 2019-11-27 168 }
e322c07f837116 Lorenzo Bianconi 2019-11-27 169
31cb94f71c1ba1 Johannes Berg 2024-10-22 170 static const struct debugfs_short_fops airtime_flags_ops = {
9660c1d6968417 Jens Axboe 2024-04-10 171 .write_iter = airtime_flags_write,
9660c1d6968417 Jens Axboe 2024-04-10 172 .read_iter = airtime_flags_read,
e322c07f837116 Lorenzo Bianconi 2019-11-27 173 .llseek = default_llseek,
e322c07f837116 Lorenzo Bianconi 2019-11-27 174 };
e322c07f837116 Lorenzo Bianconi 2019-11-27 175
9660c1d6968417 Jens Axboe 2024-04-10 176 static ssize_t aql_pending_read(struct kiocb *iocb, struct iov_iter *to)
3db2c5604f39e3 Felix Fietkau 2022-06-25 177 {
9660c1d6968417 Jens Axboe 2024-04-10 178 struct ieee80211_local *local = iocb->ki_filp->private_data;
3db2c5604f39e3 Felix Fietkau 2022-06-25 179 char buf[400];
3db2c5604f39e3 Felix Fietkau 2022-06-25 180 int len = 0;
3db2c5604f39e3 Felix Fietkau 2022-06-25 181
3db2c5604f39e3 Felix Fietkau 2022-06-25 182 len = scnprintf(buf, sizeof(buf),
3db2c5604f39e3 Felix Fietkau 2022-06-25 183 "AC AQL pending\n"
3db2c5604f39e3 Felix Fietkau 2022-06-25 184 "VO %u us\n"
3db2c5604f39e3 Felix Fietkau 2022-06-25 185 "VI %u us\n"
3db2c5604f39e3 Felix Fietkau 2022-06-25 186 "BE %u us\n"
3db2c5604f39e3 Felix Fietkau 2022-06-25 187 "BK %u us\n"
3db2c5604f39e3 Felix Fietkau 2022-06-25 188 "total %u us\n",
3db2c5604f39e3 Felix Fietkau 2022-06-25 189 atomic_read(&local->aql_ac_pending_airtime[IEEE80211_AC_VO]),
3db2c5604f39e3 Felix Fietkau 2022-06-25 190 atomic_read(&local->aql_ac_pending_airtime[IEEE80211_AC_VI]),
3db2c5604f39e3 Felix Fietkau 2022-06-25 191 atomic_read(&local->aql_ac_pending_airtime[IEEE80211_AC_BE]),
3db2c5604f39e3 Felix Fietkau 2022-06-25 192 atomic_read(&local->aql_ac_pending_airtime[IEEE80211_AC_BK]),
3db2c5604f39e3 Felix Fietkau 2022-06-25 193 atomic_read(&local->aql_total_pending_airtime));
9660c1d6968417 Jens Axboe 2024-04-10 194 return simple_copy_to_iter(buf, &iocb->ki_pos, len, to);
3db2c5604f39e3 Felix Fietkau 2022-06-25 195 }
3db2c5604f39e3 Felix Fietkau 2022-06-25 196
31cb94f71c1ba1 Johannes Berg 2024-10-22 197 static const struct debugfs_short_fops aql_pending_ops = {
9660c1d6968417 Jens Axboe 2024-04-10 198 .read_iter = aql_pending_read,
3db2c5604f39e3 Felix Fietkau 2022-06-25 199 .llseek = default_llseek,
3db2c5604f39e3 Felix Fietkau 2022-06-25 200 };
3db2c5604f39e3 Felix Fietkau 2022-06-25 201
9660c1d6968417 Jens Axboe 2024-04-10 202 static ssize_t aql_txq_limit_read(struct kiocb *iocb, struct iov_iter *to)
3ace10f5b5ad94 Kan Yan 2019-11-18 203 {
9660c1d6968417 Jens Axboe 2024-04-10 204 struct ieee80211_local *local = iocb->ki_filp->private_data;
3ace10f5b5ad94 Kan Yan 2019-11-18 205 char buf[400];
3ace10f5b5ad94 Kan Yan 2019-11-18 206 int len = 0;
3ace10f5b5ad94 Kan Yan 2019-11-18 207
3ace10f5b5ad94 Kan Yan 2019-11-18 208 len = scnprintf(buf, sizeof(buf),
3ace10f5b5ad94 Kan Yan 2019-11-18 209 "AC AQL limit low AQL limit high\n"
3ace10f5b5ad94 Kan Yan 2019-11-18 210 "VO %u %u\n"
3ace10f5b5ad94 Kan Yan 2019-11-18 211 "VI %u %u\n"
3ace10f5b5ad94 Kan Yan 2019-11-18 212 "BE %u %u\n"
3ace10f5b5ad94 Kan Yan 2019-11-18 213 "BK %u %u\n",
942741dabcb432 Felix Fietkau 2022-06-25 214 local->aql_txq_limit_low[IEEE80211_AC_VO],
942741dabcb432 Felix Fietkau 2022-06-25 215 local->aql_txq_limit_high[IEEE80211_AC_VO],
942741dabcb432 Felix Fietkau 2022-06-25 216 local->aql_txq_limit_low[IEEE80211_AC_VI],
942741dabcb432 Felix Fietkau 2022-06-25 217 local->aql_txq_limit_high[IEEE80211_AC_VI],
942741dabcb432 Felix Fietkau 2022-06-25 218 local->aql_txq_limit_low[IEEE80211_AC_BE],
942741dabcb432 Felix Fietkau 2022-06-25 219 local->aql_txq_limit_high[IEEE80211_AC_BE],
942741dabcb432 Felix Fietkau 2022-06-25 220 local->aql_txq_limit_low[IEEE80211_AC_BK],
942741dabcb432 Felix Fietkau 2022-06-25 221 local->aql_txq_limit_high[IEEE80211_AC_BK]);
9660c1d6968417 Jens Axboe 2024-04-10 222 return simple_copy_to_iter(buf, &iocb->ki_pos, len, to);
3ace10f5b5ad94 Kan Yan 2019-11-18 223 }
3ace10f5b5ad94 Kan Yan 2019-11-18 224
9660c1d6968417 Jens Axboe 2024-04-10 225 static ssize_t aql_txq_limit_write(struct kiocb *iocb, struct iov_iter *from)
3ace10f5b5ad94 Kan Yan 2019-11-18 226 {
9660c1d6968417 Jens Axboe 2024-04-10 227 struct ieee80211_local *local = iocb->ki_filp->private_data;
9660c1d6968417 Jens Axboe 2024-04-10 228 size_t count = iov_iter_count(from);
3ace10f5b5ad94 Kan Yan 2019-11-18 229 char buf[100];
3ace10f5b5ad94 Kan Yan 2019-11-18 230 u32 ac, q_limit_low, q_limit_high, q_limit_low_old, q_limit_high_old;
3ace10f5b5ad94 Kan Yan 2019-11-18 231 struct sta_info *sta;
3ace10f5b5ad94 Kan Yan 2019-11-18 232
6020d534fa012b Shayne Chen 2021-01-12 233 if (count >= sizeof(buf))
3ace10f5b5ad94 Kan Yan 2019-11-18 234 return -EINVAL;
3ace10f5b5ad94 Kan Yan 2019-11-18 235
9660c1d6968417 Jens Axboe 2024-04-10 236 if (!copy_from_iter_full(buf, count, from))
3ace10f5b5ad94 Kan Yan 2019-11-18 237 return -EFAULT;
3ace10f5b5ad94 Kan Yan 2019-11-18 238
6020d534fa012b Shayne Chen 2021-01-12 239 if (count && buf[count - 1] == '\n')
6020d534fa012b Shayne Chen 2021-01-12 @240 buf[count - 1] = '\0';
6020d534fa012b Shayne Chen 2021-01-12 241 else
6020d534fa012b Shayne Chen 2021-01-12 242 buf[count] = '\0';
3ace10f5b5ad94 Kan Yan 2019-11-18 243
3ace10f5b5ad94 Kan Yan 2019-11-18 244 if (sscanf(buf, "%u %u %u", &ac, &q_limit_low, &q_limit_high) != 3)
3ace10f5b5ad94 Kan Yan 2019-11-18 245 return -EINVAL;
3ace10f5b5ad94 Kan Yan 2019-11-18 246
3ace10f5b5ad94 Kan Yan 2019-11-18 247 if (ac >= IEEE80211_NUM_ACS)
3ace10f5b5ad94 Kan Yan 2019-11-18 248 return -EINVAL;
3ace10f5b5ad94 Kan Yan 2019-11-18 249
942741dabcb432 Felix Fietkau 2022-06-25 250 q_limit_low_old = local->aql_txq_limit_low[ac];
942741dabcb432 Felix Fietkau 2022-06-25 251 q_limit_high_old = local->aql_txq_limit_high[ac];
3ace10f5b5ad94 Kan Yan 2019-11-18 252
8e66f6c6738e5b Johannes Berg 2024-11-22 253 guard(wiphy)(local->hw.wiphy);
8e66f6c6738e5b Johannes Berg 2024-11-22 254
942741dabcb432 Felix Fietkau 2022-06-25 255 local->aql_txq_limit_low[ac] = q_limit_low;
942741dabcb432 Felix Fietkau 2022-06-25 256 local->aql_txq_limit_high[ac] = q_limit_high;
3ace10f5b5ad94 Kan Yan 2019-11-18 257
3ace10f5b5ad94 Kan Yan 2019-11-18 258 list_for_each_entry(sta, &local->sta_list, list) {
3ace10f5b5ad94 Kan Yan 2019-11-18 259 /* If a sta has customized queue limits, keep it */
3ace10f5b5ad94 Kan Yan 2019-11-18 260 if (sta->airtime[ac].aql_limit_low == q_limit_low_old &&
3ace10f5b5ad94 Kan Yan 2019-11-18 261 sta->airtime[ac].aql_limit_high == q_limit_high_old) {
3ace10f5b5ad94 Kan Yan 2019-11-18 262 sta->airtime[ac].aql_limit_low = q_limit_low;
3ace10f5b5ad94 Kan Yan 2019-11-18 263 sta->airtime[ac].aql_limit_high = q_limit_high;
3ace10f5b5ad94 Kan Yan 2019-11-18 264 }
3ace10f5b5ad94 Kan Yan 2019-11-18 265 }
4d3acf4311a040 Johannes Berg 2023-08-28 266
3ace10f5b5ad94 Kan Yan 2019-11-18 267 return count;
3ace10f5b5ad94 Kan Yan 2019-11-18 268 }
3ace10f5b5ad94 Kan Yan 2019-11-18 269
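Review bot: In aql_txq_limit_write() the user-supplied `ac` passes the range check at line 247 and is then used as an array index at lines 250–251 and 260–263, with nothing to stop the index being used speculatively before the check resolves; this is the pattern behind the Spectre-v1 warnings listed for 250/251/262. If this is hardened rather than waived (debugfs is normally reachable only by privileged users), the usual form is a clamp directly after the check, `ac = array_index_nospec(ac, IEEE80211_NUM_ACS);`, which needs `<linux/nospec.h>`; the file's include block is outside this listing. The new `buf[count - 1]` warnings at 109, 160 and 240 have the same shape with `count` checked against `sizeof(buf)`, and would take `count = array_index_nospec(count, sizeof(buf));` after the length check in aqm_write(), airtime_flags_write() and aql_txq_limit_write(). Separately, lines 250–251 read the old limits before `guard(wiphy)` is taken at line 253, so if that lock is what serialises writers, two concurrent writes could compare stations against a stale snapshot; moving the two reads below the guard would avoid that.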
:::::: The code at line 109 was first introduced by commit
:::::: 6020d534fa012b80c6d13811dc4d2dfedca2e403 mac80211: fix incorrect strlen of .write in debugfs
:::::: TO: Shayne Chen <shayne.chen@mediatek.com>
:::::: CC: Johannes Berg <johannes.berg@intel.com>
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki