From: Kalle Valo <kvalo@kernel.org>
To: Petr Tesarik <petrtesarik@huaweicloud.com>
Cc: Arend van Spriel <aspriel@gmail.com>,
Franky Lin <franky.lin@broadcom.com>,
Hante Meuleman <hante.meuleman@broadcom.com>,
Chi-hsien Lin <chi-hsien.lin@infineon.com>,
Ian Lin <ian.lin@infineon.com>,
Wright Feng <wright.feng@cypress.com>,
Hector Martin <marcan@marcan.st>,
Prasanna Kerekoppa <prasanna.kerekoppa@cypress.com>,
Hans de Goede <hdegoede@redhat.com>,
Ramesh Rangavittal <ramesh.rangavittal@infineon.com>,
Linus Walleij <linus.walleij@linaro.org>,
Kees Cook <keescook@chromium.org>,
"Gustavo A. R. Silva" <gustavoars@kernel.org>,
Ryohei Kondo <ryohei.kondo@cypress.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
"Jason A. Donenfeld" <Jason@zx2c4.com>,
"Darrick J. Wong" <djwong@kernel.org>,
Jason Gunthorpe <jgg@ziepe.ca>,
Brian Henriquez <brian.henriquez@cypress.com>,
linux-wireless@vger.kernel.org (open list:BROADCOM BRCM80211
IEEE802.11n WIRELESS DRIVER),
brcm80211-dev-list.pdl@broadcom.com (open list:BROADCOM
BRCM80211 IEEE802.11n WIRELESS DRIVER),
SHA-cyfmac-dev-list@infineon.com (open list:BROADCOM BRCM80211
IEEE802.11n WIRELESS DRIVER),
linux-kernel@vger.kernel.org (open list),
Roberto Sassu <roberto.sassu@huaweicloud.com>,
petr@tesarici.cz
Subject: Re: [PATCH v1 3/3] wifi: brcm80211: change channel_list to a flexible array
Date: Tue, 01 Aug 2023 20:37:31 +0300
Message-ID: <87pm46wtno.fsf@kernel.org>
In-Reply-To: <c18a31a293fb5ba5d7a845c4b5052516ff724a9f.1690904067.git.petr.tesarik.ext@huawei.com> (Petr Tesarik's message of "Tue, 1 Aug 2023 17:36:42 +0200")
Petr Tesarik <petrtesarik@huaweicloud.com> writes:
> From: Petr Tesarik <petr.tesarik.ext@huawei.com>
>
> The channel list is in fact a flexible array, but it has a length of 1 to
> make sure there is enough room for the special chanspec -1 when the struct
> is allocated on stack to abort a scan.
>
> Move the single array member to newly declared struct brcmf_scan_abort_le
> and struct brcmf_scan_abort_v2_le and make channel_list in struct
> brcmf_scan_params_le and struct brcmf_scan_params_v2_le a flexible array.
>
> This fixes this annoying (though harmless) warning when the kernel is built
> with CONFIG_FORTIFY_SOURCE=y:
>
> ------------[ cut here ]------------
> memcpy: detected field-spanning write (size 76) of single field
> "&params_le->channel_list[0]" at
> drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c:1072 (size
> 2)
> WARNING: CPU: 2 PID: 991 at
> drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c:1072
> brcmf_scan_params_v2_to_v1+0xd4/0x118 [brcmfmac]
> Modules linked in: qrtr(E) algif_hash(E) aes_neon_bs(E)
> aes_neon_blk(E) algif_skcipher(E) af_alg(E) bnep(E) brcmfmac_wcc(E)
> bcm2835_v4l2(CE) bcm2835_mmal_vchiq(CE) videobuf2_vmalloc(E)
> videobuf2_memops(E) videobuf2_v4l2(E) videodev(E) hci_uart(E)
> btsdio(E) videobuf2_common(E) btbcm(E) mc(E) snd_bcm2835(CE)
> bluetooth(E) snd_pcm(E) brcmfmac(E) snd_timer(E) cpufreq_dt(E) snd(E)
> soundcore(E) cfg80211(E) ecdh_generic(E) brcmutil(E)
> raspberrypi_cpufreq(E) rfkill(E) vchiq(CE) bcm2711_thermal(E)
> leds_gpio(E) fuse(E) efi_pstore(E) dmi_sysfs(E) ip_tables(E)
> x_tables(E) rpcsec_gss_krb5(E) auth_rpcgss(E) nfsv4(E) dns_resolver(E)
> nfs(E) lockd(E) grace(E) fscache(E) netfs(E) af_packet(E) mmc_block(E)
> xhci_pci(E) xhci_pci_renesas(E) xhci_hcd(E) usbcore(E) usb_common(E)
> clk_raspberrypi(E) gpio_raspberrypi_exp(E) bcm2835_dma(E)
> crct10dif_ce(E) virt_dma(E) pcie_brcmstb(E) sdhci_iproc(E)
> gpio_regulator(E) sdhci_pltfm(E) sdhci(E) mmc_core(E) fixed(E)
> nvmem_rmem(E) sunrpc(E) sg(E) dm_multipath(E) dm_mod(E) efivarfs(E)
> Unloaded tainted modules: aes_ce_cipher(E):1
> CPU: 2 PID: 991 Comm: wpa_supplicant Tainted: G C E
> 6.5.0-rc4-dynswiotlb+ #27 2ec0961165cc91fdbec101d9d43b3331ba4f0927
> Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2023.04 04/01/2023
> pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
> pc : brcmf_scan_params_v2_to_v1+0xd4/0x118 [brcmfmac]
> lr : brcmf_scan_params_v2_to_v1+0xd4/0x118 [brcmfmac]
> sp : ffff8000829ab590
> x29: ffff8000829ab590 x28: 0000000000000000 x27: 0000000000000001
> x26: ffff000105e7e0a4 x25: ffff00010a0bcb48 x24: ffff000101e03800
> x23: ffff000105ec8920 x22: ffff000106332980 x21: ffff00010a0bc0c0
> x20: ffff00010a0bcb90 x19: ffff00010a0bc108 x18: ffffffffffffffff
> x17: 0000000000000000 x16: 0000000000000000 x15: 616f72622f737365
> x14: 6c657269772f7465 x13: 616d666d6372622f x12: 31313230386d6372
> x11: 00000000ffffdfff x10: ffff800081ad3328 x9 : ffff800080130694
> x8 : 000000000002ffe8 x7 : c0000000ffffdfff x6 : 00000000000affa8
> x5 : ffff0001fef75e00 x4 : 0000000000000000 x3 : 0000000000000027
> x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff00010aa0e000
> Call trace:
> brcmf_scan_params_v2_to_v1+0xd4/0x118 [brcmfmac
> 38c4a81a3b85b4aff1650c67f95f20bc542d60c1]
> brcmf_run_escan+0x148/0x1a0 [brcmfmac 38c4a81a3b85b4aff1650c67f95f20bc542d60c1]
> brcmf_do_escan+0x74/0xe0 [brcmfmac 38c4a81a3b85b4aff1650c67f95f20bc542d60c1]
> brcmf_cfg80211_scan+0xcc/0x298 [brcmfmac 38c4a81a3b85b4aff1650c67f95f20bc542d60c1]
> rdev_scan+0x38/0x158 [cfg80211 8907673111c49ec56be88af3d38994cc1cf54cb8]
> cfg80211_scan+0x134/0x178 [cfg80211 8907673111c49ec56be88af3d38994cc1cf54cb8]
> nl80211_trigger_scan+0x3e8/0x768 [cfg80211 8907673111c49ec56be88af3d38994cc1cf54cb8]
> genl_family_rcv_msg_doit.isra.0+0xc0/0x130
> genl_rcv_msg+0x1e4/0x278
> netlink_rcv_skb+0x64/0x138
> genl_rcv+0x40/0x60
> netlink_unicast+0x1cc/0x2d8
> netlink_sendmsg+0x1d4/0x448
> sock_sendmsg+0x64/0xc0
> ____sys_sendmsg+0x260/0x2e0
> ___sys_sendmsg+0x88/0xf0
> __sys_sendmsg+0x70/0xd8
> __arm64_sys_sendmsg+0x2c/0x40
> invoke_syscall+0x78/0x100
> el0_svc_common.constprop.0+0x100/0x130
> do_el0_svc+0x40/0xa8
> el0_svc+0x34/0x138
> el0t_64_sync_handler+0x120/0x130
> el0t_64_sync+0x1a8/0x1b0
> ---[ end trace 0000000000000000 ]---
>
> Signed-off-by: Petr Tesarik <petr.tesarik.ext@huawei.com>
Is this the same issue as Hans' patch fixes?
https://patchwork.kernel.org/project/linux-wireless/patch/20230729140500.27892-1-hdegoede@redhat.com/
--
https://patchwork.kernel.org/project/linux-wireless/list/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
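Added example, not part of the original message or of the patch: a user-space C sketch of the layout change the quoted commit message describes. The structs params_old, params_new and scan_abort and all function names are simplified, hypothetical stand-ins, not the driver's definitions. It reproduces the 76-byte copy against a 2-byte field from the warning and shows the allocation-based sizing a flexible array uses instead.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simplified, hypothetical stand-ins for the driver's scan structs. */
struct params_old {                 /* before: [1] doubles as a variable-length tail */
    uint32_t channel_num;
    uint16_t channel_list[1];
};
struct params_new {                 /* after: a real flexible array member */
    uint32_t channel_num;
    uint16_t channel_list[];
};
struct scan_abort {                 /* after: fixed-size request, usable on the stack */
    uint32_t channel_num;
    uint16_t channel;               /* room for the one special chanspec */
};

/* Mirrors the comparison in the warning: bytes copied vs. size of the named field. */
int old_layout_warns(size_t n)
{
    size_t field = sizeof(((struct params_old *)0)->channel_list);   /* 2 bytes */
    return n * sizeof(uint16_t) > field;
}

/* With a flexible array the size comes from the allocation, not from the type. */
size_t new_params_size(size_t n)
{
    return offsetof(struct params_new, channel_list) + n * sizeof(uint16_t);
}

struct params_new *new_params(const uint16_t *chans, size_t n)
{
    struct params_new *p = malloc(new_params_size(n));
    if (!p)
        return NULL;
    p->channel_num = (uint32_t)n;
    memcpy(p->channel_list, chans, n * sizeof(uint16_t));
    return p;
}

struct scan_abort make_abort(void)
{
    struct scan_abort a = { .channel_num = 1, .channel = (uint16_t)-1 };
    return a;
}

int main(void) { return old_layout_warns(38) ? 0 : 1; }
```

Thirty-eight 16-bit chanspecs are the 76 bytes reported in the trace; a single chanspec fits the old 2-byte field, which is why only the abort case needed the one-element array.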