From: Simon Horman <simon.horman@corigine.com>
To: "Alexey V. Vissarionov" <gremlin@altlinux.org>
Cc: "Arend van Spriel" <aspriel@gmail.com>,
"Franky Lin" <franky.lin@broadcom.com>,
"Hante Meuleman" <hante.meuleman@broadcom.com>,
"Kalle Valo" <kvalo@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
"Eric Dumazet" <edumazet@google.com>,
"Jakub Kicinski" <kuba@kernel.org>,
"Paolo Abeni" <pabeni@redhat.com>,
"Alvin Šipraga" <alsi@bang-olufsen.dk>,
"Chi-hsien Lin" <chi-hsien.lin@cypress.com>,
"Ahmad Fatoum" <a.fatoum@pengutronix.de>,
"Wataru Gohda" <wataru.gohda@cypress.com>,
"Sebastian Andrzej Siewior" <bigeasy@linutronix.de>,
"Wolfram Sang" <wsa+renesas@sang-engineering.com>,
"Pieter-Paul Giesberts" <pieter-paul.giesberts@broadcom.com>,
linux-wireless@vger.kernel.org,
brcm80211-dev-list.pdl@broadcom.com,
SHA-cyfmac-dev-list@infineon.com, netdev@vger.kernel.org,
lvc-project@linuxtesting.org
Subject: Re: [PATCH] wifi: brcmfmac: Fix allocation size
Date: Tue, 17 Jan 2023 12:13:06 +0100 [thread overview]
Message-ID: <Y8aCwr0BEi6zZEwO@corigine.com> (raw)
In-Reply-To: <20230117104508.GB12547@altlinux.org>
On Tue, Jan 17, 2023 at 01:45:08PM +0300, Alexey V. Vissarionov wrote:
> The "pkt" is a pointer to struct sk_buff, so it's just 4 or 8
> bytes, while the structure itself is much bigger.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: bbd1f932e7c45ef1 ("brcmfmac: cleanup ampdu-rx host reorder code")
> Signed-off-by: Alexey V. Vissarionov <gremlin@altlinux.org>
>
> diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
> index 36af81975855c525..0d283456da331464 100644
> --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
> +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
> @@ -1711,7 +1711,7 @@ void brcmf_fws_rxreorder(struct brcmf_if *ifp, struct sk_buff *pkt)
> buf_size = sizeof(*rfi);
> max_idx = reorder_data[BRCMF_RXREORDER_MAXIDX_OFFSET];
>
> - buf_size += (max_idx + 1) * sizeof(pkt);
> + buf_size += (max_idx + 1) * sizeof(struct sk_buff);
>
> /* allocate space for flow reorder info */
> brcmf_dbg(INFO, "flow-%d: start, maxidx %d\n",
Hi Alexey,
This is followed by:
rfi = kzalloc(buf_size, GFP_ATOMIC);
...
rfi->pktslots = (struct sk_buff **)(rfi + 1);
The type of rfi is struct brcmf_ampdu_rx_reorder, which looks like this:
struct brcmf_ampdu_rx_reorder {
struct sk_buff **pktslots;
...
};
And it looks to me that pkt is used as an array of (struct sk_buff *).
So in all, it seems to me that the current code is correct.
Is there a particular code that leads you to think otherwise?
Kind regards,
Simon
next prev parent reply other threads:[~2023-01-17 11:14 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-17 10:45 [PATCH] wifi: brcmfmac: Fix allocation size Alexey V. Vissarionov
2023-01-17 11:05 ` Kalle Valo
2023-01-17 11:21 ` Alexey V. Vissarionov
2023-01-18 3:59 ` Kalle Valo
2023-01-17 11:13 ` Simon Horman [this message]
2023-01-17 11:54 ` Alexey V. Vissarionov
2023-01-17 13:56 ` Arend van Spriel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Y8aCwr0BEi6zZEwO@corigine.com \
--to=simon.horman@corigine.com \
--cc=SHA-cyfmac-dev-list@infineon.com \
--cc=a.fatoum@pengutronix.de \
--cc=alsi@bang-olufsen.dk \
--cc=aspriel@gmail.com \
--cc=bigeasy@linutronix.de \
--cc=brcm80211-dev-list.pdl@broadcom.com \
--cc=chi-hsien.lin@cypress.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=franky.lin@broadcom.com \
--cc=gremlin@altlinux.org \
--cc=hante.meuleman@broadcom.com \
--cc=kuba@kernel.org \
--cc=kvalo@kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=lvc-project@linuxtesting.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=pieter-paul.giesberts@broadcom.com \
--cc=wataru.gohda@cypress.com \
--cc=wsa+renesas@sang-engineering.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.