From: Petr Tesarik <petrtesarik@huaweicloud.com>
To: Arend van Spriel <aspriel@gmail.com>,
Franky Lin <franky.lin@broadcom.com>,
Hante Meuleman <hante.meuleman@broadcom.com>,
Kalle Valo <kvalo@kernel.org>,
Chi-hsien Lin <chi-hsien.lin@infineon.com>,
Ian Lin <ian.lin@infineon.com>,
Wright Feng <wright.feng@cypress.com>,
Hector Martin <marcan@marcan.st>,
Prasanna Kerekoppa <prasanna.kerekoppa@cypress.com>,
Hans de Goede <hdegoede@redhat.com>,
Ramesh Rangavittal <ramesh.rangavittal@infineon.com>,
Linus Walleij <linus.walleij@linaro.org>,
Kees Cook <keescook@chromium.org>,
"Gustavo A. R. Silva" <gustavoars@kernel.org>,
Ryohei Kondo <ryohei.kondo@cypress.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
"Jason A. Donenfeld" <Jason@zx2c4.com>,
"Darrick J. Wong" <djwong@kernel.org>,
Jason Gunthorpe <jgg@ziepe.ca>,
Brian Henriquez <brian.henriquez@cypress.com>,
linux-wireless@vger.kernel.org (open list:BROADCOM BRCM80211 IEEE802.11n WIRELESS DRIVER),
brcm80211-dev-list.pdl@broadcom.com (open list:BROADCOM BRCM80211 IEEE802.11n WIRELESS DRIVER),
SHA-cyfmac-dev-list@infineon.com (open list:BROADCOM BRCM80211 IEEE802.11n WIRELESS DRIVER),
linux-kernel@vger.kernel.org (open list)
Cc: Roberto Sassu <roberto.sassu@huaweicloud.com>, petr@tesarici.cz
Subject: [PATCH v1 0/3] wifi: brcm80211: avoid memcpy warning when CONFIG_FORTIFY_SOURCE=y
Date: Tue, 1 Aug 2023 17:36:39 +0200 [thread overview]
Message-ID: <cover.1690904067.git.petr.tesarik.ext@huawei.com> (raw)
From: Petr Tesarik <petr.tesarik.ext@huawei.com>
When built with CONFIG_FORTIFY_SOURCE=y, the brcmfmac module triggers a
memcpy() warning like this:
------------[ cut here ]------------
memcpy: detected field-spanning write (size 76) of single field "&params_le->channel_list[0]" at drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c:1072 (size 2)
WARNING: CPU: 2 PID: 991 at drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c:1072 brcmf_scan_params_v2_to_v1+0xd4/0x118 [brcmfmac]
Modules linked in: qrtr(E) algif_hash(E) aes_neon_bs(E) aes_neon_blk(E) algif_skcipher(E) af_alg(E) bnep(E) brcmfmac_wcc(E) bcm2835_v4l2(CE) bcm2835_mmal_vchiq(CE) videobuf2_vmalloc(E) videobuf2_memops(E) videobuf2_v4l2(E) videodev(E) hci_uart(E) btsdio(E) videobuf2_common(E) btbcm(E) mc(E) snd_bcm2835(CE) bluetooth(E) snd_pcm(E) brcmfmac(E) snd_timer(E) cpufreq_dt(E) snd(E) soundcore(E) cfg80211(E) ecdh_generic(E) brcmutil(E) raspberrypi_cpufreq(E) rfkill(E) vchiq(CE) bcm2711_thermal(E) leds_gpio(E) fuse(E) efi_pstore(E) dmi_sysfs(E) ip_tables(E) x_tables(E) rpcsec_gss_krb5(E) auth_rpcgss(E) nfsv4(E) dns_resolver(E) nfs(E) lockd(E) grace(E) fscache(E) netfs(E) af_packet(E) mmc_block(E) xhci_pci(E) xhci_pci_renesas(E) xhci_hcd(E) usbcore(E) usb_common(E) clk_raspberrypi(E) gpio_raspberrypi_exp(E) bcm2835_dma(E) crct10dif_ce(E) virt_dma(E) pcie_brcmstb(E) sdhci_iproc(E) gpio_regulator(E) sdhci_pltfm(E) sdhci(E) mmc_core(E) fixed(E) nvmem_rmem(E) sunrpc(E) sg(E) dm_multipath(E) dm_mod(E) efivarfs(E)
Unloaded tainted modules: aes_ce_cipher(E):1
CPU: 2 PID: 991 Comm: wpa_supplicant Tainted: G C E 6.5.0-rc4-dynswiotlb+ #27 2ec0961165cc91fdbec101d9d43b3331ba4f0927
Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2023.04 04/01/2023
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : brcmf_scan_params_v2_to_v1+0xd4/0x118 [brcmfmac]
lr : brcmf_scan_params_v2_to_v1+0xd4/0x118 [brcmfmac]
sp : ffff8000829ab590
x29: ffff8000829ab590 x28: 0000000000000000 x27: 0000000000000001
x26: ffff000105e7e0a4 x25: ffff00010a0bcb48 x24: ffff000101e03800
x23: ffff000105ec8920 x22: ffff000106332980 x21: ffff00010a0bc0c0
x20: ffff00010a0bcb90 x19: ffff00010a0bc108 x18: ffffffffffffffff
x17: 0000000000000000 x16: 0000000000000000 x15: 616f72622f737365
x14: 6c657269772f7465 x13: 616d666d6372622f x12: 31313230386d6372
x11: 00000000ffffdfff x10: ffff800081ad3328 x9 : ffff800080130694
x8 : 000000000002ffe8 x7 : c0000000ffffdfff x6 : 00000000000affa8
x5 : ffff0001fef75e00 x4 : 0000000000000000 x3 : 0000000000000027
x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff00010aa0e000
Call trace:
brcmf_scan_params_v2_to_v1+0xd4/0x118 [brcmfmac 38c4a81a3b85b4aff1650c67f95f20bc542d60c1]
brcmf_run_escan+0x148/0x1a0 [brcmfmac 38c4a81a3b85b4aff1650c67f95f20bc542d60c1]
brcmf_do_escan+0x74/0xe0 [brcmfmac 38c4a81a3b85b4aff1650c67f95f20bc542d60c1]
brcmf_cfg80211_scan+0xcc/0x298 [brcmfmac 38c4a81a3b85b4aff1650c67f95f20bc542d60c1]
rdev_scan+0x38/0x158 [cfg80211 8907673111c49ec56be88af3d38994cc1cf54cb8]
cfg80211_scan+0x134/0x178 [cfg80211 8907673111c49ec56be88af3d38994cc1cf54cb8]
nl80211_trigger_scan+0x3e8/0x768 [cfg80211 8907673111c49ec56be88af3d38994cc1cf54cb8]
genl_family_rcv_msg_doit.isra.0+0xc0/0x130
genl_rcv_msg+0x1e4/0x278
netlink_rcv_skb+0x64/0x138
genl_rcv+0x40/0x60
netlink_unicast+0x1cc/0x2d8
netlink_sendmsg+0x1d4/0x448
sock_sendmsg+0x64/0xc0
____sys_sendmsg+0x260/0x2e0
___sys_sendmsg+0x88/0xf0
__sys_sendmsg+0x70/0xd8
__arm64_sys_sendmsg+0x2c/0x40
invoke_syscall+0x78/0x100
el0_svc_common.constprop.0+0x100/0x130
do_el0_svc+0x40/0xa8
el0_svc+0x34/0x138
el0t_64_sync_handler+0x120/0x130
el0t_64_sync+0x1a8/0x1b0
---[ end trace 0000000000000000 ]---
This is in fact a false positive, but the data structures can be improved
to make the checker happy.
Tested on a Raspberry Pi 4 by running scans in a loop while activating and
deactivating the wireless connection in parallel to cause scan aborts.
Petr Tesarik (3):
wifi: brcm80211: drop struct brcmf_p2p_scan_le
wifi: brcm80211: separate abort scan param prepare from actual scan
wifi: brcm80211: change channel_list to a flexible array
.../broadcom/brcm80211/brcmfmac/cfg80211.c | 67 ++++++++++---------
.../broadcom/brcm80211/brcmfmac/fwil_types.h | 14 +++-
.../broadcom/brcm80211/brcmfmac/p2p.c | 38 +++--------
3 files changed, 57 insertions(+), 62 deletions(-)
--
2.25.1
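The layout change the series describes (a one-element channel_list used as a variable-length tail versus a true flexible array), shown as an added stand-alone example that is not part of the patch set or of the brcmfmac driver. The struct and field names scan_params_old / scan_params_flex are assumptions standing in for the real definitions in fwil_types.h (which use __le16 channels), the 38-channel input is constructed to match the 76-byte copy in the trace, and old_layout_field_spanning() only restates the comparison the fortified memcpy() makes rather than calling the kernel's checker:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed stand-ins for the driver's scan parameter structs; the real
 * definitions live in brcmfmac/fwil_types.h and use __le16 channels. */
struct scan_params_old {
	uint32_t nprobes;
	uint32_t channel_num;
	uint16_t channel_list[1];	/* one-element array used as a tail */
};

struct scan_params_flex {
	uint32_t nprobes;
	uint32_t channel_num;
	uint16_t channel_list[];	/* true flexible array member */
};

/* The rule the fortified memcpy() applies: when the destination is a field
 * with a compile-time size and the copy is longer, it is reported as a
 * field-spanning write. In the old layout that field is 2 bytes. */
int old_layout_field_spanning(size_t nchan)
{
	size_t copy_len = nchan * sizeof(uint16_t);
	size_t field_len = sizeof(((struct scan_params_old *)0)->channel_list);

	return copy_len > field_len;
}

/* Sizing with the old idiom: sizeof() already includes one element plus (on
 * the usual ABIs) tail padding, so callers subtract an element and still
 * over-allocate. */
size_t old_layout_size(size_t nchan)
{
	return sizeof(struct scan_params_old) + (nchan - 1) * sizeof(uint16_t);
}

/* struct_size()-style sizing for the flexible layout; returns 0 on overflow. */
size_t flex_layout_size(size_t nchan)
{
	size_t hdr = offsetof(struct scan_params_flex, channel_list);

	if (nchan > (SIZE_MAX - hdr) / sizeof(uint16_t))
		return 0;
	return hdr + nchan * sizeof(uint16_t);
}

/* Allocate exactly header + nchan elements and copy into the flexible member:
 * a destination without a declared bound gives the checker no 2-byte field
 * size to compare the copy against. */
struct scan_params_flex *build_scan(const uint16_t *chans, size_t nchan)
{
	size_t len = flex_layout_size(nchan);
	struct scan_params_flex *p;

	if (!len)
		return NULL;
	p = calloc(1, len);
	if (!p)
		return NULL;
	p->nprobes = 1;
	p->channel_num = (uint32_t)nchan;
	memcpy(p->channel_list, chans, nchan * sizeof(uint16_t));
	return p;
}

/* Constructed input: 38 channels, i.e. the 76-byte copy seen in the trace. */
uint16_t demo_last_channel(void)
{
	uint16_t chans[38], last = 0;
	struct scan_params_flex *p;
	size_t i;

	for (i = 0; i < 38; i++)
		chans[i] = (uint16_t)(i + 1);
	p = build_scan(chans, 38);
	if (p) {
		last = p->channel_list[p->channel_num - 1];
		free(p);
	}
	return last;
}

int main(void)
{
	printf("old layout: %zu-byte copy into a %zu-byte field -> spanning=%d\n",
	       38 * sizeof(uint16_t),
	       sizeof(((struct scan_params_old *)0)->channel_list),
	       old_layout_field_spanning(38));
	printf("old sizing: %zu bytes, flex sizing: %zu bytes\n",
	       old_layout_size(38), flex_layout_size(38));
	printf("last channel of a 38-entry scan: %u\n", (unsigned)demo_last_channel());
	return 0;
}
```

The numbers line up with the warning text: 38 channels of 2 bytes are the "size 76" copy, and sizeof the one-element channel_list is the "size 2" field. With the flexible member the allocation is computed from offsetof() plus the element count, with an overflow check in the style of the kernel's struct_size(), and the copy length is exactly the number of bytes allocated for the member.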