* [bug report] net: wwan: Add Qualcomm BAM-DMUX WWAN network driver
From: Dan Carpenter @ 2026-02-06 13:38 UTC (permalink / raw)
To: Stephan Gerhold; +Cc: Johannes Berg, netdev, linux-arm-msm, linux-kernel
[ Smatch checking is paused while we raise funding. #SadFace
  https://lore.kernel.org/all/aTaiGSbWZ9DJaGo7@stanley.mountain/ -dan ]

Hello Stephan Gerhold,

Commit 21a0ffd9b38c ("net: wwan: Add Qualcomm BAM-DMUX WWAN network
driver") from Nov 27, 2021 (linux-next), leads to the following
Smatch static checker warning:

        drivers/net/wwan/qcom_bam_dmux.c:505 bam_dmux_cmd_data()
        error: buffer overflow 'dmux->netdevs' 8 <= 255 user_rl='0-255' uncapped

drivers/net/wwan/qcom_bam_dmux.c
    500 static void bam_dmux_cmd_data(struct bam_dmux_skb_dma *skb_dma)
    501 {
    502         struct bam_dmux *dmux = skb_dma->dmux;
    503         struct sk_buff *skb = skb_dma->skb;
    504         struct bam_dmux_hdr *hdr = (struct bam_dmux_hdr *)skb->data;
--> 505         struct net_device *netdev = dmux->netdevs[hdr->ch];
                                                          ^^^^^^^
Smatch thinks skb->data is untrusted. This is the rx path.

    506
    507         if (!netdev || !netif_running(netdev)) {
    508                 dev_warn(dmux->dev, "Data for inactive channel %u\n", hdr->ch);
    509                 return;
    510         }
    511

regards,
dan carpenter
* Re: [bug report] net: wwan: Add Qualcomm BAM-DMUX WWAN network driver
From: Stephan Gerhold @ 2026-02-06 15:12 UTC (permalink / raw)
To: Dan Carpenter
Cc: Stephan Gerhold, Johannes Berg, netdev, linux-arm-msm,
linux-kernel
Hi Dan,
On Fri, Feb 06, 2026 at 04:38:30PM +0300, Dan Carpenter wrote:
> [ Smatch checking is paused while we raise funding. #SadFace
> https://lore.kernel.org/all/aTaiGSbWZ9DJaGo7@stanley.mountain/ -dan ]
>
> Hello Stephan Gerhold,
>
> Commit 21a0ffd9b38c ("net: wwan: Add Qualcomm BAM-DMUX WWAN network
> driver") from Nov 27, 2021 (linux-next), leads to the following
> Smatch static checker warning:
>
> drivers/net/wwan/qcom_bam_dmux.c:505 bam_dmux_cmd_data()
> error: buffer overflow 'dmux->netdevs' 8 <= 255 user_rl='0-255' uncapped
>
> drivers/net/wwan/qcom_bam_dmux.c
> 500 static void bam_dmux_cmd_data(struct bam_dmux_skb_dma *skb_dma)
> 501 {
> 502 struct bam_dmux *dmux = skb_dma->dmux;
> 503 struct sk_buff *skb = skb_dma->skb;
> 504 struct bam_dmux_hdr *hdr = (struct bam_dmux_hdr *)skb->data;
> --> 505 struct net_device *netdev = dmux->netdevs[hdr->ch];
> ^^^^^^^
> Smatch thinks skb->data is untrusted. This is the rx path.
>

Thanks a lot for the report!

I believe this is not a problem in practice, since there is an existing
check for this in bam_dmux_rx_callback() (which is the only function
that calls bam_dmux_cmd_data()):

        if (hdr->ch >= BAM_DMUX_NUM_CH) {
                dev_dbg(dmux->dev, "Unsupported channel: %u\n", hdr->ch);
                goto out;
        }

        switch (hdr->cmd) {
        case BAM_DMUX_CMD_DATA:
                bam_dmux_cmd_data(skb_dma);
                break;

Is that something Smatch should be able to detect?

Thanks,
Stephan
* Re: [bug report] net: wwan: Add Qualcomm BAM-DMUX WWAN network driver
From: Dan Carpenter @ 2026-02-06 15:23 UTC (permalink / raw)
To: Stephan Gerhold
Cc: Stephan Gerhold, Johannes Berg, netdev, linux-arm-msm,
linux-kernel
On Fri, Feb 06, 2026 at 04:12:17PM +0100, Stephan Gerhold wrote:
> Hi Dan,
>
> On Fri, Feb 06, 2026 at 04:38:30PM +0300, Dan Carpenter wrote:
> > [ Smatch checking is paused while we raise funding. #SadFace
> > https://lore.kernel.org/all/aTaiGSbWZ9DJaGo7@stanley.mountain/ -dan ]
> >
> > Hello Stephan Gerhold,
> >
> > Commit 21a0ffd9b38c ("net: wwan: Add Qualcomm BAM-DMUX WWAN network
> > driver") from Nov 27, 2021 (linux-next), leads to the following
> > Smatch static checker warning:
> >
> > drivers/net/wwan/qcom_bam_dmux.c:505 bam_dmux_cmd_data()
> > error: buffer overflow 'dmux->netdevs' 8 <= 255 user_rl='0-255' uncapped
> >
> > drivers/net/wwan/qcom_bam_dmux.c
> > 500 static void bam_dmux_cmd_data(struct bam_dmux_skb_dma *skb_dma)
> > 501 {
> > 502 struct bam_dmux *dmux = skb_dma->dmux;
> > 503 struct sk_buff *skb = skb_dma->skb;
> > 504 struct bam_dmux_hdr *hdr = (struct bam_dmux_hdr *)skb->data;
> > --> 505 struct net_device *netdev = dmux->netdevs[hdr->ch];
> > ^^^^^^^
> > Smatch thinks skb->data is untrusted. This is the rx path.
> >
>
> Thanks a lot for the report!
>
> I believe this is not a problem in practice, since there is an existing
> check for this in bam_dmux_rx_callback() (which is the only function
> that calls bam_dmux_cmd_data()):
>
> if (hdr->ch >= BAM_DMUX_NUM_CH) {
> dev_dbg(dmux->dev, "Unsupported channel: %u\n", hdr->ch);
> goto out;
> }
>
> switch (hdr->cmd) {
> case BAM_DMUX_CMD_DATA:
> bam_dmux_cmd_data(skb_dma);
> break;
>
> Is that something Smatch should be able to detect?
>

Ah, you are right. Thanks.

The problem is that skb->data is a buffer of u8 data. Smatch does cross
function analysis, but it treats a buffer like that as opaque data.

Btw, I see that this code is actually from five years ago so I don't know
why it's showing up as a warning now. :/ Sorry about that.

regards,
dan carpenter
* [bug report] phy: qcom: qmp-usbc: Add QCS615 USB/DP PHY config and DP mode support
From: Dan Carpenter @ 2026-02-06 13:39 UTC (permalink / raw)
To: Xiangxu Yin; +Cc: Neil Armstrong, linux-arm-msm, linux-phy, linux-kernel
[ Smatch checking is paused while we raise funding. #SadFace
  https://lore.kernel.org/all/aTaiGSbWZ9DJaGo7@stanley.mountain/ -dan ]

Hello Xiangxu Yin,

Commit 81791c45c8e0 ("phy: qcom: qmp-usbc: Add QCS615 USB/DP PHY
config and DP mode support") from Dec 15, 2025 (linux-next), leads to
the following Smatch static checker warning:

        drivers/phy/qualcomm/phy-qcom-qmp-usbc.c:803 qmp_v2_configure_dp_swing()
        index hardmax out of bounds '(*cfg->swing_tbl)[v_level]' size=4 max='4' rl='0-4'

drivers/phy/qualcomm/phy-qcom-qmp-usbc.c
    777 static int qmp_v2_configure_dp_swing(struct qmp_usbc *qmp)
    778 {
    779         const struct qmp_phy_cfg *cfg = qmp->cfg;
    780         const struct phy_configure_opts_dp *dp_opts = &qmp->dp_opts;
    781         void __iomem *tx = qmp->dp_tx;
    782         void __iomem *tx2 = qmp->dp_tx2;
    783         unsigned int v_level = 0, p_level = 0;
    784         u8 voltage_swing_cfg, pre_emphasis_cfg;
    785         int i;
    786
    787         if (dp_opts->lanes > 4) {
    788                 dev_err(qmp->dev, "Invalid lane_num(%d)\n", dp_opts->lanes);
    789                 return -EINVAL;
    790         }
    791
    792         for (i = 0; i < dp_opts->lanes; i++) {
    793                 v_level = max(v_level, dp_opts->voltage[i]);
    794                 p_level = max(p_level, dp_opts->pre[i]);
    795         }
    796
    797         if (v_level > 4 || p_level > 4) {

These should be >= 4 instead of >.

    798                 dev_err(qmp->dev, "Invalid v(%d) | p(%d) level)\n",
    799                         v_level, p_level);
    800                 return -EINVAL;
    801         }
    802
--> 803         voltage_swing_cfg = (*cfg->swing_tbl)[v_level][p_level];
                                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This is a 4x4 array.

    804         pre_emphasis_cfg = (*cfg->pre_emphasis_tbl)[v_level][p_level];
    805
    806         voltage_swing_cfg |= DP_PHY_TXn_TX_DRV_LVL_MUX_EN;
    807         pre_emphasis_cfg |= DP_PHY_TXn_TX_EMP_POST1_LVL_MUX_EN;
    808
    809         if (voltage_swing_cfg == 0xff && pre_emphasis_cfg == 0xff)
    810                 return -EINVAL;
    811
    812         writel(voltage_swing_cfg, tx + QSERDES_V2_TX_TX_DRV_LVL);
    813         writel(pre_emphasis_cfg, tx + QSERDES_V2_TX_TX_EMP_POST1_LVL);
    814         writel(voltage_swing_cfg, tx2 + QSERDES_V2_TX_TX_DRV_LVL);
    815         writel(pre_emphasis_cfg, tx2 + QSERDES_V2_TX_TX_EMP_POST1_LVL);
    816
    817         return 0;
    818 }

regards,
dan carpenter
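
The off-by-one reported above, as an added user-space C model (not code from the driver or from anyone in this thread): the quoted "> 4" check lets level 4 through to a 4x4 table, while a bound taken from the table's own dimensions rejects it. The table values, the sample lane arrays and the names accepted_as_posted() and swing_lookup() are constructed for illustration.

```c
#include <errno.h>
#include <stdint.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed 4x4 table; the values are placeholders, not the driver's. */
static const uint8_t swing_tbl[4][4] = {
	{ 0x01, 0x02, 0x03, 0x04 },
	{ 0x11, 0x12, 0x13, 0xff },
	{ 0x21, 0x22, 0xff, 0xff },
	{ 0x31, 0xff, 0xff, 0xff },
};

/* Constructed per-lane requests: one stays in range, one asks for level 4. */
static const unsigned int lanes_ok[2] = { 1, 3 };
static const unsigned int lanes_bad[2] = { 1, 4 };
static const unsigned int lanes_pre[2] = { 0, 0 };

/* The check as quoted in the report: 4 passes, but valid indexes are 0..3. */
static int accepted_as_posted(unsigned int v, unsigned int p)
{
	return !(v > 4 || p > 4);
}

/* Returns the table entry (0..255) or -EINVAL; bounds come from the table. */
static int swing_lookup(const unsigned int *voltage, const unsigned int *pre,
			unsigned int lanes)
{
	unsigned int v = 0, p = 0, i;

	if (lanes > 4)
		return -EINVAL;
	for (i = 0; i < lanes; i++) {
		v = voltage[i] > v ? voltage[i] : v;
		p = pre[i] > p ? pre[i] : p;
	}
	if (v >= ARRAY_SIZE(swing_tbl) || p >= ARRAY_SIZE(swing_tbl[0]))
		return -EINVAL;
	return swing_tbl[v][p];
}

int main(void)
{
	/* Exit 0 when level 4 is rejected and level 3 resolves to row 3. */
	return !(accepted_as_posted(4, 0) &&
		 swing_lookup(lanes_bad, lanes_pre, 2) == -EINVAL &&
		 swing_lookup(lanes_ok, lanes_pre, 2) == 0x31);
}
```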
* Re: [bug report] phy: qcom: qmp-usbc: Add QCS615 USB/DP PHY config and DP mode support
From: Konrad Dybcio @ 2026-02-17 15:27 UTC (permalink / raw)
To: Dan Carpenter, Xiangxu Yin
Cc: Neil Armstrong, linux-arm-msm, linux-phy, linux-kernel,
Dmitry Baryshkov
On 2/6/26 2:39 PM, Dan Carpenter wrote:
> [ Smatch checking is paused while we raise funding. #SadFace
> https://lore.kernel.org/all/aTaiGSbWZ9DJaGo7@stanley.mountain/ -dan ]
>
> Hello Xiangxu Yin,
>
> Commit 81791c45c8e0 ("phy: qcom: qmp-usbc: Add QCS615 USB/DP PHY
> config and DP mode support") from Dec 15, 2025 (linux-next), leads to
> the following Smatch static checker warning:
>
> drivers/phy/qualcomm/phy-qcom-qmp-usbc.c:803 qmp_v2_configure_dp_swing()
> index hardmax out of bounds '(*cfg->swing_tbl)[v_level]' size=4 max='4' rl='0-4'
>
> drivers/phy/qualcomm/phy-qcom-qmp-usbc.c
> 777 static int qmp_v2_configure_dp_swing(struct qmp_usbc *qmp)
> 778 {
> 779 const struct qmp_phy_cfg *cfg = qmp->cfg;
> 780 const struct phy_configure_opts_dp *dp_opts = &qmp->dp_opts;
> 781 void __iomem *tx = qmp->dp_tx;
> 782 void __iomem *tx2 = qmp->dp_tx2;
> 783 unsigned int v_level = 0, p_level = 0;
> 784 u8 voltage_swing_cfg, pre_emphasis_cfg;
> 785 int i;
> 786
> 787 if (dp_opts->lanes > 4) {
> 788 dev_err(qmp->dev, "Invalid lane_num(%d)\n", dp_opts->lanes);
> 789 return -EINVAL;
> 790 }
> 791
> 792 for (i = 0; i < dp_opts->lanes; i++) {
> 793 v_level = max(v_level, dp_opts->voltage[i]);
> 794 p_level = max(p_level, dp_opts->pre[i]);
> 795 }
> 796
> 797 if (v_level > 4 || p_level > 4) {
>
> These should be >= 4 instead of >.
>
> 798 dev_err(qmp->dev, "Invalid v(%d) | p(%d) level)\n",
> 799 v_level, p_level);
> 800 return -EINVAL;
> 801 }
> 802
> --> 803 voltage_swing_cfg = (*cfg->swing_tbl)[v_level][p_level];
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> This is a 4x4 array.

Thanks Dan for the report

Xiangxu, are you planning to send a patch to address that?

Konrad
* Re: [bug report] phy: qcom: qmp-usbc: Add QCS615 USB/DP PHY config and DP mode support
From: Xiangxu Yin @ 2026-02-27 5:11 UTC (permalink / raw)
To: Konrad Dybcio, Dan Carpenter
Cc: Neil Armstrong, linux-arm-msm, linux-phy, linux-kernel,
Dmitry Baryshkov, li.liu
On 2/17/2026 11:27 PM, Konrad Dybcio wrote:
> On 2/6/26 2:39 PM, Dan Carpenter wrote:
>> [ Smatch checking is paused while we raise funding. #SadFace
>> https://lore.kernel.org/all/aTaiGSbWZ9DJaGo7@stanley.mountain/ -dan ]
>>
>> Hello Xiangxu Yin,
>>
>> Commit 81791c45c8e0 ("phy: qcom: qmp-usbc: Add QCS615 USB/DP PHY
>> config and DP mode support") from Dec 15, 2025 (linux-next), leads to
>> the following Smatch static checker warning:
>>
>> drivers/phy/qualcomm/phy-qcom-qmp-usbc.c:803 qmp_v2_configure_dp_swing()
>> index hardmax out of bounds '(*cfg->swing_tbl)[v_level]' size=4 max='4' rl='0-4'
>>
>> drivers/phy/qualcomm/phy-qcom-qmp-usbc.c
>> 777 static int qmp_v2_configure_dp_swing(struct qmp_usbc *qmp)
>> 778 {
>> 779 const struct qmp_phy_cfg *cfg = qmp->cfg;
>> 780 const struct phy_configure_opts_dp *dp_opts = &qmp->dp_opts;
>> 781 void __iomem *tx = qmp->dp_tx;
>> 782 void __iomem *tx2 = qmp->dp_tx2;
>> 783 unsigned int v_level = 0, p_level = 0;
>> 784 u8 voltage_swing_cfg, pre_emphasis_cfg;
>> 785 int i;
>> 786
>> 787 if (dp_opts->lanes > 4) {
>> 788 dev_err(qmp->dev, "Invalid lane_num(%d)\n", dp_opts->lanes);
>> 789 return -EINVAL;
>> 790 }
>> 791
>> 792 for (i = 0; i < dp_opts->lanes; i++) {
>> 793 v_level = max(v_level, dp_opts->voltage[i]);
>> 794 p_level = max(p_level, dp_opts->pre[i]);
>> 795 }
>> 796
>> 797 if (v_level > 4 || p_level > 4) {
>>
>> These should be >= 4 instead of >.
>>
>> 798 dev_err(qmp->dev, "Invalid v(%d) | p(%d) level)\n",
>> 799 v_level, p_level);
>> 800 return -EINVAL;
>> 801 }
>> 802
>> --> 803 voltage_swing_cfg = (*cfg->swing_tbl)[v_level][p_level];
>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>> This is a 4x4 array.
> Thanks Dan for the report
>
> Xiangxu, are you planning to send a patch to address that?
>
> Konrad
Thanks for the notice, Dan & Konrad.
I just got back from a long leave and will submit the relevant patches as soon as possible.
* [bug report] media: iris: gen1: Destroy internal buffers after FW releases
From: Dan Carpenter @ 2026-02-06 13:39 UTC (permalink / raw)
To: Dikshita Agarwal; +Cc: Abhinav Kumar, linux-media, linux-arm-msm, linux-kernel
[ Smatch checking is paused while we raise funding. #SadFace
  https://lore.kernel.org/all/aTaiGSbWZ9DJaGo7@stanley.mountain/ -dan ]

Hello Dikshita Agarwal,

Commit 1dabf00ee206 ("media: iris: gen1: Destroy internal buffers
after FW releases") from Dec 29, 2025 (linux-next), leads to the
following Smatch static checker warning:

        drivers/media/platform/qcom/iris/iris_buffer.c:588 iris_release_internal_buffers()
        error: dereferencing freed memory 'buffer' (line 585)

drivers/media/platform/qcom/iris/iris_buffer.c
    572 static int iris_release_internal_buffers(struct iris_inst *inst,
    573                                          enum iris_buffer_type buffer_type)
    574 {
    575         const struct iris_hfi_command_ops *hfi_ops = inst->core->hfi_ops;
    576         struct iris_buffers *buffers = &inst->buffers[buffer_type];
    577         struct iris_buffer *buffer, *next;
    578         int ret;
    579
    580         list_for_each_entry_safe(buffer, next, &buffers->list, list) {
    581                 if (buffer->attr & BUF_ATTR_PENDING_RELEASE)
    582                         continue;
    583                 if (!(buffer->attr & BUF_ATTR_QUEUED))
    584                         continue;
    585                 ret = hfi_ops->session_release_buf(inst, buffer);

The commit adds a free of buffer to ->session_release_buf().

    586                 if (ret)
    587                         return ret;
--> 588                 buffer->attr |= BUF_ATTR_PENDING_RELEASE;
                        ^^^^^^^^^^^^
Use after free.

    589         }
    590
    591         return 0;
    592 }

regards,
dan carpenter