From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
To: Kees Cook <kees@kernel.org>,
Miri Korenblit <miriam.rachel.korenblit@intel.com>
Cc: Kalle Valo <kvalo@kernel.org>,
Johannes Berg <johannes.berg@intel.com>,
"Gustavo A . R . Silva" <gustavoars@kernel.org>,
Luca Coelho <luciano.coelho@intel.com>,
Gregory Greenman <gregory.greenman@intel.com>,
Yedidya Benshimol <yedidya.ben.shimol@intel.com>,
Haim Dreyfuss <haim.dreyfuss@intel.com>,
linux-wireless@vger.kernel.org,
Shaul Triebitz <shaul.triebitz@intel.com>,
Benjamin Berg <benjamin.berg@intel.com>,
Dmitry Antipov <dmantipov@yandex.ru>,
linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: Re: [PATCH] wifi: iwlwifi: mvm: Fix __counted_by usage in cfg80211_wowlan_nd_*
Date: Wed, 19 Jun 2024 15:22:09 -0600 [thread overview]
Message-ID: <202aeef9-ba5b-400b-8341-bc07fb394a19@embeddedor.com> (raw)
In-Reply-To: <20240619211233.work.355-kees@kernel.org>
On 19/06/24 23:12, Kees Cook wrote:
> Both struct cfg80211_wowlan_nd_match and struct cfg80211_wowlan_nd_info
> pre-allocate space for channels and matches, but then may end up using
> fewer that the full allocation. Shrink the associated counter
> (n_channels and n_matches) after counting the results. This avoids
> compile-time (and run-time) warnings from __counted_by. (The counter
> member needs to be updated _before_ accessing the array index.)
>
> Seen with coming GCC 15:
>
> drivers/net/wireless/intel/iwlwifi/mvm/d3.c: In function 'iwl_mvm_query_set_freqs':
> drivers/net/wireless/intel/iwlwifi/mvm/d3.c:2877:66: warning: operation on 'match->n_channels' may be undefined [-Wsequence-point]
> 2877 | match->channels[match->n_channels++] =
> | ~~~~~~~~~~~~~~~~~^~
> drivers/net/wireless/intel/iwlwifi/mvm/d3.c:2885:66: warning: operation on 'match->n_channels' may be undefined [-Wsequence-point]
> 2885 | match->channels[match->n_channels++] =
> | ~~~~~~~~~~~~~~~~~^~
> drivers/net/wireless/intel/iwlwifi/mvm/d3.c: In function 'iwl_mvm_query_netdetect_reasons':
> drivers/net/wireless/intel/iwlwifi/mvm/d3.c:2982:58: warning: operation on 'net_detect->n_matches' may be undefined [-Wsequence-point]
> 2982 | net_detect->matches[net_detect->n_matches++] = match;
> | ~~~~~~~~~~~~~~~~~~~~~^~
>
Nice catch! :)
> Fixes: aa4ec06c455d ("wifi: cfg80211: use __counted_by where appropriate")
> Signed-off-by: Kees Cook <kees@kernel.org>
Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Thanks
--
Gustavo
> ---
> Cc: Miri Korenblit <miriam.rachel.korenblit@intel.com>
> Cc: Kalle Valo <kvalo@kernel.org>
> Cc: Johannes Berg <johannes.berg@intel.com>
> Cc: Gustavo A. R. Silva <gustavoars@kernel.org>
> Cc: Luca Coelho <luciano.coelho@intel.com>
> Cc: Gregory Greenman <gregory.greenman@intel.com>
> Cc: Yedidya Benshimol <yedidya.ben.shimol@intel.com>
> Cc: Haim Dreyfuss <haim.dreyfuss@intel.com>
> Cc: linux-wireless@vger.kernel.org
> ---
> drivers/net/wireless/intel/iwlwifi/mvm/d3.c | 14 +++++++++++---
> 1 file changed, 11 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/d3.c b/drivers/net/wireless/intel/iwlwifi/mvm/d3.c
> index 54f4acbbd05b..9cd03ea4680d 100644
> --- a/drivers/net/wireless/intel/iwlwifi/mvm/d3.c
> +++ b/drivers/net/wireless/intel/iwlwifi/mvm/d3.c
> @@ -2866,6 +2866,7 @@ static void iwl_mvm_query_set_freqs(struct iwl_mvm *mvm,
> int idx)
> {
> int i;
> + int n_channels = 0;
>
> if (fw_has_api(&mvm->fw->ucode_capa,
> IWL_UCODE_TLV_API_SCAN_OFFLOAD_CHANS)) {
> @@ -2874,7 +2875,7 @@ static void iwl_mvm_query_set_freqs(struct iwl_mvm *mvm,
>
> for (i = 0; i < SCAN_OFFLOAD_MATCHING_CHANNELS_LEN * 8; i++)
> if (matches[idx].matching_channels[i / 8] & (BIT(i % 8)))
> - match->channels[match->n_channels++] =
> + match->channels[n_channels++] =
> mvm->nd_channels[i]->center_freq;
> } else {
> struct iwl_scan_offload_profile_match_v1 *matches =
> @@ -2882,9 +2883,11 @@ static void iwl_mvm_query_set_freqs(struct iwl_mvm *mvm,
>
> for (i = 0; i < SCAN_OFFLOAD_MATCHING_CHANNELS_LEN_V1 * 8; i++)
> if (matches[idx].matching_channels[i / 8] & (BIT(i % 8)))
> - match->channels[match->n_channels++] =
> + match->channels[n_channels++] =
> mvm->nd_channels[i]->center_freq;
> }
> + /* We may have ended up with fewer channels than we allocated. */
> + match->n_channels = n_channels;
> }
>
> /**
> @@ -2965,6 +2968,8 @@ static void iwl_mvm_query_netdetect_reasons(struct iwl_mvm *mvm,
> GFP_KERNEL);
> if (!net_detect || !n_matches)
> goto out_report_nd;
> + net_detect->n_matches = n_matches;
> + n_matches = 0;
>
> for_each_set_bit(i, &matched_profiles, mvm->n_nd_match_sets) {
> struct cfg80211_wowlan_nd_match *match;
> @@ -2978,8 +2983,9 @@ static void iwl_mvm_query_netdetect_reasons(struct iwl_mvm *mvm,
> GFP_KERNEL);
> if (!match)
> goto out_report_nd;
> + match->n_channels = n_channels;
>
> - net_detect->matches[net_detect->n_matches++] = match;
> + net_detect->matches[n_matches++] = match;
>
> /* We inverted the order of the SSIDs in the scan
> * request, so invert the index here.
> @@ -2994,6 +3000,8 @@ static void iwl_mvm_query_netdetect_reasons(struct iwl_mvm *mvm,
>
> iwl_mvm_query_set_freqs(mvm, d3_data->nd_results, match, i);
> }
> + /* We may have fewer matches than we allocated. */
> + net_detect->n_matches = n_matches;
>
> out_report_nd:
> wakeup.net_detect = net_detect;
next prev parent reply other threads:[~2024-06-19 21:22 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-06-19 21:12 [PATCH] wifi: iwlwifi: mvm: Fix __counted_by usage in cfg80211_wowlan_nd_* Kees Cook
2024-06-19 21:22 ` Gustavo A. R. Silva [this message]
2024-06-20 17:06 ` Christophe JAILLET
2024-06-20 18:02 ` Gustavo A. R. Silva
2024-06-20 18:08 ` Gustavo A. R. Silva
2024-06-20 18:53 ` Christophe JAILLET
2024-06-20 19:02 ` Gustavo A. R. Silva
2024-11-17 11:04 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202aeef9-ba5b-400b-8341-bc07fb394a19@embeddedor.com \
--to=gustavo@embeddedor.com \
--cc=benjamin.berg@intel.com \
--cc=dmantipov@yandex.ru \
--cc=gregory.greenman@intel.com \
--cc=gustavoars@kernel.org \
--cc=haim.dreyfuss@intel.com \
--cc=johannes.berg@intel.com \
--cc=kees@kernel.org \
--cc=kvalo@kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=luciano.coelho@intel.com \
--cc=miriam.rachel.korenblit@intel.com \
--cc=shaul.triebitz@intel.com \
--cc=yedidya.ben.shimol@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).