From: Dan Carpenter <dan.carpenter@oracle.com>
To: brian@cozybit.com
Cc: linux-wireless@vger.kernel.org
Subject: re: mwl8k: differentiate between WMM queues and AMPDU queues
Date: Thu, 5 Dec 2013 13:34:48 +0300 [thread overview]
Message-ID: <20131205103448.GA3091@elgon.mountain> (raw)
Hello Brian Cavagnolo,
The patch e600707b021e: "mwl8k: differentiate between WMM queues and
AMPDU queues" from Mar 17, 2011, leads to the following
static checker warning: "drivers/net/wireless/mwl8k.c:2456
mwl8k_cmd_get_hw_spec_sta()
error: buffer overflow 'cmd->tx_queue_ptrs' 4 <= 11"
drivers/net/wireless/mwl8k.c
98 #define MWL8K_RX_QUEUES 1
99 #define MWL8K_TX_WMM_QUEUES 4
100 #define MWL8K_MAX_AMPDU_QUEUES 8
101 #define MWL8K_MAX_TX_QUEUES (MWL8K_TX_WMM_QUEUES + MWL8K_MAX_AMPDU_QUEUES)
102 #define mwl8k_tx_queues(priv) (MWL8K_TX_WMM_QUEUES + (priv)->num_ampdu_queues)
103
In theory mwl8k_tx_queues() is 4-12 as we can see below.
2539 priv->ap_macids_supported = 0x000000ff;
2540 priv->sta_macids_supported = 0x00000100;
2541 priv->num_ampdu_queues = le32_to_cpu(cmd->num_of_ampdu_queues);
2542 if (priv->num_ampdu_queues > MWL8K_MAX_AMPDU_QUEUES) {
2543 wiphy_warn(hw->wiphy, "fw reported %d ampdu queues"
2544 " but we only support %d.\n",
2545 priv->num_ampdu_queues,
2546 MWL8K_MAX_AMPDU_QUEUES);
2547 priv->num_ampdu_queues = MWL8K_MAX_AMPDU_QUEUES;
2548 }
->num_ampdu_queues can go up to 8.
2454 cmd->num_tx_queues = cpu_to_le32(mwl8k_tx_queues(priv));
2455 for (i = 0; i < mwl8k_tx_queues(priv); i++)
2456 cmd->tx_queue_ptrs[i] = cpu_to_le32(priv->txq[i].txd_dma);
This code is super confusing because it is copied almost verbatim in two
places. It took me a long time to figure that out. Anyway,
->tx_queue_ptrs[] is an array with 4 elements. If ->num_ampdu_queues is
anything besides zero then we are corrupting memory. It's entirely
possible that ->num_ampdu_queues is zero here but I got a headache
trying to sort out the duplicate copies of this code.
A cleaner way to write this would be:
for (i = 0; i < MWL8K_TX_WMM_QUEUES; i++)
or
for (i = 0; i < ARRAY_SIZE(cmd->tx_queue_ptrs); i++)
That we don't have to follow all the callers and verify that adding
->num_ampdu_queues is a no-op.
priv->txq[] is 12 element array.
2457 cmd->num_tx_desc_per_queue = cpu_to_le32(MWL8K_TX_DESCS);
2458 cmd->total_rxd = cpu_to_le32(MWL8K_RX_DESCS);
regards,
dan carpenter
reply other threads:[~2013-12-05 10:34 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20131205103448.GA3091@elgon.mountain \
--to=dan.carpenter@oracle.com \
--cc=brian@cozybit.com \
--cc=linux-wireless@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox