public inbox for linux-kernel@vger.kernel.org
From: kernel test robot <lkp@intel.com>
To: Zong-Zhe Yang <kevin_yang@realtek.com>
Cc: kbuild-all@lists.01.org, linux-kernel@vger.kernel.org,
	Kalle Valo <kvalo@codeaurora.org>,
	Yan-Hsuan Chuang <yhchuang@realtek.com>
Subject: drivers/net/wireless/realtek/rtw88/phy.c:641 rtw_phy_linear_2_db() error: buffer overflow 8 <= 8 (assuming for loop doesn't break)
Date: Wed, 12 Aug 2020 19:49:37 +0800
Message-ID: <202008121934.Bwkips73%lkp@intel.com>

Hi Zong-Zhe,

First bad commit (maybe != root cause):

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head:   fb893de323e2d39f7a1f6df425703a2edbdf56ea
commit: ba0fbe236fb8a7b992e82d6eafb03a600f5eba43 rtw88: extract: make 8822c an individual kernel module
date:   3 months ago
config: parisc-randconfig-m031-20200811 (attached as .config)
compiler: hppa-linux-gcc (GCC) 9.3.0

If you fix the issue, kindly add the following tag as appropriate:
Reported-by: kernel test robot <lkp@intel.com>

smatch warnings:
drivers/net/wireless/realtek/rtw88/phy.c:641 rtw_phy_linear_2_db() error: buffer overflow 'db_invert_table[i]' 8 <= 8 (assuming for loop doesn't break)

vim +641 drivers/net/wireless/realtek/rtw88/phy.c

e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  599  
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  600  static u8 rtw_phy_linear_2_db(u64 linear)
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  601  {
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  602  	u8 i;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  603  	u8 j;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  604  	u32 dB;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  605  
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  606  	if (linear >= db_invert_table[11][7])
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  607  		return 96; /* maximum 96 dB */
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  608  
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  609  	for (i = 0; i < 12; i++) {
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  610  		if (i <= 2 && (linear << FRAC_BITS) <= db_invert_table[i][7])
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  611  			break;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  612  		else if (i > 2 && linear <= db_invert_table[i][7])
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  613  			break;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  614  	}
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  615  
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  616  	for (j = 0; j < 8; j++) {
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  617  		if (i <= 2 && (linear << FRAC_BITS) <= db_invert_table[i][j])
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  618  			break;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  619  		else if (i > 2 && linear <= db_invert_table[i][j])
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  620  			break;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  621  	}
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  622  
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  623  	if (j == 0 && i == 0)
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  624  		goto end;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  625  
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  626  	if (j == 0) {
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  627  		if (i != 3) {
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  628  			if (db_invert_table[i][0] - linear >
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  629  			    linear - db_invert_table[i - 1][7]) {
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  630  				i = i - 1;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  631  				j = 7;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  632  			}
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  633  		} else {
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  634  			if (db_invert_table[3][0] - linear >
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  635  			    linear - db_invert_table[2][7]) {
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  636  				i = 2;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  637  				j = 7;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  638  			}
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  639  		}
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  640  	} else {
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 @641  		if (db_invert_table[i][j] - linear >
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  642  		    linear - db_invert_table[i][j - 1]) {
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  643  			j = j - 1;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  644  		}
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  645  	}
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  646  end:
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  647  	dB = (i << 3) + j + 1;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  648  
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  649  	return dB;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  650  }
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  651  

:::::: The code at line 641 was first introduced by commit
:::::: e3037485c68ec1a299ff41160d8fedbd4abc29b9 rtw88: new Realtek 802.11ac driver

:::::: TO: Yan-Hsuan Chuang <yhchuang@realtek.com>
:::::: CC: Kalle Valo <kvalo@codeaurora.org>

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
