From: kernel test robot <lkp@intel.com>
To: oe-kbuild@lists.linux.dev
Cc: lkp@intel.com, Dan Carpenter <error27@gmail.com>
Subject: [axboe:rw_iter 51/525] net/mac80211/debugfs.c:109 aqm_write() warn: potential spectre issue 'buf' [w]
Date: Sat, 28 Mar 2026 17:54:53 +0800 [thread overview]
Message-ID: <202603281706.3CSDII39-lkp@intel.com> (raw)
BCC: lkp@intel.com
CC: oe-kbuild-all@lists.linux.dev
TO: Jens Axboe <axboe@kernel.dk>
tree: https://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux.git rw_iter
head: a20631c136551e49bcb2cb9c229e2b7c826a6aa6
commit: 9660c1d6968417e54a2a0719f058a7e5e2e53595 [51/525] net: mac80211: convert to read/write iterators
:::::: branch date: 18 hours ago
:::::: commit date: 2 days ago
config: parisc-randconfig-r071-20260328 (https://download.01.org/0day-ci/archive/20260328/202603281706.3CSDII39-lkp@intel.com/config)
compiler: hppa-linux-gcc (GCC) 15.2.0
smatch: v0.5.0-9004-gb810ac53
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Reported-by: Dan Carpenter <error27@gmail.com>
| Closes: https://lore.kernel.org/r/202603281706.3CSDII39-lkp@intel.com/
New smatch warnings:
net/mac80211/debugfs.c:109 aqm_write() warn: potential spectre issue 'buf' [w]
net/mac80211/debugfs.c:160 airtime_flags_write() warn: potential spectre issue 'buf' [w]
net/mac80211/debugfs.c:240 aql_txq_limit_write() warn: potential spectre issue 'buf' [w]
net/mac80211/debugfs.c:348 force_tx_status_write() warn: potential spectre issue 'buf' [w]
Old smatch warnings:
net/mac80211/debugfs.c:250 aql_txq_limit_write() warn: potential spectre issue 'local->aql_txq_limit_low' [r] (local cap)
net/mac80211/debugfs.c:251 aql_txq_limit_write() warn: potential spectre issue 'local->aql_txq_limit_high' [r] (local cap)
net/mac80211/debugfs.c:260 aql_txq_limit_write() warn: possible spectre second half. 'q_limit_low_old'
net/mac80211/debugfs.c:261 aql_txq_limit_write() warn: possible spectre second half. 'q_limit_high_old'
net/mac80211/debugfs.c:262 aql_txq_limit_write() warn: potential spectre issue 'sta->airtime' [w] (local cap)
vim +/buf +109 net/mac80211/debugfs.c
9399b86c0e9a05 Michal Kazior 2016-05-19 95
9660c1d6968417 Jens Axboe 2024-04-10 96 static ssize_t aqm_write(struct kiocb *iocb, struct iov_iter *from)
9399b86c0e9a05 Michal Kazior 2016-05-19 97 {
9660c1d6968417 Jens Axboe 2024-04-10 98 struct ieee80211_local *local = iocb->ki_filp->private_data;
9660c1d6968417 Jens Axboe 2024-04-10 99 size_t count = iov_iter_count(from);
9399b86c0e9a05 Michal Kazior 2016-05-19 100 char buf[100];
9399b86c0e9a05 Michal Kazior 2016-05-19 101
6020d534fa012b Shayne Chen 2021-01-12 102 if (count >= sizeof(buf))
9399b86c0e9a05 Michal Kazior 2016-05-19 103 return -EINVAL;
9399b86c0e9a05 Michal Kazior 2016-05-19 104
9660c1d6968417 Jens Axboe 2024-04-10 105 if (!copy_from_iter_full(buf, count, from))
9399b86c0e9a05 Michal Kazior 2016-05-19 106 return -EFAULT;
9399b86c0e9a05 Michal Kazior 2016-05-19 107
6020d534fa012b Shayne Chen 2021-01-12 108 if (count && buf[count - 1] == '\n')
6020d534fa012b Shayne Chen 2021-01-12 @109 buf[count - 1] = '\0';
6020d534fa012b Shayne Chen 2021-01-12 110 else
6020d534fa012b Shayne Chen 2021-01-12 111 buf[count] = '\0';
9399b86c0e9a05 Michal Kazior 2016-05-19 112
9399b86c0e9a05 Michal Kazior 2016-05-19 113 if (sscanf(buf, "fq_limit %u", &local->fq.limit) == 1)
9399b86c0e9a05 Michal Kazior 2016-05-19 114 return count;
2a4e675d887bb3 Toke Høiland-Jørgensen 2016-09-23 115 else if (sscanf(buf, "fq_memory_limit %u", &local->fq.memory_limit) == 1)
2a4e675d887bb3 Toke Høiland-Jørgensen 2016-09-23 116 return count;
9399b86c0e9a05 Michal Kazior 2016-05-19 117 else if (sscanf(buf, "fq_quantum %u", &local->fq.quantum) == 1)
9399b86c0e9a05 Michal Kazior 2016-05-19 118 return count;
9399b86c0e9a05 Michal Kazior 2016-05-19 119
9399b86c0e9a05 Michal Kazior 2016-05-19 120 return -EINVAL;
9399b86c0e9a05 Michal Kazior 2016-05-19 121 }
9399b86c0e9a05 Michal Kazior 2016-05-19 122
31cb94f71c1ba1 Johannes Berg 2024-10-22 123 static const struct debugfs_short_fops aqm_ops = {
9660c1d6968417 Jens Axboe 2024-04-10 124 .write_iter = aqm_write,
9660c1d6968417 Jens Axboe 2024-04-10 125 .read_iter = aqm_read,
9399b86c0e9a05 Michal Kazior 2016-05-19 126 .llseek = default_llseek,
9399b86c0e9a05 Michal Kazior 2016-05-19 127 };
9399b86c0e9a05 Michal Kazior 2016-05-19 128
9660c1d6968417 Jens Axboe 2024-04-10 129 static ssize_t airtime_flags_read(struct kiocb *iocb, struct iov_iter *to)
e322c07f837116 Lorenzo Bianconi 2019-11-27 130 {
9660c1d6968417 Jens Axboe 2024-04-10 131 struct ieee80211_local *local = iocb->ki_filp->private_data;
e322c07f837116 Lorenzo Bianconi 2019-11-27 132 char buf[128] = {}, *pos, *end;
e322c07f837116 Lorenzo Bianconi 2019-11-27 133
e322c07f837116 Lorenzo Bianconi 2019-11-27 134 pos = buf;
e322c07f837116 Lorenzo Bianconi 2019-11-27 135 end = pos + sizeof(buf) - 1;
e322c07f837116 Lorenzo Bianconi 2019-11-27 136
e322c07f837116 Lorenzo Bianconi 2019-11-27 137 if (local->airtime_flags & AIRTIME_USE_TX)
e322c07f837116 Lorenzo Bianconi 2019-11-27 138 pos += scnprintf(pos, end - pos, "AIRTIME_TX\t(%lx)\n",
e322c07f837116 Lorenzo Bianconi 2019-11-27 139 AIRTIME_USE_TX);
e322c07f837116 Lorenzo Bianconi 2019-11-27 140 if (local->airtime_flags & AIRTIME_USE_RX)
e322c07f837116 Lorenzo Bianconi 2019-11-27 141 pos += scnprintf(pos, end - pos, "AIRTIME_RX\t(%lx)\n",
e322c07f837116 Lorenzo Bianconi 2019-11-27 142 AIRTIME_USE_RX);
e322c07f837116 Lorenzo Bianconi 2019-11-27 143
9660c1d6968417 Jens Axboe 2024-04-10 144 return simple_copy_to_iter(buf, &iocb->ki_pos, strlen(buf), to);
e322c07f837116 Lorenzo Bianconi 2019-11-27 145 }
e322c07f837116 Lorenzo Bianconi 2019-11-27 146
9660c1d6968417 Jens Axboe 2024-04-10 147 static ssize_t airtime_flags_write(struct kiocb *iocb, struct iov_iter *from)
e322c07f837116 Lorenzo Bianconi 2019-11-27 148 {
9660c1d6968417 Jens Axboe 2024-04-10 149 struct ieee80211_local *local = iocb->ki_filp->private_data;
9660c1d6968417 Jens Axboe 2024-04-10 150 size_t count = iov_iter_count(from);
e322c07f837116 Lorenzo Bianconi 2019-11-27 151 char buf[16];
e322c07f837116 Lorenzo Bianconi 2019-11-27 152
6020d534fa012b Shayne Chen 2021-01-12 153 if (count >= sizeof(buf))
e322c07f837116 Lorenzo Bianconi 2019-11-27 154 return -EINVAL;
e322c07f837116 Lorenzo Bianconi 2019-11-27 155
9660c1d6968417 Jens Axboe 2024-04-10 156 if (!copy_from_iter_full(buf, count, from))
e322c07f837116 Lorenzo Bianconi 2019-11-27 157 return -EFAULT;
e322c07f837116 Lorenzo Bianconi 2019-11-27 158
6020d534fa012b Shayne Chen 2021-01-12 159 if (count && buf[count - 1] == '\n')
6020d534fa012b Shayne Chen 2021-01-12 @160 buf[count - 1] = '\0';
6020d534fa012b Shayne Chen 2021-01-12 161 else
6020d534fa012b Shayne Chen 2021-01-12 162 buf[count] = '\0';
e322c07f837116 Lorenzo Bianconi 2019-11-27 163
e322c07f837116 Lorenzo Bianconi 2019-11-27 164 if (kstrtou16(buf, 0, &local->airtime_flags))
e322c07f837116 Lorenzo Bianconi 2019-11-27 165 return -EINVAL;
e322c07f837116 Lorenzo Bianconi 2019-11-27 166
e322c07f837116 Lorenzo Bianconi 2019-11-27 167 return count;
e322c07f837116 Lorenzo Bianconi 2019-11-27 168 }
e322c07f837116 Lorenzo Bianconi 2019-11-27 169
31cb94f71c1ba1 Johannes Berg 2024-10-22 170 static const struct debugfs_short_fops airtime_flags_ops = {
9660c1d6968417 Jens Axboe 2024-04-10 171 .write_iter = airtime_flags_write,
9660c1d6968417 Jens Axboe 2024-04-10 172 .read_iter = airtime_flags_read,
e322c07f837116 Lorenzo Bianconi 2019-11-27 173 .llseek = default_llseek,
e322c07f837116 Lorenzo Bianconi 2019-11-27 174 };
e322c07f837116 Lorenzo Bianconi 2019-11-27 175
9660c1d6968417 Jens Axboe 2024-04-10 176 static ssize_t aql_pending_read(struct kiocb *iocb, struct iov_iter *to)
3db2c5604f39e3 Felix Fietkau 2022-06-25 177 {
9660c1d6968417 Jens Axboe 2024-04-10 178 struct ieee80211_local *local = iocb->ki_filp->private_data;
3db2c5604f39e3 Felix Fietkau 2022-06-25 179 char buf[400];
3db2c5604f39e3 Felix Fietkau 2022-06-25 180 int len = 0;
3db2c5604f39e3 Felix Fietkau 2022-06-25 181
3db2c5604f39e3 Felix Fietkau 2022-06-25 182 len = scnprintf(buf, sizeof(buf),
3db2c5604f39e3 Felix Fietkau 2022-06-25 183 "AC AQL pending\n"
3db2c5604f39e3 Felix Fietkau 2022-06-25 184 "VO %u us\n"
3db2c5604f39e3 Felix Fietkau 2022-06-25 185 "VI %u us\n"
3db2c5604f39e3 Felix Fietkau 2022-06-25 186 "BE %u us\n"
3db2c5604f39e3 Felix Fietkau 2022-06-25 187 "BK %u us\n"
3db2c5604f39e3 Felix Fietkau 2022-06-25 188 "total %u us\n",
3db2c5604f39e3 Felix Fietkau 2022-06-25 189 atomic_read(&local->aql_ac_pending_airtime[IEEE80211_AC_VO]),
3db2c5604f39e3 Felix Fietkau 2022-06-25 190 atomic_read(&local->aql_ac_pending_airtime[IEEE80211_AC_VI]),
3db2c5604f39e3 Felix Fietkau 2022-06-25 191 atomic_read(&local->aql_ac_pending_airtime[IEEE80211_AC_BE]),
3db2c5604f39e3 Felix Fietkau 2022-06-25 192 atomic_read(&local->aql_ac_pending_airtime[IEEE80211_AC_BK]),
3db2c5604f39e3 Felix Fietkau 2022-06-25 193 atomic_read(&local->aql_total_pending_airtime));
9660c1d6968417 Jens Axboe 2024-04-10 194 return simple_copy_to_iter(buf, &iocb->ki_pos, len, to);
3db2c5604f39e3 Felix Fietkau 2022-06-25 195 }
3db2c5604f39e3 Felix Fietkau 2022-06-25 196
31cb94f71c1ba1 Johannes Berg 2024-10-22 197 static const struct debugfs_short_fops aql_pending_ops = {
9660c1d6968417 Jens Axboe 2024-04-10 198 .read_iter = aql_pending_read,
3db2c5604f39e3 Felix Fietkau 2022-06-25 199 .llseek = default_llseek,
3db2c5604f39e3 Felix Fietkau 2022-06-25 200 };
3db2c5604f39e3 Felix Fietkau 2022-06-25 201
9660c1d6968417 Jens Axboe 2024-04-10 202 static ssize_t aql_txq_limit_read(struct kiocb *iocb, struct iov_iter *to)
3ace10f5b5ad94 Kan Yan 2019-11-18 203 {
9660c1d6968417 Jens Axboe 2024-04-10 204 struct ieee80211_local *local = iocb->ki_filp->private_data;
3ace10f5b5ad94 Kan Yan 2019-11-18 205 char buf[400];
3ace10f5b5ad94 Kan Yan 2019-11-18 206 int len = 0;
3ace10f5b5ad94 Kan Yan 2019-11-18 207
3ace10f5b5ad94 Kan Yan 2019-11-18 208 len = scnprintf(buf, sizeof(buf),
3ace10f5b5ad94 Kan Yan 2019-11-18 209 "AC AQL limit low AQL limit high\n"
3ace10f5b5ad94 Kan Yan 2019-11-18 210 "VO %u %u\n"
3ace10f5b5ad94 Kan Yan 2019-11-18 211 "VI %u %u\n"
3ace10f5b5ad94 Kan Yan 2019-11-18 212 "BE %u %u\n"
3ace10f5b5ad94 Kan Yan 2019-11-18 213 "BK %u %u\n",
942741dabcb432 Felix Fietkau 2022-06-25 214 local->aql_txq_limit_low[IEEE80211_AC_VO],
942741dabcb432 Felix Fietkau 2022-06-25 215 local->aql_txq_limit_high[IEEE80211_AC_VO],
942741dabcb432 Felix Fietkau 2022-06-25 216 local->aql_txq_limit_low[IEEE80211_AC_VI],
942741dabcb432 Felix Fietkau 2022-06-25 217 local->aql_txq_limit_high[IEEE80211_AC_VI],
942741dabcb432 Felix Fietkau 2022-06-25 218 local->aql_txq_limit_low[IEEE80211_AC_BE],
942741dabcb432 Felix Fietkau 2022-06-25 219 local->aql_txq_limit_high[IEEE80211_AC_BE],
942741dabcb432 Felix Fietkau 2022-06-25 220 local->aql_txq_limit_low[IEEE80211_AC_BK],
942741dabcb432 Felix Fietkau 2022-06-25 221 local->aql_txq_limit_high[IEEE80211_AC_BK]);
9660c1d6968417 Jens Axboe 2024-04-10 222 return simple_copy_to_iter(buf, &iocb->ki_pos, len, to);
3ace10f5b5ad94 Kan Yan 2019-11-18 223 }
3ace10f5b5ad94 Kan Yan 2019-11-18 224
9660c1d6968417 Jens Axboe 2024-04-10 225 static ssize_t aql_txq_limit_write(struct kiocb *iocb, struct iov_iter *from)
3ace10f5b5ad94 Kan Yan 2019-11-18 226 {
9660c1d6968417 Jens Axboe 2024-04-10 227 struct ieee80211_local *local = iocb->ki_filp->private_data;
9660c1d6968417 Jens Axboe 2024-04-10 228 size_t count = iov_iter_count(from);
3ace10f5b5ad94 Kan Yan 2019-11-18 229 char buf[100];
3ace10f5b5ad94 Kan Yan 2019-11-18 230 u32 ac, q_limit_low, q_limit_high, q_limit_low_old, q_limit_high_old;
3ace10f5b5ad94 Kan Yan 2019-11-18 231 struct sta_info *sta;
3ace10f5b5ad94 Kan Yan 2019-11-18 232
6020d534fa012b Shayne Chen 2021-01-12 233 if (count >= sizeof(buf))
3ace10f5b5ad94 Kan Yan 2019-11-18 234 return -EINVAL;
3ace10f5b5ad94 Kan Yan 2019-11-18 235
9660c1d6968417 Jens Axboe 2024-04-10 236 if (!copy_from_iter_full(buf, count, from))
3ace10f5b5ad94 Kan Yan 2019-11-18 237 return -EFAULT;
3ace10f5b5ad94 Kan Yan 2019-11-18 238
6020d534fa012b Shayne Chen 2021-01-12 239 if (count && buf[count - 1] == '\n')
6020d534fa012b Shayne Chen 2021-01-12 @240 buf[count - 1] = '\0';
6020d534fa012b Shayne Chen 2021-01-12 241 else
6020d534fa012b Shayne Chen 2021-01-12 242 buf[count] = '\0';
3ace10f5b5ad94 Kan Yan 2019-11-18 243
3ace10f5b5ad94 Kan Yan 2019-11-18 244 if (sscanf(buf, "%u %u %u", &ac, &q_limit_low, &q_limit_high) != 3)
3ace10f5b5ad94 Kan Yan 2019-11-18 245 return -EINVAL;
3ace10f5b5ad94 Kan Yan 2019-11-18 246
3ace10f5b5ad94 Kan Yan 2019-11-18 247 if (ac >= IEEE80211_NUM_ACS)
3ace10f5b5ad94 Kan Yan 2019-11-18 248 return -EINVAL;
3ace10f5b5ad94 Kan Yan 2019-11-18 249
942741dabcb432 Felix Fietkau 2022-06-25 250 q_limit_low_old = local->aql_txq_limit_low[ac];
942741dabcb432 Felix Fietkau 2022-06-25 251 q_limit_high_old = local->aql_txq_limit_high[ac];
3ace10f5b5ad94 Kan Yan 2019-11-18 252
8e66f6c6738e5b Johannes Berg 2024-11-22 253 guard(wiphy)(local->hw.wiphy);
8e66f6c6738e5b Johannes Berg 2024-11-22 254
942741dabcb432 Felix Fietkau 2022-06-25 255 local->aql_txq_limit_low[ac] = q_limit_low;
942741dabcb432 Felix Fietkau 2022-06-25 256 local->aql_txq_limit_high[ac] = q_limit_high;
3ace10f5b5ad94 Kan Yan 2019-11-18 257
3ace10f5b5ad94 Kan Yan 2019-11-18 258 list_for_each_entry(sta, &local->sta_list, list) {
3ace10f5b5ad94 Kan Yan 2019-11-18 259 /* If a sta has customized queue limits, keep it */
3ace10f5b5ad94 Kan Yan 2019-11-18 260 if (sta->airtime[ac].aql_limit_low == q_limit_low_old &&
3ace10f5b5ad94 Kan Yan 2019-11-18 261 sta->airtime[ac].aql_limit_high == q_limit_high_old) {
3ace10f5b5ad94 Kan Yan 2019-11-18 262 sta->airtime[ac].aql_limit_low = q_limit_low;
3ace10f5b5ad94 Kan Yan 2019-11-18 263 sta->airtime[ac].aql_limit_high = q_limit_high;
3ace10f5b5ad94 Kan Yan 2019-11-18 264 }
3ace10f5b5ad94 Kan Yan 2019-11-18 265 }
4d3acf4311a040 Johannes Berg 2023-08-28 266
3ace10f5b5ad94 Kan Yan 2019-11-18 267 return count;
3ace10f5b5ad94 Kan Yan 2019-11-18 268 }
3ace10f5b5ad94 Kan Yan 2019-11-18 269
:::::: The code at line 109 was first introduced by commit
:::::: 6020d534fa012b80c6d13811dc4d2dfedca2e403 mac80211: fix incorrect strlen of .write in debugfs
:::::: TO: Shayne Chen <shayne.chen@mediatek.com>
:::::: CC: Johannes Berg <johannes.berg@intel.com>
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
reply other threads:[~2026-03-28 9:55 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202603281706.3CSDII39-lkp@intel.com \
--to=lkp@intel.com \
--cc=error27@gmail.com \
--cc=oe-kbuild@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox