From patchwork Thu Jun 29 08:51:00 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dmitry Antipov X-Patchwork-Id: 697904 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6E3CFC0015E for ; Thu, 29 Jun 2023 08:52:43 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232191AbjF2Iwm (ORCPT ); Thu, 29 Jun 2023 04:52:42 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56504 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232170AbjF2IwH (ORCPT ); Thu, 29 Jun 2023 04:52:07 -0400 Received: from forward103c.mail.yandex.net (forward103c.mail.yandex.net [IPv6:2a02:6b8:c03:500:1:45:d181:d103]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C2AA32693 for ; Thu, 29 Jun 2023 01:51:48 -0700 (PDT) Received: from mail-nwsmtp-smtp-production-canary-88.sas.yp-c.yandex.net (mail-nwsmtp-smtp-production-canary-88.sas.yp-c.yandex.net [IPv6:2a02:6b8:c08:1d21:0:640:c9e4:0]) by forward103c.mail.yandex.net (Yandex) with ESMTP id C27FF60020; Thu, 29 Jun 2023 11:51:45 +0300 (MSK) Received: by mail-nwsmtp-smtp-production-canary-88.sas.yp-c.yandex.net (smtp/Yandex) with ESMTPSA id ipIxcZ1DSeA0-ueLZJa0F; Thu, 29 Jun 2023 11:51:45 +0300 X-Yandex-Fwd: 1 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.ru; s=mail; t=1688028705; bh=LDSwx6T2pybWuexKQ6K8L5O84LPiT9lRnVFusPQ+UX8=; h=Message-ID:Date:Cc:Subject:To:From; b=D0f9pC0QM426JxZHzVdXpfFuGL0lub0ZeMKxE0XVDAxQi2auCNFIl13iqjz7kxcTi Mq587XAbBB5IH8cAY/s9ZeiY7UiAGeRiRLHscnD/UgBLNhEy+4eN4o6kpKaYH/eQCz qnqJ8xgeVaBqNEO6VGmZyjMZoujGyLel0+GNHPAE= Authentication-Results: mail-nwsmtp-smtp-production-canary-88.sas.yp-c.yandex.net; dkim=pass header.i=@yandex.ru From: Dmitry Antipov To: Kalle Valo Cc: Brian Norris , linux-wireless@vger.kernel.org, Dmitry Antipov Subject: [PATCH 1/3] [v4] wifi: mwifiex: prefer strscpy() over strlcpy() Date: Thu, 29 Jun 2023 11:51:00 +0300 Message-ID: <20230629085115.180499-1-dmantipov@yandex.ru> X-Mailer: git-send-email 2.41.0 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org Prefer 'strscpy()' over 'strlcpy()' in 'mwifiex_init_hw_fw()'. Signed-off-by: Dmitry Antipov Reviewed-by: Brian Norris --- v4: simplify to drop strlcpy() only (Brian Norris) --- drivers/net/wireless/marvell/mwifiex/main.c | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/drivers/net/wireless/marvell/mwifiex/main.c b/drivers/net/wireless/marvell/mwifiex/main.c index ea22a08e6c08..64512b00e8b5 100644 --- a/drivers/net/wireless/marvell/mwifiex/main.c +++ b/drivers/net/wireless/marvell/mwifiex/main.c @@ -724,14 +724,9 @@ static int mwifiex_init_hw_fw(struct mwifiex_adapter *adapter, /* Override default firmware with manufacturing one if * manufacturing mode is enabled */ - if (mfg_mode) { - if (strlcpy(adapter->fw_name, MFG_FIRMWARE, - sizeof(adapter->fw_name)) >= - sizeof(adapter->fw_name)) { - pr_err("%s: fw_name too long!\n", __func__); - return -1; - } - } + if (mfg_mode) + strscpy(adapter->fw_name, MFG_FIRMWARE, + sizeof(adapter->fw_name)); if (req_fw_nowait) { ret = request_firmware_nowait(THIS_MODULE, 1, adapter->fw_name, From patchwork Thu Jun 29 08:51:01 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Dmitry Antipov X-Patchwork-Id: 698304 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0991AEB64D9 for ; Thu, 29 Jun 2023 08:52:45 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232274AbjF2Iwn (ORCPT ); Thu, 29 Jun 2023 04:52:43 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56506 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232172AbjF2IwJ (ORCPT ); Thu, 29 Jun 2023 04:52:09 -0400 Received: from forward102b.mail.yandex.net (forward102b.mail.yandex.net [IPv6:2a02:6b8:c02:900:1:45:d181:d102]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DAEC335BD for ; Thu, 29 Jun 2023 01:51:50 -0700 (PDT) Received: from mail-nwsmtp-smtp-production-canary-88.sas.yp-c.yandex.net (mail-nwsmtp-smtp-production-canary-88.sas.yp-c.yandex.net [IPv6:2a02:6b8:c08:1d21:0:640:c9e4:0]) by forward102b.mail.yandex.net (Yandex) with ESMTP id 36D7960078; Thu, 29 Jun 2023 11:51:48 +0300 (MSK) Received: by mail-nwsmtp-smtp-production-canary-88.sas.yp-c.yandex.net (smtp/Yandex) with ESMTPSA id ipIxcZ1DSeA0-leAGuNpX; Thu, 29 Jun 2023 11:51:47 +0300 X-Yandex-Fwd: 1 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.ru; s=mail; t=1688028707; bh=vEu8vMjIbX7nXG+CG0tA3nYjyZt9E4ldyPBMZU2sSFk=; h=Cc:Message-ID:References:Date:In-Reply-To:Subject:To:From; b=Qx6vJajV1TR0IUJfVBNBCyleYIybb3t1/DM+kk2rvPNw/kqSIMwkNAcvFA6uyib/7 6GnJIX11dYikW5tugIUQNUOCB66oPGfeldmCTFA1H/7Z4qPNKaiJEuZom+OOuzb7JQ O9NJR0oRiMT0rEXMAGfgPNNWnmWQbWM+PZmKx4Uk= Authentication-Results: mail-nwsmtp-smtp-production-canary-88.sas.yp-c.yandex.net; dkim=pass header.i=@yandex.ru From: Dmitry Antipov To: Kalle Valo Cc: Brian Norris , linux-wireless@vger.kernel.org, Dmitry Antipov Subject: [PATCH 2/3] [v4] wifi: mwifiex: fix fortify warning Date: Thu, 29 Jun 2023 11:51:01 +0300 Message-ID: <20230629085115.180499-2-dmantipov@yandex.ru> X-Mailer: git-send-email 2.41.0 In-Reply-To: <20230629085115.180499-1-dmantipov@yandex.ru> References: <20230629085115.180499-1-dmantipov@yandex.ru> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org When compiling with gcc 13.1 and CONFIG_FORTIFY_SOURCE=y, I've noticed the following: In function ‘fortify_memcpy_chk’, inlined from ‘mwifiex_construct_tdls_action_frame’ at drivers/net/wireless/marvell/mwifiex/tdls.c:765:3, inlined from ‘mwifiex_send_tdls_action_frame’ at drivers/net/wireless/marvell/mwifiex/tdls.c:856:6: ./include/linux/fortify-string.h:529:25: warning: call to ‘__read_overflow2_field’ declared with attribute warning: detected read beyond size of field (2nd parameter); maybe use struct_group()? [-Wattribute-warning] 529 | __read_overflow2_field(q_size_field, size); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The compiler actually complains on: memmove(pos + ETH_ALEN, &mgmt->u.action.category, sizeof(mgmt->u.action.u.tdls_discover_resp)); and it happens because the fortification logic interprets this as an attempt to overread 1-byte 'u.action.category' member of 'struct ieee80211_mgmt'. To silence this warning, it's enough to pass an address of 'u.action' itself instead of an address of its first member. This also fixes an improper usage of 'sizeof()'. Since 'skb' is extended with 'sizeof(mgmt->u.action.u.tdls_discover_resp) + 1' bytes (where 1 is actually 'sizeof(mgmt->u.action.category)'), I assume that the same number of bytes should be copied. Suggested-by: Brian Norris Signed-off-by: Dmitry Antipov --- v4: fix memmove() size calculation (Brian Norris) --- drivers/net/wireless/marvell/mwifiex/tdls.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/drivers/net/wireless/marvell/mwifiex/tdls.c b/drivers/net/wireless/marvell/mwifiex/tdls.c index 97bb87c3676b..6c60621b6ccc 100644 --- a/drivers/net/wireless/marvell/mwifiex/tdls.c +++ b/drivers/net/wireless/marvell/mwifiex/tdls.c @@ -735,6 +735,7 @@ mwifiex_construct_tdls_action_frame(struct mwifiex_private *priv, int ret; u16 capab; struct ieee80211_ht_cap *ht_cap; + unsigned int extra; u8 radio, *pos; capab = priv->curr_bss_params.bss_descriptor.cap_info_bitmap; @@ -753,7 +754,10 @@ mwifiex_construct_tdls_action_frame(struct mwifiex_private *priv, switch (action_code) { case WLAN_PUB_ACTION_TDLS_DISCOVER_RES: - skb_put(skb, sizeof(mgmt->u.action.u.tdls_discover_resp) + 1); + /* See the layout of 'struct ieee80211_mgmt'. */ + extra = sizeof(mgmt->u.action.u.tdls_discover_resp) + + sizeof(mgmt->u.action.category); + skb_put(skb, extra); mgmt->u.action.category = WLAN_CATEGORY_PUBLIC; mgmt->u.action.u.tdls_discover_resp.action_code = WLAN_PUB_ACTION_TDLS_DISCOVER_RES; @@ -762,8 +766,7 @@ mwifiex_construct_tdls_action_frame(struct mwifiex_private *priv, mgmt->u.action.u.tdls_discover_resp.capability = cpu_to_le16(capab); /* move back for addr4 */ - memmove(pos + ETH_ALEN, &mgmt->u.action.category, - sizeof(mgmt->u.action.u.tdls_discover_resp)); + memmove(pos + ETH_ALEN, &mgmt->u.action, extra); /* init address 4 */ eth_broadcast_addr(pos); From patchwork Thu Jun 29 08:51:02 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dmitry Antipov X-Patchwork-Id: 697905 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 909D3EB64DC for ; Thu, 29 Jun 2023 08:52:42 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232076AbjF2Iwk (ORCPT ); Thu, 29 Jun 2023 04:52:40 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56688 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232206AbjF2IwJ (ORCPT ); Thu, 29 Jun 2023 04:52:09 -0400 Received: from forward102b.mail.yandex.net (forward102b.mail.yandex.net [IPv6:2a02:6b8:c02:900:1:45:d181:d102]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 325D935BF for ; Thu, 29 Jun 2023 01:51:51 -0700 (PDT) Received: from mail-nwsmtp-smtp-production-canary-88.sas.yp-c.yandex.net (mail-nwsmtp-smtp-production-canary-88.sas.yp-c.yandex.net [IPv6:2a02:6b8:c08:1d21:0:640:c9e4:0]) by forward102b.mail.yandex.net (Yandex) with ESMTP id BBB7160023; Thu, 29 Jun 2023 11:51:49 +0300 (MSK) Received: by mail-nwsmtp-smtp-production-canary-88.sas.yp-c.yandex.net (smtp/Yandex) with ESMTPSA id ipIxcZ1DSeA0-L0RnnBoy; Thu, 29 Jun 2023 11:51:49 +0300 X-Yandex-Fwd: 1 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.ru; s=mail; t=1688028709; bh=lRNb0vhgA7lDOn3efwzkRAqW2F4EsHu4+8yk/WhuG/g=; h=Message-ID:Date:In-Reply-To:Cc:Subject:References:To:From; b=k+bUrGCnjucKCugVDeU4nQdoGxRNAP+2wa59ViLkKlMTiyhVMiV30/YJYdQdQHwzf xH8JUWE/cXu56bkMXh/vhQFwmp33Z1NVkG2a+n7XhEE8bXIYV+noNu1VZMYKUYjnNk K7CxdUVO1YxI3ZKcJ0ALQVgpOfIurXmf65DRACvk= Authentication-Results: mail-nwsmtp-smtp-production-canary-88.sas.yp-c.yandex.net; dkim=pass header.i=@yandex.ru From: Dmitry Antipov To: Kalle Valo Cc: Brian Norris , linux-wireless@vger.kernel.org, Dmitry Antipov Subject: [PATCH 3/3] [v4] wifi: mwifiex: drop BUG_ON() from TX error handling Date: Thu, 29 Jun 2023 11:51:02 +0300 Message-ID: <20230629085115.180499-3-dmantipov@yandex.ru> X-Mailer: git-send-email 2.41.0 In-Reply-To: <20230629085115.180499-1-dmantipov@yandex.ru> References: <20230629085115.180499-1-dmantipov@yandex.ru> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org Remove 'BUG_ON()' from 'mwifiex_process_sta_txpd()' and 'mwifiex_process_uap_txpd()'. In case of insufficient headrom, issue warning and return NULL, which should be gracefully handled in 'mwifiex_process_tx()'. Also mark error handling branches with 'unlikely()' and adjust format specifiers to match actual 'unsigned int' type. Signed-off-by: Dmitry Antipov --- v4: initial version to match series --- drivers/net/wireless/marvell/mwifiex/sta_tx.c | 13 +++++++++---- drivers/net/wireless/marvell/mwifiex/uap_txrx.c | 13 +++++++++---- 2 files changed, 18 insertions(+), 8 deletions(-) diff --git a/drivers/net/wireless/marvell/mwifiex/sta_tx.c b/drivers/net/wireless/marvell/mwifiex/sta_tx.c index 13c0e67ededf..d43f6ec1ad37 100644 --- a/drivers/net/wireless/marvell/mwifiex/sta_tx.c +++ b/drivers/net/wireless/marvell/mwifiex/sta_tx.c @@ -39,14 +39,19 @@ void *mwifiex_process_sta_txpd(struct mwifiex_private *priv, u16 pkt_type, pkt_offset; int hroom = adapter->intf_hdr_len; - if (!skb->len) { + if (unlikely(!skb->len)) { mwifiex_dbg(adapter, ERROR, - "Tx: bad packet length: %d\n", skb->len); + "Tx: bad packet length: %u\n", skb->len); tx_info->status_code = -1; return skb->data; } - - BUG_ON(skb_headroom(skb) < MWIFIEX_MIN_DATA_HEADER_LEN); + if (unlikely(skb_headroom(skb) < MWIFIEX_MIN_DATA_HEADER_LEN)) { + mwifiex_dbg(adapter, ERROR, + "Tx: insufficient skb headroom: %u\n", + skb_headroom(skb)); + tx_info->status_code = -1; + return NULL; + } pkt_type = mwifiex_is_skb_mgmt_frame(skb) ? PKT_TYPE_MGMT : 0; diff --git a/drivers/net/wireless/marvell/mwifiex/uap_txrx.c b/drivers/net/wireless/marvell/mwifiex/uap_txrx.c index e495f7eaea03..b27266742795 100644 --- a/drivers/net/wireless/marvell/mwifiex/uap_txrx.c +++ b/drivers/net/wireless/marvell/mwifiex/uap_txrx.c @@ -452,14 +452,19 @@ void *mwifiex_process_uap_txpd(struct mwifiex_private *priv, u16 pkt_type, pkt_offset; int hroom = adapter->intf_hdr_len; - if (!skb->len) { + if (unlikely(!skb->len)) { mwifiex_dbg(adapter, ERROR, - "Tx: bad packet length: %d\n", skb->len); + "Tx: bad packet length: %u\n", skb->len); tx_info->status_code = -1; return skb->data; } - - BUG_ON(skb_headroom(skb) < MWIFIEX_MIN_DATA_HEADER_LEN); + if (unlikely(skb_headroom(skb) < MWIFIEX_MIN_DATA_HEADER_LEN)) { + mwifiex_dbg(adapter, ERROR, + "Tx: insufficient skb headroom: %u\n", + skb_headroom(skb)); + tx_info->status_code = -1; + return NULL; + } pkt_type = mwifiex_is_skb_mgmt_frame(skb) ? PKT_TYPE_MGMT : 0;