| Message ID | 20220523180200.115fa27fbece.Ie66d874b047e7afad63900aa2df70f031711147e@changeid |
|---|---|
| State | New |
| Headers | show |
| Series | wifi: libertas: use variable-size data in assoc req/resp cmd | expand |
On Mon, 23 May 2022 18:02:01 +0200 Johannes Berg wrote: > From: Johannes Berg <johannes.berg@intel.com> > > The firmware has a 512 limit here, but we use less, so gcc > starts complaining about it: > > drivers/net/wireless/marvell/libertas/cfg.c:1198:63: warning: array subscript ‘struct cmd_ds_802_11_associate_response[0]’ is partly outside array bounds of ‘unsigned char[203]’ [-Warray-bounds] > 1198 | "aid 0x%04x\n", status, le16_to_cpu(resp->statuscode), > | ^~ > > Since we size the command and response buffer per our needs > and not per the firmware maximum, change to a variable size > data array and put the 512 only into a comment. > > In the end, that's actually what the code always wanted, and > it simplifies the code that used to subtract the fixed size > buffer size in two places. > > Reported-by: Jakub Kicinski <kuba@kernel.org> > Signed-off-by: Johannes Berg <johannes.berg@intel.com> Is there a chance to get this into net before the merge window is over?
Johannes Berg <johannes@sipsolutions.net> writes: > On Wed, 2022-05-25 at 13:53 -0700, Jakub Kicinski wrote: >> On Mon, 23 May 2022 18:02:01 +0200 Johannes Berg wrote: >> > From: Johannes Berg <johannes.berg@intel.com> >> > >> > The firmware has a 512 limit here, but we use less, so gcc >> > starts complaining about it: >> > >> > drivers/net/wireless/marvell/libertas/cfg.c:1198:63: warning: array subscript ‘struct cmd_ds_802_11_associate_response[0]’ is partly outside array bounds of ‘unsigned char[203]’ [-Warray-bounds] >> > 1198 | "aid 0x%04x\n", status, le16_to_cpu(resp->statuscode), >> > | ^~ >> > >> > Since we size the command and response buffer per our needs >> > and not per the firmware maximum, change to a variable size >> > data array and put the 512 only into a comment. >> > >> > In the end, that's actually what the code always wanted, and >> > it simplifies the code that used to subtract the fixed size >> > buffer size in two places. >> > >> > Reported-by: Jakub Kicinski <kuba@kernel.org> >> > Signed-off-by: Johannes Berg <johannes.berg@intel.com> >> >> Is there a chance to get this into net before the merge window is over? >> > I guess you can just apply it. Kalle? Yeah, Jakub can take this directly to net tree: Acked-by: Kalle Valo <kvalo@kernel.org> But I can also take this to wireless tree and send a pull request on Wednesday. Whichever is better for you, just let me know.
Johannes Berg <johannes@sipsolutions.net> writes: > From: Johannes Berg <johannes.berg@intel.com> > > The firmware has a 512 limit here, but we use less, so gcc > starts complaining about it: > > drivers/net/wireless/marvell/libertas/cfg.c:1198:63: warning: array subscript ‘struct cmd_ds_802_11_associate_response[0]’ is partly outside array bounds of ‘unsigned char[203]’ [-Warray-bounds] > 1198 | "aid 0x%04x\n", status, le16_to_cpu(resp->statuscode), > | ^~ > > Since we size the command and response buffer per our needs > and not per the firmware maximum, change to a variable size > data array and put the 512 only into a comment. > > In the end, that's actually what the code always wanted, and > it simplifies the code that used to subtract the fixed size > buffer size in two places. > > Reported-by: Jakub Kicinski <kuba@kernel.org> > Signed-off-by: Johannes Berg <johannes.berg@intel.com> Can we now remove the no-array-bounds hack from libertas? +# FIXME: temporarily silence -Warray-bounds on non W=1+ builds +ifndef KBUILD_EXTRA_WARN +CFLAGS_cfg.o += -Wno-array-bounds +endif
On Fri, 2022-05-27 at 14:43 +0300, Kalle Valo wrote: > Johannes Berg <johannes@sipsolutions.net> writes: > > > From: Johannes Berg <johannes.berg@intel.com> > > > > The firmware has a 512 limit here, but we use less, so gcc > > starts complaining about it: > > > > drivers/net/wireless/marvell/libertas/cfg.c:1198:63: warning: array subscript ‘struct cmd_ds_802_11_associate_response[0]’ is partly outside array bounds of ‘unsigned char[203]’ [-Warray-bounds] > > 1198 | "aid 0x%04x\n", status, le16_to_cpu(resp->statuscode), > > | ^~ > > > > Since we size the command and response buffer per our needs > > and not per the firmware maximum, change to a variable size > > data array and put the 512 only into a comment. > > > > In the end, that's actually what the code always wanted, and > > it simplifies the code that used to subtract the fixed size > > buffer size in two places. > > > > Reported-by: Jakub Kicinski <kuba@kernel.org> > > Signed-off-by: Johannes Berg <johannes.berg@intel.com> > > Can we now remove the no-array-bounds hack from libertas? > I think Jakub said he dropped it from the patches? johannes
Johannes Berg <johannes@sipsolutions.net> writes: > On Fri, 2022-05-27 at 14:43 +0300, Kalle Valo wrote: >> Johannes Berg <johannes@sipsolutions.net> writes: >> >> > From: Johannes Berg <johannes.berg@intel.com> >> > >> > The firmware has a 512 limit here, but we use less, so gcc >> > starts complaining about it: >> > >> > drivers/net/wireless/marvell/libertas/cfg.c:1198:63: warning: array subscript ‘struct cmd_ds_802_11_associate_response[0]’ is partly outside array bounds of ‘unsigned char[203]’ [-Warray-bounds] >> > 1198 | "aid 0x%04x\n", status, le16_to_cpu(resp->statuscode), >> > | ^~ >> > >> > Since we size the command and response buffer per our needs >> > and not per the firmware maximum, change to a variable size >> > data array and put the 512 only into a comment. >> > >> > In the end, that's actually what the code always wanted, and >> > it simplifies the code that used to subtract the fixed size >> > buffer size in two places. >> > >> > Reported-by: Jakub Kicinski <kuba@kernel.org> >> > Signed-off-by: Johannes Berg <johannes.berg@intel.com> >> >> Can we now remove the no-array-bounds hack from libertas? >> > > I think Jakub said he dropped it from the patches? Ah, indeed. I missed that, sorry for the noise.
On Fri, 27 May 2022 14:40:50 +0300 Kalle Valo wrote: > >> Is there a chance to get this into net before the merge window is over? > >> > > I guess you can just apply it. Kalle? > > Yeah, Jakub can take this directly to net tree: > > Acked-by: Kalle Valo <kvalo@kernel.org> > > But I can also take this to wireless tree and send a pull request on > Wednesday. Whichever is better for you, just let me know. PR on Wednesday sounds good, thanks! The patch didn't end up in our PW instance, I'd have to apply it manually.
Johannes Berg <johannes@sipsolutions.net> wrote: > From: Johannes Berg <johannes.berg@intel.com> > > The firmware has a 512 limit here, but we use less, so gcc > starts complaining about it: > > drivers/net/wireless/marvell/libertas/cfg.c:1198:63: warning: array subscript ‘struct cmd_ds_802_11_associate_response[0]’ is partly outside array bounds of ‘unsigned char[203]’ [-Warray-bounds] > 1198 | "aid 0x%04x\n", status, le16_to_cpu(resp->statuscode), > | ^~ > > Since we size the command and response buffer per our needs > and not per the firmware maximum, change to a variable size > data array and put the 512 only into a comment. > > In the end, that's actually what the code always wanted, and > it simplifies the code that used to subtract the fixed size > buffer size in two places. > > Reported-by: Jakub Kicinski <kuba@kernel.org> > Signed-off-by: Johannes Berg <johannes.berg@intel.com> > Acked-by: Kalle Valo <kvalo@kernel.org> Patch applied to wireless.git, thanks. d944e09ea839 wifi: libertas: use variable-size data in assoc req/resp cmd
diff --git a/drivers/net/wireless/marvell/libertas/cfg.c b/drivers/net/wireless/marvell/libertas/cfg.c index 4e3de684928b..b0b3f59dabc6 100644 --- a/drivers/net/wireless/marvell/libertas/cfg.c +++ b/drivers/net/wireless/marvell/libertas/cfg.c @@ -1053,7 +1053,6 @@ static int lbs_set_authtype(struct lbs_private *priv, */ #define LBS_ASSOC_MAX_CMD_SIZE \ (sizeof(struct cmd_ds_802_11_associate) \ - - 512 /* cmd_ds_802_11_associate.iebuf */ \ + LBS_MAX_SSID_TLV_SIZE \ + LBS_MAX_CHANNEL_TLV_SIZE \ + LBS_MAX_CF_PARAM_TLV_SIZE \ @@ -1130,8 +1129,7 @@ static int lbs_associate(struct lbs_private *priv, if (sme->ie && sme->ie_len) pos += lbs_add_wpa_tlv(pos, sme->ie, sme->ie_len); - len = (sizeof(*cmd) - sizeof(cmd->iebuf)) + - (u16)(pos - (u8 *) &cmd->iebuf); + len = sizeof(*cmd) + (u16)(pos - (u8 *) &cmd->iebuf); cmd->hdr.size = cpu_to_le16(len); lbs_deb_hex(LBS_DEB_ASSOC, "ASSOC_CMD", (u8 *) cmd, diff --git a/drivers/net/wireless/marvell/libertas/host.h b/drivers/net/wireless/marvell/libertas/host.h index ceff4b92e7a1..a202b716ad5d 100644 --- a/drivers/net/wireless/marvell/libertas/host.h +++ b/drivers/net/wireless/marvell/libertas/host.h @@ -528,7 +528,8 @@ struct cmd_ds_802_11_associate { __le16 listeninterval; __le16 bcnperiod; u8 dtimperiod; - u8 iebuf[512]; /* Enough for required and most optional IEs */ + /* 512 permitted - enough for required and most optional IEs */ + u8 iebuf[]; } __packed; struct cmd_ds_802_11_associate_response { @@ -537,7 +538,8 @@ struct cmd_ds_802_11_associate_response { __le16 capability; __le16 statuscode; __le16 aid; - u8 iebuf[512]; + /* max 512 */ + u8 iebuf[]; } __packed; struct cmd_ds_802_11_set_wep {