| Message ID | 20250421204153.work.935-kees@kernel.org |
|---|---|
| State | New |
| Headers | show |
| Series | wifi: iwlwifi: mld: Work around Clang loop unrolling bug | expand |
diff --git a/drivers/net/wireless/intel/iwlwifi/mld/d3.c b/drivers/net/wireless/intel/iwlwifi/mld/d3.c index 2c6e8ecd93b7..1daca1ef02b2 100644 --- a/drivers/net/wireless/intel/iwlwifi/mld/d3.c +++ b/drivers/net/wireless/intel/iwlwifi/mld/d3.c @@ -1754,7 +1754,7 @@ iwl_mld_send_proto_offload(struct iwl_mld *mld, addrconf_addr_solict_mult(&wowlan_data->target_ipv6_addrs[i], &solicited_addr); - for (j = 0; j < c; j++) + for (j = 0; j < c && j < n_nsc; j++) if (ipv6_addr_cmp(&nsc[j].dest_ipv6_addr, &solicited_addr) == 0) break;
The nested loop in iwl_mld_send_proto_offload() confuses Clang into thinking there could be final loop iteration past the end of the "nsc" array (which is only 4 entries). The FORTIFY checking in memcmp() (via ipv6_addr_cmp()) notices this (due to the available bytes in the out-of-bounds position of &nsc[4] being 0), and errors out, failing the build. For some reason (likely due to architectural loop unrolling configurations), this is only exposed on ARM builds currently. Due to Clang's lack of inline tracking[1], the warning is not very helpful: include/linux/fortify-string.h:719:4: error: call to '__read_overflow' declared with 'error' attribute: detected read beyond size of object (1st parameter) 719 | __read_overflow(); | ^ 1 error generated. But this was tracked down to iwl_mld_send_proto_offload()'s ipv6_addr_cmp() call. An upstream Clang bug has been filed[2] to track this, but for now. Fix the build by explicitly bounding the inner loop by "n_nsc", which is what "c" is already limited to. Reported-by: Nathan Chancellor <nathan@kernel.org> Closes: https://github.com/ClangBuiltLinux/linux/issues/2076 Link: https://github.com/llvm/llvm-project/pull/73552 [1] Link: https://github.com/llvm/llvm-project/issues/136603 [2] Signed-off-by: Kees Cook <kees@kernel.org> --- Cc: Miri Korenblit <miriam.rachel.korenblit@intel.com> Cc: Johannes Berg <johannes.berg@intel.com> Cc: Yedidya Benshimol <yedidya.ben.shimol@intel.com> Cc: Emmanuel Grumbach <emmanuel.grumbach@intel.com> Cc: Avraham Stern <avraham.stern@intel.com> Cc: Daniel Gabay <daniel.gabay@intel.com> Cc: <linux-wireless@vger.kernel.org> --- drivers/net/wireless/intel/iwlwifi/mld/d3.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)