From patchwork Tue Jun 20 07:31:57 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dmitry Antipov X-Patchwork-Id: 13285242 X-Patchwork-Delegate: toke@redhat.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id F39ADEB64D7 for ; Tue, 20 Jun 2023 07:32:49 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229901AbjFTHct (ORCPT ); Tue, 20 Jun 2023 03:32:49 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36208 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229683AbjFTHcs (ORCPT ); Tue, 20 Jun 2023 03:32:48 -0400 Received: from forward102c.mail.yandex.net (forward102c.mail.yandex.net [IPv6:2a02:6b8:c03:500:1:45:d181:d102]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E1E9711D for ; Tue, 20 Jun 2023 00:32:46 -0700 (PDT) Received: from mail-nwsmtp-smtp-production-main-39.sas.yp-c.yandex.net (mail-nwsmtp-smtp-production-main-39.sas.yp-c.yandex.net [IPv6:2a02:6b8:c08:2087:0:640:7bf5:0]) by forward102c.mail.yandex.net (Yandex) with ESMTP id 756AC6004B; Tue, 20 Jun 2023 10:32:44 +0300 (MSK) Received: by mail-nwsmtp-smtp-production-main-39.sas.yp-c.yandex.net (smtp/Yandex) with ESMTPSA id UWb0SEqDfiE0-AGNkaZ9G; Tue, 20 Jun 2023 10:32:43 +0300 X-Yandex-Fwd: 1 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.ru; s=mail; t=1687246364; bh=s67ry7Co9MPhktxsgxXhz8/DBce/8Tak4qy6/Iz1lww=; h=Message-ID:Date:Cc:Subject:To:From; b=EtmzobNtIVFrceZeSKxv4ZJbLRBsLbEEhLwDE3Cu5s61KPFkzQLJPW4Rtiw5NHgnD BsXd099p1JskoPsBWiKy7dw6JZWjWnbHrlip5jAKFf5W9pemHcsO6Qi6KZVfLiFO3e w/l4e3XNErD/ZifyRTdcuMm14kA4SHcBqBsXs+6Q= Authentication-Results: mail-nwsmtp-smtp-production-main-39.sas.yp-c.yandex.net; dkim=pass header.i=@yandex.ru From: Dmitry Antipov To: =?utf-8?q?Toke_H=C3=B8iland-J=C3=B8rgensen?= Cc: Kalle Valo , linux-wireless@vger.kernel.org, Dmitry Antipov Subject: [PATCH 1/2] wifi: ath9k: avoid using uninitialized array Date: Tue, 20 Jun 2023 10:31:57 +0300 Message-ID: <20230620073228.363207-1-dmantipov@yandex.ru> X-Mailer: git-send-email 2.41.0 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org In 'ath_tx_count_frames()', 'ba' array may be used uninitialized, so add 'memset()' call similar to one used in 'ath_tx_complete_aggr()'. Signed-off-by: Dmitry Antipov --- drivers/net/wireless/ath/ath9k/xmit.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/wireless/ath/ath9k/xmit.c b/drivers/net/wireless/ath/ath9k/xmit.c index f6f2ab7a63ff..8babaaacacf5 100644 --- a/drivers/net/wireless/ath/ath9k/xmit.c +++ b/drivers/net/wireless/ath/ath9k/xmit.c @@ -466,6 +466,8 @@ static void ath_tx_count_frames(struct ath_softc *sc, struct ath_buf *bf, *nframes = 0; isaggr = bf_isaggr(bf); + memset(ba, 0, WME_BA_BMP_SIZE >> 3); + if (isaggr) { seq_st = ts->ts_seqnum; memcpy(ba, &ts->ba_low, WME_BA_BMP_SIZE >> 3); From patchwork Tue Jun 20 07:31:58 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Dmitry Antipov X-Patchwork-Id: 13285243 X-Patchwork-Delegate: toke@redhat.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id BE63BEB64DC for ; Tue, 20 Jun 2023 07:32:52 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229753AbjFTHcv (ORCPT ); Tue, 20 Jun 2023 03:32:51 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36234 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229683AbjFTHcu (ORCPT ); Tue, 20 Jun 2023 03:32:50 -0400 Received: from forward102b.mail.yandex.net (forward102b.mail.yandex.net [IPv6:2a02:6b8:c02:900:1:45:d181:d102]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5ADBDDF for ; Tue, 20 Jun 2023 00:32:48 -0700 (PDT) Received: from mail-nwsmtp-smtp-production-main-39.sas.yp-c.yandex.net (mail-nwsmtp-smtp-production-main-39.sas.yp-c.yandex.net [IPv6:2a02:6b8:c08:2087:0:640:7bf5:0]) by forward102b.mail.yandex.net (Yandex) with ESMTP id 5DC4A6011D; Tue, 20 Jun 2023 10:32:46 +0300 (MSK) Received: by mail-nwsmtp-smtp-production-main-39.sas.yp-c.yandex.net (smtp/Yandex) with ESMTPSA id UWb0SEqDfiE0-gyPtXFwZ; Tue, 20 Jun 2023 10:32:45 +0300 X-Yandex-Fwd: 1 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.ru; s=mail; t=1687246365; bh=NijMV3+E8XkZYhvELiFDZ8763krT3D51AnOa5G+Egmg=; h=Cc:Message-ID:References:Date:In-Reply-To:Subject:To:From; b=c8x6xaGFOnlhhNwuIeeTyw4TBlpjiINAg65ice+8Yy7wfkTuj2BpLvguLlY4u8PhD fISfsLhCJ6kNsuPlm6243/yjvjF5gOqUfSnoKViiIX3pVW6lcR0D2BMpz73eCLzla+ hHwggxT4yONILT9Eu97bIdQfAJhcezTmVg126JXA= Authentication-Results: mail-nwsmtp-smtp-production-main-39.sas.yp-c.yandex.net; dkim=pass header.i=@yandex.ru From: Dmitry Antipov To: =?utf-8?q?Toke_H=C3=B8iland-J=C3=B8rgensen?= Cc: Kalle Valo , linux-wireless@vger.kernel.org, Dmitry Antipov Subject: [PATCH 2/2] wifi: ath9k: fix fortify warnings Date: Tue, 20 Jun 2023 10:31:58 +0300 Message-ID: <20230620073228.363207-2-dmantipov@yandex.ru> X-Mailer: git-send-email 2.41.0 In-Reply-To: <20230620073228.363207-1-dmantipov@yandex.ru> References: <20230620073228.363207-1-dmantipov@yandex.ru> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org When compiling with gcc 13.1 and CONFIG_FORTIFY_SOURCE=y, I've noticed the following: In function ‘fortify_memcpy_chk’, inlined from ‘ath_tx_complete_aggr’ at drivers/net/wireless/ath/ath9k/xmit.c:556:4, inlined from ‘ath_tx_process_buffer’ at drivers/net/wireless/ath/ath9k/xmit.c:773:3: ./include/linux/fortify-string.h:529:25: warning: call to ‘__read_overflow2_field’ declared with attribute warning: detected read beyond size of field (2nd parameter); maybe use struct_group()? [-Wattribute-warning] 529 | __read_overflow2_field(q_size_field, size); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In function ‘fortify_memcpy_chk’, inlined from ‘ath_tx_count_frames’ at drivers/net/wireless/ath/ath9k/xmit.c:473:3, inlined from ‘ath_tx_complete_aggr’ at drivers/net/wireless/ath/ath9k/xmit.c:572:2, inlined from ‘ath_tx_process_buffer’ at drivers/net/wireless/ath/ath9k/xmit.c:773:3: ./include/linux/fortify-string.h:529:25: warning: call to ‘__read_overflow2_field’ declared with attribute warning: detected read beyond size of field (2nd parameter); maybe use struct_group()? [-Wattribute-warning] 529 | __read_overflow2_field(q_size_field, size); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In both cases, the compiler complains on: memcpy(ba, &ts->ba_low, WME_BA_BMP_SIZE >> 3); which is the legal way to copy both 'ba_low' and following 'ba_high' members of 'struct ath_tx_status' at once (that is, issue one 8-byte 'memcpy()' for two 4-byte fields). Since the fortification logic seems interprets this trick as an attempt to overread 4-byte 'ba_low', relevant warnings may be silenced by specifying source buffer with 'offsetof()' of the 'ba_low' instead of using an address of the latter. Signed-off-by: Dmitry Antipov --- drivers/net/wireless/ath/ath9k/xmit.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/ath/ath9k/xmit.c b/drivers/net/wireless/ath/ath9k/xmit.c index 8babaaacacf5..5a70395a3a2a 100644 --- a/drivers/net/wireless/ath/ath9k/xmit.c +++ b/drivers/net/wireless/ath/ath9k/xmit.c @@ -470,7 +470,8 @@ static void ath_tx_count_frames(struct ath_softc *sc, struct ath_buf *bf, if (isaggr) { seq_st = ts->ts_seqnum; - memcpy(ba, &ts->ba_low, WME_BA_BMP_SIZE >> 3); + memcpy(ba, ts + offsetof(struct ath_tx_status, ba_low), + WME_BA_BMP_SIZE >> 3); } while (bf) { @@ -553,7 +554,8 @@ static void ath_tx_complete_aggr(struct ath_softc *sc, struct ath_txq *txq, if (isaggr && txok) { if (ts->ts_flags & ATH9K_TX_BA) { seq_st = ts->ts_seqnum; - memcpy(ba, &ts->ba_low, WME_BA_BMP_SIZE >> 3); + memcpy(ba, ts + offsetof(struct ath_tx_status, ba_low), + WME_BA_BMP_SIZE >> 3); } else { /* * AR5416 can become deaf/mute when BA