| Message ID | YIKzmoMiTdToaIyP@mwanda |
|---|---|
| State | New |
| Headers | show |
| Series | brcmfmac: fix a loop exit condition | expand |
On 23/04/2021 13:46, Dan Carpenter wrote: > This code is supposed to loop over the whole board_type[] string. The > current code kind of works just because ascii values start 97 and the > string is likely shorter than that so it will break when we hit the NUL > terminator. But really the condition should be "i < len" instead of > "i < board_type[i]". > > Fixes: 29e354ebeeec ("brcmfmac: Transform compatible string for FW loading") > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Good catch, I actually have serious doubts about whatever I was thinking when writing that line of code. Reviewed-by: Matthias Brugger <mbrugger@suse.com> > --- > drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c > index a7554265f95f..9b75e396fc50 100644 > --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c > +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c > @@ -34,7 +34,7 @@ void brcmf_of_probe(struct device *dev, enum brcmf_bus_type bus_type, > len = strlen(tmp) + 1; > board_type = devm_kzalloc(dev, len, GFP_KERNEL); > strscpy(board_type, tmp, len); > - for (i = 0; i < board_type[i]; i++) { > + for (i = 0; i < len; i++) { > if (board_type[i] == '/') > board_type[i] = '-'; > } >
Le 23/04/2021 à 14:11, Dan Carpenter a écrit : > On Fri, Apr 23, 2021 at 01:59:36PM +0200, Johannes Berg wrote: >> On Fri, 2021-04-23 at 14:46 +0300, Dan Carpenter wrote: >>> This code is supposed to loop over the whole board_type[] string. The >>> current code kind of works just because ascii values start 97 and the >>> string is likely shorter than that so it will break when we hit the NUL >>> terminator. But really the condition should be "i < len" instead of >>> "i < board_type[i]". >>> >>> Fixes: 29e354ebeeec ("brcmfmac: Transform compatible string for FW loading") >>> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> >>> --- >>> drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c | 2 +- >>> 1 file changed, 1 insertion(+), 1 deletion(-) >>> >>> diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c >>> index a7554265f95f..9b75e396fc50 100644 >>> --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c >>> +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c >>> @@ -34,7 +34,7 @@ void brcmf_of_probe(struct device *dev, enum brcmf_bus_type bus_type, >>> len = strlen(tmp) + 1; >>> board_type = devm_kzalloc(dev, len, GFP_KERNEL); >>> strscpy(board_type, tmp, len); >>> - for (i = 0; i < board_type[i]; i++) { >>> + for (i = 0; i < len; i++) { >>> if (board_type[i] == '/') >>> board_type[i] = '-'; >>> } >> >> It should probably just use strreplace() though :) > > Good point. I'll send a v2. > and the 2 lines above look like a devm_kstrdup. The (unlikely) malloc failure test is also missing. CJ > regards, > dan carpenter > >
On Fri, Apr 23, 2021 at 02:20:35PM +0200, Christophe JAILLET wrote: > Le 23/04/2021 à 14:11, Dan Carpenter a écrit : > > On Fri, Apr 23, 2021 at 01:59:36PM +0200, Johannes Berg wrote: > > > On Fri, 2021-04-23 at 14:46 +0300, Dan Carpenter wrote: > > > > This code is supposed to loop over the whole board_type[] string. The > > > > current code kind of works just because ascii values start 97 and the > > > > string is likely shorter than that so it will break when we hit the NUL > > > > terminator. But really the condition should be "i < len" instead of > > > > "i < board_type[i]". > > > > > > > > Fixes: 29e354ebeeec ("brcmfmac: Transform compatible string for FW loading") > > > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > > > > --- > > > > drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c | 2 +- > > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > > > diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c > > > > index a7554265f95f..9b75e396fc50 100644 > > > > --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c > > > > +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c > > > > @@ -34,7 +34,7 @@ void brcmf_of_probe(struct device *dev, enum brcmf_bus_type bus_type, > > > > len = strlen(tmp) + 1; > > > > board_type = devm_kzalloc(dev, len, GFP_KERNEL); > > > > strscpy(board_type, tmp, len); > > > > - for (i = 0; i < board_type[i]; i++) { > > > > + for (i = 0; i < len; i++) { > > > > if (board_type[i] == '/') > > > > board_type[i] = '-'; > > > > } > > > > > > It should probably just use strreplace() though :) > > > > Good point. I'll send a v2. > > > > and the 2 lines above look like a devm_kstrdup. > > The (unlikely) malloc failure test is also missing. It turns out that Smatch checks for allocation failure were really ancient and really crap... I need to add all devm_ functions. Probably should re-write all that code. Also originally GFP_NOFAIL was 0x800 and now it is 0x8000. Smatch was out of sync. So the functions that were supposed to be checked were all disabled... Need to figure out a better way to do that as well. regards, dan carpenter
Dan Carpenter <dan.carpenter@oracle.com> wrote: > This code is supposed to loop over the whole board_type[] string. The > current code kind of works just because ascii values start 97 and the > string is likely shorter than that so it will break when we hit the NUL > terminator. But really the condition should be "i < len" instead of > "i < board_type[i]". > > Fixes: 29e354ebeeec ("brcmfmac: Transform compatible string for FW loading") > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > Reviewed-by: Matthias Brugger <mbrugger@suse.com> There was talk about v2, but I don't see it in the patchwork. Patch set to Changes Requested. -- https://patchwork.kernel.org/project/linux-wireless/patch/YIKzmoMiTdToaIyP@mwanda/ https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
On Tue, Jun 15, 2021 at 10:26:56AM +0000, Kalle Valo wrote: > Dan Carpenter <dan.carpenter@oracle.com> wrote: > > > This code is supposed to loop over the whole board_type[] string. The > > current code kind of works just because ascii values start 97 and the > > string is likely shorter than that so it will break when we hit the NUL > > terminator. But really the condition should be "i < len" instead of > > "i < board_type[i]". > > > > Fixes: 29e354ebeeec ("brcmfmac: Transform compatible string for FW loading") > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > > Reviewed-by: Matthias Brugger <mbrugger@suse.com> > > There was talk about v2, but I don't see it in the patchwork. > Ah, crap. I started to debug Smatch to find out why it wasn't warning about some of these bugs and I got a bit carried away writing Smatch code and forgot to come back to this. I will send it tomorrow. regards, dan carpenter
Dan Carpenter <dan.carpenter@oracle.com> writes: > On Tue, Jun 15, 2021 at 10:26:56AM +0000, Kalle Valo wrote: >> Dan Carpenter <dan.carpenter@oracle.com> wrote: >> >> > This code is supposed to loop over the whole board_type[] string. The >> > current code kind of works just because ascii values start 97 and the >> > string is likely shorter than that so it will break when we hit the NUL >> > terminator. But really the condition should be "i < len" instead of >> > "i < board_type[i]". >> > >> > Fixes: 29e354ebeeec ("brcmfmac: Transform compatible string for FW loading") >> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> >> > Reviewed-by: Matthias Brugger <mbrugger@suse.com> >> >> There was talk about v2, but I don't see it in the patchwork. > > Ah, crap. I started to debug Smatch to find out why it wasn't warning > about some of these bugs and I got a bit carried away writing Smatch > code and forgot to come back to this. > > I will send it tomorrow. No worries, take your time :) I just wanted to remind about this, or see if patchwork or the mailing list have lost patches again (which has happened in the past). -- https://patchwork.kernel.org/project/linux-wireless/list/ https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c index a7554265f95f..9b75e396fc50 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c @@ -34,7 +34,7 @@ void brcmf_of_probe(struct device *dev, enum brcmf_bus_type bus_type, len = strlen(tmp) + 1; board_type = devm_kzalloc(dev, len, GFP_KERNEL); strscpy(board_type, tmp, len); - for (i = 0; i < board_type[i]; i++) { + for (i = 0; i < len; i++) { if (board_type[i] == '/') board_type[i] = '-'; }
This code is supposed to loop over the whole board_type[] string. The current code kind of works just because ascii values start 97 and the string is likely shorter than that so it will break when we hit the NUL terminator. But really the condition should be "i < len" instead of "i < board_type[i]". Fixes: 29e354ebeeec ("brcmfmac: Transform compatible string for FW loading") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> --- drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)