From patchwork Tue Jan 17 10:45:08 2023
X-Patchwork-Submitter: "Alexey V. Vissarionov"
X-Patchwork-Id: 644043
Date: Tue, 17 Jan 2023 13:45:08 +0300
From: "Alexey V. Vissarionov" To: Arend van Spriel Cc: Franky Lin , Hante Meuleman , Kalle Valo , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Alvin =?utf-8?q?=C5=A0ipraga?= , Chi-hsien Lin , Ahmad Fatoum , Wataru Gohda , Sebastian Andrzej Siewior , Wolfram Sang , Pieter-Paul Giesberts , linux-wireless@vger.kernel.org, brcm80211-dev-list.pdl@broadcom.com, SHA-cyfmac-dev-list@infineon.com, netdev@vger.kernel.org, lvc-project@linuxtesting.org, "Alexey V. Vissarionov" Subject: [PATCH] wifi: brcmfmac: Fix allocation size Message-ID: <20230117104508.GB12547@altlinux.org> MIME-Version: 1.0 Content-Disposition: inline Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org The "pkt" is a pointer to struct sk_buff, so it's just 4 or 8 bytes, while the structure itself is much bigger. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: bbd1f932e7c45ef1 ("brcmfmac: cleanup ampdu-rx host reorder code") Signed-off-by: Alexey V. Vissarionov diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c index 36af81975855c525..0d283456da331464 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c @@ -1711,7 +1711,7 @@ void brcmf_fws_rxreorder(struct brcmf_if *ifp, struct sk_buff *pkt) buf_size = sizeof(*rfi); max_idx = reorder_data[BRCMF_RXREORDER_MAXIDX_OFFSET]; - buf_size += (max_idx + 1) * sizeof(pkt); + buf_size += (max_idx + 1) * sizeof(struct sk_buff); /* allocate space for flow reorder info */ brcmf_dbg(INFO, "flow-%d: start, maxidx %d\n",
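Review bot: The new multiplier on the `buf_size +=` line, `sizeof(struct sk_buff)`, is only correct if the storage that follows `*rfi` holds whole `struct sk_buff` objects, and neither the hunk nor the commit message shows the type of those slots. If the reorder slots store `struct sk_buff *` pointers, the original `sizeof(pkt)` was already the right element size, and this change enlarges each of the `max_idx + 1` slots without fixing any overflow. Please state the slot array's element type in the commit message and take the size from that array's element (a `sizeof(*array)` form) rather than from the `pkt` parameter or a hard-coded struct name, so the allocation follows the declaration.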