In hfa384x_drvr_flashdl_write, hfa384x_dowmem is called in a cycle
without checking the result. Ignoring an error there may lead to an
incorrect flash download buffer value during the consequent write.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Anton Gusev <[email protected]>
---
drivers/staging/wlan-ng/hfa384x_usb.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/staging/wlan-ng/hfa384x_usb.c b/drivers/staging/wlan-ng/hfa384x_usb.c
index c7cd54171d99..baac5c02f904 100644
--- a/drivers/staging/wlan-ng/hfa384x_usb.c
+++ b/drivers/staging/wlan-ng/hfa384x_usb.c
@@ -1880,6 +1880,12 @@ int hfa384x_drvr_flashdl_write(struct hfa384x *hw, u32 daddr,
writepage,
writeoffset,
writebuf, writelen);
+ if (result) {
+ netdev_err(hw->wlandev->netdev,
+ "dowmem(page=%x,offset=%x,data=%p,len=%d) failed, result=%d. Aborting d/l\n",
+ writepage, writeoffset, writebuf, writelen, result);
+ return result;
+ }
}
/* set the download 'write flash' mode */
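Review bot: The bare "return result;" added inside the write loop exits hfa384x_drvr_flashdl_write directly from the middle of the download sequence, just before the step marked "set the download 'write flash' mode". If the function's other failure checks leave through a shared exit path, this check should use that same path so a failed hfa384x_dowmem is handled like every other abort in the function. The commit message should also say how the change was tested, or state plainly that it comes from static analysis only and was not run on hardware.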
--
2.39.1

On Thu, Feb 09, 2023 at 07:18:36PM +0300, Anton Gusev wrote:
> In hfa384x_drvr_flashdl_write, hfa384x_dowmem is called in a cycle
> without checking the result. Ignoring an error there may lead to an
> incorrect flash download buffer value during the consequent write.

Did you reproduce this on a running system?

> Found by Linux Verification Center (linuxtesting.org) with SVACE.

How was this tested? If not tested you HAVE TO SAY SO! Especially when
dealing with random tools that we know nothing about.

>
> Signed-off-by: Anton Gusev <[email protected]>
> ---
> drivers/staging/wlan-ng/hfa384x_usb.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/drivers/staging/wlan-ng/hfa384x_usb.c b/drivers/staging/wlan-ng/hfa384x_usb.c
> index c7cd54171d99..baac5c02f904 100644
> --- a/drivers/staging/wlan-ng/hfa384x_usb.c
> +++ b/drivers/staging/wlan-ng/hfa384x_usb.c
> @@ -1880,6 +1880,12 @@ int hfa384x_drvr_flashdl_write(struct hfa384x *hw, u32 daddr,
> writepage,
> writeoffset,
> writebuf, writelen);
> + if (result) {
> + netdev_err(hw->wlandev->netdev,
> + "dowmem(page=%x,offset=%x,data=%p,len=%d) failed, result=%d. Aborting d/l\n",
> + writepage, writeoffset, writebuf, writelen, result);
> + return result;
> + }
> }
>
> /* set the download 'write flash' mode */
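Review bot: In the netdev_err format string, "data=%p" logs the writebuf pointer, which the kernel prints as a hashed value, so it gives nothing useful for diagnosing a failed write; consider dropping it and keeping page, offset, len and result. Also confirm that the %x and %d specifiers match the declared types of writepage, writeoffset and writelen, which are not visible in this hunk.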
> --
> 2.39.1
>
>

Please fix up your tool, this patch does not follow the pattern of the
rest of the "exit on error" paths in this function so of course I'm not
going to accept this.

At this point, it really really feels like something needs to change
with your submissions, they are not working well :(

{sigh}

greg k-h