2014-03-02 09:21:15

by Vladimir Kondratiev

Subject: [PATCH 0/2] wil6210: fixes for issues found by smatch

Smatch found 2 issues, one real off-by-one causing buffer
overflow, and one minor warning. Fixing both.

Vladimir Kondratiev (2):
wil6210: fix buffer overflow in wil_txdesc_debugfs_show()
wil6210: fix smatch warning in wil_cfg80211_get_station()

drivers/net/wireless/ath/wil6210/cfg80211.c | 2 +-
drivers/net/wireless/ath/wil6210/debugfs.c | 12 ++++++------
2 files changed, 7 insertions(+), 7 deletions(-)

--
1.8.3.2



2014-03-02 09:21:19

by Vladimir Kondratiev

Subject: [PATCH 2/2] wil6210: fix smatch warning in wil_cfg80211_get_station()

Smatch suggests to propagate error code from wil_find_cid(), and, indeed,
it is a good idea.

Signed-off-by: Vladimir Kondratiev <[email protected]>
---
drivers/net/wireless/ath/wil6210/cfg80211.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/ath/wil6210/cfg80211.c b/drivers/net/wireless/ath/wil6210/cfg80211.c
index a4da064..7439303 100644
--- a/drivers/net/wireless/ath/wil6210/cfg80211.c
+++ b/drivers/net/wireless/ath/wil6210/cfg80211.c
@@ -181,7 +181,7 @@ static int wil_cfg80211_get_station(struct wiphy *wiphy,

wil_info(wil, "%s(%pM) CID %d\n", __func__, mac, cid);
if (cid < 0)
- return -ENOENT;
+ return cid;

rc = wil_cid_fill_sinfo(wil, cid, sinfo);
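Review bot: the new "return cid;" under "if (cid < 0)" changes the errno that get_station callers see unless wil_find_cid() can only ever return -ENOENT, and neither the hunk nor the commit message says which values it returns on failure. Please list the possible error codes in the commit message so it is clear whether this is a behaviour change for userspace or a pure cleanup. Separately, the wil_info() call sits above the check, so a failed lookup is still logged at info level with a negative CID; moving the check above the log line would keep that noise out.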

--
1.8.3.2


2014-03-02 09:21:23

by Vladimir Kondratiev

Subject: [PATCH 1/2] wil6210: fix buffer overflow in wil_txdesc_debugfs_show()

Wrong index comparison logic, found by smatch:

drivers/net/wireless/ath/wil6210/debugfs.c:402 wil_txdesc_debugfs_show() warn: buffer overflow 'wil->vring_tx' 24 <= 24

Signed-off-by: Vladimir Kondratiev <[email protected]>
---
drivers/net/wireless/ath/wil6210/debugfs.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/drivers/net/wireless/ath/wil6210/debugfs.c b/drivers/net/wireless/ath/wil6210/debugfs.c
index 729e774..1d09a4b 100644
--- a/drivers/net/wireless/ath/wil6210/debugfs.c
+++ b/drivers/net/wireless/ath/wil6210/debugfs.c
@@ -26,8 +26,7 @@
/* Nasty hack. Better have per device instances */
static u32 mem_addr;
static u32 dbg_txdesc_index;
-static u32 dbg_vring_index; /* 25 for Rx, 0..24 for Tx */
-#define WIL_DBG_VRING_INDEX_RX (WIL6210_MAX_TX_RINGS + 1)
+static u32 dbg_vring_index; /* 24+ for Rx, 0..23 for Tx */

static void wil_print_vring(struct seq_file *s, struct wil6210_priv *wil,
const char *name, struct vring *vring,
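Review bot: the new comment on dbg_vring_index hardcodes "24+" and "0..23" rather than naming WIL6210_MAX_TX_RINGS, so it can drift from the code the same way the old "25 for Rx, 0..24 for Tx" did; wording it as "< WIL6210_MAX_TX_RINGS for Tx, anything else for Rx" would keep it tied to the check. Removing WIL_DBG_VRING_INDEX_RX is only safe if nothing else in the driver references it, which this diff does not show, so a grep before applying is worthwhile.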
@@ -404,13 +403,14 @@ static int wil_txdesc_debugfs_show(struct seq_file *s, void *data)
{
struct wil6210_priv *wil = s->private;
struct vring *vring;
- if (dbg_vring_index <= WIL6210_MAX_TX_RINGS)
+ bool tx = (dbg_vring_index < WIL6210_MAX_TX_RINGS);
+ if (tx)
vring = &(wil->vring_tx[dbg_vring_index]);
else
vring = &wil->vring_rx;

if (!vring->va) {
- if (dbg_vring_index <= WIL6210_MAX_TX_RINGS)
+ if (tx)
seq_printf(s, "No Tx[%2d] VRING\n", dbg_vring_index);
else
seq_puts(s, "No Rx VRING\n");
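Review bot: tx is derived from one read of dbg_vring_index, but "&(wil->vring_tx[dbg_vring_index])" and the seq_printf() below read the static again, so the bounds check and the array index are not guaranteed to see the same value if the variable can be written while this show handler runs. Copying dbg_vring_index into a local at the top of the function and using that local for the check, the index and the messages would close the gap. As a style point, kernel convention wants a blank line between the "bool tx = ..." declaration and the "if (tx)" that follows it.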
@@ -426,7 +426,7 @@ static int wil_txdesc_debugfs_show(struct seq_file *s, void *data)
volatile u32 *u = (volatile u32 *)d;
struct sk_buff *skb = vring->ctx[dbg_txdesc_index].skb;

- if (dbg_vring_index <= WIL6210_MAX_TX_RINGS)
+ if (tx)
seq_printf(s, "Tx[%2d][%3d] = {\n", dbg_vring_index,
dbg_txdesc_index);
else
@@ -461,7 +461,7 @@ static int wil_txdesc_debugfs_show(struct seq_file *s, void *data)
}
seq_printf(s, "}\n");
} else {
- if (dbg_vring_index <= WIL6210_MAX_TX_RINGS)
+ if (tx)
seq_printf(s, "[%2d] TxDesc index (%d) >= size (%d)\n",
dbg_vring_index, dbg_txdesc_index,
vring->size);
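Review bot: the seq_printf() in this else branch prints dbg_vring_index and dbg_txdesc_index with %2d and %d although both are declared "static u32" at the top of the file; %u matches the type and avoids showing a large index as a negative number. Since the patch already touches each of these Tx/Rx branches, the specifiers could be corrected in the same pass or in a small follow-up.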
--
1.8.3.2