2021-04-23 11:47:25

by Dan Carpenter

Subject: [PATCH] brcmfmac: fix a loop exit condition

This code is supposed to loop over the whole board_type[] string. The
current code kind of works just because ascii values start 97 and the
string is likely shorter than that so it will break when we hit the NUL
terminator. But really the condition should be "i < len" instead of
"i < board_type[i]".

Fixes: 29e354ebeeec ("brcmfmac: Transform compatible string for FW loading")
Signed-off-by: Dan Carpenter <[email protected]>
---
drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
index a7554265f95f..9b75e396fc50 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
@@ -34,7 +34,7 @@ void brcmf_of_probe(struct device *dev, enum brcmf_bus_type bus_type,
len = strlen(tmp) + 1;
board_type = devm_kzalloc(dev, len, GFP_KERNEL);
strscpy(board_type, tmp, len);
- for (i = 0; i < board_type[i]; i++) {
+ for (i = 0; i < len; i++) {
if (board_type[i] == '/')
board_type[i] = '-';
}
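Review bot: The context lines pass the result of devm_kzalloc() straight to strscpy() with no NULL check, so an allocation failure is dereferenced there and again in the loop this hunk changes. Since these lines are being touched anyway, add an `if (!board_type)` check with an early return before the copy.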
--
2.30.2
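
A user-space C illustration of the two loop conditions in the patch above, added here and not taken from the driver or from anyone in this thread. The helper names (`replace_old`, `replace_new`, `slashes_left`) and the 127-character input are constructed for the example; it shows at which index the pre-patch bound stops looking for '/'.

```c
#include <stdio.h>
#include <string.h>

/* Pre-patch loop shape: the bound is the value of the current character. */
static void replace_old(char *s)
{
	int i;

	for (i = 0; i < s[i]; i++)
		if (s[i] == '/')
			s[i] = '-';
}

/* Patched loop shape: the bound is the buffer length (NUL included). */
static void replace_new(char *s, size_t len)
{
	size_t i;

	for (i = 0; i < len; i++)
		if (s[i] == '/')
			s[i] = '-';
}

/* Constructed input: 127 'a' characters with one '/' at index pos (< 127).
 * Returns how many '/' survive the chosen loop. */
static int slashes_left(int pos, int patched)
{
	char buf[128];
	int i, left = 0;

	memset(buf, 'a', sizeof(buf) - 1);
	buf[sizeof(buf) - 1] = '\0';
	buf[pos] = '/';
	if (patched)
		replace_new(buf, strlen(buf) + 1);
	else
		replace_old(buf);
	for (i = 0; buf[i]; i++)
		left += (buf[i] == '/');
	return left;
}

int main(void)
{
	int pos[] = { 10, 46, 47, 100 };
	size_t k;

	for (k = 0; k < sizeof(pos) / sizeof(pos[0]); k++)
		printf("'/' at %3d: old leaves %d, patched leaves %d\n", pos[k],
		       slashes_left(pos[k], 0), slashes_left(pos[k], 1));
	return 0;
}
```

The old bound exits at the first index that is not smaller than the character stored there, so in this input a '/' (value 47) at index 47 or later is left in place.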


2021-04-23 11:59:15

by Matthias Brugger

Subject: Re: [PATCH] brcmfmac: fix a loop exit condition



On 23/04/2021 13:46, Dan Carpenter wrote:
> This code is supposed to loop over the whole board_type[] string. The
> current code kind of works just because ascii values start 97 and the
> string is likely shorter than that so it will break when we hit the NUL
> terminator. But really the condition should be "i < len" instead of
> "i < board_type[i]".
>
> Fixes: 29e354ebeeec ("brcmfmac: Transform compatible string for FW loading")
> Signed-off-by: Dan Carpenter <[email protected]>

Good catch, I actually have serious doubts about whatever I was thinking when
writing that line of code.

Reviewed-by: Matthias Brugger <[email protected]>

> ---
> drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
> index a7554265f95f..9b75e396fc50 100644
> --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
> +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
> @@ -34,7 +34,7 @@ void brcmf_of_probe(struct device *dev, enum brcmf_bus_type bus_type,
> len = strlen(tmp) + 1;
> board_type = devm_kzalloc(dev, len, GFP_KERNEL);
> strscpy(board_type, tmp, len);
> - for (i = 0; i < board_type[i]; i++) {
> + for (i = 0; i < len; i++) {
> if (board_type[i] == '/')
> board_type[i] = '-';
> }
>

2021-04-23 12:00:22

by Johannes Berg

Subject: Re: [PATCH] brcmfmac: fix a loop exit condition

On Fri, 2021-04-23 at 14:46 +0300, Dan Carpenter wrote:
> This code is supposed to loop over the whole board_type[] string. The
> current code kind of works just because ascii values start 97 and the
> string is likely shorter than that so it will break when we hit the NUL
> terminator. But really the condition should be "i < len" instead of
> "i < board_type[i]".
>
> Fixes: 29e354ebeeec ("brcmfmac: Transform compatible string for FW loading")
> Signed-off-by: Dan Carpenter <[email protected]>
> ---
>  drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
> index a7554265f95f..9b75e396fc50 100644
> --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
> +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
> @@ -34,7 +34,7 @@ void brcmf_of_probe(struct device *dev, enum brcmf_bus_type bus_type,
>   len = strlen(tmp) + 1;
>   board_type = devm_kzalloc(dev, len, GFP_KERNEL);
>   strscpy(board_type, tmp, len);
> - for (i = 0; i < board_type[i]; i++) {
> + for (i = 0; i < len; i++) {
>   if (board_type[i] == '/')
>   board_type[i] = '-';
>   }
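Review bot: With `len = strlen(tmp) + 1` in the context lines, the new bound `i < len` also visits the NUL terminator at index len - 1. That is harmless because the terminator never equals '/', but `i < len - 1`, or stopping when `board_type[i]` is NUL, would match the stated intent of looping over the string itself.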

It should probably just use strreplace() though :)

johannes

2021-04-23 12:14:39

by Dan Carpenter

Subject: Re: [PATCH] brcmfmac: fix a loop exit condition

On Fri, Apr 23, 2021 at 01:59:36PM +0200, Johannes Berg wrote:
> On Fri, 2021-04-23 at 14:46 +0300, Dan Carpenter wrote:
> > This code is supposed to loop over the whole board_type[] string. The
> > current code kind of works just because ascii values start 97 and the
> > string is likely shorter than that so it will break when we hit the NUL
> > terminator. But really the condition should be "i < len" instead of
> > "i < board_type[i]".
> >
> > Fixes: 29e354ebeeec ("brcmfmac: Transform compatible string for FW loading")
> > Signed-off-by: Dan Carpenter <[email protected]>
> > ---
> >  drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
> > index a7554265f95f..9b75e396fc50 100644
> > --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
> > +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
> > @@ -34,7 +34,7 @@ void brcmf_of_probe(struct device *dev, enum brcmf_bus_type bus_type,
> > ? len = strlen(tmp) + 1;
> > ? board_type = devm_kzalloc(dev, len, GFP_KERNEL);
> > ? strscpy(board_type, tmp, len);
> > - for (i = 0; i < board_type[i]; i++) {
> > + for (i = 0; i < len; i++) {
> > ? if (board_type[i] == '/')
> > ? board_type[i] = '-';
> > ? }
>
> It should probably just use strreplace() though :)

Good point. I'll send a v2.

regards,
dan carpenter

2021-04-23 12:22:15

by Christophe JAILLET

Subject: Re: [PATCH] brcmfmac: fix a loop exit condition

On 23/04/2021 at 14:11, Dan Carpenter wrote:
> On Fri, Apr 23, 2021 at 01:59:36PM +0200, Johannes Berg wrote:
>> On Fri, 2021-04-23 at 14:46 +0300, Dan Carpenter wrote:
>>> This code is supposed to loop over the whole board_type[] string. The
>>> current code kind of works just because ascii values start 97 and the
>>> string is likely shorter than that so it will break when we hit the NUL
>>> terminator. But really the condition should be "i < len" instead of
>>> "i < board_type[i]".
>>>
>>> Fixes: 29e354ebeeec ("brcmfmac: Transform compatible string for FW loading")
>>> Signed-off-by: Dan Carpenter <[email protected]>
>>> ---
>>>  drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c | 2 +-
>>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
>>> index a7554265f95f..9b75e396fc50 100644
>>> --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
>>> +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
>>> @@ -34,7 +34,7 @@ void brcmf_of_probe(struct device *dev, enum brcmf_bus_type bus_type,
>>>   len = strlen(tmp) + 1;
>>>   board_type = devm_kzalloc(dev, len, GFP_KERNEL);
>>>   strscpy(board_type, tmp, len);
>>> - for (i = 0; i < board_type[i]; i++) {
>>> + for (i = 0; i < len; i++) {
>>>   if (board_type[i] == '/')
>>>   board_type[i] = '-';
>>>   }
>>
>> It should probably just use strreplace() though :)
>
> Good point. I'll send a v2.
>

and the 2 lines above look like a devm_kstrdup.

The (unlikely) malloc failure test is also missing.

CJ

> regards,
> dan carpenter
>
>

2021-04-23 12:54:45

by Johannes Berg

Subject: Re: [PATCH] brcmfmac: fix a loop exit condition

On Fri, 2021-04-23 at 14:20 +0200, Christophe JAILLET wrote:
>
> > > > +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
> > > > @@ -34,7 +34,7 @@ void brcmf_of_probe(struct device *dev, enum brcmf_bus_type bus_type,
> > > >    len = strlen(tmp) + 1;
> > > >    board_type = devm_kzalloc(dev, len, GFP_KERNEL);
> > > >    strscpy(board_type, tmp, len);
> > > > - for (i = 0; i < board_type[i]; i++) {
> > > > + for (i = 0; i < len; i++) {
> > > >    if (board_type[i] == '/')
> > > >    board_type[i] = '-';
> > > >    }
> > >
> > > It should probably just use strreplace() though :)
> >
> > Good point. I'll send a v2.
> >
>
> and the 2 lines above look like a devm_kstrdup.
>
> The (unlikely) malloc failure test is also missing.

How many issues can you have in 6 lines of code ;-)

johannes

2021-05-08 11:03:30

by Dan Carpenter

Subject: Re: [PATCH] brcmfmac: fix a loop exit condition

On Fri, Apr 23, 2021 at 02:20:35PM +0200, Christophe JAILLET wrote:
> On 23/04/2021 at 14:11, Dan Carpenter wrote:
> > On Fri, Apr 23, 2021 at 01:59:36PM +0200, Johannes Berg wrote:
> > > On Fri, 2021-04-23 at 14:46 +0300, Dan Carpenter wrote:
> > > > This code is supposed to loop over the whole board_type[] string. The
> > > > current code kind of works just because ascii values start 97 and the
> > > > string is likely shorter than that so it will break when we hit the NUL
> > > > terminator. But really the condition should be "i < len" instead of
> > > > "i < board_type[i]".
> > > >
> > > > Fixes: 29e354ebeeec ("brcmfmac: Transform compatible string for FW loading")
> > > > Signed-off-by: Dan Carpenter <[email protected]>
> > > > ---
> > > >  drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c | 2 +-
> > > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > > >
> > > > diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
> > > > index a7554265f95f..9b75e396fc50 100644
> > > > --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
> > > > +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
> > > > @@ -34,7 +34,7 @@ void brcmf_of_probe(struct device *dev, enum brcmf_bus_type bus_type,
> > > > ? len = strlen(tmp) + 1;
> > > > ? board_type = devm_kzalloc(dev, len, GFP_KERNEL);
> > > > ? strscpy(board_type, tmp, len);
> > > > - for (i = 0; i < board_type[i]; i++) {
> > > > + for (i = 0; i < len; i++) {
> > > > ? if (board_type[i] == '/')
> > > > ? board_type[i] = '-';
> > > > ? }
> > >
> > > It should probably just use strreplace() though :)
> >
> > Good point. I'll send a v2.
> >
>
> and the 2 lines above look like a devm_kstrdup.
>
> The (unlikely) malloc failure test is also missing.

It turns out that Smatch checks for allocation failure were really
ancient and really crap... I need to add all devm_ functions.
Probably should re-write all that code.

Also originally GFP_NOFAIL was 0x800 and now it is 0x8000. Smatch
was out of sync. So the functions that were supposed to be checked
were all disabled... Need to figure out a better way to do that as
well.

regards,
dan carpenter

2021-06-15 10:30:10

by Kalle Valo

Subject: Re: [PATCH] brcmfmac: fix a loop exit condition

Dan Carpenter <[email protected]> wrote:

> This code is supposed to loop over the whole board_type[] string. The
> current code kind of works just because ascii values start 97 and the
> string is likely shorter than that so it will break when we hit the NUL
> terminator. But really the condition should be "i < len" instead of
> "i < board_type[i]".
>
> Fixes: 29e354ebeeec ("brcmfmac: Transform compatible string for FW loading")
> Signed-off-by: Dan Carpenter <[email protected]>
> Reviewed-by: Matthias Brugger <[email protected]>

There was talk about v2, but I don't see it in the patchwork.

Patch set to Changes Requested.

--
https://patchwork.kernel.org/project/linux-wireless/patch/YIKzmoMiTdToaIyP@mwanda/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches

2021-06-15 12:54:12

by Dan Carpenter

Subject: Re: [PATCH] brcmfmac: fix a loop exit condition

On Tue, Jun 15, 2021 at 10:26:56AM +0000, Kalle Valo wrote:
> Dan Carpenter <[email protected]> wrote:
>
> > This code is supposed to loop over the whole board_type[] string. The
> > current code kind of works just because ascii values start 97 and the
> > string is likely shorter than that so it will break when we hit the NUL
> > terminator. But really the condition should be "i < len" instead of
> > "i < board_type[i]".
> >
> > Fixes: 29e354ebeeec ("brcmfmac: Transform compatible string for FW loading")
> > Signed-off-by: Dan Carpenter <[email protected]>
> > Reviewed-by: Matthias Brugger <[email protected]>
>
> There was talk about v2, but I don't see it in the patchwork.
>

Ah, crap. I started to debug Smatch to find out why it wasn't warning
about some of these bugs and I got a bit carried away writing Smatch
code and forgot to come back to this.

I will send it tomorrow.

regards,
dan carpenter

2021-06-15 13:45:49

by Kalle Valo

Subject: Re: [PATCH] brcmfmac: fix a loop exit condition

Dan Carpenter <[email protected]> writes:

> On Tue, Jun 15, 2021 at 10:26:56AM +0000, Kalle Valo wrote:
>> Dan Carpenter <[email protected]> wrote:
>>
>> > This code is supposed to loop over the whole board_type[] string. The
>> > current code kind of works just because ascii values start 97 and the
>> > string is likely shorter than that so it will break when we hit the NUL
>> > terminator. But really the condition should be "i < len" instead of
>> > "i < board_type[i]".
>> >
>> > Fixes: 29e354ebeeec ("brcmfmac: Transform compatible string for FW loading")
>> > Signed-off-by: Dan Carpenter <[email protected]>
>> > Reviewed-by: Matthias Brugger <[email protected]>
>>
>> There was talk about v2, but I don't see it in the patchwork.
>
> Ah, crap. I started to debug Smatch to find out why it wasn't warning
> about some of these bugs and I got a bit carried away writing Smatch
> code and forgot to come back to this.
>
> I will send it tomorrow.

No worries, take your time :) I just wanted to remind about this, or see
if patchwork or the mailing list have lost patches again (which has
happened in the past).

--
https://patchwork.kernel.org/project/linux-wireless/list/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches