Received: by 2002:a05:6358:a55:b0:ec:fcf4:3ecf with SMTP id 21csp4587849rwb;
        Tue, 17 Jan 2023 02:55:08 -0800 (PST)
X-Google-Smtp-Source: AMrXdXvACwt8FlxgsDLbLfKY6frEItZZqW/js9rlLcm7V+cCBIJAYqaP2IY43MoabFnAMbao6WJR
X-Received: by 2002:a17:906:40d7:b0:84d:16d0:717 with SMTP id a23-20020a17090640d700b0084d16d00717mr2789452ejk.65.1673952908284;
        Tue, 17 Jan 2023 02:55:08 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1673952908; cv=none;
        d=google.com; s=arc-20160816;
        b=gWMq27o8W9nXXaWR7vWRX8w4mG+45FsxAxbh0J4VqwvP8O9awmLwhej5oi9k76pp3Y
         kAoBMLkfpP9FfpSvp/gSesVA3jZ7/isS0I4Dxupju1fCSU2ulCC8uuhfsL9R4/QjEWSZ
         UkTs/g7grPJVGH4QHMgRbjr1vbSHZjt3rhzizwx/0F+jbNeK3HFsLmm8i6hqAuyKuxwc
         oarKbvaMDFL6GD/c1fe3D0NytAyS+ppoaQB1Vb1lIEJ49d3rwfG7vL771DV+18XeR4Gt
         g26WZvIjgOrdGskehONjPScnNzidEWE0a/eSXKJZ7ktxDBpiFEq4PUQGK4cyocKnZiR2
         Z2cw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-disposition:mime-version:message-id
         :subject:cc:to:from:date;
        bh=Hef5hhm4O6llMw8HKZsrfwc5rn7Qkwz6yUzO1zbertM=;
        b=Up8w6zlOUZGb3rkkdJVR7GqOIRvSYfEizm3DlMoO3Q1s7zPbn0Yeo363/+2UJ4BGMy
         Y2Eo+oSjUzoXCxyZ5X1tuJ8z21pg3AP1bOVfZTsHfBXVy2ILdKgBZttrbvvMkWWRY6SP
         vt6FsmEPpR5/pPVOxe1UMztEI7wb4ujHVmW+UxsNOkQZtPQgqLcMvmFtwXfAgAfZNDUP
         5PpHigfoi9mA5pi6c5sPRYtxEa4/mbAiI293JTMws8cTBQg7fOe+9u94UbSB3k9gjwTL
         R4IBnbXopue9I0HKiL/iNIXbKeJxTZkmYDWZ3Moz70OPkpslMqW0T6Wb4jIVO1nlCHIZ
         pBRQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org
Return-Path: <linux-wireless-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id nb11-20020a1709071c8b00b00858a806e49esi10031790ejc.521.2023.01.17.02.54.50;
        Tue, 17 Jan 2023 02:55:08 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S236478AbjAQKpP (ORCPT <rfc822;hsy1995313@gmail.com> + 63 others);
        Tue, 17 Jan 2023 05:45:15 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48300 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S235963AbjAQKpN (ORCPT
        <rfc822;linux-wireless@vger.kernel.org>);
        Tue, 17 Jan 2023 05:45:13 -0500
Received: from air.basealt.ru (air.basealt.ru [194.107.17.39])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A217F72A4;
        Tue, 17 Jan 2023 02:45:12 -0800 (PST)
Received: by air.basealt.ru (Postfix, from userid 490)
        id 408F52F20230; Tue, 17 Jan 2023 10:45:11 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
X-Spam-Level: 
X-Spam-Status: No, score=-1.6 required=5.0 tests=BAYES_00,
        HEADER_FROM_DIFFERENT_DOMAINS,SPF_HELO_NONE,SPF_PASS autolearn=no
        autolearn_force=no version=3.4.6
Received: from localhost (broadband-188-32-10-232.ip.moscow.rt.ru [188.32.10.232])
        by air.basealt.ru (Postfix) with ESMTPSA id 6A7CD2F2022A;
        Tue, 17 Jan 2023 10:45:08 +0000 (UTC)
Date:   Tue, 17 Jan 2023 13:45:08 +0300
From:   "Alexey V. Vissarionov" <gremlin@altlinux.org>
To:     Arend van Spriel <aspriel@gmail.com>
Cc:     Franky Lin <franky.lin@broadcom.com>,
        Hante Meuleman <hante.meuleman@broadcom.com>,
        Kalle Valo <kvalo@kernel.org>,
        "David S. Miller" <davem@davemloft.net>,
        Eric Dumazet <edumazet@google.com>,
        Jakub Kicinski <kuba@kernel.org>,
        Paolo Abeni <pabeni@redhat.com>,
        Alvin =?utf-8?Q?=C5=A0ipraga?= <alsi@bang-olufsen.dk>,
        Chi-hsien Lin <chi-hsien.lin@cypress.com>,
        Ahmad Fatoum <a.fatoum@pengutronix.de>,
        Wataru Gohda <wataru.gohda@cypress.com>,
        Sebastian Andrzej Siewior <bigeasy@linutronix.de>,
        Wolfram Sang <wsa+renesas@sang-engineering.com>,
        Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>,
        linux-wireless@vger.kernel.org,
        brcm80211-dev-list.pdl@broadcom.com,
        SHA-cyfmac-dev-list@infineon.com, netdev@vger.kernel.org,
        lvc-project@linuxtesting.org,
        "Alexey V. Vissarionov" <gremlin@altlinux.org>
Subject: [PATCH] wifi: brcmfmac: Fix allocation size
Message-ID: <20230117104508.GB12547@altlinux.org>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
        protocol="application/pgp-signature"; boundary="UlVJffcvxoiEqYs2"
Content-Disposition: inline
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org


--UlVJffcvxoiEqYs2
Content-Type: text/plain; charset=koi8-r
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

The "pkt" is a pointer to struct sk_buff, so it's just 4 or 8
bytes, while the structure itself is much bigger.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: bbd1f932e7c45ef1 ("brcmfmac: cleanup ampdu-rx host reorder code")
Signed-off-by: Alexey V. Vissarionov <gremlin@altlinux.org>

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c b/=
drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
index 36af81975855c525..0d283456da331464 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
@@ -1711,7 +1711,7 @@ void brcmf_fws_rxreorder(struct brcmf_if *ifp, struct=
 sk_buff *pkt)
 		buf_size =3D sizeof(*rfi);
 		max_idx =3D reorder_data[BRCMF_RXREORDER_MAXIDX_OFFSET];
=20
-		buf_size +=3D (max_idx + 1) * sizeof(pkt);
+		buf_size +=3D (max_idx + 1) * sizeof(struct sk_buff);
=20
 		/* allocate space for flow reorder info */
 		brcmf_dbg(INFO, "flow-%d: start, maxidx %d\n",



--=20
Alexey V. Vissarionov
gremlin =F0=F2=E9 altlinux =F4=FE=EB org; +vii-cmiii-ccxxix-lxxix-xlii
GPG: 0D92F19E1C0DC36E27F61A29CD17E2B43D879005 @ hkp://keys.gnupg.net

--UlVJffcvxoiEqYs2
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJjxnw0AAoJEFv2F9znRj5KQvAP/0vVdNTgXeTXiNmYRz66mfge
uzb0OEuTbO7b5fm+PszT9w+gArHzfoPuJIviWLJlC34vH/25WUTouZudPmF9QhG4
WiixT07wc1Urd+1Oi62bEoSn41gs9UE431R1wRuUKENwRp5E8JVQ15xW5O9YrxLi
oQ1KzOIHR84Z5Qi+3bQnp/8ZX5b3G+2Zs9h573szhsfGWQ7+ERBJ2MgJI76Mw5aZ
IEy2Pmtxy4YE5pYqz7fNRSSBS8ogFSjY8AXqQkfGJcKyU5xsWEo9Pv6+QnouE55K
jMQ8+04IxdS6sONhYh4AWawQRHsFzEwnCqLTagScUeahPgAXeHTmjWbw6n5rddF0
hEgsby5bEgIQMoaRyAowUsnoUsBE+TXGywlVZwjHMmH6z1Gl2EElWm111wJjaNo4
J54EFfodR8SDyHlLPj8KGq3NkBX0Ur2UTdGw69acRnoNqA4gCCBy7KobPoanRNFG
831bqWdEdFymktaKgZlq136MC+WAAf3ZVpCM/RPY44E6iP1iZs8A0RcV2Q4nfuJE
nLPih2ehsVYvcrOHB+Neyfxf/iNt4TUZVmYIpo8KAiIZDTm/9/RKqDZBm50vL9TI
PPpExGb36sl83O/Pkna0PQ0v8gp37kpD453Tbhu0bcDsQaEm70Rfruexec0CNC6g
twh9nUXNws+N5iuGCPQk
=yQpN
-----END PGP SIGNATURE-----

--UlVJffcvxoiEqYs2--