| Message ID | 151520104323.32271.6614158873750932410.stgit@dwillia2-desk3.amr.corp.intel.com (mailing list archive) |
|---|---|
| State | Not Applicable |
| Delegated to: | Kalle Valo |
| Headers | show |
On 1/6/2018 4:10 AM, Dan Williams wrote: > Static analysis reports that 'queue' may be a user controlled value that > is used as a data dependency to read from the 'priv->qos_params' array. > In order to avoid potential leaks of kernel memory values, block > speculative execution of the instruction stream that could issue reads > based on an invalid result of 'priv->qos_params[queue]'. > > Based on an original patch by Elena Reshetova. > > Cc: Christian Lamparter <chunkeey@googlemail.com> > Cc: Kalle Valo <kvalo@codeaurora.org> > Cc: linux-wireless@vger.kernel.org > Cc: netdev@vger.kernel.org > Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> > Signed-off-by: Dan Williams <dan.j.williams@intel.com> > --- > drivers/net/wireless/intersil/p54/main.c | 8 +++++--- > 1 file changed, 5 insertions(+), 3 deletions(-) > > diff --git a/drivers/net/wireless/intersil/p54/main.c b/drivers/net/wireless/intersil/p54/main.c > index ab6d39e12069..85c9cbee35fc 100644 > --- a/drivers/net/wireless/intersil/p54/main.c > +++ b/drivers/net/wireless/intersil/p54/main.c [...] > @@ -411,12 +412,13 @@ static int p54_conf_tx(struct ieee80211_hw *dev, > const struct ieee80211_tx_queue_params *params) > { > struct p54_common *priv = dev->priv; > + struct p54_edcf_queue_param *p54_q; > int ret; > > mutex_lock(&priv->conf_mutex); > - if (queue < dev->queues) { > - P54_SET_QUEUE(priv->qos_params[queue], params->aifs, > - params->cw_min, params->cw_max, params->txop); > + if ((p54_q = nospec_array_ptr(priv->qos_params, queue, dev->queues))) { Same complaint here... > + P54_SET_QUEUE(p54_q[0], params->aifs, params->cw_min, > + params->cw_max, params->txop); > ret = p54_set_edcf(priv); > } else > ret = -EINVAL; > MBR, Sergei
diff --git a/drivers/net/wireless/intersil/p54/main.c b/drivers/net/wireless/intersil/p54/main.c index ab6d39e12069..85c9cbee35fc 100644 --- a/drivers/net/wireless/intersil/p54/main.c +++ b/drivers/net/wireless/intersil/p54/main.c @@ -20,6 +20,7 @@ #include <linux/firmware.h> #include <linux/etherdevice.h> #include <linux/module.h> +#include <linux/compiler.h> #include <net/mac80211.h> @@ -411,12 +412,13 @@ static int p54_conf_tx(struct ieee80211_hw *dev, const struct ieee80211_tx_queue_params *params) { struct p54_common *priv = dev->priv; + struct p54_edcf_queue_param *p54_q; int ret; mutex_lock(&priv->conf_mutex); - if (queue < dev->queues) { - P54_SET_QUEUE(priv->qos_params[queue], params->aifs, - params->cw_min, params->cw_max, params->txop); + if ((p54_q = nospec_array_ptr(priv->qos_params, queue, dev->queues))) { + P54_SET_QUEUE(p54_q[0], params->aifs, params->cw_min, + params->cw_max, params->txop); ret = p54_set_edcf(priv); } else ret = -EINVAL;