wifi: brcmfmac: Fix allocation size

Message ID	20230117104508.GB12547@altlinux.org (mailing list archive)
State	Changes Requested
Delegated to:	Kalle Valo
Headers	show Return-Path: <linux-wireless-owner@vger.kernel.org> X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6053AC63797 for <linux-wireless@archiver.kernel.org>; Tue, 17 Jan 2023 10:45:16 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236478AbjAQKpP (ORCPT <rfc822;linux-wireless@archiver.kernel.org>); Tue, 17 Jan 2023 05:45:15 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48300 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235963AbjAQKpN (ORCPT <rfc822;linux-wireless@vger.kernel.org>); Tue, 17 Jan 2023 05:45:13 -0500 Received: from air.basealt.ru (air.basealt.ru [194.107.17.39]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A217F72A4; Tue, 17 Jan 2023 02:45:12 -0800 (PST) Received: by air.basealt.ru (Postfix, from userid 490) id 408F52F20230; Tue, 17 Jan 2023 10:45:11 +0000 (UTC) Received: from localhost (broadband-188-32-10-232.ip.moscow.rt.ru [188.32.10.232]) by air.basealt.ru (Postfix) with ESMTPSA id 6A7CD2F2022A; Tue, 17 Jan 2023 10:45:08 +0000 (UTC) Date: Tue, 17 Jan 2023 13:45:08 +0300 From: "Alexey V. Vissarionov" <gremlin@altlinux.org> To: Arend van Spriel <aspriel@gmail.com> Cc: Franky Lin <franky.lin@broadcom.com>, Hante Meuleman <hante.meuleman@broadcom.com>, Kalle Valo <kvalo@kernel.org>, "David S. Miller" <davem@davemloft.net>, Eric Dumazet <edumazet@google.com>, Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>, Alvin =?utf-8?q?=C5=A0ipraga?= <alsi@bang-olufsen.dk>, Chi-hsien Lin <chi-hsien.lin@cypress.com>, Ahmad Fatoum <a.fatoum@pengutronix.de>, Wataru Gohda <wataru.gohda@cypress.com>, Sebastian Andrzej Siewior <bigeasy@linutronix.de>, Wolfram Sang <wsa+renesas@sang-engineering.com>, Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>, linux-wireless@vger.kernel.org, brcm80211-dev-list.pdl@broadcom.com, SHA-cyfmac-dev-list@infineon.com, netdev@vger.kernel.org, lvc-project@linuxtesting.org, "Alexey V. Vissarionov" <gremlin@altlinux.org> Subject: [PATCH] wifi: brcmfmac: Fix allocation size Message-ID: <20230117104508.GB12547@altlinux.org> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="UlVJffcvxoiEqYs2" Content-Disposition: inline Precedence: bulk List-ID: <linux-wireless.vger.kernel.org> X-Mailing-List: linux-wireless@vger.kernel.org
Series	wifi: brcmfmac: Fix allocation size \| expand wifi: brcmfmac: Fix allocation size

Alexey V. Vissarionov Jan. 17, 2023, 10:45 a.m. UTC

The "pkt" is a pointer to struct sk_buff, so it's just 4 or 8
bytes, while the structure itself is much bigger.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: bbd1f932e7c45ef1 ("brcmfmac: cleanup ampdu-rx host reorder code")
Signed-off-by: Alexey V. Vissarionov <gremlin@altlinux.org>

Kalle Valo Jan. 17, 2023, 11:05 a.m. UTC | #1

"Alexey V. Vissarionov" <gremlin@altlinux.org> writes:

> The "pkt" is a pointer to struct sk_buff, so it's just 4 or 8
> bytes, while the structure itself is much bigger.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: bbd1f932e7c45ef1 ("brcmfmac: cleanup ampdu-rx host reorder code")
> Signed-off-by: Alexey V. Vissarionov <gremlin@altlinux.org>
>
> diff --git
> a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
> b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
> index 36af81975855c525..0d283456da331464 100644
> --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
> +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
> @@ -1711,7 +1711,7 @@ void brcmf_fws_rxreorder(struct brcmf_if *ifp,
> struct sk_buff *pkt)
>  		buf_size = sizeof(*rfi);
>  		max_idx = reorder_data[BRCMF_RXREORDER_MAXIDX_OFFSET];
>  
> -		buf_size += (max_idx + 1) * sizeof(pkt);
> +		buf_size += (max_idx + 1) * sizeof(struct sk_buff);

Wouldn't sizeof(*pkt) be better? Just like with sizeof(*rfi) few lines
above.

Simon Horman Jan. 17, 2023, 11:13 a.m. UTC | #2

On Tue, Jan 17, 2023 at 01:45:08PM +0300, Alexey V. Vissarionov wrote:
> The "pkt" is a pointer to struct sk_buff, so it's just 4 or 8
> bytes, while the structure itself is much bigger.
> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> Fixes: bbd1f932e7c45ef1 ("brcmfmac: cleanup ampdu-rx host reorder code")
> Signed-off-by: Alexey V. Vissarionov <gremlin@altlinux.org>
> 
> diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
> index 36af81975855c525..0d283456da331464 100644
> --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
> +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
> @@ -1711,7 +1711,7 @@ void brcmf_fws_rxreorder(struct brcmf_if *ifp, struct sk_buff *pkt)
>  		buf_size = sizeof(*rfi);
>  		max_idx = reorder_data[BRCMF_RXREORDER_MAXIDX_OFFSET];
>  
> -		buf_size += (max_idx + 1) * sizeof(pkt);
> +		buf_size += (max_idx + 1) * sizeof(struct sk_buff);
>  
>  		/* allocate space for flow reorder info */
>  		brcmf_dbg(INFO, "flow-%d: start, maxidx %d\n",

Hi Alexey,

This is followed by:

		rfi = kzalloc(buf_size, GFP_ATOMIC);
		...
		rfi->pktslots = (struct sk_buff **)(rfi + 1);

The type of rfi is struct brcmf_ampdu_rx_reorder, which looks like this:

struct brcmf_ampdu_rx_reorder {
        struct sk_buff **pktslots;                                       
	...
};

And it looks to me that pkt is used as an array of (struct sk_buff *).

So in all, it seems to me that the current code is correct.

Is there a particular code that leads you to think otherwise?

Kind regards,
Simon

Alexey V. Vissarionov Jan. 17, 2023, 11:21 a.m. UTC | #3

On 2023-01-17 13:05:24 +0200, Kalle Valo wrote:

 >> - buf_size += (max_idx + 1) * sizeof(pkt);
 >> + buf_size += (max_idx + 1) * sizeof(struct sk_buff);
 > Wouldn't sizeof(*pkt) be better?

Usually sizeof(type) produces less errors than sizeof(var)...

 > Just like with sizeof(*rfi) few lines above.

... but to keep consistency sizeof(*pkt) would also be ok.

Alexey V. Vissarionov Jan. 17, 2023, 11:54 a.m. UTC | #4

On 2023-01-17 12:13:06 +0100, Simon Horman wrote:

 >> buf_size = sizeof(*rfi);
 >> max_idx = reorder_data[BRCMF_RXREORDER_MAXIDX_OFFSET];
 >> - buf_size += (max_idx + 1) * sizeof(pkt);
 >> + buf_size += (max_idx + 1) * sizeof(struct sk_buff);

 > This is followed by:
 > rfi = kzalloc(buf_size, GFP_ATOMIC);
 > ...
 > rfi->pktslots = (struct sk_buff **)(rfi + 1);
 > The type of rfi is struct brcmf_ampdu_rx_reorder, which
 > looks like this:
 > struct brcmf_ampdu_rx_reorder
 > { struct sk_buff **pktslots; ... };
 > And it looks to me that pkt is used as an array of
 > (struct sk_buff *).
 > So in all, it seems to me that the current code is correct.

So, the buf_size is a sum of sizeof(struct brcmf_ampdu_rx_reorder)
and size of array of pointers... and yes, this array is filled with
pointers: rfi->pktslots[rfi->cur_idx] = pkt;

Hmmm... looks correct. Sorry for bothering.

Arend van Spriel Jan. 17, 2023, 1:56 p.m. UTC | #5

On 1/17/2023 12:54 PM, Alexey V. Vissarionov wrote:
> On 2023-01-17 12:13:06 +0100, Simon Horman wrote:
> 
>   >> buf_size = sizeof(*rfi);
>   >> max_idx = reorder_data[BRCMF_RXREORDER_MAXIDX_OFFSET];
>   >> - buf_size += (max_idx + 1) * sizeof(pkt);
>   >> + buf_size += (max_idx + 1) * sizeof(struct sk_buff);
> 
>   > This is followed by:
>   > rfi = kzalloc(buf_size, GFP_ATOMIC);
>   > ...
>   > rfi->pktslots = (struct sk_buff **)(rfi + 1);
>   > The type of rfi is struct brcmf_ampdu_rx_reorder, which
>   > looks like this:
>   > struct brcmf_ampdu_rx_reorder
>   > { struct sk_buff **pktslots; ... };
>   > And it looks to me that pkt is used as an array of
>   > (struct sk_buff *).
>   > So in all, it seems to me that the current code is correct.
> 
> So, the buf_size is a sum of sizeof(struct brcmf_ampdu_rx_reorder)
> and size of array of pointers... and yes, this array is filled with
> pointers: rfi->pktslots[rfi->cur_idx] = pkt;
> 
> Hmmm... looks correct. Sorry for bothering.

No problem. Nice to see the water went still without me chiming in. It 
has been a while since this was added to the driver and there could be 
issues with this code, but if this allocation was wrong we would have 
had reports by now.

Thanks,
Arend

Kalle Valo Jan. 18, 2023, 3:59 a.m. UTC | #6

"Alexey V. Vissarionov" <gremlin@altlinux.org> writes:

> On 2023-01-17 13:05:24 +0200, Kalle Valo wrote:
>
>  >> - buf_size += (max_idx + 1) * sizeof(pkt);
>  >> + buf_size += (max_idx + 1) * sizeof(struct sk_buff);
>  > Wouldn't sizeof(*pkt) be better?
>
> Usually sizeof(type) produces less errors than sizeof(var)...

This matter of taste really but FWIW I prefer sizeof(var) as then the
type can't be different by accident. And the coding style says something
similar, although that's related to memory allocation:

https://www.kernel.org/doc/html/latest/process/coding-style.html#allocating-memory

wifi: brcmfmac: Fix allocation size

Commit Message

Comments

Patch