diff mbox series

brcmfmac: fix a loop exit condition

Message ID YIKzmoMiTdToaIyP@mwanda (mailing list archive)
State Changes Requested
Delegated to: Kalle Valo
Headers show
Series brcmfmac: fix a loop exit condition | expand

Commit Message

Dan Carpenter April 23, 2021, 11:46 a.m. UTC
This code is supposed to loop over the whole board_type[] string.  The
current code kind of works just because ascii values start 97 and the
string is likely shorter than that so it will break when we hit the NUL
terminator.  But really the condition should be "i < len" instead of
"i < board_type[i]".

Fixes: 29e354ebeeec ("brcmfmac: Transform compatible string for FW loading")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Matthias Brugger April 23, 2021, 11:56 a.m. UTC | #1
On 23/04/2021 13:46, Dan Carpenter wrote:
> This code is supposed to loop over the whole board_type[] string.  The
> current code kind of works just because ascii values start 97 and the
> string is likely shorter than that so it will break when we hit the NUL
> terminator.  But really the condition should be "i < len" instead of
> "i < board_type[i]".
> 
> Fixes: 29e354ebeeec ("brcmfmac: Transform compatible string for FW loading")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Good catch, I actually have serious doubts about whatever I was thinking when
writing that line of code.

Reviewed-by: Matthias Brugger <mbrugger@suse.com>

> ---
>  drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
> index a7554265f95f..9b75e396fc50 100644
> --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
> +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
> @@ -34,7 +34,7 @@ void brcmf_of_probe(struct device *dev, enum brcmf_bus_type bus_type,
>  		len = strlen(tmp) + 1;
>  		board_type = devm_kzalloc(dev, len, GFP_KERNEL);
>  		strscpy(board_type, tmp, len);
> -		for (i = 0; i < board_type[i]; i++) {
> +		for (i = 0; i < len; i++) {
>  			if (board_type[i] == '/')
>  				board_type[i] = '-';
>  		}
>
Johannes Berg April 23, 2021, 11:59 a.m. UTC | #2
On Fri, 2021-04-23 at 14:46 +0300, Dan Carpenter wrote:
> This code is supposed to loop over the whole board_type[] string.  The
> current code kind of works just because ascii values start 97 and the
> string is likely shorter than that so it will break when we hit the NUL
> terminator.  But really the condition should be "i < len" instead of
> "i < board_type[i]".
> 
> Fixes: 29e354ebeeec ("brcmfmac: Transform compatible string for FW loading")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
>  drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
> index a7554265f95f..9b75e396fc50 100644
> --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
> +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
> @@ -34,7 +34,7 @@ void brcmf_of_probe(struct device *dev, enum brcmf_bus_type bus_type,
>  		len = strlen(tmp) + 1;
>  		board_type = devm_kzalloc(dev, len, GFP_KERNEL);
>  		strscpy(board_type, tmp, len);
> -		for (i = 0; i < board_type[i]; i++) {
> +		for (i = 0; i < len; i++) {
>  			if (board_type[i] == '/')
>  				board_type[i] = '-';
>  		}

It should probably just use strreplace() though :)

johannes
Dan Carpenter April 23, 2021, 12:11 p.m. UTC | #3
On Fri, Apr 23, 2021 at 01:59:36PM +0200, Johannes Berg wrote:
> On Fri, 2021-04-23 at 14:46 +0300, Dan Carpenter wrote:
> > This code is supposed to loop over the whole board_type[] string.  The
> > current code kind of works just because ascii values start 97 and the
> > string is likely shorter than that so it will break when we hit the NUL
> > terminator.  But really the condition should be "i < len" instead of
> > "i < board_type[i]".
> > 
> > Fixes: 29e354ebeeec ("brcmfmac: Transform compatible string for FW loading")
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > ---
> >  drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
> > index a7554265f95f..9b75e396fc50 100644
> > --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
> > +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
> > @@ -34,7 +34,7 @@ void brcmf_of_probe(struct device *dev, enum brcmf_bus_type bus_type,
> >  		len = strlen(tmp) + 1;
> >  		board_type = devm_kzalloc(dev, len, GFP_KERNEL);
> >  		strscpy(board_type, tmp, len);
> > -		for (i = 0; i < board_type[i]; i++) {
> > +		for (i = 0; i < len; i++) {
> >  			if (board_type[i] == '/')
> >  				board_type[i] = '-';
> >  		}
> 
> It should probably just use strreplace() though :)

Good point.  I'll send a v2.

regards,
dan carpenter
Christophe JAILLET April 23, 2021, 12:20 p.m. UTC | #4
Le 23/04/2021 à 14:11, Dan Carpenter a écrit :
> On Fri, Apr 23, 2021 at 01:59:36PM +0200, Johannes Berg wrote:
>> On Fri, 2021-04-23 at 14:46 +0300, Dan Carpenter wrote:
>>> This code is supposed to loop over the whole board_type[] string.  The
>>> current code kind of works just because ascii values start 97 and the
>>> string is likely shorter than that so it will break when we hit the NUL
>>> terminator.  But really the condition should be "i < len" instead of
>>> "i < board_type[i]".
>>>
>>> Fixes: 29e354ebeeec ("brcmfmac: Transform compatible string for FW loading")
>>> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>>> ---
>>>   drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c | 2 +-
>>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
>>> index a7554265f95f..9b75e396fc50 100644
>>> --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
>>> +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
>>> @@ -34,7 +34,7 @@ void brcmf_of_probe(struct device *dev, enum brcmf_bus_type bus_type,
>>>   		len = strlen(tmp) + 1;
>>>   		board_type = devm_kzalloc(dev, len, GFP_KERNEL);
>>>   		strscpy(board_type, tmp, len);
>>> -		for (i = 0; i < board_type[i]; i++) {
>>> +		for (i = 0; i < len; i++) {
>>>   			if (board_type[i] == '/')
>>>   				board_type[i] = '-';
>>>   		}
>>
>> It should probably just use strreplace() though :)
> 
> Good point.  I'll send a v2.
> 

and the 2 lines above look like a devm_kstrdup.

The (unlikely) malloc failure test is also missing.

CJ

> regards,
> dan carpenter
> 
>
Johannes Berg April 23, 2021, 12:54 p.m. UTC | #5
On Fri, 2021-04-23 at 14:20 +0200, Christophe JAILLET wrote:
> 
> > > > +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
> > > > @@ -34,7 +34,7 @@ void brcmf_of_probe(struct device *dev, enum brcmf_bus_type bus_type,
> > > >   		len = strlen(tmp) + 1;
> > > >   		board_type = devm_kzalloc(dev, len, GFP_KERNEL);
> > > >   		strscpy(board_type, tmp, len);
> > > > -		for (i = 0; i < board_type[i]; i++) {
> > > > +		for (i = 0; i < len; i++) {
> > > >   			if (board_type[i] == '/')
> > > >   				board_type[i] = '-';
> > > >   		}
> > > 
> > > It should probably just use strreplace() though :)
> > 
> > Good point.  I'll send a v2.
> > 
> 
> and the 2 lines above look like a devm_kstrdup.
> 
> The (unlikely) malloc failure test is also missing.

How many issues can you have in 6 lines of code ;-)

johannes
Dan Carpenter May 8, 2021, 11:02 a.m. UTC | #6
On Fri, Apr 23, 2021 at 02:20:35PM +0200, Christophe JAILLET wrote:
> Le 23/04/2021 à 14:11, Dan Carpenter a écrit :
> > On Fri, Apr 23, 2021 at 01:59:36PM +0200, Johannes Berg wrote:
> > > On Fri, 2021-04-23 at 14:46 +0300, Dan Carpenter wrote:
> > > > This code is supposed to loop over the whole board_type[] string.  The
> > > > current code kind of works just because ascii values start 97 and the
> > > > string is likely shorter than that so it will break when we hit the NUL
> > > > terminator.  But really the condition should be "i < len" instead of
> > > > "i < board_type[i]".
> > > > 
> > > > Fixes: 29e354ebeeec ("brcmfmac: Transform compatible string for FW loading")
> > > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > > > ---
> > > >   drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c | 2 +-
> > > >   1 file changed, 1 insertion(+), 1 deletion(-)
> > > > 
> > > > diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
> > > > index a7554265f95f..9b75e396fc50 100644
> > > > --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
> > > > +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
> > > > @@ -34,7 +34,7 @@ void brcmf_of_probe(struct device *dev, enum brcmf_bus_type bus_type,
> > > >   		len = strlen(tmp) + 1;
> > > >   		board_type = devm_kzalloc(dev, len, GFP_KERNEL);
> > > >   		strscpy(board_type, tmp, len);
> > > > -		for (i = 0; i < board_type[i]; i++) {
> > > > +		for (i = 0; i < len; i++) {
> > > >   			if (board_type[i] == '/')
> > > >   				board_type[i] = '-';
> > > >   		}
> > > 
> > > It should probably just use strreplace() though :)
> > 
> > Good point.  I'll send a v2.
> > 
> 
> and the 2 lines above look like a devm_kstrdup.
> 
> The (unlikely) malloc failure test is also missing.

It turns out that Smatch checks for allocation failure were really
ancient and really crap...  I need to add all devm_ functions.
Probably should re-write all that code.

Also originally GFP_NOFAIL was 0x800 and now it is 0x8000.  Smatch
was out of sync.  So the functions that were supposed to be checked
were all disabled...  Need to figure out a better way to do that as
well.

regards,
dan carpenter
Kalle Valo June 15, 2021, 10:26 a.m. UTC | #7
Dan Carpenter <dan.carpenter@oracle.com> wrote:

> This code is supposed to loop over the whole board_type[] string.  The
> current code kind of works just because ascii values start 97 and the
> string is likely shorter than that so it will break when we hit the NUL
> terminator.  But really the condition should be "i < len" instead of
> "i < board_type[i]".
> 
> Fixes: 29e354ebeeec ("brcmfmac: Transform compatible string for FW loading")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> Reviewed-by: Matthias Brugger <mbrugger@suse.com>

There was talk about v2, but I don't see it in the patchwork.

Patch set to Changes Requested.
Dan Carpenter June 15, 2021, 12:52 p.m. UTC | #8
On Tue, Jun 15, 2021 at 10:26:56AM +0000, Kalle Valo wrote:
> Dan Carpenter <dan.carpenter@oracle.com> wrote:
> 
> > This code is supposed to loop over the whole board_type[] string.  The
> > current code kind of works just because ascii values start 97 and the
> > string is likely shorter than that so it will break when we hit the NUL
> > terminator.  But really the condition should be "i < len" instead of
> > "i < board_type[i]".
> > 
> > Fixes: 29e354ebeeec ("brcmfmac: Transform compatible string for FW loading")
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > Reviewed-by: Matthias Brugger <mbrugger@suse.com>
> 
> There was talk about v2, but I don't see it in the patchwork.
> 

Ah, crap.  I started to debug Smatch to find out why it wasn't warning
about some of these bugs and I got a bit carried away writing Smatch
code and forgot to come back to this.

I will send it tomorrow.

regards,
dan carpenter
Kalle Valo June 15, 2021, 1:45 p.m. UTC | #9
Dan Carpenter <dan.carpenter@oracle.com> writes:

> On Tue, Jun 15, 2021 at 10:26:56AM +0000, Kalle Valo wrote:
>> Dan Carpenter <dan.carpenter@oracle.com> wrote:
>> 
>> > This code is supposed to loop over the whole board_type[] string.  The
>> > current code kind of works just because ascii values start 97 and the
>> > string is likely shorter than that so it will break when we hit the NUL
>> > terminator.  But really the condition should be "i < len" instead of
>> > "i < board_type[i]".
>> > 
>> > Fixes: 29e354ebeeec ("brcmfmac: Transform compatible string for FW loading")
>> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>> > Reviewed-by: Matthias Brugger <mbrugger@suse.com>
>> 
>> There was talk about v2, but I don't see it in the patchwork.
>
> Ah, crap.  I started to debug Smatch to find out why it wasn't warning
> about some of these bugs and I got a bit carried away writing Smatch
> code and forgot to come back to this.
>
> I will send it tomorrow.

No worries, take your time :) I just wanted to remind about this, or see
if patchwork or the mailing list have lost patches again (which has
happened in the past).
diff mbox series

Patch

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
index a7554265f95f..9b75e396fc50 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
@@ -34,7 +34,7 @@  void brcmf_of_probe(struct device *dev, enum brcmf_bus_type bus_type,
 		len = strlen(tmp) + 1;
 		board_type = devm_kzalloc(dev, len, GFP_KERNEL);
 		strscpy(board_type, tmp, len);
-		for (i = 0; i < board_type[i]; i++) {
+		for (i = 0; i < len; i++) {
 			if (board_type[i] == '/')
 				board_type[i] = '-';
 		}