From patchwork Tue Feb 28 16:28:25 2023
X-Patchwork-Submitter: Jacob Keller
X-Patchwork-Id: 13155056
X-Patchwork-Delegate: kvalo@adurom.com
From: Jacob Keller
To: Johannes Berg
Cc: Kalle Valo, linux-wireless@vger.kernel.org, Jacob Keller, Stanislav Yakovlev
Subject: [PATCH 1/3] wifi: ipw2x00: convert ipw_fw_error->elem to flexible array[]
Date: Tue, 28 Feb 2023 08:28:25 -0800
Message-Id: <20230228162827.3876606-1-jacob.e.keller@intel.com>

The ipw_fw_error structure contains a payload[] flexible array as well as
two pointers to this array area, ->elem, and ->log.

The total size of the allocated structure is computed without use of the
macros. There's no reason to keep both a payload[] and an extra pointer to
both the elem and log members.

Convert the elem pointer member into the flexible array member, removing
payload.

Fix the allocation of the ipw_fw_error structure to use size_add(),
struct_size(), and array_size() to compute the allocation. This ensures
that any overflow saturates at SIZE_MAX rather than overflowing and
potentially allowing an undersized allocation.

Before the structure change, the layout of ipw_fw_error was:

  struct ipw_fw_error {
          long unsigned int          jiffies;     /*     0     8 */
          u32                        status;      /*     8     4 */
          u32                        config;      /*    12     4 */
          u32                        elem_len;    /*    16     4 */
          u32                        log_len;     /*    20     4 */
          struct ipw_error_elem *    elem;        /*    24     8 */
          struct ipw_event *         log;         /*    32     8 */
          u8                         payload[];   /*    40     0 */

          /* size: 40, cachelines: 1, members: 8 */
          /* last cacheline: 40 bytes */
  };

After this change, the layout is now:

  struct ipw_fw_error {
          long unsigned int          jiffies;     /*     0     8 */
          u32                        status;      /*     8     4 */
          u32                        config;      /*    12     4 */
          u32                        elem_len;    /*    16     4 */
          u32                        log_len;     /*    20     4 */
          struct ipw_event *         log;         /*    24     8 */
          struct ipw_error_elem      elem[];      /*    32     0 */

          /* size: 32, cachelines: 1, members: 7 */
          /* last cacheline: 32 bytes */
  };

This saves a total of 8 bytes for every ipw_fw_error allocation, and
removes the risk of a potential overflow on the allocation.

Signed-off-by: Jacob Keller Cc: Stanislav Yakovlev --- drivers/net/wireless/intel/ipw2x00/ipw2200.c | 7 +++---- drivers/net/wireless/intel/ipw2x00/ipw2200.h | 3 +-- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/drivers/net/wireless/intel/ipw2x00/ipw2200.c b/drivers/net/wireless/intel/ipw2x00/ipw2200.c index d382f2017325..b91b1a2d0be7 100644 --- a/drivers/net/wireless/intel/ipw2x00/ipw2200.c +++ b/drivers/net/wireless/intel/ipw2x00/ipw2200.c @@ -1234,9 +1234,9 @@ static struct ipw_fw_error *ipw_alloc_error_log(struct ipw_priv *priv) u32 base = ipw_read32(priv, IPW_ERROR_LOG); u32 elem_len = ipw_read_reg32(priv, base); - error = kmalloc(sizeof(*error) + - sizeof(*error->elem) * elem_len + - sizeof(*error->log) * log_len, GFP_ATOMIC); + error = kmalloc(size_add(struct_size(error, elem, elem_len), + array_size(sizeof(*error->log), log_len)), + GFP_ATOMIC); if (!error) { IPW_ERROR("Memory allocation for firmware error log " "failed.\n"); @@ -1247,7 +1247,6 @@ static struct ipw_fw_error *ipw_alloc_error_log(struct ipw_priv *priv) error->config = priv->config; error->elem_len = elem_len; error->log_len = log_len; - error->elem = (struct ipw_error_elem *)error->payload; error->log = (struct ipw_event *)(error->elem + elem_len); ipw_capture_event_log(priv, log_len, error->log); diff --git a/drivers/net/wireless/intel/ipw2x00/ipw2200.h b/drivers/net/wireless/intel/ipw2x00/ipw2200.h index 09ddd21608d4..8ebf09121e17 100644 --- a/drivers/net/wireless/intel/ipw2x00/ipw2200.h +++ b/drivers/net/wireless/intel/ipw2x00/ipw2200.h 
@@ -1106,9 +1106,8 @@ struct ipw_fw_error { /* XXX */ u32 config; u32 elem_len; u32 log_len; - struct ipw_error_elem *elem; struct ipw_event *log; - u8 payload[]; + struct ipw_error_elem elem[]; } __packed; #ifdef CONFIG_IPW2200_PROMISCUOUS

From patchwork Tue Feb 28 16:28:26 2023
X-Patchwork-Submitter: Jacob Keller
X-Patchwork-Id: 13155057
X-Patchwork-Delegate: kvalo@adurom.com
From: Jacob Keller
To: Johannes Berg
Cc: Kalle Valo, linux-wireless@vger.kernel.org, Jacob Keller, Igor Mitsyanko, Sergey Matyukevich
Subject: [PATCH 2/3] wifi: cfg80211: use struct_size and size_sub for payload length
Date: Tue, 28 Feb 2023 08:28:26 -0800
Message-Id: <20230228162827.3876606-2-jacob.e.keller@intel.com>
In-Reply-To: <20230228162827.3876606-1-jacob.e.keller@intel.com>
References: <20230228162827.3876606-1-jacob.e.keller@intel.com>

Replace the calculations for the payload length in
qtnf_cmd_band_fill_iftype with struct_size() and size_sub(). While the
payload length does not get directly passed to an allocation function,
the performed calculation is still calculating the size of a flexible
array structure (minus the size of a header structure).

Signed-off-by: Jacob Keller Cc: Igor Mitsyanko Cc: Sergey Matyukevich --- drivers/net/wireless/quantenna/qtnfmac/commands.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/net/wireless/quantenna/qtnfmac/commands.c b/drivers/net/wireless/quantenna/qtnfmac/commands.c index b1b73478d89b..68ae9c7ea95a 100644 --- a/drivers/net/wireless/quantenna/qtnfmac/commands.c +++ b/drivers/net/wireless/quantenna/qtnfmac/commands.c 
@@ -1325,9 +1325,10 @@ static int qtnf_cmd_band_fill_iftype(const u8 *data, struct ieee80211_sband_iftype_data *iftype_data; const struct qlink_tlv_iftype_data *tlv = (const struct qlink_tlv_iftype_data *)data; - size_t payload_len = tlv->n_iftype_data * sizeof(*tlv->iftype_data) + - sizeof(*tlv) - - sizeof(struct qlink_tlv_hdr); + size_t payload_len; + + payload_len = struct_size(tlv, iftype_data, tlv->n_iftype_data); + payload_len = size_sub(payload_len, sizeof(struct qlink_tlv_hdr)); if (tlv->hdr.len != cpu_to_le16(payload_len)) { pr_err("bad IFTYPE_DATA TLV len %u\n", tlv->hdr.len);

From patchwork Tue Feb 28 16:28:27 2023
X-Patchwork-Submitter: Jacob Keller
X-Patchwork-Id: 13155058
X-Patchwork-Delegate: johannes@sipsolutions.net
From: Jacob Keller
To: Johannes Berg
Cc: Kalle Valo, linux-wireless@vger.kernel.org, Jacob Keller
Subject: [PATCH 3/3] wifi: nl80211: convert cfg80211_scan_request allocation to *_size macros
Date: Tue, 28 Feb 2023 08:28:27 -0800
Message-Id: <20230228162827.3876606-3-jacob.e.keller@intel.com>
In-Reply-To: <20230228162827.3876606-1-jacob.e.keller@intel.com>
References: <20230228162827.3876606-1-jacob.e.keller@intel.com>

The cfg80211_scan_request structure is followed by a flexible array
member as well as several other arrays that are then stored into pointers
in the structure. These are allocated currently using a simple sequence
of multiplications.

Replace the calculations with struct_size(), size_add(), and array_size()
helper macros. These macros saturate the calculation at SIZE_MAX rather
than overflowing.

Note that we can't use flex_array_size() instead of array_size() because
the fields are not arrays, but simple pointers.

Signed-off-by: Jacob Keller Cc: Johannes Berg --- net/wireless/nl80211.c | 26 ++++++++++++++------------ 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c index 112b4bb009c8..e5b08546bf30 100644 --- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c @@ -9019,7 +9019,7 @@ static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info) struct nlattr *attr; struct wiphy *wiphy; int err, tmp, n_ssids = 0, n_channels, i; - size_t ie_len; + size_t ie_len, size; wiphy = &rdev->wiphy; 
@@ -9064,10 +9064,10 @@ static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info) if (ie_len > wiphy->max_scan_ie_len) return -EINVAL; - request = kzalloc(sizeof(*request) - + sizeof(*request->ssids) * n_ssids - + sizeof(*request->channels) * n_channels - + ie_len, GFP_KERNEL); + size = struct_size(request, channels, n_channels); + size = size_add(size, array_size(sizeof(*request->ssids), n_ssids)); + size = size_add(size, ie_len); + request = kzalloc(size, GFP_KERNEL); if (!request) return -ENOMEM; @@ -9400,7 +9400,7 @@ nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev, struct nlattr *attr; int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0; enum nl80211_band band; - size_t ie_len; + size_t ie_len, size; struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1]; s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF; @@ -9509,12 +9509,14 @@ nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev, attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST])) return ERR_PTR(-EINVAL); - request = kzalloc(sizeof(*request) - + sizeof(*request->ssids) * n_ssids - + sizeof(*request->match_sets) * n_match_sets - + sizeof(*request->scan_plans) * n_plans - + sizeof(*request->channels) * n_channels - + ie_len, GFP_KERNEL); + size = struct_size(request, channels, n_channels); + size = size_add(size, array_size(sizeof(*request->ssids), n_ssids)); + size = size_add(size, array_size(sizeof(*request->match_sets), + n_match_sets)); + size = size_add(size, array_size(sizeof(*request->scan_plans), + n_plans)); + size = size_add(size, ie_len); + request = kzalloc(size, GFP_KERNEL); if (!request) return ERR_PTR(-ENOMEM);
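
Review bot: elem_len reaches the new size computation in ipw_alloc_error_log() (PATCH 1/3, ipw2200.c, @@ -1234) straight from "ipw_read_reg32(priv, base)" with no upper bound, so the saturating helpers are the only sanity check on a device-supplied count. Saturation turns a wrapped size into a failed kmalloc(), but a large count that does not overflow still asks for a large GFP_ATOMIC allocation; consider rejecting elem_len and log_len above a driver-defined maximum before the kmalloc() call. The commit message could also name the macros it means where it says the size is "computed without use of the macros".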
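
Review bot: in struct ipw_fw_error (PATCH 1/3, ipw2200.h, @@ -1106) the retained "struct ipw_event *log;" member now sits directly before elem[] with nothing saying that it is not a separate allocation. The ipw2200.c hunk at @@ -1247 keeps setting it to "(struct ipw_event *)(error->elem + elem_len)", that is, into the tail of the same kmalloc() buffer; a one-line comment on the member stating this would keep the layout from being misread by the next person who touches the structure.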
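
Review bot: a saturated payload_len does not survive to the length check in qtnf_cmd_band_fill_iftype() (PATCH 2/3, commands.c, @@ -1325): payload_len is a size_t, but the comparison is "tlv->hdr.len != cpu_to_le16(payload_len)", which narrows it to 16 bits, so SIZE_MAX would be compared as 0xffff. Converting the wire field instead, "le16_to_cpu(tlv->hdr.len) != payload_len", keeps the full width and lets a saturated result fail the check. The pr_err() in the context line also prints tlv->hdr.len without a byte-order conversion.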
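
Review bot: the new computation in nl80211_trigger_scan() (PATCH 3/3, nl80211.c, @@ -9064) sums channels first, then ssids, then ie_len, while the removed expression listed ssids before channels. The total is the same, but the code that later points into the tail of the allocation has to agree with one order, so a short comment above "size = struct_size(request, channels, n_channels);" stating the trailing layout would help. The flex_array_size() remark from the commit message belongs in that comment as well, since it explains why array_size() is used for ssids.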
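
Review bot: n_ssids, n_match_sets, n_plans and n_channels in nl80211_parse_sched_scan() (PATCH 3/3, nl80211.c, @@ -9509) are declared int in the @@ -9400 context line, yet they are passed as counts to struct_size() and array_size(). A negative value would be caught only indirectly, by converting to a very large unsigned count and saturating the size; either make the counters unsigned or reject negative values explicitly before "size = struct_size(request, channels, n_channels);" so the intent is visible in the code rather than implied by the helpers.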
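
The overflow that the commit message of PATCH 1/3 describes, as an added example that is not code from this patch series: userspace stand-ins for array_size() and size_add() on a modelled 32-bit size_t. The helper names (sat_mul, sat_add, naive_size, saturating_size, bytes_written) and the three size constants are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Model size_t as 32 bits so the wrap is reproducible on any host. */
typedef uint32_t sz32;

/* Constructed sizes for illustration, not the driver's real ones. */
#define HDR_SIZE  32u   /* fixed part of the structure */
#define ELEM_SIZE 28u   /* one flexible-array element */
#define LOG_SIZE  12u   /* one trailing log entry */

/* Hypothetical stand-ins for the kernel's array_size() and size_add(). */
static sz32 sat_mul(sz32 a, sz32 b)
{
	sz32 r;
	return __builtin_mul_overflow(a, b, &r) ? UINT32_MAX : r;
}

static sz32 sat_add(sz32 a, sz32 b)
{
	sz32 r;
	return __builtin_add_overflow(a, b, &r) ? UINT32_MAX : r;
}

/* Shape of the removed expression: plain arithmetic, wraps modulo 2^32. */
static sz32 naive_size(sz32 elem_len, sz32 log_len)
{
	return HDR_SIZE + ELEM_SIZE * elem_len + LOG_SIZE * log_len;
}

/* Shape of the replacement: any overflow pins the result at the maximum. */
static sz32 saturating_size(sz32 elem_len, sz32 log_len)
{
	sz32 size = sat_add(HDR_SIZE, sat_mul(ELEM_SIZE, elem_len));
	return sat_add(size, sat_mul(LOG_SIZE, log_len));
}

/* Bytes the caller will actually write, computed without wrapping. */
static uint64_t bytes_written(sz32 elem_len, sz32 log_len)
{
	return HDR_SIZE + (uint64_t)ELEM_SIZE * elem_len + (uint64_t)LOG_SIZE * log_len;
}

int main(void)
{
	sz32 n = 153391690u; /* smallest count where ELEM_SIZE * n exceeds 2^32 */
	printf("naive=%u saturating=%u needed=%llu\n", naive_size(n, 0),
	       saturating_size(n, 0), (unsigned long long)bytes_written(n, 0));
	return 0;
}
```

With the constructed count the wrapped expression asks for 56 bytes while about 4 GiB would be written; the saturated result is a request no allocator can satisfy, so the existing NULL check catches it.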