From: Kees Cook <keescook@chromium.org>
To: Vlastimil Babka <vbabka@suse.cz>
Cc: "Kees Cook" <keescook@chromium.org>,
	"Gregory Greenman" <gregory.greenman@intel.com>,
	"Kalle Valo" <kvalo@kernel.org>,
	"Johannes Berg" <johannes.berg@intel.com>,
	linux-wireless@vger.kernel.org, netdev@vger.kernel.org,
	"Pekka Enberg" <penberg@kernel.org>,
	"David Rientjes" <rientjes@google.com>,
	"Joonsoo Kim" <iamjoonsoo.kim@lge.com>,
	"Andrew Morton" <akpm@linux-foundation.org>,
	"David S. Miller" <davem@davemloft.net>,
	"Eric Dumazet" <edumazet@google.com>,
	"Jakub Kicinski" <kuba@kernel.org>,
	"Paolo Abeni" <pabeni@redhat.com>,
	"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
	"Nick Desaulniers" <ndesaulniers@google.com>,
	"Alex Elder" <elder@kernel.org>,
	"Josef Bacik" <josef@toxicpanda.com>,
	"David Sterba" <dsterba@suse.com>,
	"Sumit Semwal" <sumit.semwal@linaro.org>,
	"Christian König" <christian.koenig@amd.com>,
	"Jesse Brandeburg" <jesse.brandeburg@intel.com>,
	"Daniel Micay" <danielmicay@gmail.com>,
	"Yonghong Song" <yhs@fb.com>, "Marco Elver" <elver@google.com>,
	"Miguel Ojeda" <ojeda@kernel.org>,
	"Jacob Shin" <jacob.shin@amd.com>,
	linux-kernel@vger.kernel.org, linux-mm@kvack.org,
	linux-btrfs@vger.kernel.org, linux-media@vger.kernel.org,
	dri-devel@lists.freedesktop.org, linaro-mm-sig@lists.linaro.org,
	linux-fsdevel@vger.kernel.org, intel-wired-lan@lists.osuosl.org,
	dev@openvswitch.org, x86@kernel.org, llvm@lists.linux.dev,
	linux-hardening@vger.kernel.org
Subject: [PATCH 10/12] iwlwifi: Track scan_cmd allocation size explicitly
Date: Wed, 21 Sep 2022 20:10:11 -0700	[thread overview]
Message-ID: <20220922031013.2150682-11-keescook@chromium.org> (raw)
In-Reply-To: <20220922031013.2150682-1-keescook@chromium.org>

In preparation for reducing the use of ksize(), explicitly track the
size of scan_cmd allocations. This also allows for noticing if the scan
size changes unexpectedly. Note that using ksize() was already incorrect
here, in the sense that ksize() would not match the actual allocation
size, which would trigger future run-time allocation bounds checking.
(In other words, memset() may know how large scan_cmd was allocated for,
but ksize() returns the upper bound of the memory actually allocated,
which would cause a run-time warning about an overflow.)

Cc: Gregory Greenman <gregory.greenman@intel.com>
Cc: Kalle Valo <kvalo@kernel.org>
Cc: Johannes Berg <johannes.berg@intel.com>
Cc: linux-wireless@vger.kernel.org
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
---
 drivers/net/wireless/intel/iwlwifi/dvm/dev.h  |  1 +
 drivers/net/wireless/intel/iwlwifi/dvm/scan.c | 10 ++++++++--
 drivers/net/wireless/intel/iwlwifi/mvm/mvm.h  |  3 ++-
 drivers/net/wireless/intel/iwlwifi/mvm/ops.c  |  3 ++-
 drivers/net/wireless/intel/iwlwifi/mvm/scan.c |  6 +++---
 5 files changed, 16 insertions(+), 7 deletions(-)

diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/dev.h b/drivers/net/wireless/intel/iwlwifi/dvm/dev.h
index bbd574091201..1a9eadace188 100644
--- a/drivers/net/wireless/intel/iwlwifi/dvm/dev.h
+++ b/drivers/net/wireless/intel/iwlwifi/dvm/dev.h
@@ -696,6 +696,7 @@ struct iwl_priv {
 	/* Scan related variables */
 	unsigned long scan_start;
 	unsigned long scan_start_tsf;
+	size_t scan_cmd_size;
 	void *scan_cmd;
 	enum nl80211_band scan_band;
 	struct cfg80211_scan_request *scan_request;
diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/scan.c b/drivers/net/wireless/intel/iwlwifi/dvm/scan.c
index 2d38227dfdd2..a7e85c5c8c72 100644
--- a/drivers/net/wireless/intel/iwlwifi/dvm/scan.c
+++ b/drivers/net/wireless/intel/iwlwifi/dvm/scan.c
@@ -626,7 +626,7 @@ static int iwlagn_request_scan(struct iwl_priv *priv, struct ieee80211_vif *vif)
 	u8 active_chains;
 	u8 scan_tx_antennas = priv->nvm_data->valid_tx_ant;
 	int ret;
-	int scan_cmd_size = sizeof(struct iwl_scan_cmd) +
+	size_t scan_cmd_size = sizeof(struct iwl_scan_cmd) +
 			    MAX_SCAN_CHANNEL * sizeof(struct iwl_scan_channel) +
 			    priv->fw->ucode_capa.max_probe_length;
 	const u8 *ssid = NULL;
@@ -649,9 +649,15 @@ static int iwlagn_request_scan(struct iwl_priv *priv, struct ieee80211_vif *vif)
 				       "fail to allocate memory for scan\n");
 			return -ENOMEM;
 		}
+		priv->scan_cmd_size = scan_cmd_size;
+	}
+	if (priv->scan_cmd_size < scan_cmd_size) {
+		IWL_DEBUG_SCAN(priv,
+			       "memory needed for scan grew unexpectedly\n");
+		return -ENOMEM;
 	}
 	scan = priv->scan_cmd;
-	memset(scan, 0, scan_cmd_size);
+	memset(scan, 0, priv->scan_cmd_size);
 
 	scan->quiet_plcp_th = IWL_PLCP_QUIET_THRESH;
 	scan->quiet_time = IWL_ACTIVE_QUIET_TIME;
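Review bot: The new size check on lines 95-99 reports an invariant violation only through IWL_DEBUG_SCAN and returns -ENOMEM, so in a build without scan debugging a grown scan size fails silently with an error code that reads as an allocation failure rather than a driver bug. Since scan_cmd_size on lines 85-87 is built from two sizeof constants plus priv->fw->ucode_capa.max_probe_length, the condition can presumably only be reached if that capability changes after the first allocation, which is exactly the case worth making loud; `if (WARN_ON_ONCE(priv->scan_cmd_size < scan_cmd_size))` keeps the early return while leaving a trace in non-debug kernels, and a comment such as `/* scan_cmd is allocated once; its size must never need to grow */` would explain why the check is expected to be dead. The memset on line 102 now clears priv->scan_cmd_size, i.e. the whole allocation rather than the requested size, which is consistent with the check guaranteeing it is at least scan_cmd_size. The body of iwlagn_request_scan starts and ends outside this hunk.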
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h b/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h
index bf35e130c876..214b8a525cc6 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h
@@ -860,6 +860,7 @@ struct iwl_mvm {
 
 	/* Scan status, cmd (pre-allocated) and auxiliary station */
 	unsigned int scan_status;
+	size_t scan_cmd_size;
 	void *scan_cmd;
 	struct iwl_mcast_filter_cmd *mcast_filter_cmd;
 	/* For CDB this is low band scan type, for non-CDB - type. */
@@ -1705,7 +1706,7 @@ int iwl_mvm_update_quotas(struct iwl_mvm *mvm, bool force_upload,
 int iwl_mvm_reg_scan_start(struct iwl_mvm *mvm, struct ieee80211_vif *vif,
 			   struct cfg80211_scan_request *req,
 			   struct ieee80211_scan_ies *ies);
-int iwl_mvm_scan_size(struct iwl_mvm *mvm);
+size_t iwl_mvm_scan_size(struct iwl_mvm *mvm);
 int iwl_mvm_scan_stop(struct iwl_mvm *mvm, int type, bool notify);
 int iwl_mvm_max_scan_ie_len(struct iwl_mvm *mvm);
 void iwl_mvm_report_scan_aborted(struct iwl_mvm *mvm);
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
index db43c8a83a31..b9cbb18b0dcb 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
@@ -1065,7 +1065,7 @@ iwl_op_mode_mvm_start(struct iwl_trans *trans, const struct iwl_cfg *cfg,
 	static const u8 no_reclaim_cmds[] = {
 		TX_CMD,
 	};
-	int scan_size;
+	size_t scan_size;
 	u32 min_backoff;
 	struct iwl_mvm_csme_conn_info *csme_conn_info __maybe_unused;
 
@@ -1299,6 +1299,7 @@ iwl_op_mode_mvm_start(struct iwl_trans *trans, const struct iwl_cfg *cfg,
 	mvm->scan_cmd = kmalloc(scan_size, GFP_KERNEL);
 	if (!mvm->scan_cmd)
 		goto out_free;
+	mvm->scan_cmd_size = scan_size;
 
 	/* invalidate ids to prevent accidental removal of sta_id 0 */
 	mvm->aux_sta.sta_id = IWL_MVM_INVALID_STA;
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
index 582a95ffc7ab..acd8803dbcdd 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
@@ -2626,7 +2626,7 @@ static int iwl_mvm_build_scan_cmd(struct iwl_mvm *mvm,
 	u8 scan_ver;
 
 	lockdep_assert_held(&mvm->mutex);
-	memset(mvm->scan_cmd, 0, ksize(mvm->scan_cmd));
+	memset(mvm->scan_cmd, 0, mvm->scan_cmd_size);
 
 	if (!fw_has_capa(&mvm->fw->ucode_capa, IWL_UCODE_TLV_CAPA_UMAC_SCAN)) {
 		hcmd->id = SCAN_OFFLOAD_REQUEST_CMD;
@@ -3091,7 +3091,7 @@ static int iwl_mvm_scan_stop_wait(struct iwl_mvm *mvm, int type)
 				     1 * HZ);
 }
 
-static int iwl_scan_req_umac_get_size(u8 scan_ver)
+static size_t iwl_scan_req_umac_get_size(u8 scan_ver)
 {
 	switch (scan_ver) {
 	case 12:
@@ -3104,7 +3104,7 @@ static int iwl_scan_req_umac_get_size(u8 scan_ver)
 	return 0;
 }
 
-int iwl_mvm_scan_size(struct iwl_mvm *mvm)
+size_t iwl_mvm_scan_size(struct iwl_mvm *mvm)
 {
 	int base_size, tail_size;
 	u8 scan_ver = iwl_fw_lookup_cmd_ver(mvm->fw, SCAN_REQ_UMAC,
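Review bot: iwl_mvm_scan_size now returns size_t on line 175, and the hunk above makes iwl_scan_req_umac_get_size return size_t too, yet the locals on line 177 stay `int base_size, tail_size;`, so the unsigned results are presumably narrowed into int and widened back on return. Changing line 177 to `size_t base_size, tail_size;` keeps the size arithmetic in one unsigned type and avoids sign-conversion warnings; the rest of the function is outside the hunk, so any negative sentinel or signed comparison on those locals would need checking before making that change. The function's body continues past the end of the hunk.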
-- 
2.34.1

