All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH] cfg80211: Fix array-bounds warning in fragment copy
@ 2017-03-25  1:06 Matthias Kaehlcke
  2017-03-27 10:47 ` Johannes Berg
  0 siblings, 1 reply; 5+ messages in thread
From: Matthias Kaehlcke @ 2017-03-25  1:06 UTC (permalink / raw)
  To: Johannes Berg, David S . Miller, Felix Fietkau
  Cc: netdev, linux-kernel, Grant Grundler, Matthias Kaehlcke

__ieee80211_amsdu_copy_frag intentionally initializes a pointer to
array[-1] to increment it later to valid values. clang rightfully
generates an array-bounds warning on the initialization statement.
Work around this by initializing the pointer to array[0] and
decrementing it later, which allows to leave the rest of the
algorithm untouched.

Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
---
 net/wireless/util.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/wireless/util.c b/net/wireless/util.c
index 68e5f2ecee1a..d3d459e4a070 100644
--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -659,7 +659,7 @@ __ieee80211_amsdu_copy_frag(struct sk_buff *skb, struct sk_buff *frame,
 			    int offset, int len)
 {
 	struct skb_shared_info *sh = skb_shinfo(skb);
-	const skb_frag_t *frag = &sh->frags[-1];
+	const skb_frag_t *frag = &sh->frags[0];
 	struct page *frag_page;
 	void *frag_ptr;
 	int frag_len, frag_size;
@@ -669,6 +669,7 @@ __ieee80211_amsdu_copy_frag(struct sk_buff *skb, struct sk_buff *frame,
 	frag_page = virt_to_head_page(skb->head);
 	frag_ptr = skb->data;
 	frag_size = head_size;
+	frag--;
 
 	while (offset >= frag_size) {
 		offset -= frag_size;
-- 
2.12.1.578.ge9c3154ca4-goog

^ permalink raw reply related	[flat|nested] 5+ messages in thread
* Re: [PATCH] cfg80211: Fix array-bounds warning in fragment copy
  2017-03-25  1:06 [PATCH] cfg80211: Fix array-bounds warning in fragment copy Matthias Kaehlcke
@ 2017-03-27 10:47 ` Johannes Berg
  2017-03-27 11:29   ` Felix Fietkau
  2017-03-27 19:32   ` Matthias Kaehlcke
  0 siblings, 2 replies; 5+ messages in thread
From: Johannes Berg @ 2017-03-27 10:47 UTC (permalink / raw)
  To: Matthias Kaehlcke, David S . Miller, Felix Fietkau
  Cc: netdev, linux-kernel, Grant Grundler

On Fri, 2017-03-24 at 18:06 -0700, Matthias Kaehlcke wrote:
> __ieee80211_amsdu_copy_frag intentionally initializes a pointer to
> array[-1] to increment it later to valid values. clang rightfully
> generates an array-bounds warning on the initialization statement.
> Work around this by initializing the pointer to array[0] and
> decrementing it later, which allows to leave the rest of the
> algorithm untouched.
> 
> Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
> ---
>  net/wireless/util.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/net/wireless/util.c b/net/wireless/util.c
> index 68e5f2ecee1a..d3d459e4a070 100644
> --- a/net/wireless/util.c
> +++ b/net/wireless/util.c
> @@ -659,7 +659,7 @@ __ieee80211_amsdu_copy_frag(struct sk_buff *skb,
> struct sk_buff *frame,
>  			    int offset, int len)
>  {
>  	struct skb_shared_info *sh = skb_shinfo(skb);
> -	const skb_frag_t *frag = &sh->frags[-1];
> +	const skb_frag_t *frag = &sh->frags[0];
>  	struct page *frag_page;
>  	void *frag_ptr;
>  	int frag_len, frag_size;
> @@ -669,6 +669,7 @@ __ieee80211_amsdu_copy_frag(struct sk_buff *skb,
> struct sk_buff *frame,
>  	frag_page = virt_to_head_page(skb->head);
>  	frag_ptr = skb->data;
>  	frag_size = head_size;
> +	frag--;

Isn't it just a question of time until the compiler will see through
this trick and warn about it?

johannes

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [PATCH] cfg80211: Fix array-bounds warning in fragment copy
  2017-03-27 10:47 ` Johannes Berg
@ 2017-03-27 11:29   ` Felix Fietkau
  2017-03-27 11:38     ` Johannes Berg
  2017-03-27 19:32   ` Matthias Kaehlcke
  1 sibling, 1 reply; 5+ messages in thread
From: Felix Fietkau @ 2017-03-27 11:29 UTC (permalink / raw)
  To: Johannes Berg, Matthias Kaehlcke, David S . Miller, Felix Fietkau
  Cc: netdev, linux-kernel, Grant Grundler

On 2017-03-27 12:47, Johannes Berg wrote:
> On Fri, 2017-03-24 at 18:06 -0700, Matthias Kaehlcke wrote:
>> __ieee80211_amsdu_copy_frag intentionally initializes a pointer to
>> array[-1] to increment it later to valid values. clang rightfully
>> generates an array-bounds warning on the initialization statement.
>> Work around this by initializing the pointer to array[0] and
>> decrementing it later, which allows to leave the rest of the
>> algorithm untouched.
>> 
>> Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
>> ---
>>  net/wireless/util.c | 3 ++-
>>  1 file changed, 2 insertions(+), 1 deletion(-)
>> 
>> diff --git a/net/wireless/util.c b/net/wireless/util.c
>> index 68e5f2ecee1a..d3d459e4a070 100644
>> --- a/net/wireless/util.c
>> +++ b/net/wireless/util.c
>> @@ -659,7 +659,7 @@ __ieee80211_amsdu_copy_frag(struct sk_buff *skb,
>> struct sk_buff *frame,
>>  			    int offset, int len)
>>  {
>>  	struct skb_shared_info *sh = skb_shinfo(skb);
>> -	const skb_frag_t *frag = &sh->frags[-1];
>> +	const skb_frag_t *frag = &sh->frags[0];
>>  	struct page *frag_page;
>>  	void *frag_ptr;
>>  	int frag_len, frag_size;
>> @@ -669,6 +669,7 @@ __ieee80211_amsdu_copy_frag(struct sk_buff *skb,
>> struct sk_buff *frame,
>>  	frag_page = virt_to_head_page(skb->head);
>>  	frag_ptr = skb->data;
>>  	frag_size = head_size;
>> +	frag--;
> 
> Isn't it just a question of time until the compiler will see through
> this trick and warn about it?
Frag is incremented again before being accessed, so there is nothing for
the compiler to see through here.

Acked-by: Felix Fietkau <nbd@nbd.name>

- Felix

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [PATCH] cfg80211: Fix array-bounds warning in fragment copy
  2017-03-27 11:29   ` Felix Fietkau
@ 2017-03-27 11:38     ` Johannes Berg
  0 siblings, 0 replies; 5+ messages in thread
From: Johannes Berg @ 2017-03-27 11:38 UTC (permalink / raw)
  To: Felix Fietkau, Matthias Kaehlcke, David S . Miller, Felix Fietkau
  Cc: netdev, linux-kernel, Grant Grundler


> > > -	const skb_frag_t *frag = &sh->frags[-1];
> > > +	const skb_frag_t *frag = &sh->frags[0];
[...]
> > > +	frag--;
> > 
> > Isn't it just a question of time until the compiler will see
> > through this trick and warn about it?
> 
> Frag is incremented again before being accessed, so there is nothing
> for the compiler to see through here.

But by that argument the existing code was already fine. The compiler
flagged it nonetheless, perhaps because it couldn't prove it was
incremented unconditionally/in all branches?

johannes

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [PATCH] cfg80211: Fix array-bounds warning in fragment copy
  2017-03-27 10:47 ` Johannes Berg
  2017-03-27 11:29   ` Felix Fietkau
@ 2017-03-27 19:32   ` Matthias Kaehlcke
  1 sibling, 0 replies; 5+ messages in thread
From: Matthias Kaehlcke @ 2017-03-27 19:32 UTC (permalink / raw)
  To: Johannes Berg
  Cc: David S . Miller, Felix Fietkau, netdev, linux-kernel, Grant Grundler

El Mon, Mar 27, 2017 at 12:47:59PM +0200 Johannes Berg ha dit:

> On Fri, 2017-03-24 at 18:06 -0700, Matthias Kaehlcke wrote:
> > __ieee80211_amsdu_copy_frag intentionally initializes a pointer to
> > array[-1] to increment it later to valid values. clang rightfully
> > generates an array-bounds warning on the initialization statement.
> > Work around this by initializing the pointer to array[0] and
> > decrementing it later, which allows to leave the rest of the
> > algorithm untouched.
> > 
> > Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
> > ---
> >  net/wireless/util.c | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> > 
> > diff --git a/net/wireless/util.c b/net/wireless/util.c
> > index 68e5f2ecee1a..d3d459e4a070 100644
> > --- a/net/wireless/util.c
> > +++ b/net/wireless/util.c
> > @@ -659,7 +659,7 @@ __ieee80211_amsdu_copy_frag(struct sk_buff *skb,
> > struct sk_buff *frame,
> >  			    int offset, int len)
> >  {
> >  	struct skb_shared_info *sh = skb_shinfo(skb);
> > -	const skb_frag_t *frag = &sh->frags[-1];
> > +	const skb_frag_t *frag = &sh->frags[0];
> >  	struct page *frag_page;
> >  	void *frag_ptr;
> >  	int frag_len, frag_size;
> > @@ -669,6 +669,7 @@ __ieee80211_amsdu_copy_frag(struct sk_buff *skb,
> > struct sk_buff *frame,
> >  	frag_page = virt_to_head_page(skb->head);
> >  	frag_ptr = skb->data;
> >  	frag_size = head_size;
> > +	frag--;
> 
> Isn't it just a question of time until the compiler will see through
> this trick and warn about it?

Maybe.

Actually it seems the algorithm can be easily adapted to increment the
pointer after consumption, which is clearer anyway. I will give this a
shot. I'm not sure how to exercise the code path for testing and would
appreciate help on this end.

Matthias

^ permalink raw reply	[flat|nested] 5+ messages in thread
end of thread, other threads:[~2017-03-27 19:41 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-03-25  1:06 [PATCH] cfg80211: Fix array-bounds warning in fragment copy Matthias Kaehlcke
2017-03-27 10:47 ` Johannes Berg
2017-03-27 11:29   ` Felix Fietkau
2017-03-27 11:38     ` Johannes Berg
2017-03-27 19:32   ` Matthias Kaehlcke

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.