* [PATCH] brcmfmac: fix a loop exit condition @ 2021-04-23 11:46 Dan Carpenter 2021-04-23 11:56 ` Matthias Brugger ` (3 more replies) 0 siblings, 4 replies; 10+ messages in thread From: Dan Carpenter @ 2021-04-23 11:46 UTC (permalink / raw) To: Arend van Spriel, Matthias Brugger Cc: Franky Lin, Hante Meuleman, Chi-hsien Lin, Wright Feng, Chung-hsien Hsu, Kalle Valo, Hans deGoede, linux-wireless, brcm80211-dev-list.pdl, kernel-janitors This code is supposed to loop over the whole board_type[] string. The current code kind of works just because ascii values start 97 and the string is likely shorter than that so it will break when we hit the NUL terminator. But really the condition should be "i < len" instead of "i < board_type[i]". Fixes: 29e354ebeeec ("brcmfmac: Transform compatible string for FW loading") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> --- drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c index a7554265f95f..9b75e396fc50 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c @@ -34,7 +34,7 @@ void brcmf_of_probe(struct device *dev, enum brcmf_bus_type bus_type, len = strlen(tmp) + 1; board_type = devm_kzalloc(dev, len, GFP_KERNEL); strscpy(board_type, tmp, len); - for (i = 0; i < board_type[i]; i++) { + for (i = 0; i < len; i++) { if (board_type[i] == '/') board_type[i] = '-'; } -- 2.30.2 ^ permalink raw reply related [flat|nested] 10+ messages in thread
* Re: [PATCH] brcmfmac: fix a loop exit condition 2021-04-23 11:46 [PATCH] brcmfmac: fix a loop exit condition Dan Carpenter @ 2021-04-23 11:56 ` Matthias Brugger 2021-04-23 11:59 ` Johannes Berg ` (2 subsequent siblings) 3 siblings, 0 replies; 10+ messages in thread From: Matthias Brugger @ 2021-04-23 11:56 UTC (permalink / raw) To: Dan Carpenter, Arend van Spriel Cc: Franky Lin, Hante Meuleman, Chi-hsien Lin, Wright Feng, Chung-hsien Hsu, Kalle Valo, Hans deGoede, linux-wireless, brcm80211-dev-list.pdl, kernel-janitors On 23/04/2021 13:46, Dan Carpenter wrote: > This code is supposed to loop over the whole board_type[] string. The > current code kind of works just because ascii values start 97 and the > string is likely shorter than that so it will break when we hit the NUL > terminator. But really the condition should be "i < len" instead of > "i < board_type[i]". > > Fixes: 29e354ebeeec ("brcmfmac: Transform compatible string for FW loading") > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Good catch, I actually have serious doubts about whatever I was thinking when writing that line of code. Reviewed-by: Matthias Brugger <mbrugger@suse.com> > --- > drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c > index a7554265f95f..9b75e396fc50 100644 > --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c > +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c > @@ -34,7 +34,7 @@ void brcmf_of_probe(struct device *dev, enum brcmf_bus_type bus_type, > len = strlen(tmp) + 1; > board_type = devm_kzalloc(dev, len, GFP_KERNEL); > strscpy(board_type, tmp, len); > - for (i = 0; i < board_type[i]; i++) { > + for (i = 0; i < len; i++) { > if (board_type[i] == '/') > board_type[i] = '-'; > } > ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] brcmfmac: fix a loop exit condition 2021-04-23 11:46 [PATCH] brcmfmac: fix a loop exit condition Dan Carpenter 2021-04-23 11:56 ` Matthias Brugger @ 2021-04-23 11:59 ` Johannes Berg 2021-04-23 12:11 ` Dan Carpenter 2021-06-15 10:26 ` Kalle Valo [not found] ` <20210615102656.DBB04C43143@smtp.codeaurora.org> 3 siblings, 1 reply; 10+ messages in thread From: Johannes Berg @ 2021-04-23 11:59 UTC (permalink / raw) To: Dan Carpenter, Arend van Spriel, Matthias Brugger Cc: Franky Lin, Hante Meuleman, Chi-hsien Lin, Wright Feng, Chung-hsien Hsu, Kalle Valo, Hans deGoede, linux-wireless, brcm80211-dev-list.pdl, kernel-janitors On Fri, 2021-04-23 at 14:46 +0300, Dan Carpenter wrote: > This code is supposed to loop over the whole board_type[] string. The > current code kind of works just because ascii values start 97 and the > string is likely shorter than that so it will break when we hit the NUL > terminator. But really the condition should be "i < len" instead of > "i < board_type[i]". > > Fixes: 29e354ebeeec ("brcmfmac: Transform compatible string for FW loading") > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > --- > drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c > index a7554265f95f..9b75e396fc50 100644 > --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c > +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c > @@ -34,7 +34,7 @@ void brcmf_of_probe(struct device *dev, enum brcmf_bus_type bus_type, > len = strlen(tmp) + 1; > board_type = devm_kzalloc(dev, len, GFP_KERNEL); > strscpy(board_type, tmp, len); > - for (i = 0; i < board_type[i]; i++) { > + for (i = 0; i < len; i++) { > if (board_type[i] == '/') > board_type[i] = '-'; > } It should probably just use strreplace() though :) johannes ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] brcmfmac: fix a loop exit condition 2021-04-23 11:59 ` Johannes Berg @ 2021-04-23 12:11 ` Dan Carpenter 2021-04-23 12:20 ` Christophe JAILLET 0 siblings, 1 reply; 10+ messages in thread From: Dan Carpenter @ 2021-04-23 12:11 UTC (permalink / raw) To: Johannes Berg Cc: Arend van Spriel, Matthias Brugger, Franky Lin, Hante Meuleman, Chi-hsien Lin, Wright Feng, Chung-hsien Hsu, Kalle Valo, Hans deGoede, linux-wireless, brcm80211-dev-list.pdl, kernel-janitors On Fri, Apr 23, 2021 at 01:59:36PM +0200, Johannes Berg wrote: > On Fri, 2021-04-23 at 14:46 +0300, Dan Carpenter wrote: > > This code is supposed to loop over the whole board_type[] string. The > > current code kind of works just because ascii values start 97 and the > > string is likely shorter than that so it will break when we hit the NUL > > terminator. But really the condition should be "i < len" instead of > > "i < board_type[i]". > > > > Fixes: 29e354ebeeec ("brcmfmac: Transform compatible string for FW loading") > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > > --- > > drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c > > index a7554265f95f..9b75e396fc50 100644 > > --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c > > +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c > > @@ -34,7 +34,7 @@ void brcmf_of_probe(struct device *dev, enum brcmf_bus_type bus_type, > > len = strlen(tmp) + 1; > > board_type = devm_kzalloc(dev, len, GFP_KERNEL); > > strscpy(board_type, tmp, len); > > - for (i = 0; i < board_type[i]; i++) { > > + for (i = 0; i < len; i++) { > > if (board_type[i] == '/') > > board_type[i] = '-'; > > } > > It should probably just use strreplace() though :) Good point. I'll send a v2. regards, dan carpenter ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] brcmfmac: fix a loop exit condition 2021-04-23 12:11 ` Dan Carpenter @ 2021-04-23 12:20 ` Christophe JAILLET 2021-04-23 12:54 ` Johannes Berg 2021-05-08 11:02 ` Dan Carpenter 0 siblings, 2 replies; 10+ messages in thread From: Christophe JAILLET @ 2021-04-23 12:20 UTC (permalink / raw) To: Dan Carpenter, Johannes Berg Cc: Arend van Spriel, Matthias Brugger, Franky Lin, Hante Meuleman, Chi-hsien Lin, Wright Feng, Chung-hsien Hsu, Kalle Valo, Hans deGoede, linux-wireless, brcm80211-dev-list.pdl, kernel-janitors Le 23/04/2021 à 14:11, Dan Carpenter a écrit : > On Fri, Apr 23, 2021 at 01:59:36PM +0200, Johannes Berg wrote: >> On Fri, 2021-04-23 at 14:46 +0300, Dan Carpenter wrote: >>> This code is supposed to loop over the whole board_type[] string. The >>> current code kind of works just because ascii values start 97 and the >>> string is likely shorter than that so it will break when we hit the NUL >>> terminator. But really the condition should be "i < len" instead of >>> "i < board_type[i]". >>> >>> Fixes: 29e354ebeeec ("brcmfmac: Transform compatible string for FW loading") >>> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> >>> --- >>> drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c | 2 +- >>> 1 file changed, 1 insertion(+), 1 deletion(-) >>> >>> diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c >>> index a7554265f95f..9b75e396fc50 100644 >>> --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c >>> +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c >>> @@ -34,7 +34,7 @@ void brcmf_of_probe(struct device *dev, enum brcmf_bus_type bus_type, >>> len = strlen(tmp) + 1; >>> board_type = devm_kzalloc(dev, len, GFP_KERNEL); >>> strscpy(board_type, tmp, len); >>> - for (i = 0; i < board_type[i]; i++) { >>> + for (i = 0; i < len; i++) { >>> if (board_type[i] == '/') >>> board_type[i] = '-'; >>> } >> >> It should probably just use strreplace() though :) > > Good point. I'll send a v2. > and the 2 lines above look like a devm_kstrdup. The (unlikely) malloc failure test is also missing. CJ > regards, > dan carpenter > > ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] brcmfmac: fix a loop exit condition 2021-04-23 12:20 ` Christophe JAILLET @ 2021-04-23 12:54 ` Johannes Berg 2021-05-08 11:02 ` Dan Carpenter 1 sibling, 0 replies; 10+ messages in thread From: Johannes Berg @ 2021-04-23 12:54 UTC (permalink / raw) To: Christophe JAILLET, Dan Carpenter Cc: Arend van Spriel, Matthias Brugger, Franky Lin, Hante Meuleman, Chi-hsien Lin, Wright Feng, Chung-hsien Hsu, Kalle Valo, Hans deGoede, linux-wireless, brcm80211-dev-list.pdl, kernel-janitors On Fri, 2021-04-23 at 14:20 +0200, Christophe JAILLET wrote: > > > > > +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c > > > > @@ -34,7 +34,7 @@ void brcmf_of_probe(struct device *dev, enum brcmf_bus_type bus_type, > > > > len = strlen(tmp) + 1; > > > > board_type = devm_kzalloc(dev, len, GFP_KERNEL); > > > > strscpy(board_type, tmp, len); > > > > - for (i = 0; i < board_type[i]; i++) { > > > > + for (i = 0; i < len; i++) { > > > > if (board_type[i] == '/') > > > > board_type[i] = '-'; > > > > } > > > > > > It should probably just use strreplace() though :) > > > > Good point. I'll send a v2. > > > > and the 2 lines above look like a devm_kstrdup. > > The (unlikely) malloc failure test is also missing. How many issues can you have in 6 lines of code ;-) johannes ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] brcmfmac: fix a loop exit condition 2021-04-23 12:20 ` Christophe JAILLET 2021-04-23 12:54 ` Johannes Berg @ 2021-05-08 11:02 ` Dan Carpenter 1 sibling, 0 replies; 10+ messages in thread From: Dan Carpenter @ 2021-05-08 11:02 UTC (permalink / raw) To: Christophe JAILLET Cc: Johannes Berg, Arend van Spriel, Matthias Brugger, Franky Lin, Hante Meuleman, Chi-hsien Lin, Wright Feng, Chung-hsien Hsu, Kalle Valo, Hans deGoede, linux-wireless, brcm80211-dev-list.pdl, kernel-janitors On Fri, Apr 23, 2021 at 02:20:35PM +0200, Christophe JAILLET wrote: > Le 23/04/2021 à 14:11, Dan Carpenter a écrit : > > On Fri, Apr 23, 2021 at 01:59:36PM +0200, Johannes Berg wrote: > > > On Fri, 2021-04-23 at 14:46 +0300, Dan Carpenter wrote: > > > > This code is supposed to loop over the whole board_type[] string. The > > > > current code kind of works just because ascii values start 97 and the > > > > string is likely shorter than that so it will break when we hit the NUL > > > > terminator. But really the condition should be "i < len" instead of > > > > "i < board_type[i]". > > > > > > > > Fixes: 29e354ebeeec ("brcmfmac: Transform compatible string for FW loading") > > > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > > > > --- > > > > drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c | 2 +- > > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > > > diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c > > > > index a7554265f95f..9b75e396fc50 100644 > > > > --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c > > > > +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c > > > > @@ -34,7 +34,7 @@ void brcmf_of_probe(struct device *dev, enum brcmf_bus_type bus_type, > > > > len = strlen(tmp) + 1; > > > > board_type = devm_kzalloc(dev, len, GFP_KERNEL); > > > > strscpy(board_type, tmp, len); > > > > - for (i = 0; i < board_type[i]; i++) { > > > > + for (i = 0; i < len; i++) { > > > > if (board_type[i] == '/') > > > > board_type[i] = '-'; > > > > } > > > > > > It should probably just use strreplace() though :) > > > > Good point. I'll send a v2. > > > > and the 2 lines above look like a devm_kstrdup. > > The (unlikely) malloc failure test is also missing. It turns out that Smatch checks for allocation failure were really ancient and really crap... I need to add all devm_ functions. Probably should re-write all that code. Also originally GFP_NOFAIL was 0x800 and now it is 0x8000. Smatch was out of sync. So the functions that were supposed to be checked were all disabled... Need to figure out a better way to do that as well. regards, dan carpenter ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] brcmfmac: fix a loop exit condition 2021-04-23 11:46 [PATCH] brcmfmac: fix a loop exit condition Dan Carpenter 2021-04-23 11:56 ` Matthias Brugger 2021-04-23 11:59 ` Johannes Berg @ 2021-06-15 10:26 ` Kalle Valo [not found] ` <20210615102656.DBB04C43143@smtp.codeaurora.org> 3 siblings, 0 replies; 10+ messages in thread From: Kalle Valo @ 2021-06-15 10:26 UTC (permalink / raw) To: Dan Carpenter Cc: Arend van Spriel, Matthias Brugger, Franky Lin, Hante Meuleman, Chi-hsien Lin, Wright Feng, Chung-hsien Hsu, Hans deGoede, linux-wireless, brcm80211-dev-list.pdl, kernel-janitors Dan Carpenter <dan.carpenter@oracle.com> wrote: > This code is supposed to loop over the whole board_type[] string. The > current code kind of works just because ascii values start 97 and the > string is likely shorter than that so it will break when we hit the NUL > terminator. But really the condition should be "i < len" instead of > "i < board_type[i]". > > Fixes: 29e354ebeeec ("brcmfmac: Transform compatible string for FW loading") > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > Reviewed-by: Matthias Brugger <mbrugger@suse.com> There was talk about v2, but I don't see it in the patchwork. Patch set to Changes Requested. -- https://patchwork.kernel.org/project/linux-wireless/patch/YIKzmoMiTdToaIyP@mwanda/ https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches ^ permalink raw reply [flat|nested] 10+ messages in thread
[parent not found: <20210615102656.DBB04C43143@smtp.codeaurora.org>]
* Re: [PATCH] brcmfmac: fix a loop exit condition [not found] ` <20210615102656.DBB04C43143@smtp.codeaurora.org> @ 2021-06-15 12:52 ` Dan Carpenter 2021-06-15 13:45 ` Kalle Valo 0 siblings, 1 reply; 10+ messages in thread From: Dan Carpenter @ 2021-06-15 12:52 UTC (permalink / raw) To: Kalle Valo Cc: Arend van Spriel, Matthias Brugger, Franky Lin, Hante Meuleman, Chi-hsien Lin, Wright Feng, Chung-hsien Hsu, Hans deGoede, linux-wireless, brcm80211-dev-list.pdl, kernel-janitors On Tue, Jun 15, 2021 at 10:26:56AM +0000, Kalle Valo wrote: > Dan Carpenter <dan.carpenter@oracle.com> wrote: > > > This code is supposed to loop over the whole board_type[] string. The > > current code kind of works just because ascii values start 97 and the > > string is likely shorter than that so it will break when we hit the NUL > > terminator. But really the condition should be "i < len" instead of > > "i < board_type[i]". > > > > Fixes: 29e354ebeeec ("brcmfmac: Transform compatible string for FW loading") > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > > Reviewed-by: Matthias Brugger <mbrugger@suse.com> > > There was talk about v2, but I don't see it in the patchwork. > Ah, crap. I started to debug Smatch to find out why it wasn't warning about some of these bugs and I got a bit carried away writing Smatch code and forgot to come back to this. I will send it tomorrow. regards, dan carpenter ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] brcmfmac: fix a loop exit condition 2021-06-15 12:52 ` Dan Carpenter @ 2021-06-15 13:45 ` Kalle Valo 0 siblings, 0 replies; 10+ messages in thread From: Kalle Valo @ 2021-06-15 13:45 UTC (permalink / raw) To: Dan Carpenter Cc: Arend van Spriel, Matthias Brugger, Franky Lin, Hante Meuleman, Chi-hsien Lin, Wright Feng, Chung-hsien Hsu, Hans deGoede, linux-wireless, brcm80211-dev-list.pdl, kernel-janitors Dan Carpenter <dan.carpenter@oracle.com> writes: > On Tue, Jun 15, 2021 at 10:26:56AM +0000, Kalle Valo wrote: >> Dan Carpenter <dan.carpenter@oracle.com> wrote: >> >> > This code is supposed to loop over the whole board_type[] string. The >> > current code kind of works just because ascii values start 97 and the >> > string is likely shorter than that so it will break when we hit the NUL >> > terminator. But really the condition should be "i < len" instead of >> > "i < board_type[i]". >> > >> > Fixes: 29e354ebeeec ("brcmfmac: Transform compatible string for FW loading") >> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> >> > Reviewed-by: Matthias Brugger <mbrugger@suse.com> >> >> There was talk about v2, but I don't see it in the patchwork. > > Ah, crap. I started to debug Smatch to find out why it wasn't warning > about some of these bugs and I got a bit carried away writing Smatch > code and forgot to come back to this. > > I will send it tomorrow. No worries, take your time :) I just wanted to remind about this, or see if patchwork or the mailing list have lost patches again (which has happened in the past). -- https://patchwork.kernel.org/project/linux-wireless/list/ https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches ^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2021-06-15 13:45 UTC | newest] Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2021-04-23 11:46 [PATCH] brcmfmac: fix a loop exit condition Dan Carpenter 2021-04-23 11:56 ` Matthias Brugger 2021-04-23 11:59 ` Johannes Berg 2021-04-23 12:11 ` Dan Carpenter 2021-04-23 12:20 ` Christophe JAILLET 2021-04-23 12:54 ` Johannes Berg 2021-05-08 11:02 ` Dan Carpenter 2021-06-15 10:26 ` Kalle Valo [not found] ` <20210615102656.DBB04C43143@smtp.codeaurora.org> 2021-06-15 12:52 ` Dan Carpenter 2021-06-15 13:45 ` Kalle Valo
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.