[PATCH] brcmfmac: fix a loop exit condition

[PATCH] brcmfmac: fix a loop exit condition

[Dan Carpenter]

This code is supposed to loop over the whole board_type[] string.  The
current code kind of works just because ascii values start 97 and the
string is likely shorter than that so it will break when we hit the NUL
terminator.  But really the condition should be "i < len" instead of
"i < board_type[i]".

Fixes: 29e354ebeeec ("brcmfmac: Transform compatible string for FW loading")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
index a7554265f95f..9b75e396fc50 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
@@ -34,7 +34,7 @@ void brcmf_of_probe(struct device *dev, enum brcmf_bus_type bus_type,
 		len = strlen(tmp) + 1;
 		board_type = devm_kzalloc(dev, len, GFP_KERNEL);
 		strscpy(board_type, tmp, len);
-		for (i = 0; i < board_type[i]; i++) {
+		for (i = 0; i < len; i++) {
 			if (board_type[i] == '/')
 				board_type[i] = '-';
 		}
-- 
2.30.2

Re: [PATCH] brcmfmac: fix a loop exit condition

[Matthias Brugger]

On 23/04/2021 13:46, Dan Carpenter wrote:
> This code is supposed to loop over the whole board_type[] string.  The
> current code kind of works just because ascii values start 97 and the
> string is likely shorter than that so it will break when we hit the NUL
> terminator.  But really the condition should be "i < len" instead of
> "i < board_type[i]".
> 
> Fixes: 29e354ebeeec ("brcmfmac: Transform compatible string for FW loading")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Good catch, I actually have serious doubts about whatever I was thinking when
writing that line of code.

Reviewed-by: Matthias Brugger <mbrugger@suse.com>

> ---
>  drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
> index a7554265f95f..9b75e396fc50 100644
> --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
> +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
> @@ -34,7 +34,7 @@ void brcmf_of_probe(struct device *dev, enum brcmf_bus_type bus_type,
>  		len = strlen(tmp) + 1;
>  		board_type = devm_kzalloc(dev, len, GFP_KERNEL);
>  		strscpy(board_type, tmp, len);
> -		for (i = 0; i < board_type[i]; i++) {
> +		for (i = 0; i < len; i++) {
>  			if (board_type[i] == '/')
>  				board_type[i] = '-';
>  		}
> 

Re: [PATCH] brcmfmac: fix a loop exit condition

[Johannes Berg]

On Fri, 2021-04-23 at 14:46 +0300, Dan Carpenter wrote:
> This code is supposed to loop over the whole board_type[] string.  The
> current code kind of works just because ascii values start 97 and the
> string is likely shorter than that so it will break when we hit the NUL
> terminator.  But really the condition should be "i < len" instead of
> "i < board_type[i]".
> 
> Fixes: 29e354ebeeec ("brcmfmac: Transform compatible string for FW loading")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
>  drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
> index a7554265f95f..9b75e396fc50 100644
> --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
> +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
> @@ -34,7 +34,7 @@ void brcmf_of_probe(struct device *dev, enum brcmf_bus_type bus_type,
>  		len = strlen(tmp) + 1;
>  		board_type = devm_kzalloc(dev, len, GFP_KERNEL);
>  		strscpy(board_type, tmp, len);
> -		for (i = 0; i < board_type[i]; i++) {
> +		for (i = 0; i < len; i++) {
>  			if (board_type[i] == '/')
>  				board_type[i] = '-';
>  		}

It should probably just use strreplace() though :)

johannes

Re: [PATCH] brcmfmac: fix a loop exit condition

[Dan Carpenter]

On Fri, Apr 23, 2021 at 01:59:36PM +0200, Johannes Berg wrote:
> On Fri, 2021-04-23 at 14:46 +0300, Dan Carpenter wrote:
> > This code is supposed to loop over the whole board_type[] string.  The
> > current code kind of works just because ascii values start 97 and the
> > string is likely shorter than that so it will break when we hit the NUL
> > terminator.  But really the condition should be "i < len" instead of
> > "i < board_type[i]".
> > 
> > Fixes: 29e354ebeeec ("brcmfmac: Transform compatible string for FW loading")
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > ---
> >  drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
> > index a7554265f95f..9b75e396fc50 100644
> > --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
> > +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
> > @@ -34,7 +34,7 @@ void brcmf_of_probe(struct device *dev, enum brcmf_bus_type bus_type,
> >  		len = strlen(tmp) + 1;
> >  		board_type = devm_kzalloc(dev, len, GFP_KERNEL);
> >  		strscpy(board_type, tmp, len);
> > -		for (i = 0; i < board_type[i]; i++) {
> > +		for (i = 0; i < len; i++) {
> >  			if (board_type[i] == '/')
> >  				board_type[i] = '-';
> >  		}
> 
> It should probably just use strreplace() though :)

Good point.  I'll send a v2.

regards,
dan carpenter

Re: [PATCH] brcmfmac: fix a loop exit condition

[Christophe JAILLET]

Le 23/04/2021 à 14:11, Dan Carpenter a écrit :
> On Fri, Apr 23, 2021 at 01:59:36PM +0200, Johannes Berg wrote:
>> On Fri, 2021-04-23 at 14:46 +0300, Dan Carpenter wrote:
>>> This code is supposed to loop over the whole board_type[] string.  The
>>> current code kind of works just because ascii values start 97 and the
>>> string is likely shorter than that so it will break when we hit the NUL
>>> terminator.  But really the condition should be "i < len" instead of
>>> "i < board_type[i]".
>>>
>>> Fixes: 29e354ebeeec ("brcmfmac: Transform compatible string for FW loading")
>>> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>>> ---
>>>   drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c | 2 +-
>>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
>>> index a7554265f95f..9b75e396fc50 100644
>>> --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
>>> +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
>>> @@ -34,7 +34,7 @@ void brcmf_of_probe(struct device *dev, enum brcmf_bus_type bus_type,
>>>   		len = strlen(tmp) + 1;
>>>   		board_type = devm_kzalloc(dev, len, GFP_KERNEL);
>>>   		strscpy(board_type, tmp, len);
>>> -		for (i = 0; i < board_type[i]; i++) {
>>> +		for (i = 0; i < len; i++) {
>>>   			if (board_type[i] == '/')
>>>   				board_type[i] = '-';
>>>   		}
>>
>> It should probably just use strreplace() though :)
> 
> Good point.  I'll send a v2.
> 

and the 2 lines above look like a devm_kstrdup.

The (unlikely) malloc failure test is also missing.

CJ

> regards,
> dan carpenter
> 
> 

Re: [PATCH] brcmfmac: fix a loop exit condition

[Johannes Berg]

On Fri, 2021-04-23 at 14:20 +0200, Christophe JAILLET wrote:
> 
> > > > +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
> > > > @@ -34,7 +34,7 @@ void brcmf_of_probe(struct device *dev, enum brcmf_bus_type bus_type,
> > > >   		len = strlen(tmp) + 1;
> > > >   		board_type = devm_kzalloc(dev, len, GFP_KERNEL);
> > > >   		strscpy(board_type, tmp, len);
> > > > -		for (i = 0; i < board_type[i]; i++) {
> > > > +		for (i = 0; i < len; i++) {
> > > >   			if (board_type[i] == '/')
> > > >   				board_type[i] = '-';
> > > >   		}
> > > 
> > > It should probably just use strreplace() though :)
> > 
> > Good point.  I'll send a v2.
> > 
> 
> and the 2 lines above look like a devm_kstrdup.
> 
> The (unlikely) malloc failure test is also missing.

How many issues can you have in 6 lines of code ;-)

johannes

Re: [PATCH] brcmfmac: fix a loop exit condition

[Dan Carpenter]

On Fri, Apr 23, 2021 at 02:20:35PM +0200, Christophe JAILLET wrote:
> Le 23/04/2021 à 14:11, Dan Carpenter a écrit :
> > On Fri, Apr 23, 2021 at 01:59:36PM +0200, Johannes Berg wrote:
> > > On Fri, 2021-04-23 at 14:46 +0300, Dan Carpenter wrote:
> > > > This code is supposed to loop over the whole board_type[] string.  The
> > > > current code kind of works just because ascii values start 97 and the
> > > > string is likely shorter than that so it will break when we hit the NUL
> > > > terminator.  But really the condition should be "i < len" instead of
> > > > "i < board_type[i]".
> > > > 
> > > > Fixes: 29e354ebeeec ("brcmfmac: Transform compatible string for FW loading")
> > > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > > > ---
> > > >   drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c | 2 +-
> > > >   1 file changed, 1 insertion(+), 1 deletion(-)
> > > > 
> > > > diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
> > > > index a7554265f95f..9b75e396fc50 100644
> > > > --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
> > > > +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
> > > > @@ -34,7 +34,7 @@ void brcmf_of_probe(struct device *dev, enum brcmf_bus_type bus_type,
> > > >   		len = strlen(tmp) + 1;
> > > >   		board_type = devm_kzalloc(dev, len, GFP_KERNEL);
> > > >   		strscpy(board_type, tmp, len);
> > > > -		for (i = 0; i < board_type[i]; i++) {
> > > > +		for (i = 0; i < len; i++) {
> > > >   			if (board_type[i] == '/')
> > > >   				board_type[i] = '-';
> > > >   		}
> > > 
> > > It should probably just use strreplace() though :)
> > 
> > Good point.  I'll send a v2.
> > 
> 
> and the 2 lines above look like a devm_kstrdup.
> 
> The (unlikely) malloc failure test is also missing.

It turns out that Smatch checks for allocation failure were really
ancient and really crap...  I need to add all devm_ functions.
Probably should re-write all that code.

Also originally GFP_NOFAIL was 0x800 and now it is 0x8000.  Smatch
was out of sync.  So the functions that were supposed to be checked
were all disabled...  Need to figure out a better way to do that as
well.

regards,
dan carpenter

Re: [PATCH] brcmfmac: fix a loop exit condition

[Kalle Valo]

Dan Carpenter <dan.carpenter@oracle.com> wrote:

> This code is supposed to loop over the whole board_type[] string.  The
> current code kind of works just because ascii values start 97 and the
> string is likely shorter than that so it will break when we hit the NUL
> terminator.  But really the condition should be "i < len" instead of
> "i < board_type[i]".
> 
> Fixes: 29e354ebeeec ("brcmfmac: Transform compatible string for FW loading")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> Reviewed-by: Matthias Brugger <mbrugger@suse.com>

There was talk about v2, but I don't see it in the patchwork.

Patch set to Changes Requested.

-- 
https://patchwork.kernel.org/project/linux-wireless/patch/YIKzmoMiTdToaIyP@mwanda/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches

Re: [PATCH] brcmfmac: fix a loop exit condition

[Dan Carpenter]

On Tue, Jun 15, 2021 at 10:26:56AM +0000, Kalle Valo wrote:
> Dan Carpenter <dan.carpenter@oracle.com> wrote:
> 
> > This code is supposed to loop over the whole board_type[] string.  The
> > current code kind of works just because ascii values start 97 and the
> > string is likely shorter than that so it will break when we hit the NUL
> > terminator.  But really the condition should be "i < len" instead of
> > "i < board_type[i]".
> > 
> > Fixes: 29e354ebeeec ("brcmfmac: Transform compatible string for FW loading")
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > Reviewed-by: Matthias Brugger <mbrugger@suse.com>
> 
> There was talk about v2, but I don't see it in the patchwork.
> 

Ah, crap.  I started to debug Smatch to find out why it wasn't warning
about some of these bugs and I got a bit carried away writing Smatch
code and forgot to come back to this.

I will send it tomorrow.

regards,
dan carpenter

Re: [PATCH] brcmfmac: fix a loop exit condition

[Kalle Valo]

Dan Carpenter <dan.carpenter@oracle.com> writes:

> On Tue, Jun 15, 2021 at 10:26:56AM +0000, Kalle Valo wrote:
>> Dan Carpenter <dan.carpenter@oracle.com> wrote:
>> 
>> > This code is supposed to loop over the whole board_type[] string.  The
>> > current code kind of works just because ascii values start 97 and the
>> > string is likely shorter than that so it will break when we hit the NUL
>> > terminator.  But really the condition should be "i < len" instead of
>> > "i < board_type[i]".
>> > 
>> > Fixes: 29e354ebeeec ("brcmfmac: Transform compatible string for FW loading")
>> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>> > Reviewed-by: Matthias Brugger <mbrugger@suse.com>
>> 
>> There was talk about v2, but I don't see it in the patchwork.
>
> Ah, crap.  I started to debug Smatch to find out why it wasn't warning
> about some of these bugs and I got a bit carried away writing Smatch
> code and forgot to come back to this.
>
> I will send it tomorrow.

No worries, take your time :) I just wanted to remind about this, or see
if patchwork or the mailing list have lost patches again (which has
happened in the past).

-- 
https://patchwork.kernel.org/project/linux-wireless/list/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches