linux-kernel.vger.kernel.org archive mirror
* [mt76/mt7603/mac] Question about missing variable assignment
From: Gustavo A. R. Silva @ 2019-03-02 21:10 UTC
  To: Felix Fietkau, Lorenzo Bianconi, Kalle Valo, David S. Miller,
	Matthias Brugger
  Cc: linux-wireless, netdev, linux-arm-kernel, linux-mediatek,
	linux-kernel, Gustavo A. R. Silva

Hi all,

The following piece of code in drivers/net/wireless/mediatek/mt76/mt7603/mac.c
is missing a variable assignment before line 1058.  Notice that there
is a potential execution path in which variable *i* is compared against
magic number 15 at line 1075 without being initialized previously
(this was reported by Coverity):

1055 out:
1056         final_rate_flags = info->status.rates[final_idx].flags;
1057 
1058         switch (FIELD_GET(MT_TX_RATE_MODE, final_rate)) {
1059         case MT_PHY_TYPE_CCK:
1060                 cck = true;
1061                 /* fall through */
1062         case MT_PHY_TYPE_OFDM:
1063                 if (dev->mt76.chandef.chan->band == NL80211_BAND_5GHZ)
1064                         sband = &dev->mt76.sband_5g.sband;
1065                 else
1066                         sband = &dev->mt76.sband_2g.sband;
1067                 final_rate &= GENMASK(5, 0);
1068                 final_rate = mt7603_get_rate(dev, sband, final_rate, cck);
1069                 final_rate_flags = 0;
1070                 break;
1071         case MT_PHY_TYPE_HT_GF:
1072         case MT_PHY_TYPE_HT:
1073                 final_rate_flags |= IEEE80211_TX_RC_MCS;
1074                 final_rate &= GENMASK(5, 0);
1075                 if (i > 15)
1076                         return false;
1077                 break;
1078         default:
1079                 return false;
1080         }

My guess is that such missing assignment should be something similar
to the one at line 566:

	i = FIELD_GET(MT_RXV1_TX_RATE, rxdg0);

but I'm not sure what the proper arguments for macro FIELD_GET should
be.

This code was introduced by commit c8846e1015022d2531ac4c895783e400b3e5babe

What do you think?

Thanks
--
Gustavo



* Re: [mt76/mt7603/mac] Question about missing variable assignment
From: Felix Fietkau @ 2019-03-03 10:05 UTC
  To: Gustavo A. R. Silva, Lorenzo Bianconi, Kalle Valo,
	David S. Miller, Matthias Brugger
  Cc: linux-wireless, netdev, linux-arm-kernel, linux-mediatek, linux-kernel

On 2019-03-02 22:10, Gustavo A. R. Silva wrote:
> Hi all,
> 
> The following piece of code in drivers/net/wireless/mediatek/mt76/mt7603/mac.c
> is missing a variable assignment before line 1058.  Notice that there
> is a potential execution path in which variable *i* is compared against
> magic number 15 at line 1075 without being initialized previously
> (this was reported by Coverity):
> 
> 1055 out:
> 1056         final_rate_flags = info->status.rates[final_idx].flags;
> 1057 
> 1058         switch (FIELD_GET(MT_TX_RATE_MODE, final_rate)) {
> 1059         case MT_PHY_TYPE_CCK:
> 1060                 cck = true;
> 1061                 /* fall through */
> 1062         case MT_PHY_TYPE_OFDM:
> 1063                 if (dev->mt76.chandef.chan->band == NL80211_BAND_5GHZ)
> 1064                         sband = &dev->mt76.sband_5g.sband;
> 1065                 else
> 1066                         sband = &dev->mt76.sband_2g.sband;
> 1067                 final_rate &= GENMASK(5, 0);
> 1068                 final_rate = mt7603_get_rate(dev, sband, final_rate, cck);
> 1069                 final_rate_flags = 0;
> 1070                 break;
> 1071         case MT_PHY_TYPE_HT_GF:
> 1072         case MT_PHY_TYPE_HT:
> 1073                 final_rate_flags |= IEEE80211_TX_RC_MCS;
> 1074                 final_rate &= GENMASK(5, 0);
> 1075                 if (i > 15)
> 1076                         return false;
> 1077                 break;
> 1078         default:
> 1079                 return false;
> 1080         }
> 
> My guess is that such missing assignment should be something similar
> to the one at line 566:
> 
> 	i = FIELD_GET(MT_RXV1_TX_RATE, rxdg0);
> 
> but I'm not sure what the proper arguments for macro FIELD_GET should
> be.
> 
> This code was introduced by commit c8846e1015022d2531ac4c895783e400b3e5babe
> 
> What do you think?
Thanks for reporting this. The fix is simpler than that, the check
should be: if (final_rate > 15)
I will send a fix.

- Felix
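
The corrected check from the reply above, as an added userspace example that is not part of the thread or the driver source: the HT branch tests the index it has just masked instead of an unrelated local. The MT_TX_RATE_MODE bit position, the PHY enum values, RC_MCS and the try_decode() helper are assumptions made for this sketch.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace stand-ins for the kernel's GENMASK()/FIELD_GET() helpers. */
#define GENMASK(h, l)      ((~0u << (l)) & (~0u >> (31 - (h))))
#define FIELD_GET(mask, v) (((v) & (mask)) / ((mask) & -(mask)))
/* Assumed layout and enum values for this sketch, not taken from the thread. */
#define MT_TX_RATE_MODE GENMASK(8, 6)
enum { MT_PHY_TYPE_CCK, MT_PHY_TYPE_OFDM, MT_PHY_TYPE_HT, MT_PHY_TYPE_HT_GF };
#define RC_MCS 0x1u /* stand-in for IEEE80211_TX_RC_MCS */

/* Decode a raw rate word; returns false when the word must be rejected. */
bool decode_final_rate(uint16_t raw, uint16_t *idx, unsigned *flags)
{
	uint16_t final_rate = raw;

	switch (FIELD_GET(MT_TX_RATE_MODE, final_rate)) {
	case MT_PHY_TYPE_CCK:
	case MT_PHY_TYPE_OFDM:
		/* The driver's mt7603_get_rate() lookup is left out here. */
		final_rate &= GENMASK(5, 0);
		*flags = 0;
		break;
	case MT_PHY_TYPE_HT_GF:
	case MT_PHY_TYPE_HT:
		*flags |= RC_MCS;
		final_rate &= GENMASK(5, 0);
		/* Bound the value that was just extracted from the word. */
		if (final_rate > 15)
			return false;
		break;
	default:
		return false;
	}
	*idx = final_rate;
	return true;
}

/* Constructed helper: build a rate word, return the index or -1. */
int try_decode(unsigned mode, unsigned idx)
{
	uint16_t out = 0;
	unsigned flags = 0;
	uint16_t raw = (uint16_t)((mode << 6) | (idx & 0x3f));
	return decode_final_rate(raw, &out, &flags) ? out : -1;
}

int main(void)
{
	printf("HT 7 -> %d, HT 16 -> %d\n", try_decode(2, 7), try_decode(2, 16));
	return 0;
}
```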


* Re: [mt76/mt7603/mac] Question about missing variable assignment
From: Gustavo A. R. Silva @ 2019-03-03 15:06 UTC
  To: Felix Fietkau, Lorenzo Bianconi, Kalle Valo, David S. Miller,
	Matthias Brugger
  Cc: linux-wireless, netdev, linux-arm-kernel, linux-mediatek, linux-kernel



On 3/3/19 4:05 AM, Felix Fietkau wrote:
> On 2019-03-02 22:10, Gustavo A. R. Silva wrote:
>> Hi all,
>>
>> The following piece of code in drivers/net/wireless/mediatek/mt76/mt7603/mac.c
>> is missing a variable assignment before line 1058.  Notice that there
>> is a potential execution path in which variable *i* is compared against
>> magic number 15 at line 1075 without being initialized previously
>> (this was reported by Coverity):
>>
>> 1055 out:
>> 1056         final_rate_flags = info->status.rates[final_idx].flags;
>> 1057 
>> 1058         switch (FIELD_GET(MT_TX_RATE_MODE, final_rate)) {
>> 1059         case MT_PHY_TYPE_CCK:
>> 1060                 cck = true;
>> 1061                 /* fall through */
>> 1062         case MT_PHY_TYPE_OFDM:
>> 1063                 if (dev->mt76.chandef.chan->band == NL80211_BAND_5GHZ)
>> 1064                         sband = &dev->mt76.sband_5g.sband;
>> 1065                 else
>> 1066                         sband = &dev->mt76.sband_2g.sband;
>> 1067                 final_rate &= GENMASK(5, 0);
>> 1068                 final_rate = mt7603_get_rate(dev, sband, final_rate, cck);
>> 1069                 final_rate_flags = 0;
>> 1070                 break;
>> 1071         case MT_PHY_TYPE_HT_GF:
>> 1072         case MT_PHY_TYPE_HT:
>> 1073                 final_rate_flags |= IEEE80211_TX_RC_MCS;
>> 1074                 final_rate &= GENMASK(5, 0);
>> 1075                 if (i > 15)
>> 1076                         return false;
>> 1077                 break;
>> 1078         default:
>> 1079                 return false;
>> 1080         }
>>
>> My guess is that such missing assignment should be something similar
>> to the one at line 566:
>>
>> 	i = FIELD_GET(MT_RXV1_TX_RATE, rxdg0);
>>
>> but I'm not sure what the proper arguments for macro FIELD_GET should
>> be.
>>
>> This code was introduced by commit c8846e1015022d2531ac4c895783e400b3e5babe
>>
>> What do you think?
> Thanks for reporting this. The fix is simpler than that, the check
> should be: if (final_rate > 15)
> I will send a fix.
> 

Great. Glad to help. :)

Thanks
--
Gustavo
