On 19/06/24 23:12, Kees Cook wrote:
Both struct cfg80211_wowlan_nd_match and struct cfg80211_wowlan_nd_info
pre-allocate space for channels and matches, but then may end up using
fewer than the full allocation. Shrink the associated counter
(n_channels and n_matches) after counting the results. This avoids
compile-time (and run-time) warnings from __counted_by. (The counter
member needs to be updated _before_ accessing the array index.)

Seen with coming GCC 15:

drivers/net/wireless/intel/iwlwifi/mvm/d3.c: In function 
'iwl_mvm_query_set_freqs':
drivers/net/wireless/intel/iwlwifi/mvm/d3.c:2877:66: warning: operation on 
'match->n_channels' may be undefined [-Wsequence-point]
  2877 |                                 match->channels[match->n_channels++] =
       |                                                 ~~~~~~~~~~~~~~~~~^~
drivers/net/wireless/intel/iwlwifi/mvm/d3.c:2885:66: warning: operation on 
'match->n_channels' may be undefined [-Wsequence-point]
  2885 |                                 match->channels[match->n_channels++] =
       |                                                 ~~~~~~~~~~~~~~~~~^~
drivers/net/wireless/intel/iwlwifi/mvm/d3.c: In function 
'iwl_mvm_query_netdetect_reasons':
drivers/net/wireless/intel/iwlwifi/mvm/d3.c:2982:58: warning: operation on 
'net_detect->n_matches' may be undefined [-Wsequence-point]
  2982 |                 net_detect->matches[net_detect->n_matches++] = match;
       |                                     ~~~~~~~~~~~~~~~~~~~~~^~


Nice catch! :)

Fixes: aa4ec06c455d ("wifi: cfg80211: use __counted_by where appropriate")
Signed-off-by: Kees Cook <k...@kernel.org>

Reviewed-by: Gustavo A. R. Silva <gustavo...@kernel.org>

Thanks
--
Gustavo

---
Cc: Miri Korenblit <miriam.rachel.korenb...@intel.com>
Cc: Kalle Valo <kv...@kernel.org>
Cc: Johannes Berg <johannes.b...@intel.com>
Cc: Gustavo A. R. Silva <gustavo...@kernel.org>
Cc: Luca Coelho <luciano.coe...@intel.com>
Cc: Gregory Greenman <gregory.green...@intel.com>
Cc: Yedidya Benshimol <yedidya.ben.shi...@intel.com>
Cc: Haim Dreyfuss <haim.dreyf...@intel.com>
Cc: linux-wirel...@vger.kernel.org
---
  drivers/net/wireless/intel/iwlwifi/mvm/d3.c | 14 +++++++++++---
  1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/d3.c 
b/drivers/net/wireless/intel/iwlwifi/mvm/d3.c
index 54f4acbbd05b..9cd03ea4680d 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/d3.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/d3.c
@@ -2866,6 +2866,7 @@ static void iwl_mvm_query_set_freqs(struct iwl_mvm *mvm,
                                    int idx)
  {
        int i;
+       int n_channels = 0;
if (fw_has_api(&mvm->fw->ucode_capa,
                       IWL_UCODE_TLV_API_SCAN_OFFLOAD_CHANS)) {
@@ -2874,7 +2875,7 @@ static void iwl_mvm_query_set_freqs(struct iwl_mvm *mvm,
for (i = 0; i < SCAN_OFFLOAD_MATCHING_CHANNELS_LEN * 8; i++)
                        if (matches[idx].matching_channels[i / 8] & (BIT(i % 
8)))
-                               match->channels[match->n_channels++] =
+                               match->channels[n_channels++] =
                                        mvm->nd_channels[i]->center_freq;
        } else {
                struct iwl_scan_offload_profile_match_v1 *matches =
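Review bot: The stores `match->channels[n_channels++]` in this loop, and the identical one in the v1 branch in the next hunk, are bounded only by the number of bits set in `matching_channels`, not by the capacity of `match->channels`. After this change the caller records that capacity in `match->n_channels` before calling, so an explicit guard is cheap: `if (WARN_ON_ONCE(n_channels >= match->n_channels)) break;` ahead of each store (the unbraced `for`/`if` would need braces). The allocation size is computed outside these hunks, presumably from the same bitmap, so this is defence in depth for builds without the __counted_by bounds instrumentation rather than a demonstrated overflow.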
@@ -2882,9 +2883,11 @@ static void iwl_mvm_query_set_freqs(struct iwl_mvm *mvm,
for (i = 0; i < SCAN_OFFLOAD_MATCHING_CHANNELS_LEN_V1 * 8; i++)
                        if (matches[idx].matching_channels[i / 8] & (BIT(i % 
8)))
-                               match->channels[match->n_channels++] =
+                               match->channels[n_channels++] =
                                        mvm->nd_channels[i]->center_freq;
        }
+       /* We may have ended up with fewer channels than we allocated. */
+       match->n_channels = n_channels;
  }
/**
@@ -2965,6 +2968,8 @@ static void iwl_mvm_query_netdetect_reasons(struct 
iwl_mvm *mvm,
                             GFP_KERNEL);
        if (!net_detect || !n_matches)
                goto out_report_nd;
+       net_detect->n_matches = n_matches;
+       n_matches = 0;
for_each_set_bit(i, &matched_profiles, mvm->n_nd_match_sets) {
                struct cfg80211_wowlan_nd_match *match;
@@ -2978,8 +2983,9 @@ static void iwl_mvm_query_netdetect_reasons(struct 
iwl_mvm *mvm,
                                GFP_KERNEL);
                if (!match)
                        goto out_report_nd;
+               match->n_channels = n_channels;
- net_detect->matches[net_detect->n_matches++] = match;
+               net_detect->matches[n_matches++] = match;
/* We inverted the order of the SSIDs in the scan
                 * request, so invert the index here.
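Review bot: The `goto out_report_nd` taken when `match` fails to allocate now leaves `net_detect->n_matches` at the full allocated count set in the previous hunk, because the corrective `net_detect->n_matches = n_matches;` added in the last hunk sits above the `out_report_nd:` label and is skipped. Before this change the count grew as entries were stored, so it was accurate on this path; now consumers of `wakeup.net_detect` would see a count covering `matches[]` slots that were never filled (NULL if the array was zero-allocated, which is not visible here). Setting the count before bailing out keeps it truthful: `if (!match) { net_detect->n_matches = n_matches; goto out_report_nd; }`. The loop body and the reporting code after the label continue outside these hunks, so whether a consumer dereferences every entry needs to be confirmed there.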
@@ -2994,6 +3000,8 @@ static void iwl_mvm_query_netdetect_reasons(struct 
iwl_mvm *mvm,
iwl_mvm_query_set_freqs(mvm, d3_data->nd_results, match, i);
        }
+       /* We may have fewer matches than we allocated. */
+       net_detect->n_matches = n_matches;
out_report_nd:
        wakeup.net_detect = net_detect;
