[ This code predates your patch, which just cleaned up the code. - dan ] Hello Ping-Ke Shih, The patch 3bde4ed3da38: "rtlwifi: 8192de: Reduce indentation and fix coding style" from May 10, 2019, leads to the following static checker warning: drivers/net/wireless/realtek/rtlwifi/rtl8192de/dm.c:999 rtl92d_dm_txpower_tracking_callback_thermalmeter() error: buffer overflow 'ofdm_index' 2 <= 2 (assuming for loop doesn't break) drivers/net/wireless/realtek/rtlwifi/rtl8192de/dm.c 769 static void rtl92d_dm_txpower_tracking_callback_thermalmeter( 770 struct ieee80211_hw *hw) 771 { 772 struct rtl_priv *rtlpriv = rtl_priv(hw); 773 struct rtl_hal *rtlhal = rtl_hal(rtl_priv(hw)); 774 struct rtl_phy *rtlphy = &(rtlpriv->phy); 775 struct rtl_efuse *rtlefuse = rtl_efuse(rtl_priv(hw)); 776 u8 thermalvalue, delta, delta_lck, delta_iqk, delta_rxgain; 777 u8 offset, thermalvalue_avg_count = 0; 778 u32 thermalvalue_avg = 0; 779 bool internal_pa = false; 780 long ele_a = 0, ele_d, temp_cck, val_x, value32; 781 long val_y, ele_c = 0; 782 u8 ofdm_index[2]; ^^^^^^^^^^^^^^^^ ofdm_index[] has two elements. 783 s8 cck_index = 0; 784 u8 ofdm_index_old[2] = {0, 0}; 785 s8 cck_index_old = 0; 786 u8 index; 787 int i; 788 bool is2t = IS_92D_SINGLEPHY(rtlhal->version); ^^^^^^^^^^^ is2t is set here. 789 u8 ofdm_min_index = 6, ofdm_min_index_internal_pa = 3, rf; 790 u8 indexforchannel = 791 rtl92d_get_rightchnlplace_for_iqk(rtlphy->current_channel); 792 static const u8 index_mapping[5][INDEX_MAPPING_NUM] = { 793 /* 5G, path A/MAC 0, decrease power */ 794 {0, 1, 3, 6, 8, 9, 11, 13, 14, 16, 17, 18, 18}, 795 /* 5G, path A/MAC 0, increase power */ [ snip ] 830 rtl92d_phy_ap_calibrate(hw, (thermalvalue - 831 rtlefuse->eeprom_thermalmeter)); 832 833 if (!thermalvalue) 834 goto exit; 835 836 if (is2t) 837 rf = 2; 838 else 839 rf = 1; "rf" is either 1 or 2 depending on "is2t". 
840 841 if (rtlpriv->dm.thermalvalue && !rtlhal->reloadtxpowerindex) 842 goto old_index_done; 843 844 ele_d = rtl_get_bbreg(hw, ROFDM0_XATXIQIMBALANCE, MASKDWORD) & MASKOFDM_D; [ snip ] 983 rtl_dbg(rtlpriv, COMP_POWER_TRACKING, DBG_LOUD, 984 "temp OFDM_A_index=0x%x,cck_index = 0x%x\n", 985 rtlpriv->dm.ofdm_index[0], 986 rtlpriv->dm.cck_index); 987 } 988 for (i = 0; i < rf; i++) { 989 if (ofdm_index[i] > OFDM_TABLE_SIZE_92D - 1) 990 ofdm_index[i] = OFDM_TABLE_SIZE_92D - 1; 991 else if (ofdm_index[i] < ofdm_min_index) 992 ofdm_index[i] = ofdm_min_index; 993 } i is equal to "rf" after this loop. 994 if (rtlhal->current_bandtype == BAND_ON_2_4G) { 995 if (cck_index > CCK_TABLE_SIZE - 1) { 996 cck_index = CCK_TABLE_SIZE - 1; 997 } else if (internal_pa || 998 rtlhal->current_bandtype == BAND_ON_2_4G) { 999 if (ofdm_index[i] < ofdm_min_index_internal_pa) ^^^^^^^^^^^^^ 1000 ofdm_index[i] = ofdm_min_index_internal_pa; ^^^^^^^^^^^^^ Using "i" after we exited the loop without hitting a break looks wrong to me. When "is2t" is true, "rf" is 2, so "i" is 2 here and ofdm_index[i] is one element past the end of the two-element array. It's potentially correct if we know that "is2t" is false, but how do we know that? 1001 } else if (cck_index < 0) { 1002 cck_index = 0; 1003 } 1004 } 1005 if (is2t) { 1006 rtl_dbg(rtlpriv, COMP_POWER_TRACKING, DBG_LOUD, 1007 "new OFDM_A_index=0x%x, OFDM_B_index = 0x%x, cck_index=0x%x\n", 1008 ofdm_index[0], ofdm_index[1], 1009 cck_index); regards, dan carpenter