On Tue, Jan 17, 2023 at 01:45:08PM +0300, Alexey V. Vissarionov wrote:
> The "pkt" is a pointer to struct sk_buff, so it's just 4 or 8
> bytes, while the structure itself is much bigger.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: bbd1f932e7c45ef1 ("brcmfmac: cleanup ampdu-rx host reorder code")
> Signed-off-by: Alexey V. Vissarionov <gremlin@xxxxxxxxxxxx>
>
> diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
> index 36af81975855c525..0d283456da331464 100644
> --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
> +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
> @@ -1711,7 +1711,7 @@ void brcmf_fws_rxreorder(struct brcmf_if *ifp, struct sk_buff *pkt)
>  	buf_size = sizeof(*rfi);
>  	max_idx = reorder_data[BRCMF_RXREORDER_MAXIDX_OFFSET];
>  
> -	buf_size += (max_idx + 1) * sizeof(pkt);
> +	buf_size += (max_idx + 1) * sizeof(struct sk_buff);
>  
>  	/* allocate space for flow reorder info */
>  	brcmf_dbg(INFO, "flow-%d: start, maxidx %d\n",

Hi Alexey,

This is followed by:

	rfi = kzalloc(buf_size, GFP_ATOMIC);
	...
	rfi->pktslots = (struct sk_buff **)(rfi + 1);

The type of rfi is struct brcmf_ampdu_rx_reorder, which looks like this:

struct brcmf_ampdu_rx_reorder {
	struct sk_buff **pktslots;
	...
};

And it looks to me that pkt is used as an array of (struct sk_buff *).
So in all, it seems to me that the current code is correct.

Is there a particular code that leads you to think otherwise?

Kind regards,
Simon
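Review bot: the replacement `sizeof(struct sk_buff)` in the hunk at `buf_size += (max_idx + 1) * sizeof(pkt);` sizes the wrong object. The bytes after the header are handed out as a pointer array, `rfi->pktslots = (struct sk_buff **)(rfi + 1);`, so each of the max_idx + 1 slots holds a `struct sk_buff *`, and `sizeof(pkt)` (pkt being the function's `struct sk_buff *` parameter) is already the right element size. Switching to `sizeof(struct sk_buff)` does not close an overflow; it inflates a GFP_ATOMIC allocation by (max_idx + 1) * (sizeof(struct sk_buff) - sizeof(struct sk_buff *)) bytes per flow. If the intent is to stop a static analyzer flagging sizeof on a pointer variable, the self-documenting spelling is `sizeof(*rfi->pktslots)` or `sizeof(struct sk_buff *)`, with the same value as today, and the Fixes: tag should then be dropped since no bug is being corrected.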
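The layout Simon describes, a header struct immediately followed by an array of sk_buff pointers carved out at `(rfi + 1)`, is what decides which sizeof() the slot array needs. The following is an added user-space model of that allocation pattern, not code from the brcmfmac driver or from either participant: the `mock_` types stand in for `struct sk_buff` and `struct brcmf_ampdu_rx_reorder`, `calloc` stands in for `kzalloc`, and the field names other than `pktslots` and `max_idx` are assumptions. It computes the buffer size both ways, places the slot array exactly as the driver does, and checks that the last slot ends precisely at the end of the allocation.

```c
/* Added example (not the brcmfmac driver's code): a user-space model of the
 * "header struct followed by an array of pointers" layout that
 * brcmf_fws_rxreorder() allocates, to show which sizeof() the slot array
 * needs. Names prefixed "mock_" are stand-ins for the kernel types. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Stand-in for struct sk_buff: deliberately much larger than a pointer. */
struct mock_sk_buff {
	unsigned char data[256];
	unsigned int len;
};

/* Stand-in for struct brcmf_ampdu_rx_reorder. Only pktslots and max_idx
 * come from the thread; the other fields are assumed for illustration. */
struct mock_rx_reorder {
	struct mock_sk_buff **pktslots;
	uint8_t flow_id;
	uint8_t cur_idx;
	uint8_t exp_idx;
	uint8_t max_idx;
};

/* Size the driver computes today: header plus (max_idx + 1) pointer slots.
 * sizeof(pkt) in the driver equals sizeof(struct sk_buff *). */
size_t reorder_buf_size_ptr(unsigned int max_idx)
{
	return sizeof(struct mock_rx_reorder) +
	       (max_idx + 1) * sizeof(struct mock_sk_buff *);
}

/* Size the proposed patch would compute: header plus (max_idx + 1) whole
 * sk_buffs. Nothing in the layout needs that; it only over-allocates. */
size_t reorder_buf_size_struct(unsigned int max_idx)
{
	return sizeof(struct mock_rx_reorder) +
	       (max_idx + 1) * sizeof(struct mock_sk_buff);
}

/* Bytes per flow the struct-sized computation would waste. */
size_t reorder_overalloc_bytes(unsigned int max_idx)
{
	return reorder_buf_size_struct(max_idx) - reorder_buf_size_ptr(max_idx);
}

/* Allocate the header with its trailing slot array, as the driver does:
 * the slots start right after the header, at (rfi + 1). */
struct mock_rx_reorder *reorder_alloc(unsigned int max_idx)
{
	struct mock_rx_reorder *rfi = calloc(1, reorder_buf_size_ptr(max_idx));

	if (!rfi)
		return NULL;
	rfi->pktslots = (struct mock_sk_buff **)(rfi + 1);
	rfi->max_idx = (uint8_t)max_idx;
	return rfi;
}

/* Returns 1 if slots 0..max_idx all lie inside the allocation and the last
 * slot ends exactly at its end (no overrun, no slack); 0 otherwise. Also
 * writes every slot to show the pointer-sized stride is what gets used. */
int reorder_slots_fit(unsigned int max_idx)
{
	struct mock_rx_reorder *rfi = reorder_alloc(max_idx);
	struct mock_sk_buff dummy = { {0}, 42 };
	unsigned char *end, *slot_end;
	unsigned int i;
	int ok;

	if (!rfi)
		return 0;
	for (i = 0; i <= max_idx; i++)
		rfi->pktslots[i] = &dummy;	/* one pointer per slot */
	end = (unsigned char *)rfi + reorder_buf_size_ptr(max_idx);
	slot_end = (unsigned char *)&rfi->pktslots[max_idx + 1];
	ok = slot_end == end && rfi->pktslots[max_idx]->len == 42;
	free(rfi);
	return ok;
}
```

The check in `reorder_slots_fit` is the one to keep in mind when reading the hunk: the slot array's stride is `sizeof(struct sk_buff *)`, so the existing `sizeof(pkt)` lands the final slot exactly at the end of the buffer, while `reorder_overalloc_bytes` shows how much the struct-sized computation would add for nothing. In the driver, `sizeof(*rfi->pktslots)` would express the same size without a reviewer having to look up what `pkt` is.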