On Wed, Sep 18, 2024 at 01:45:57PM +0000, Kalle Valo wrote: > Ben Hutchings <ben@xxxxxxxxxxxxxxx> wrote: > > > iwlegacy uses command buffers with a payload size of 320 > > bytes (default) or 4092 bytes (huge). The struct il_device_cmd type > > describes the default buffers and there is no separate type describing > > the huge buffers. > > > > The il_enqueue_hcmd() function works with both default and huge > > buffers, and has a memcpy() to the buffer payload. The size of > > this copy may exceed 320 bytes when using a huge buffer, which > > now results in a run-time warning: > > > > memcpy: detected field-spanning write (size 1014) of single field "&out_cmd->cmd.payload" at drivers/net/wireless/intel/iwlegacy/common.c:3170 (size 320) > > > > To fix this: > > > > - Define a new struct type for huge buffers, with a correctly sized > > payload field > > - When using a huge buffer in il_enqueue_hcmd(), cast the command > > buffer pointer to that type when looking up the payload field > > > > Reported-by: Martin-Éric Racine <martin-eric.racine@xxxxxx> > > References: https://bugs.debian.org/1062421 > > References: https://bugzilla.kernel.org/show_bug.cgi?id=219124 > > Signed-off-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx> > > Fixes: 54d9469bc515 ("fortify: Add run-time WARN for cross-field memcpy()") > > Tested-by: Martin-Éric Racine <martin-eric.racine@xxxxxx> > > Tested-by: Brandon Nielsen <nielsenb@xxxxxxxxxxx> > > Acked-by: Stanislaw Gruszka <stf_xl@xxxxx> > > Should this patch go wireless tree for v6.12? As this is a regression I think > it should. It's not driver regression per se, just false positive warning when built with CONFIG_FORTIFY_SOURCE. But it should go to 6.12 IMHO as fix for the warning. Regards Stanislaw
