Patch "wifi: rtw88: phy: fix warning of possible buffer overflow" has been added to the 6.0-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 16 Oct 2022 22:33:52 -0400

This is a note to let you know that I've just added the patch titled

    wifi: rtw88: phy: fix warning of possible buffer overflow

to the 6.0-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     wifi-rtw88-phy-fix-warning-of-possible-buffer-overfl.patch
and it can be found in the queue-6.0 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 2714944b5a876ccb56cd7ddd6462e949a4087a90
Author: Zong-Zhe Yang <kevin_yang@xxxxxxxxxxx>
Date:   Wed Jul 27 14:50:03 2022 +0800

    wifi: rtw88: phy: fix warning of possible buffer overflow
    
    [ Upstream commit 86331c7e0cd819bf0c1d0dcf895e0c90b0aa9a6f ]
    
    reported by smatch
    
    phy.c:854 rtw_phy_linear_2_db() error: buffer overflow 'db_invert_table[i]'
    8 <= 8 (assuming for loop doesn't break)
    
    However, it seems to be a false alarm because we prevent it originally via
           if (linear >= db_invert_table[11][7])
                   return 96; /* maximum 96 dB */
    
    Still, we adjust the code to be more readable and avoid smatch warning.
    
    Signed-off-by: Zong-Zhe Yang <kevin_yang@xxxxxxxxxxx>
    Signed-off-by: Ping-Ke Shih <pkshih@xxxxxxxxxxx>
    Signed-off-by: Kalle Valo <kvalo@xxxxxxxxxx>
    Link: https://lore.kernel.org/r/20220727065003.28340-5-pkshih@xxxxxxxxxxx
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/net/wireless/realtek/rtw88/phy.c b/drivers/net/wireless/realtek/rtw88/phy.c
index 8982e0c98dac..da1efec0aa85 100644
--- a/drivers/net/wireless/realtek/rtw88/phy.c
+++ b/drivers/net/wireless/realtek/rtw88/phy.c
@@ -816,23 +816,18 @@ static u8 rtw_phy_linear_2_db(u64 linear)
 	u8 j;
 	u32 dB;
 
-	if (linear >= db_invert_table[11][7])
-		return 96; /* maximum 96 dB */
-
 	for (i = 0; i < 12; i++) {
-		if (i <= 2 && (linear << FRAC_BITS) <= db_invert_table[i][7])
-			break;
-		else if (i > 2 && linear <= db_invert_table[i][7])
-			break;
+		for (j = 0; j < 8; j++) {
+			if (i <= 2 && (linear << FRAC_BITS) <= db_invert_table[i][j])
+				goto cnt;
+			else if (i > 2 && linear <= db_invert_table[i][j])
+				goto cnt;
+		}
 	}
 
-	for (j = 0; j < 8; j++) {
-		if (i <= 2 && (linear << FRAC_BITS) <= db_invert_table[i][j])
-			break;
-		else if (i > 2 && linear <= db_invert_table[i][j])
-			break;
-	}
+	return 96; /* maximum 96 dB */
 
+cnt:
 	if (j == 0 && i == 0)
 		goto end;
 






