Patch "wifi: ath9k: fix fortify warnings" has been added to the 5.15-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    wifi: ath9k: fix fortify warnings

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     wifi-ath9k-fix-fortify-warnings.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 3ba5683d96edd6b9a405403a24d05e6373bce2fa
Author: Dmitry Antipov <dmantipov@xxxxxxxxx>
Date:   Mon Jul 24 13:11:07 2023 +0300

    wifi: ath9k: fix fortify warnings
    
    [ Upstream commit 810e41cebb6c6e394f2068f839e1a3fc745a5dcc ]
    
    When compiling with gcc 13.1 and CONFIG_FORTIFY_SOURCE=y,
    I've noticed the following:
    
    In function ‘fortify_memcpy_chk’,
        inlined from ‘ath_tx_complete_aggr’ at drivers/net/wireless/ath/ath9k/xmit.c:556:4,
        inlined from ‘ath_tx_process_buffer’ at drivers/net/wireless/ath/ath9k/xmit.c:773:3:
    ./include/linux/fortify-string.h:529:25: warning: call to ‘__read_overflow2_field’
    declared with attribute warning: detected read beyond size of field (2nd parameter);
    maybe use struct_group()? [-Wattribute-warning]
      529 |                         __read_overflow2_field(q_size_field, size);
          |                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    In function ‘fortify_memcpy_chk’,
        inlined from ‘ath_tx_count_frames’ at drivers/net/wireless/ath/ath9k/xmit.c:473:3,
        inlined from ‘ath_tx_complete_aggr’ at drivers/net/wireless/ath/ath9k/xmit.c:572:2,
        inlined from ‘ath_tx_process_buffer’ at drivers/net/wireless/ath/ath9k/xmit.c:773:3:
    ./include/linux/fortify-string.h:529:25: warning: call to ‘__read_overflow2_field’
    declared with attribute warning: detected read beyond size of field (2nd parameter);
    maybe use struct_group()? [-Wattribute-warning]
      529 |                         __read_overflow2_field(q_size_field, size);
          |                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    In both cases, the compiler complains on:
    
    memcpy(ba, &ts->ba_low, WME_BA_BMP_SIZE >> 3);
    
    which is the legal way to copy both 'ba_low' and following 'ba_high'
    members of 'struct ath_tx_status' at once (that is, issue one 8-byte
    'memcpy()' for two 4-byte fields). Since the fortification logic seems
    interprets this trick as an attempt to overread 4-byte 'ba_low', silence
    relevant warnings by using the convenient 'struct_group()' quirk.
    
    Suggested-by: Johannes Berg <johannes@xxxxxxxxxxxxxxxx>
    Signed-off-by: Dmitry Antipov <dmantipov@xxxxxxxxx>
    Acked-by: Toke Høiland-Jørgensen <toke@xxxxxxx>
    Signed-off-by: Kalle Valo <quic_kvalo@xxxxxxxxxxx>
    Link: https://lore.kernel.org/r/20230620080855.396851-2-dmantipov@xxxxxxxxx
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/net/wireless/ath/ath9k/mac.h b/drivers/net/wireless/ath/ath9k/mac.h
index fd6aa49adadfe..9b00e77a6fc3c 100644
--- a/drivers/net/wireless/ath/ath9k/mac.h
+++ b/drivers/net/wireless/ath/ath9k/mac.h
@@ -113,8 +113,10 @@ struct ath_tx_status {
 	u8 qid;
 	u16 desc_id;
 	u8 tid;
-	u32 ba_low;
-	u32 ba_high;
+	struct_group(ba,
+		u32 ba_low;
+		u32 ba_high;
+	);
 	u32 evm0;
 	u32 evm1;
 	u32 evm2;
diff --git a/drivers/net/wireless/ath/ath9k/xmit.c b/drivers/net/wireless/ath/ath9k/xmit.c
index 6555abf02f18b..84c68aefc171a 100644
--- a/drivers/net/wireless/ath/ath9k/xmit.c
+++ b/drivers/net/wireless/ath/ath9k/xmit.c
@@ -421,7 +421,7 @@ static void ath_tx_count_frames(struct ath_softc *sc, struct ath_buf *bf,
 	isaggr = bf_isaggr(bf);
 	if (isaggr) {
 		seq_st = ts->ts_seqnum;
-		memcpy(ba, &ts->ba_low, WME_BA_BMP_SIZE >> 3);
+		memcpy(ba, &ts->ba, WME_BA_BMP_SIZE >> 3);
 	}
 
 	while (bf) {
@@ -504,7 +504,7 @@ static void ath_tx_complete_aggr(struct ath_softc *sc, struct ath_txq *txq,
 	if (isaggr && txok) {
 		if (ts->ts_flags & ATH9K_TX_BA) {
 			seq_st = ts->ts_seqnum;
-			memcpy(ba, &ts->ba_low, WME_BA_BMP_SIZE >> 3);
+			memcpy(ba, &ts->ba, WME_BA_BMP_SIZE >> 3);
 		} else {
 			/*
 			 * AR5416 can become deaf/mute when BA



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux