From patchwork Fri Jun 23 15:23:59 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arnd Bergmann X-Patchwork-Id: 112225 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:994d:0:b0:3d9:f83d:47d9 with SMTP id k13csp5876115vqr; Fri, 23 Jun 2023 09:00:33 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ4b62RUmRnAu46kX4cKywF/2v+P7uamzLKmi8x2VdrtFgmUL6do+kg7bCFWrluIprMcAMrZ X-Received: by 2002:a05:6a20:7346:b0:100:15c4:23af with SMTP id v6-20020a056a20734600b0010015c423afmr12780026pzc.60.1687536033377; Fri, 23 Jun 2023 09:00:33 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1687536033; cv=none; d=google.com; s=arc-20160816; b=eX2ydlnMz/GgX8USXmUPq5EJMDX8B5t8QMSzGxSNa3016brUdPWacRWC6YiftRp68i FRppPP9dHnp6THzAq9W4OjBpOGTl9K2v871+Pg0HbN4Q7Ky/OnBt6aWTYe0uqqWaQ+AM xk/6lLe+gVy+i4yTgEnJXCUnQJ9lR2esfOdFKPanj3Y5ZGRuGxCn87qI4Mcy6RXRDqTb UBhIR+bDbEGB8MwDAZcU9R+jl2HhMC+yeFGJ0sXR06+CXaDHUyqvN73/YeqVzdsljmoe lwpGOZU9dbEnvD3Sx/GQEag5M54urSaE7fESLRKW7y7QYv4IzIoCULdtRTnnxDoxhyEi TCUw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=coFgCqOTB8MvClb8Nls3IHBhJBMCfDPdOvFaoOpq31w=; b=OCGbpvgFyPr+azlLspagmuO8xUE3DOwbmJrGUJkl7LlbRY7S0XG2MfMqEzQTmaMG8y OYQ+MfjU0tAm2qCcCtXgoXwfzYuh53vn8hYKU4CtXowR/u/gsWjx3SW7OAJm6vOfcIiw qSwl28aYHCCJaZ3xN6P6xBYaBmbyHuej3oL+X9Pxf25RxB8KORNyo7j/8zo+sfLH2xfg 3iC1mvnMks9ethP9pNK3iw5GpPNswApL4zv1J2/aCkTHANnVqT8OHfvUw6l0EEYIZHtc XApFYV2s1dLB+XeNudycyXcPJE7X6+F+KU2VSiQ4c9inX6QOit9dWJxnwz+iXZqnyTEB IG6Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=P5hRm+79; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id p6-20020a625b06000000b00666acab17acsi2469317pfb.318.2023.06.23.09.00.16; Fri, 23 Jun 2023 09:00:33 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=P5hRm+79; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232367AbjFWPZO (ORCPT + 99 others); Fri, 23 Jun 2023 11:25:14 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42078 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232211AbjFWPZN (ORCPT ); Fri, 23 Jun 2023 11:25:13 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 313621BF2; Fri, 23 Jun 2023 08:25:12 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id B7A2761AA0; Fri, 23 Jun 2023 15:25:11 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 730FFC433C8; Fri, 23 Jun 2023 15:25:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1687533911; bh=PWzWmQ+cBgJK6M6TA5MtMDmO0z6eE5AOkMWX2YVaO2k=; h=From:To:Cc:Subject:Date:From; b=P5hRm+79D+2sZ4kgfzfW91OywrM3XnOisdudNi2GlRMtyg5UH0fJKk2zIoCvyQc0P OwxUG8xC5hN6tuNUjuWTNRak3gq/OOfYS97/iZCng3xsnGxJBupj1nQL4aFhvctmTl augdY8OVO3DMh8cmyA8rxuEBFe/VRRgZQOTlmPsUAmYmcvKAUXHz+EIfDEAFO5yorG jOArBFZOJ+JaLhy4odrlwAyqdOyzmGfQemDAzuZZPVMFdSw6hqjMbX4XQiLJ8l/Zjj z3IgMXZdxB3oDlwbQ0XHp6Lf1srAPR+fS7bEartCAlVGgVq1o5ryKAW6kT7e8BK7jn CoDA9RnFTW+uA== From: Arnd Bergmann To: Christian Lamparter , Kalle Valo , Kees Cook , Johannes Berg Cc: Arnd Bergmann , linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH 1/2] carl9170: re-fix fortified-memset warning Date: Fri, 23 Jun 2023 17:23:59 +0200 Message-Id: <20230623152443.2296825-1-arnd@kernel.org> X-Mailer: git-send-email 2.39.2 MIME-Version: 1.0 X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1769509784157164358?= X-GMAIL-MSGID: =?utf-8?q?1769509784157164358?= From: Arnd Bergmann The carl9170_tx_release() function sometimes triggers a fortified-memset warning in my randconfig builds: In file included from include/linux/string.h:254, from drivers/net/wireless/ath/carl9170/tx.c:40: In function 'fortify_memset_chk', inlined from 'carl9170_tx_release' at drivers/net/wireless/ath/carl9170/tx.c:283:2, inlined from 'kref_put' at include/linux/kref.h:65:3, inlined from 'carl9170_tx_put_skb' at drivers/net/wireless/ath/carl9170/tx.c:342:9: include/linux/fortify-string.h:493:25: error: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror=attribute-warning] 493 | __write_overflow_field(p_size_field, size); Kees previously tried to avoid this by using memset_after(), but it seems this does not fully address the problem. I noticed that the memset_after() here is done on a different part of the union (status) than the original cast was from (rate_driver_data), which may confuse the compiler. Unfortunately, the memset_after() trick does not work on driver_rates[] because that is part of an anonymous struct, and I could not get struct_group() to do this either. Using two separate memset() calls on the two members does address the warning though. Fixes: fb5f6a0e8063b ("mac80211: Use memset_after() to clear tx status") Signed-off-by: Arnd Bergmann --- drivers/net/wireless/ath/carl9170/tx.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/ath/carl9170/tx.c b/drivers/net/wireless/ath/carl9170/tx.c index 6bb9aa2bfe654..88ef6e023f826 100644 --- a/drivers/net/wireless/ath/carl9170/tx.c +++ b/drivers/net/wireless/ath/carl9170/tx.c @@ -280,7 +280,8 @@ static void carl9170_tx_release(struct kref *ref) * carl9170_tx_fill_rateinfo() has filled the rate information * before we get to this point. */ - memset_after(&txinfo->status, 0, rates); + memset(&txinfo->pad, 0, sizeof(txinfo->pad)); + memset(&txinfo->rate_driver_data, 0, sizeof(txinfo->rate_driver_data)); if (atomic_read(&ar->tx_total_queued)) ar->tx_schedule = true; From patchwork Fri Jun 23 15:24:00 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arnd Bergmann X-Patchwork-Id: 112216 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:994d:0:b0:3d9:f83d:47d9 with SMTP id k13csp5862959vqr; Fri, 23 Jun 2023 08:38:01 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ6V2lJvMpqW/mtnxPbcQ64S6yCiKyaXW0PAj8L8TMx8XUxJNCaG/a0JezrkWc5rKmfp7XH1 X-Received: by 2002:a05:6a00:2d0c:b0:668:843e:d409 with SMTP id fa12-20020a056a002d0c00b00668843ed409mr13429969pfb.4.1687534680978; Fri, 23 Jun 2023 08:38:00 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1687534680; cv=none; d=google.com; s=arc-20160816; b=VVyLc2+hgo0o3wl/eCtiKVGZpeHkfmUF/QR8rp/BTgLxnvIIscnflZVo4kJ0gvuam5 rQxyqjuEwhL/cZeR6iFQhamHzDZtEk9CshX/u0kLQDdp5oeq4VL1I8qDN1Mz7YIG/Tgr Bu+Loi8u3CZAX4BL/0VXnaz/E2440vz2xiUs5LHb2NKBufLPsxFtL/MZbZCh0HqgU/YS RK8LDu711Roo6XJn3FvY4xqdZXhbH0T4sV6FCd+gcOrjfmQSp8co7nvpKinzyeaHAIfe Fi/EMCpnyMuiQy1pBEyqW9h88HopymPdb4FIGz+CTTE9QUUQAhiDPZjzqvEpOAA8QUVJ FWtQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=tWYJWwdeFUCmQMbwQEPBAX4py3L0CHJ+WjGM8MRAedU=; b=Tp8RrDPLpX8XXAWC13hraV4QMsbqQj9cnH9LwXoIuW134dwJ4F5elkyRgXL2DCNflR QnHUS1f8Lzg2cb0pE9xuYT9AQ5w/5wi1KuBvs01L/viLKmjACVfj7T0jfBbb3QQ0RGmy /KSDEp3ZLI9ybv3v9bdyNGQtOFn7rAXEUwNwG5OkkJGoNEbICIdWKsEkbb3/vlPW0Lq/ Az0CLPF1+3jmO+JB+A16Eezt01oh4UiD41ZZSgYVEVTxcfuUPWyZzBNXOQi4DlxQuE/k 5b8mao01XEzlRjdw6rZkDK+EYwrF+IGZh2a88V+EaKx8tAf3Xm/nyyzzo6g0W0x1y5qR NzNQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=jjSV3khY; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id b68-20020a62cf47000000b006689f320421si2497580pfg.150.2023.06.23.08.37.43; Fri, 23 Jun 2023 08:38:00 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=jjSV3khY; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232465AbjFWP0D (ORCPT + 99 others); Fri, 23 Jun 2023 11:26:03 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42788 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232532AbjFWPZy (ORCPT ); Fri, 23 Jun 2023 11:25:54 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 28E692129; Fri, 23 Jun 2023 08:25:47 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id B4AE461A9D; Fri, 23 Jun 2023 15:25:46 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id D02DBC433C0; Fri, 23 Jun 2023 15:25:41 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1687533946; bh=NvWgTGjsHRqDtvBYDx/2FZ7WiFRdFqxIOJ2GEgQdP5s=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=jjSV3khYn7DQtMsuDg9EoNpKhthnIYHAR3qxDpF7Arr09pVBiSIRwUoI5OImA8F3s qmlveYBP11wTA/VaTOeOK/7UPuOJpMlPgbxtyOfpAb7MCX8PGdeVw8AX2mWpyCMGL/ pkngpeZ4JGYxGMlzpLK1o860FrlWOZPNVFSi7u08r2V15VEqmBbkab00TOFCACUWYH qtq0Jf3f/vajbOgUJdUm+WzWV7Ycb5rkdLKbMJIkjBXxGD5sCB3mTP3mKs5YT28mI7 8dwmjH+dAP0xRobOCLzn27EAfNnGTez82/9NOZJ5i1Hx9WiBXLPIU4DNp17r5a4SQV 4BuY8MkMhjXJg== From: Arnd Bergmann To: Johannes Berg Cc: Arnd Bergmann , Christian Lamparter , Kalle Valo , Johannes Berg , Kees Cook , linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Gregory Greenman , Benjamin Berg , Ryder Lee , Ilan Peer , Felix Fietkau , Aloka Dixit , Avraham Stern , Emmanuel Grumbach , netdev@vger.kernel.org Subject: [PATCH 2/2] mac80211: make ieee80211_tx_info padding explicit Date: Fri, 23 Jun 2023 17:24:00 +0200 Message-Id: <20230623152443.2296825-2-arnd@kernel.org> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20230623152443.2296825-1-arnd@kernel.org> References: <20230623152443.2296825-1-arnd@kernel.org> MIME-Version: 1.0 X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1769508365507452517?= X-GMAIL-MSGID: =?utf-8?q?1769508365507452517?= From: Arnd Bergmann While looking at a bug, I got rather confused by the layout of the 'status' field in ieee80211_tx_info. Apparently, the intention is that status_driver_data[] is used for driver specific data, and fills up the size of the union to 40 bytes, just like the other ones. This is indeed what actually happens, but only because of the combination of two mistakes: - "void *status_driver_data[18 / sizeof(void *)];" is intended to be 18 bytes long but is actually two bytes shorter because of rounding-down in the division, to a multiple of the pointer size (4 bytes or 8 bytes). - The other fields combined are intended to be 22 bytes long, but are actually 24 bytes because of padding in front of the unaligned tx_time member, and in front of the pointer array. The two mistakes cancel out. so the size ends up fine, but it seems more helpful to make this explicit, by having a multiple of 8 bytes in the size calculation and explicitly describing the padding. Fixes: ea5907db2a9cc ("mac80211: fix struct ieee80211_tx_info size") Fixes: 02219b3abca59 ("mac80211: add WMM admission control support") Signed-off-by: Arnd Bergmann Reviewed-by: Kees Cook --- include/net/mac80211.h | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/include/net/mac80211.h b/include/net/mac80211.h index 3a8a2d2c58c38..ca4dc8a14f1bb 100644 --- a/include/net/mac80211.h +++ b/include/net/mac80211.h @@ -1192,9 +1192,11 @@ struct ieee80211_tx_info { u8 ampdu_ack_len; u8 ampdu_len; u8 antenna; + u8 pad; u16 tx_time; u8 flags; - void *status_driver_data[18 / sizeof(void *)]; + u8 pad2; + void *status_driver_data[16 / sizeof(void *)]; } status; struct { struct ieee80211_tx_rate driver_rates[