From: Alexis Lothoré
Date: Fri, 13 Oct 2023 10:26:52 +0200
Subject: [PATCH] wifi: wilc1000: use vmm_table as array in wilc struct
Message-Id: <20231013-wilc1000_tx_oops-v1-1-3761beb9524d@bootlin.com>
To: Claudiu Beznea, Kalle Valo, Michael Walle
Cc: linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, Thomas Petazzoni, Ajay Singh, stable@vger.kernel.org, Alexis Lothoré

From: Ajay Singh

Enabling KASAN and running some iperf tests raises some memory issues with
vmm_table:

BUG: KASAN: slab-out-of-bounds in wilc_wlan_handle_txq+0x6ac/0xdb4
Write of size 4 at addr c3a61540 by task wlan0-tx/95

KASAN detects that we are writing data beyond range allocated to vmm_table.
There is indeed a mismatch between the size passed to allocator in
wilc_wlan_init, and the range of possible indexes used later: allocation
size is missing a multiplication by sizeof(u32)

While at it, instead of simply multiplying the allocation size, do not keep
dedicated dynamic allocation for vmm_table: define it as an array with the
relevant size in wilc struct, which is already dynamically allocated

Fixes: 40b717bfcefa ("wifi: wilc1000: fix DMA on stack objects")
Cc: stable@vger.kernel.org
Signed-off-by: Ajay Singh
Signed-off-by: Alexis Lothoré
--- drivers/net/wireless/microchip/wilc1000/netdev.h | 2 +- drivers/net/wireless/microchip/wilc1000/wlan.c | 12 ------------ 2 files changed, 1 insertion(+), 13 deletions(-) --- base-commit: f28d2198de8cbefa17286d5182337a1d6d518643 change-id: 20231012-wilc1000_tx_oops-58ce91ee3e93 Best regards, diff --git a/drivers/net/wireless/microchip/wilc1000/netdev.h b/drivers/net/wireless/microchip/wilc1000/netdev.h index bb1a315a7b7e..2137ef294953 100644 --- a/drivers/net/wireless/microchip/wilc1000/netdev.h +++ b/drivers/net/wireless/microchip/wilc1000/netdev.h @@ -245,7 +245,7 @@ struct wilc { u8 *rx_buffer; u32 rx_buffer_offset; u8 *tx_buffer; - u32 *vmm_table; + u32 vmm_table[WILC_VMM_TBL_SIZE]; struct txq_handle txq[NQUEUES]; int txq_entries; diff --git a/drivers/net/wireless/microchip/wilc1000/wlan.c b/drivers/net/wireless/microchip/wilc1000/wlan.c index 58bbf50081e4..d93493c40e49 100644 --- a/drivers/net/wireless/microchip/wilc1000/wlan.c +++ b/drivers/net/wireless/microchip/wilc1000/wlan.c 
@@ -1252,8 +1252,6 @@ void wilc_wlan_cleanup(struct net_device *dev) while ((rqe = wilc_wlan_rxq_remove(wilc))) kfree(rqe); - kfree(wilc->vmm_table); - wilc->vmm_table = NULL; kfree(wilc->rx_buffer); wilc->rx_buffer = NULL; kfree(wilc->tx_buffer); @@ -1491,14 +1489,6 @@ int wilc_wlan_init(struct net_device *dev) goto fail; } - if (!wilc->vmm_table) - wilc->vmm_table = kzalloc(WILC_VMM_TBL_SIZE, GFP_KERNEL); - - if (!wilc->vmm_table) { - ret = -ENOBUFS; - goto fail; - } - if (!wilc->tx_buffer) wilc->tx_buffer = kmalloc(WILC_TX_BUFF_SIZE, GFP_KERNEL); @@ -1523,8 +1513,6 @@ int wilc_wlan_init(struct net_device *dev) return 0; fail: - kfree(wilc->vmm_table); - wilc->vmm_table = NULL; kfree(wilc->rx_buffer); wilc->rx_buffer = NULL; kfree(wilc->tx_buffer);
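
Review bot: in the netdev.h hunk, `u32 vmm_table[WILC_VMM_TBL_SIZE];` places the table inline in struct wilc between the `tx_buffer` pointer and `txq[NQUEUES]`, so it now shares cache lines with neighbouring fields. The Fixes: tag points at a change about DMA on stack objects; if this table is still handed to the bus layer for DMA, sharing cache lines with fields the CPU writes is a problem on non-coherent platforms, so either align the member (for example with `____cacheline_aligned`) or say in the commit message why that is not needed. The macro also changes meaning here: the removed `kzalloc(WILC_VMM_TBL_SIZE, GFP_KERNEL)` used it as a byte count and the new declaration uses it as an element count, so any remaining size computation on the table should use `sizeof(wilc->vmm_table)` rather than the macro.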
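
Review bot: in the wilc_wlan_init hunk, dropping `wilc->vmm_table = kzalloc(WILC_VMM_TBL_SIZE, GFP_KERNEL);` also drops the guarantee that the table starts zeroed on every init that follows a wilc_wlan_cleanup, since cleanup used to free the buffer and set the pointer to NULL. With the array embedded in struct wilc, entries written during a previous session survive a cleanup/init cycle. If the tx path depends on zeroed or zero-terminated entries, add `memset(wilc->vmm_table, 0, sizeof(wilc->vmm_table));` in wilc_wlan_init; otherwise note in the commit message that the table is always rewritten before it is read.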