
iwlwifi: testing the wrong variable

Message ID 20100218094529.GA1298@bicker
State Not Applicable, archived
Delegated to: David Miller

Commit Message

Dan Carpenter Feb. 18, 2010, 9:45 a.m. UTC
The first one fixes a smatch false positive and the second one fixes
a potential bug.

drivers/net/wireless/iwlwifi/iwl-5000.c +786 iwl5000_txq_update_byte_cnt_tbl(37) error: buffer overflow 
'(scd_bc_tbl+txq_id)->tfd_offset' 320 <= 512
drivers/net/wireless/iwlwifi/iwl-5000.c +808 iwl5000_txq_inval_byte_cnt_tbl(19) error: buffer overflow 
'(scd_bc_tbl+txq_id)->tfd_offset' 320 <= 512

Signed-off-by: Dan Carpenter <error27@gmail.com>
Cc: stable@kernel.org
---
I don't have the hardware to test this change.


--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

Reinette Chatre Feb. 18, 2010, 6:04 p.m. UTC | #1
On Thu, 2010-02-18 at 01:45 -0800, Dan Carpenter wrote:
> The first one fixes a smatch false positive and the second one fixes
> a potential bug.
> 
> drivers/net/wireless/iwlwifi/iwl-5000.c +786 iwl5000_txq_update_byte_cnt_tbl(37) error: buffer overflow 
> '(scd_bc_tbl+txq_id)->tfd_offset' 320 <= 512
> drivers/net/wireless/iwlwifi/iwl-5000.c +808 iwl5000_txq_inval_byte_cnt_tbl(19) error: buffer overflow 
> '(scd_bc_tbl+txq_id)->tfd_offset' 320 <= 512
> 
> Signed-off-by: Dan Carpenter <error27@gmail.com>
> Cc: stable@kernel.org
> ---

This has already been fixed by patch below (taken from
wireless-next-2.6). John and Greg, could you please pick this one up for
2.6.33 and stable instead?

commit 8ce1ef4a914aef8b9b90a2a2c670494168a2cca9
Author: Wey-Yi Guy <wey-yi.w.guy@intel.com>
Date:   Fri Jan 8 10:04:44 2010 -0800

    iwlwifi: fix bug in tx byte count table
    
    When setting invalid byte count in txq byte count table, read
    pointer should be used instead of write pointer.
    
    Reported-by: Guo, Chaohong <chaohong.guo@intel.com>
    Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com>
    Signed-off-by: Zhu Yi <yi.zhu@intel.com>
    Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>

Reinette


John W. Linville Feb. 19, 2010, 8:30 p.m. UTC | #2
On Thu, Feb 18, 2010 at 10:04:42AM -0800, reinette chatre wrote:
> On Thu, 2010-02-18 at 01:45 -0800, Dan Carpenter wrote:
> > The first one fixes a smatch false positive and the second one fixes
> > a potential bug.
> > 
> > drivers/net/wireless/iwlwifi/iwl-5000.c +786 iwl5000_txq_update_byte_cnt_tbl(37) error: buffer overflow 
> > '(scd_bc_tbl+txq_id)->tfd_offset' 320 <= 512
> > drivers/net/wireless/iwlwifi/iwl-5000.c +808 iwl5000_txq_inval_byte_cnt_tbl(19) error: buffer overflow 
> > '(scd_bc_tbl+txq_id)->tfd_offset' 320 <= 512
> > 
> > Signed-off-by: Dan Carpenter <error27@gmail.com>
> > Cc: stable@kernel.org
> > ---
> 
> This has already been fixed by patch below (taken from
> wireless-next-2.6). John and Greg, could you please pick this one up for
> 2.6.33 and stable instead?
> 
> commit 8ce1ef4a914aef8b9b90a2a2c670494168a2cca9
> Author: Wey-Yi Guy <wey-yi.w.guy@intel.com>
> Date:   Fri Jan 8 10:04:44 2010 -0800
> 
>     iwlwifi: fix bug in tx byte count table
>     
>     When setting invalid byte count in txq byte count table, read
>     pointer should be used instead of write pointer.
>     
>     Reported-by: Guo, Chaohong <chaohong.guo@intel.com>
>     Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com>
>     Signed-off-by: Zhu Yi <yi.zhu@intel.com>
>     Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
>     Signed-off-by: John W. Linville <linville@tuxdriver.com>

So for the record, that patch is basically identical to Dan's patch
but with some whitespace fixups in some nearby lines as well.

How important is this patch?  Is there an actual bug report?  Is it
a regression?

It is very late in the 2.6.33 cycle and it isn't obvious to me that
this is worth pushing for 2.6.33 at this point...?

John
Reinette Chatre Feb. 19, 2010, 8:57 p.m. UTC | #3
On Fri, 2010-02-19 at 12:30 -0800, John W. Linville wrote:
> So for the record, that patch is basically identical to Dan's patch
> but with some whitespace fixups in some nearby lines as well.
> 
> How important is this patch?  Is there an actual bug report?  Is it
> a regression?
> 
> It is very late in the 2.6.33 cycle and it isn't obvious to me that
> this is worth pushing for 2.6.33 at this point...?

This is exactly the reason why we did not post the patch to 2.6.33 or
stable when we submitted it upstream since there was no regression or
bug tied to it at that time. It surely is a problem that needs fixing,
which we did in the current release. I just highlighted that if there is
a request for this to be fixed in stable then we already have the patch
available. I'm ok with this one only going into 2.6.34.

Reinette



Patch

diff --git a/drivers/net/wireless/iwlwifi/iwl-5000.c b/drivers/net/wireless/iwlwifi/iwl-5000.c
index de45f30..b45150d 100644
--- a/drivers/net/wireless/iwlwifi/iwl-5000.c
+++ b/drivers/net/wireless/iwlwifi/iwl-5000.c
@@ -781,7 +781,7 @@  void iwl5000_txq_update_byte_cnt_tbl(struct iwl_priv *priv,
 
 	scd_bc_tbl[txq_id].tfd_offset[write_ptr] = bc_ent;
 
-	if (txq->q.write_ptr < TFD_QUEUE_SIZE_BC_DUP)
+	if (write_ptr < TFD_QUEUE_SIZE_BC_DUP)
 		scd_bc_tbl[txq_id].
 			tfd_offset[TFD_QUEUE_SIZE_MAX + write_ptr] = bc_ent;
 }
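Review bot: the variable now tested, `write_ptr`, is the same one that indexes `scd_bc_tbl[txq_id].tfd_offset[write_ptr]` two lines above and the duplicate slot `tfd_offset[TFD_QUEUE_SIZE_MAX + write_ptr]` just below, so the bound check now guards the index it is meant to protect. The cover text calls this hunk a smatch false positive, which only holds if `txq->q.write_ptr` and the local `write_ptr` are always equal at this point; stating that in the commit message, and that the second hunk is the one with a behavioural change, would save the next reader from re-deriving it.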
@@ -803,7 +803,7 @@  void iwl5000_txq_inval_byte_cnt_tbl(struct iwl_priv *priv,
 	bc_ent =  cpu_to_le16(1 | (sta_id << 12));
 	scd_bc_tbl[txq_id].tfd_offset[read_ptr] = bc_ent;
 
-	if (txq->q.write_ptr < TFD_QUEUE_SIZE_BC_DUP)
+	if (read_ptr < TFD_QUEUE_SIZE_BC_DUP)
 		scd_bc_tbl[txq_id].
 			tfd_offset[TFD_QUEUE_SIZE_MAX + read_ptr] =  bc_ent;
 }
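Review bot: this hunk is the substantive fix: the old code bounded the duplicate write with `txq->q.write_ptr`, but the index actually stored to is `TFD_QUEUE_SIZE_MAX + read_ptr`, so whenever `read_ptr >= TFD_QUEUE_SIZE_BC_DUP` while the write pointer is still below that limit, the store lands past the end of `tfd_offset`, which is the out-of-bounds write smatch reports for line 808 (320-element array, index up to 512). Testing `read_ptr` closes that, and the commit message should say so plainly rather than "potential bug". Since Reinette notes that commit 8ce1ef4a914aef8b9b90a2a2c670494168a2cca9 in wireless-next makes the same change, any stable submission should reference that commit so both trees carry one fix rather than two near-identical ones.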