[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <26b15f4702cef17fe70b496a62f03735874bd16a.camel@sipsolutions.net>
Date: Tue, 24 Oct 2023 22:11:38 +0200
From: Johannes Berg <johannes@...solutions.net>
To: "Gustavo A. R. Silva" <gustavo@...eddedor.com>, Kalle Valo
<kvalo@...nel.org>, Jeff Johnson <quic_jjohnson@...cinc.com>
Cc: ath10k@...ts.infradead.org, linux-wireless@...r.kernel.org,
linux-kernel@...r.kernel.org, "Gustavo A. R. Silva"
<gustavoars@...nel.org>, linux-hardening@...r.kernel.org
Subject: Re: [RFC - is this a bug?] wifi: ath10k: Asking for some light on
this, please :)
On Tue, 2023-10-24 at 13:50 -0600, Gustavo A. R. Silva wrote:
> Hi all,
>
> While working on tranforming one-element array `peer_chan_list` in
> `struct wmi_tdls_peer_capabilities` into a flex-array member
>
> 7187 struct wmi_tdls_peer_capabilities {
> ...
> 7199 struct wmi_channel peer_chan_list[1];
> 7200 } __packed;
>
> the following line caught my attention:
>
> ./drivers/net/wireless/ath/ath10k/wmi.c:
> 8920 memset(skb->data, 0, sizeof(*cmd));
>
> Notice that before the flex-array transformation, we are zeroing 128
> bytes in `skb->data` because `sizeof(*cmd) == 128`, see below:
> So, my question is: do we really need to zero out those extra 24 bytes in
> `skb->data`? or is it rather a bug in the original code?
>
If we look a step further, I _think_ even that memset is unnecessary?
struct sk_buff *ath10k_wmi_alloc_skb(struct ath10k *ar, u32 len)
{
struct sk_buff *skb;
u32 round_len = roundup(len, 4);
skb = ath10k_htc_alloc_skb(ar, WMI_SKB_HEADROOM + round_len);
if (!skb)
return NULL;
skb_reserve(skb, WMI_SKB_HEADROOM);
if (!IS_ALIGNED((unsigned long)skb->data, 4))
ath10k_warn(ar, "Unaligned WMI skb\n");
skb_put(skb, round_len);
memset(skb->data, 0, round_len);
return skb;
}
So shouldn't the outgoing skb be exactly the same?
Anyway, just looking at the code out of curiosity, I don't actually know
anything about this driver :)
johannes
Powered by blists - more mailing lists