lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Mon, 11 May 2020 17:49:26 +0200
From:   Jerome Pouiller <Jerome.Pouiller@...abs.com>
To:     devel@...verdev.osuosl.org, linux-wireless@...r.kernel.org
Cc:     netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Kalle Valo <kvalo@...eaurora.org>,
        "David S . Miller" <davem@...emloft.net>,
        Jérôme Pouiller 
        <jerome.pouiller@...abs.com>
Subject: [PATCH 13/17] staging: wfx: fix endianness of the field 'len'

From: Jérôme Pouiller <jerome.pouiller@...abs.com>

The struct hif_msg is received from the hardware. So, it declared as
little endian. However, it is also accessed from many places in the
driver. Sparse complains about that:

    drivers/staging/wfx/bh.c:88:32: warning: restricted __le16 degrades to integer
    drivers/staging/wfx/bh.c:88:32: warning: restricted __le16 degrades to integer
    drivers/staging/wfx/bh.c:93:32: warning: restricted __le16 degrades to integer
    drivers/staging/wfx/bh.c:93:32: warning: cast to restricted __le16
    drivers/staging/wfx/bh.c:93:32: warning: restricted __le16 degrades to integer
    drivers/staging/wfx/bh.c:121:25: warning: incorrect type in argument 2 (different base types)
    drivers/staging/wfx/bh.c:121:25:    expected unsigned int len
    drivers/staging/wfx/bh.c:121:25:    got restricted __le16 [usertype] len
    drivers/staging/wfx/hif_rx.c:27:22: warning: restricted __le16 degrades to integer
    drivers/staging/wfx/hif_rx.c:347:39: warning: incorrect type in argument 7 (different base types)
    drivers/staging/wfx/hif_rx.c:347:39:    expected unsigned int [usertype] len
    drivers/staging/wfx/hif_rx.c:347:39:    got restricted __le16 const [usertype] len
    drivers/staging/wfx/hif_rx.c:365:39: warning: incorrect type in argument 7 (different base types)
    drivers/staging/wfx/hif_rx.c:365:39:    expected unsigned int [usertype] len
    drivers/staging/wfx/hif_rx.c:365:39:    got restricted __le16 const [usertype] len
    drivers/staging/wfx/./traces.h:195:1: warning: incorrect type in assignment (different base types)
    drivers/staging/wfx/./traces.h:195:1:    expected int msg_len
    drivers/staging/wfx/./traces.h:195:1:    got restricted __le16 const [usertype] len
    drivers/staging/wfx/./traces.h:195:1: warning: incorrect type in assignment (different base types)
    drivers/staging/wfx/./traces.h:195:1:    expected int msg_len
    drivers/staging/wfx/./traces.h:195:1:    got restricted __le16 const [usertype] len
    drivers/staging/wfx/debug.c:319:20: warning: restricted __le16 degrades to integer
    drivers/staging/wfx/secure_link.c:85:27: warning: restricted __le16 degrades to integer
    drivers/staging/wfx/secure_link.c:85:27: warning: restricted __le16 degrades to integer

In order to make Sparse happy and to keep access from the driver easy,
this patch declare 'len' with native endianness.

On reception of hardware data, this patch takes care to do byte-swap and
keep Sparse happy.

Signed-off-by: Jérôme Pouiller <jerome.pouiller@...abs.com>
---
 drivers/staging/wfx/bh.c              | 7 ++++---
 drivers/staging/wfx/data_tx.c         | 2 +-
 drivers/staging/wfx/hif_api_general.h | 8 ++++++--
 drivers/staging/wfx/hif_tx.c          | 2 +-
 4 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/drivers/staging/wfx/bh.c b/drivers/staging/wfx/bh.c
index 55724e4295c4..0355b1a1c4bb 100644
--- a/drivers/staging/wfx/bh.c
+++ b/drivers/staging/wfx/bh.c
@@ -74,6 +74,7 @@ static int rx_helper(struct wfx_dev *wdev, size_t read_len, int *is_cnf)
 	_trace_piggyback(piggyback, false);
 
 	hif = (struct hif_msg *)skb->data;
+	le16_to_cpus((__le16 *)&hif->len);
 	WARN(hif->encrypted & 0x1, "unsupported encryption type");
 	if (hif->encrypted == 0x2) {
 		if (wfx_sl_decode(wdev, (void *)hif)) {
@@ -84,12 +85,11 @@ static int rx_helper(struct wfx_dev *wdev, size_t read_len, int *is_cnf)
 			// piggyback is probably correct.
 			return piggyback;
 		}
-		le16_to_cpus(&hif->len);
+		le16_to_cpus((__le16 *)&hif->len);
 		computed_len = round_up(hif->len - sizeof(hif->len), 16)
 			       + sizeof(struct hif_sl_msg)
 			       + sizeof(struct hif_sl_tag);
 	} else {
-		le16_to_cpus(&hif->len);
 		computed_len = round_up(hif->len, 2);
 	}
 	if (computed_len != read_len) {
@@ -172,7 +172,7 @@ static void tx_helper(struct wfx_dev *wdev, struct hif_msg *hif)
 	int ret;
 	void *data;
 	bool is_encrypted = false;
-	size_t len = le16_to_cpu(hif->len);
+	size_t len = hif->len;
 
 	WARN(len < sizeof(*hif), "try to send corrupted data");
 
@@ -199,6 +199,7 @@ static void tx_helper(struct wfx_dev *wdev, struct hif_msg *hif)
 	WARN(len > wdev->hw_caps.size_inp_ch_buf,
 	     "%s: request exceed WFx capability: %zu > %d\n", __func__,
 	     len, wdev->hw_caps.size_inp_ch_buf);
+	cpu_to_le16s(((struct hif_msg *)data)->len);
 	len = wdev->hwbus_ops->align_size(wdev->hwbus_priv, len);
 	ret = wfx_data_write(wdev, data, len);
 	if (ret)
diff --git a/drivers/staging/wfx/data_tx.c b/drivers/staging/wfx/data_tx.c
index 014fa36c8f78..84656d1a6278 100644
--- a/drivers/staging/wfx/data_tx.c
+++ b/drivers/staging/wfx/data_tx.c
@@ -384,7 +384,7 @@ static int wfx_tx_inner(struct wfx_vif *wvif, struct ieee80211_sta *sta,
 	skb_push(skb, wmsg_len);
 	memset(skb->data, 0, wmsg_len);
 	hif_msg = (struct hif_msg *)skb->data;
-	hif_msg->len = cpu_to_le16(skb->len);
+	hif_msg->len = skb->len;
 	hif_msg->id = HIF_REQ_ID_TX;
 	hif_msg->interface = wvif->id;
 	if (skb->len > wvif->wdev->hw_caps.size_inp_ch_buf) {
diff --git a/drivers/staging/wfx/hif_api_general.h b/drivers/staging/wfx/hif_api_general.h
index 995752b9f168..a359ae76511a 100644
--- a/drivers/staging/wfx/hif_api_general.h
+++ b/drivers/staging/wfx/hif_api_general.h
@@ -23,7 +23,10 @@
 #define HIF_COUNTER_MAX           7
 
 struct hif_msg {
-	__le16 len;
+	// len is in fact little endian. However, it is widely used in the
+	// driver, so we declare it in native byte order and we reorder just
+	// before/after send/receive it (see bh.c).
+	u16    len;
 	u8     id;
 	u8     reserved:1;
 	u8     interface:2;
@@ -277,7 +280,8 @@ struct hif_sl_msg_hdr {
 
 struct hif_sl_msg {
 	struct hif_sl_msg_hdr hdr;
-	__le16 len;
+	// Same note than struct hif_msg
+	u16    len;
 	u8     payload[];
 } __packed;
 
diff --git a/drivers/staging/wfx/hif_tx.c b/drivers/staging/wfx/hif_tx.c
index 490a9de54faf..6c6618197b91 100644
--- a/drivers/staging/wfx/hif_tx.c
+++ b/drivers/staging/wfx/hif_tx.c
@@ -33,7 +33,7 @@ static void wfx_fill_header(struct hif_msg *hif, int if_id,
 	WARN(size > 0xFFF, "requested buffer is too large: %zu bytes", size);
 	WARN(if_id > 0x3, "invalid interface ID %d", if_id);
 
-	hif->len = cpu_to_le16(size + 4);
+	hif->len = size + 4;
 	hif->id = cmd;
 	hif->interface = if_id;
 }
-- 
2.26.2

Powered by blists - more mailing lists