drivers/net/wireless/realtek/rtw88/phy.c:641 rtw_phy_linear_2_db() error: buffer overflow 8 <= 8 (assuming for loop doesn't break)

From: kernel test robot
Date: Wed Aug 12 2020 - 07:51:06 EST

Next message: syzbot: "Re: WARNING: suspicious RCU usage in tipc_l2_send_msg"
Previous message: Jorge Ramirez-Ortiz, Foundries: "Re: [PATCHv7] drivers: optee: allow op-tee to access devices on the i2c bus"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Zong-Zhe,

First bad commit (maybe != root cause):

tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head: fb893de323e2d39f7a1f6df425703a2edbdf56ea
commit: ba0fbe236fb8a7b992e82d6eafb03a600f5eba43 rtw88: extract: make 8822c an individual kernel module
date: 3 months ago
config: parisc-randconfig-m031-20200811 (attached as .config)
compiler: hppa-linux-gcc (GCC) 9.3.0

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@xxxxxxxxx>

smatch warnings:
drivers/net/wireless/realtek/rtw88/phy.c:641 rtw_phy_linear_2_db() error: buffer overflow 'db_invert_table[i]' 8 <= 8 (assuming for loop doesn't break)

vim +641 drivers/net/wireless/realtek/rtw88/phy.c

e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 599
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 600 static u8 rtw_phy_linear_2_db(u64 linear)
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 601 {
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 602 u8 i;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 603 u8 j;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 604 u32 dB;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 605
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 606 if (linear >= db_invert_table[11][7])
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 607 return 96; /* maximum 96 dB */
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 608
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 609 for (i = 0; i < 12; i++) {
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 610 if (i <= 2 && (linear << FRAC_BITS) <= db_invert_table[i][7])
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 611 break;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 612 else if (i > 2 && linear <= db_invert_table[i][7])
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 613 break;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 614 }
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 615
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 616 for (j = 0; j < 8; j++) {
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 617 if (i <= 2 && (linear << FRAC_BITS) <= db_invert_table[i][j])
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 618 break;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 619 else if (i > 2 && linear <= db_invert_table[i][j])
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 620 break;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 621 }
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 622
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 623 if (j == 0 && i == 0)
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 624 goto end;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 625
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 626 if (j == 0) {
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 627 if (i != 3) {
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 628 if (db_invert_table[i][0] - linear >
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 629 linear - db_invert_table[i - 1][7]) {
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 630 i = i - 1;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 631 j = 7;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 632 }
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 633 } else {
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 634 if (db_invert_table[3][0] - linear >
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 635 linear - db_invert_table[2][7]) {
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 636 i = 2;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 637 j = 7;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 638 }
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 639 }
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 640 } else {
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 @641 if (db_invert_table[i][j] - linear >
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 642 linear - db_invert_table[i][j - 1]) {
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 643 j = j - 1;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 644 }
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 645 }
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 646 end:
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 647 dB = (i << 3) + j + 1;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 648
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 649 return dB;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 650 }
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 651

:::::: The code at line 641 was first introduced by commit
:::::: e3037485c68ec1a299ff41160d8fedbd4abc29b9 rtw88: new Realtek 802.11ac driver

:::::: TO: Yan-Hsuan Chuang <yhchuang@xxxxxxxxxxx>
:::::: CC: Kalle Valo <kvalo@xxxxxxxxxxxxxx>

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@xxxxxxxxxxxx

Attachment: .config.gz
Description: application/gzip

Next message: syzbot: "Re: WARNING: suspicious RCU usage in tipc_l2_send_msg"
Previous message: Jorge Ramirez-Ortiz, Foundries: "Re: [PATCHv7] drivers: optee: allow op-tee to access devices on the i2c bus"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]