author | Sergey Matyukevich <sergey.matyukevich.os@quantenna.com> | 2020-01-27 10:46:58 +0000 |
---|---|---|
committer | Kalle Valo <kvalo@codeaurora.org> | 2020-02-12 18:16:49 +0200 |
commit | 946d077a4256c1afffcb1fd4213529da2d793d8e (patch) | |
tree | 21681b301703a8ddb8a321f6e75bd0ba2296a02d | |
parent | 501c3be1ec3ccc3297543057e7337a39b4959495 (diff) | |
qtnfmac: fix potential Spectre vulnerabilities
Fix potential Spectre vulnerabilities and other warnings
reported by smatch:
drivers/net/wireless/quantenna/qtnfmac/core.c:49 qtnf_core_get_mac() warn: potential spectre issue 'bus->mac' [r] (local cap)
drivers/net/wireless/quantenna/qtnfmac/core.c:51 qtnf_core_get_mac() warn: possible spectre second half. 'mac'
drivers/net/wireless/quantenna/qtnfmac/event.c:671 qtnf_event_parse() warn: potential spectre issue 'mac->iflist' [r] (local cap)
drivers/net/wireless/quantenna/qtnfmac/pcie/pearl_pcie.c:912 qtnf_pcie_skb_send() warn: variable dereferenced before check 'skb' (see line 881)
Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-rw-r--r-- | drivers/net/wireless/quantenna/qtnfmac/core.c | 4 | ||||
-rw-r--r-- | drivers/net/wireless/quantenna/qtnfmac/event.c | 9 | ||||
-rw-r--r-- | drivers/net/wireless/quantenna/qtnfmac/pcie/pearl_pcie.c | 2 |
3 files changed, 10 insertions, 5 deletions
diff --git a/drivers/net/wireless/quantenna/qtnfmac/core.c b/drivers/net/wireless/quantenna/qtnfmac/core.c
index 74c9aa297ec9..9e666fac8b5f 100644
--- a/drivers/net/wireless/quantenna/qtnfmac/core.c
+++ b/drivers/net/wireless/quantenna/qtnfmac/core.c
@@ -4,6 +4,7 @@
 #include <linux/kernel.h>
 #include <linux/module.h>
 #include <linux/if_ether.h>
+#include <linux/nospec.h>
 #include "core.h"
 #include "bus.h"
@@ -41,11 +42,12 @@ struct qtnf_wmac *qtnf_core_get_mac(const struct qtnf_bus *bus, u8 macid)
 {
 struct qtnf_wmac *mac = NULL;
- if (unlikely(macid >= QTNF_MAX_MAC)) {
+ if (macid >= QTNF_MAX_MAC) {
 pr_err("invalid MAC index %u\n", macid);
 return NULL;
 }
+ macid = array_index_nospec(macid, QTNF_MAX_MAC);
 mac = bus->mac[macid];
 if (unlikely(!mac)) {
diff --git a/drivers/net/wireless/quantenna/qtnfmac/event.c b/drivers/net/wireless/quantenna/qtnfmac/event.c
index 9d3849488fc7..7e408b5c5549 100644
--- a/drivers/net/wireless/quantenna/qtnfmac/event.c
+++ b/drivers/net/wireless/quantenna/qtnfmac/event.c
@@ -4,6 +4,7 @@
 #include <linux/kernel.h>
 #include <linux/module.h>
 #include <linux/slab.h>
+#include <linux/nospec.h>
 #include "cfg80211.h"
 #include "core.h"
@@ -632,18 +633,20 @@ static int qtnf_event_parse(struct qtnf_wmac *mac,
 int ret = -1;
 u16 event_id;
 u16 event_len;
+ u8 vifid;
 event = (const struct qlink_event *)event_skb->data;
 event_id = le16_to_cpu(event->event_id);
 event_len = le16_to_cpu(event->mhdr.len);
- if (likely(event->vifid < QTNF_MAX_INTF)) {
- vif = &mac->iflist[event->vifid];
- } else {
+ if (event->vifid >= QTNF_MAX_INTF) {
 pr_err("invalid vif(%u)\n", event->vifid);
 return -EINVAL;
 }
+ vifid = array_index_nospec(event->vifid, QTNF_MAX_INTF);
+ vif = &mac->iflist[vifid];
+
 switch (event_id) {
 case QLINK_EVENT_STA_ASSOCIATED:
 ret = qtnf_event_handle_sta_assoc(mac, vif, (const void *)event,
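Review bot: The added `macid = array_index_nospec(macid, QTNF_MAX_MAC);` in qtnf_core_get_mac() carries no comment saying why an index that was just range-checked is clamped again, so a later cleanup could mistake it for redundant code. I would put a comment directly above it, for example `/* the bounds check above can be bypassed under speculation; clamp before indexing bus->mac[] */`. The clamp only helps while it stays between the check and the `bus->mac[macid]` load, which is the case in this hunk. The function body continues past the end of the hunk.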
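Review bot: `event->vifid` is read from the event buffer three times in qtnf_event_parse(): in the range check, in the `pr_err`, and again inside `array_index_nospec()`, although the hunk introduces a local that could hold it. Reading it once and using the local everywhere makes the check and the clamp operate on the same value: `vifid = event->vifid;`, `if (vifid >= QTNF_MAX_INTF) {`, `vifid = array_index_nospec(vifid, QTNF_MAX_INTF);`. The index stays in bounds as written, because array_index_nospec() yields 0 for an out-of-range value, but a differing second read would then silently select `iflist[0]` instead of failing. Whether the skb length is verified to cover the qlink_event header before these reads is not visible here; the function starts and ends outside the hunk.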
diff --git a/drivers/net/wireless/quantenna/qtnfmac/pcie/pearl_pcie.c b/drivers/net/wireless/quantenna/qtnfmac/pcie/pearl_pcie.c
index 8e0d8018208a..dbb241106d8a 100644
--- a/drivers/net/wireless/quantenna/qtnfmac/pcie/pearl_pcie.c
+++ b/drivers/net/wireless/quantenna/qtnfmac/pcie/pearl_pcie.c
@@ -593,7 +593,7 @@ static int qtnf_pcie_skb_send(struct qtnf_bus *bus, struct sk_buff *skb)
 priv->tx_bd_w_index = i;
 tx_done:
- if (ret && skb) {
+ if (ret) {
 pr_err_ratelimited("drop skb\n");
 if (skb->dev)
 skb->dev->stats.tx_dropped++; |
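Review bot: Dropping `skb` from the condition at `tx_done:` leaves the `skb->dev` dereference two lines below relying on skb never being NULL, and nothing in the hunk states that precondition. The commit message says smatch found skb already dereferenced earlier in qtnf_pcie_skb_send() (it points at line 881), so the old test was presumably dead, but that earlier use lies outside the hunk. A short comment at the label, such as `/* skb is non-NULL here: it is dereferenced unconditionally above */`, would keep the contract visible to anyone who later adds a jump to tx_done. The function starts and continues outside the hunk.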