phy.c:641 rtw_phy_linear_2_db() error: buffer overflow 8 <= 8 (assuming for loop doesn't break)

kernel test robot Wed, 12 Aug 2020 04:51:43 -0700

Hi Zong-Zhe,

First bad commit (maybe != root cause):


tree:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 
master
head:   fb893de323e2d39f7a1f6df425703a2edbdf56ea
commit: ba0fbe236fb8a7b992e82d6eafb03a600f5eba43 rtw88: extract: make 8822c an 
individual kernel module
date:   3 months ago
config: parisc-randconfig-m031-20200811 (attached as .config)
compiler: hppa-linux-gcc (GCC) 9.3.0

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <[email protected]>

smatch warnings:
drivers/net/wireless/realtek/rtw88/phy.c:641 rtw_phy_linear_2_db() error: 
buffer overflow 'db_invert_table[i]' 8 <= 8 (assuming for loop doesn't break)

vim +641 drivers/net/wireless/realtek/rtw88/phy.c

e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  599  
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  600  static u8 
rtw_phy_linear_2_db(u64 linear)
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  601  {
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  602         u8 i;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  603         u8 j;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  604         u32 dB;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  605  
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  606         if (linear >= 
db_invert_table[11][7])
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  607                 return 96; /* 
maximum 96 dB */
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  608  
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  609         for (i = 0; i < 12; 
i++) {
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  610                 if (i <= 2 && 
(linear << FRAC_BITS) <= db_invert_table[i][7])
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  611                         break;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  612                 else if (i > 2 
&& linear <= db_invert_table[i][7])
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  613                         break;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  614         }
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  615  
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  616         for (j = 0; j < 8; j++) 
{
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  617                 if (i <= 2 && 
(linear << FRAC_BITS) <= db_invert_table[i][j])
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  618                         break;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  619                 else if (i > 2 
&& linear <= db_invert_table[i][j])
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  620                         break;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  621         }
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  622  
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  623         if (j == 0 && i == 0)
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  624                 goto end;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  625  
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  626         if (j == 0) {
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  627                 if (i != 3) {
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  628                         if 
(db_invert_table[i][0] - linear >
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  629                             
linear - db_invert_table[i - 1][7]) {
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  630                                 
i = i - 1;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  631                                 
j = 7;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  632                         }
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  633                 } else {
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  634                         if 
(db_invert_table[3][0] - linear >
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  635                             
linear - db_invert_table[2][7]) {
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  636                                 
i = 2;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  637                                 
j = 7;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  638                         }
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  639                 }
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  640         } else {
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26 @641                 if 
(db_invert_table[i][j] - linear >
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  642                     linear - 
db_invert_table[i][j - 1]) {
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  643                         j = j - 
1;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  644                 }
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  645         }
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  646  end:
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  647         dB = (i << 3) + j + 1;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  648  
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  649         return dB;
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  650  }
e3037485c68ec1 Yan-Hsuan Chuang 2019-04-26  651  

:::::: The code at line 641 was first introduced by commit
:::::: e3037485c68ec1a299ff41160d8fedbd4abc29b9 rtw88: new Realtek 802.11ac 
driver

:::::: TO: Yan-Hsuan Chuang <[email protected]>
:::::: CC: Kalle Valo <[email protected]>

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/[email protected]

.config.gz
Description: application/gzip

drivers/net/wireless/realtek/rtw88/phy.c:641 rtw_phy_linear_2_db() error: buffer overflow 8 <= 8 (assuming for loop doesn't break)

Reply via email to