Hello Ido Yariv,

The patch 2b55f43f8e47: "iwlwifi: mvm: Add mem debugfs entry" from
Aug 23, 2016, leads to the following static checker warning:

        drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c:1561 
iwl_dbgfs_mem_read()
        warn: unsigned 'len' is never less than zero.

drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c
  1521  static ssize_t iwl_dbgfs_mem_read(struct file *file, char __user 
*user_buf,
  1522                                    size_t count, loff_t *ppos)
  1523  {
  1524          struct iwl_mvm *mvm = file->private_data;
  1525          struct iwl_dbg_mem_access_cmd cmd = {};
  1526          struct iwl_dbg_mem_access_rsp *rsp;
  1527          struct iwl_host_cmd hcmd = {
  1528                  .flags = CMD_WANT_SKB | CMD_SEND_IN_RFKILL,
  1529                  .data = { &cmd, },
  1530                  .len = { sizeof(cmd) },
  1531          };
  1532          size_t delta, len;
                              ^^^
Unsigned.

  1533          ssize_t ret;
  1534  
  1535          hcmd.id = iwl_cmd_id(*ppos >> 24 ? UMAC_RD_WR : LMAC_RD_WR,
  1536                               DEBUG_GROUP, 0);
  1537          cmd.op = cpu_to_le32(DEBUG_MEM_OP_READ);
  1538  
  1539          /* Take care of alignment of both the position and the length */
  1540          delta = *ppos & 0x3;
  1541          cmd.addr = cpu_to_le32(*ppos - delta);
  1542          cmd.len = cpu_to_le32(min(ALIGN(count + delta, 4) / 4,
  1543                                    (size_t)DEBUG_MEM_MAX_SIZE_DWORDS));
  1544  
  1545          mutex_lock(&mvm->mutex);
  1546          ret = iwl_mvm_send_cmd(mvm, &hcmd);
  1547          mutex_unlock(&mvm->mutex);
  1548  
  1549          if (ret < 0)
  1550                  return ret;
  1551  
  1552          rsp = (void *)hcmd.resp_pkt->data;
  1553          if (le32_to_cpu(rsp->status) != DEBUG_MEM_STATUS_SUCCESS) {
  1554                  ret = -ENXIO;
  1555                  goto out;
  1556          }
  1557  
  1558          len = min((size_t)le32_to_cpu(rsp->len) << 2,
  1559                    iwl_rx_packet_payload_len(hcmd.resp_pkt) - 
sizeof(*rsp));
  1560          len = min(len - delta, count);
  1561          if (len < 0) {
                    ^^^^^^^
Unpossible.

  1562                  ret = -EFAULT;
  1563                  goto out;
  1564          }
  1565  
  1566          ret = len - copy_to_user(user_buf, (void *)rsp->data + delta, 
len);
  1567          *ppos += ret;
  1568  
  1569  out:
  1570          iwl_free_resp(&hcmd);
  1571          return ret;
  1572  }

regards,
dan carpenter

Reply via email to