From nobody Tue Apr 28 17:03:18 2026
Return-Path: <linux-kernel-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 90DBAC433EF
	for <linux-kernel@archiver.kernel.org>; Tue, 31 May 2022 01:31:43 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S243400AbiEaBbm (ORCPT <rfc822;linux-kernel@archiver.kernel.org>);
        Mon, 30 May 2022 21:31:42 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54082 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S243381AbiEaBbj (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 30 May 2022 21:31:39 -0400
Received: from p-impout004.msg.pkvw.co.charter.net
 (p-impout004aa.msg.pkvw.co.charter.net [47.43.26.135])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AC69010B4
        for <linux-kernel@vger.kernel.org>;
 Mon, 30 May 2022 18:31:38 -0700 (PDT)
Received: from 2603-8090-2005-39b3-0000-0000-0000-100e.res6.spectrum.com.com
 ([24.31.246.181])
        by cmsmtp with ESMTP
        id vqjLnnv0kgPEBvqjSnJB4H; Tue, 31 May 2022 01:31:38 +0000
X-Authority-Analysis: v=2.4 cv=b8OhX/Kx c=1 sm=1 tr=0 ts=62956ffa
 a=cAe/7qmlxnd6JlJqP68I9A==:117 a=cAe/7qmlxnd6JlJqP68I9A==:17
 a=IkcTkHD0fZMA:10 a=yQdBAQUQAAAA:8 a=JKArFDfnAAAA:8 a=yPCof4ZbAAAA:8
 a=T813O89Fk1KhD7x66Y8A:9 a=QEXdDO2ut3YA:10 a=SzazLyfi1tnkUD6oumHU:22
 a=8HTcXXoeXT8DLsUt73VG:22
From: Larry Finger <Larry.Finger@lwfinger.net>
To: gregkh@linuxfoundation.org
Cc: phil@philpotter.co.uk, linux-staging@lists.linux.dev,
        linux-kernel@vger.kernel.org,
        Larry Finger <Larry.Finger@lwfinger.net>,
        Dan Carpenter <dan.carpenter@oracle.com>
Subject: [PATCH v3 1/2] staging: r8188eu: Fix undersized array in rtw_xmit.c
Date: Mon, 30 May 2022 20:31:02 -0500
Message-Id: <20220531013103.2175-2-Larry.Finger@lwfinger.net>
X-Mailer: git-send-email 2.36.1
In-Reply-To: <20220531013103.2175-1-Larry.Finger@lwfinger.net>
References: <20220531013103.2175-1-Larry.Finger@lwfinger.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
c: Dan Carpenter <dan.carpenter@oracle.com>
Content-Transfer-Encoding: quoted-printable
X-CMAE-Envelope: 
 MS4xfPs3TAaI8hV8TKjc34ABI9+CfuSxrbyzSdviviHv+OdjSHStMfavYCRR9Zu+v2HBRLbjvydwbofOlFqsTMSIC6EVL4LKCK8pUVI+3z37SZ0cMcvsZIN+
 wgoDPvPyWpj0o/0UiAwDvFh6Wu23nsZdpdEX1ANljKz1wEPFFREKLbVwe/HkAOWM4AiEnie3sfyfRcPE19YFU8apo1eDxwKfmQ/Shjsz8XE7MVD84p5cXLBM
 Rc+hfLrCT+b6L0aZjVHXFHb7hdIHOfZMxm/3lC8gGdgQoKpoYd5YAwyoJvEKunDc6duorvqhp2dFON6jSkSUgN/d/LneYX8gHsEeDGzutVf3nAi5ETbmHjAh
 svhZC5HEtc4JOE0tjSE47p8ZTM7YAxzTj1rZYMpV4uLHfAgG/1+2S2xJj9jhzyJDWD8XlvFcfQ9YtLTA4KLvTaDHHf3vZYV/PpHBwo1Gd3ho7B+XFz4=
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Compiling with -warray-bounds yields the following warning:

drivers/staging/r8188eu/core/rtw_xmit.c: In function =E2=80=98rtw_alloc_hwx=
mits=E2=80=99:
drivers/staging/r8188eu/core/rtw_xmit.c:1493:24: warning: array subscript 4=
 is outside array bounds of =E2=80=98void[64]=E2=80=99 [-Warray-bounds]
 1493 |                 hwxmits[4] .sta_queue =3D &pxmitpriv->be_pending;
      |                 ~~~~~~~^~~
In file included from drivers/staging/r8188eu/core/../include/osdep_service=
.h:19,
                 from drivers/staging/r8188eu/core/rtw_xmit.c:6:
In function =E2=80=98kmalloc=E2=80=99,
    inlined from =E2=80=98kzalloc=E2=80=99 at ./include/linux/slab.h:733:9,
    inlined from =E2=80=98rtw_alloc_hwxmits=E2=80=99 at drivers/staging/r81=
88eu/core/rtw_xmit.c:1484:23:
./include/linux/slab.h:600:24: note: at offset 64 into object of size 64 al=
located by =E2=80=98kmem_cache_alloc_trace=E2=80=99
  600 |                 return kmem_cache_alloc_trace(
      |                        ^~~~~~~~~~~~~~~~~~~~~~~
  601 |                                 kmalloc_caches[kmalloc_type(flags)]=
[index],
      |                                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=
~~~~~~~~
  602 |                                 flags, size);
      |

This warning arises because the test for (pxmitpriv->hwxmit_entry =3D=3D 5)=
 is totally
bogus. There are only 4 queues available. Thanks to Dan Carpenter for sugge=
sting the
correct patch. Thanks to Dan Carperter for suggesting the correct fix.

Fixes commit 7884fc0a1473 ("staging: r8188eu: introduce new include dir
for RTL8188eu driver")

Fixes: 7884fc0a1473 ("staging: r8188eu: introduce new include dir for RTL81=
88eu driver")
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Cc: Phillip Potter <phil@philpotter.co.uk>
Cc: Dan Carpenter <dan.carpenter@oracle.com>
--
v2 - get proper To and Cc
v3 - Use Dan Carpenter's suggestion for correct fix
Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 drivers/staging/r8188eu/core/rtw_xmit.c | 17 ++++-------------
 1 file changed, 4 insertions(+), 13 deletions(-)

diff --git a/drivers/staging/r8188eu/core/rtw_xmit.c b/drivers/staging/r818=
8eu/core/rtw_xmit.c
index 3d8e9dea7651..066308150b42 100644
--- a/drivers/staging/r8188eu/core/rtw_xmit.c
+++ b/drivers/staging/r8188eu/core/rtw_xmit.c
@@ -1483,19 +1483,10 @@ int rtw_alloc_hwxmits(struct adapter *padapter)
=20
 	hwxmits =3D pxmitpriv->hwxmits;
=20
-	if (pxmitpriv->hwxmit_entry =3D=3D 5) {
-		hwxmits[0] .sta_queue =3D &pxmitpriv->bm_pending;
-		hwxmits[1] .sta_queue =3D &pxmitpriv->vo_pending;
-		hwxmits[2] .sta_queue =3D &pxmitpriv->vi_pending;
-		hwxmits[3] .sta_queue =3D &pxmitpriv->bk_pending;
-		hwxmits[4] .sta_queue =3D &pxmitpriv->be_pending;
-	} else if (pxmitpriv->hwxmit_entry =3D=3D 4) {
-		hwxmits[0] .sta_queue =3D &pxmitpriv->vo_pending;
-		hwxmits[1] .sta_queue =3D &pxmitpriv->vi_pending;
-		hwxmits[2] .sta_queue =3D &pxmitpriv->be_pending;
-		hwxmits[3] .sta_queue =3D &pxmitpriv->bk_pending;
-	} else {
-	}
+	hwxmits[0].sta_queue =3D &pxmitpriv->vo_pending;
+	hwxmits[1].sta_queue =3D &pxmitpriv->vi_pending;
+	hwxmits[2].sta_queue =3D &pxmitpriv->be_pending;
+	hwxmits[3].sta_queue =3D &pxmitpriv->bk_pending;
=20
 	return 0;
 }
--=20
2.36.1

From nobody Tue Apr 28 17:03:18 2026
Return-Path: <linux-kernel-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by smtp.lore.kernel.org (Postfix) with ESMTP id D5A06C433EF
	for <linux-kernel@archiver.kernel.org>; Tue, 31 May 2022 01:31:45 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S243402AbiEaBbn (ORCPT <rfc822;linux-kernel@archiver.kernel.org>);
        Mon, 30 May 2022 21:31:43 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54314 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S243394AbiEaBbl (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 30 May 2022 21:31:41 -0400
Received: from p-impout004.msg.pkvw.co.charter.net
 (p-impout004aa.msg.pkvw.co.charter.net [47.43.26.135])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 39553DF5C
        for <linux-kernel@vger.kernel.org>;
 Mon, 30 May 2022 18:31:39 -0700 (PDT)
Received: from 2603-8090-2005-39b3-0000-0000-0000-100e.res6.spectrum.com.com
 ([24.31.246.181])
        by cmsmtp with ESMTP
        id vqjLnnv0kgPEBvqjSnJB4O; Tue, 31 May 2022 01:31:39 +0000
X-Authority-Analysis: v=2.4 cv=b8OhX/Kx c=1 sm=1 tr=0 ts=62956ffb
 a=cAe/7qmlxnd6JlJqP68I9A==:117 a=cAe/7qmlxnd6JlJqP68I9A==:17
 a=IkcTkHD0fZMA:10 a=yQdBAQUQAAAA:8 a=JKArFDfnAAAA:8 a=yPCof4ZbAAAA:8
 a=trFUbqFmGWvzTRzaABQA:9 a=QEXdDO2ut3YA:10 a=SzazLyfi1tnkUD6oumHU:22
 a=8HTcXXoeXT8DLsUt73VG:22
From: Larry Finger <Larry.Finger@lwfinger.net>
To: gregkh@linuxfoundation.org
Cc: phil@philpotter.co.uk, linux-staging@lists.linux.dev,
        linux-kernel@vger.kernel.org,
        Larry Finger <Larry.Finger@lwfinger.net>,
        Dan Carpenter <dan.carpenter@oracle.com>
Subject: [PATCH v3 2/2] staging: r8188eu: Fix warning of array overflow in
 ioctl_linux.c
Date: Mon, 30 May 2022 20:31:03 -0500
Message-Id: <20220531013103.2175-3-Larry.Finger@lwfinger.net>
X-Mailer: git-send-email 2.36.1
In-Reply-To: <20220531013103.2175-1-Larry.Finger@lwfinger.net>
References: <20220531013103.2175-1-Larry.Finger@lwfinger.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-CMAE-Envelope: 
 MS4xfHjbCQQ0ilhvUMTInvLkcBR7pz0MsdzmJXh1BoA+6zbxacd/1ou6F06evJku56zwHtSobOO6nNxCwFmZ+TLIYJJ6DGx0YVFo+Aeyt2zBJkP2ZrqxOHH8
 RCGO7L2GpTm9gJSZ90lPPUkCKGAWr5FDGRAzC3pgfd+C5Ll4RaKXFouIbfaMCXLFg4Oh7/d/7XI3SiHJsj6j4BBAXk1vdrRM4zkn6pOcbSiYAwOaH8nx/H8W
 bHzFJlbsmK/cdzRmPWA6qdyrKKc2MrY/bxjRWCalgtJlvcwf+CCJcMS++B9RB4Fwxx1f4FsOpkeR8/ESCtj9JS9LicD5OoJcqN441srWnSj5OdYkHH17BXcJ
 M4jNLHD7cOIwnDmBRC6J87twXoILuPmfiBh7SxcEghBFluVQnzl7XNm5xTAoI4YUc7kwWFTM+l6iVi/tVQf9Vt/KYIU3P7eGYYz4SN3/uRfctRoinnA=
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Building with -Warray-bounds results in the following warning plus others
related to the same problem:

CC [M]  drivers/staging/r8188eu/os_dep/ioctl_linux.o
In function =E2=80=98wpa_set_encryption=E2=80=99,
    inlined from =E2=80=98rtw_wx_set_enc_ext=E2=80=99 at drivers/staging/r8=
188eu/os_dep/ioctl_linux.c:1868:9:
drivers/staging/r8188eu/os_dep/ioctl_linux.c:412:41: warning: array subscri=
pt =E2=80=98struct ndis_802_11_wep[0]=E2=80=99 is partly outside array boun=
ds of =E2=80=98void[25]=E2=80=99 [-Warray-bounds]
  412 |                         pwep->KeyLength =3D wep_key_len;
      |                         ~~~~~~~~~~~~~~~~^~~~~~~~~~~~~
In file included from drivers/staging/r8188eu/os_dep/../include/osdep_servi=
ce.h:19,
                 from drivers/staging/r8188eu/os_dep/ioctl_linux.c:4:
In function =E2=80=98kmalloc=E2=80=99,
    inlined from =E2=80=98kzalloc=E2=80=99 at ./include/linux/slab.h:733:9,
    inlined from =E2=80=98wpa_set_encryption=E2=80=99 at drivers/staging/r8=
188eu/os_dep/ioctl_linux.c:408:11,
    inlined from =E2=80=98rtw_wx_set_enc_ext=E2=80=99 at drivers/staging/r8=
188eu/os_dep/ioctl_linux.c:1868:9:
./include/linux/slab.h:605:16: note: object of size [17, 25] allocated by =
=E2=80=98__kmalloc=E2=80=99
  605 |         return __kmalloc(size, flags);
      |                ^~~~~~~~~~~~~~~~~~~~~~
./include/linux/slab.h:600:24: note: object of size [17, 25] allocated by =
=E2=80=98kmem_cache_alloc_trace=E2=80=99
  600 |                 return kmem_cache_alloc_trace(
      |                        ^~~~~~~~~~~~~~~~~~~~~~~
  601 |                                 kmalloc_caches[kmalloc_type(flags)]=
[index],
      |                                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=
~~~~~~~~
  602 |                                 flags, size);
      |                                 ~~~~~~~~~~~~

Although it is unlikely that anyone is still using WEP encryption, the
size of the allocation needs to be increased just in case.

Fixes commit 2b42bd58b321 ("staging: r8188eu: introduce new os_dep dir for =
RTL8188eu driver")

Fixes: 2b42bd58b321 ("staging: r8188eu: introduce new os_dep dir for RTL818=
8eu driver")
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Cc: Phillip Potter <phil@philpotter.co.uk>
Cc: Dan Carpenter <dan.carpenter@oracle.com>
---
v2 - get proper To and Cc
v3 - no changes
---
 drivers/staging/r8188eu/os_dep/ioctl_linux.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/r8188eu/os_dep/ioctl_linux.c b/drivers/staging=
/r8188eu/os_dep/ioctl_linux.c
index 1b09462ca908..8dd280e2739a 100644
--- a/drivers/staging/r8188eu/os_dep/ioctl_linux.c
+++ b/drivers/staging/r8188eu/os_dep/ioctl_linux.c
@@ -403,7 +403,7 @@ static int wpa_set_encryption(struct net_device *dev, s=
truct ieee_param *param,
=20
 		if (wep_key_len > 0) {
 			wep_key_len =3D wep_key_len <=3D 5 ? 5 : 13;
-			wep_total_len =3D wep_key_len + FIELD_OFFSET(struct ndis_802_11_wep, Ke=
yMaterial);
+			wep_total_len =3D wep_key_len + sizeof(*pwep);
 			pwep =3D kzalloc(wep_total_len, GFP_KERNEL);
 			if (!pwep)
 				goto exit;
--=20
2.36.1