[bug report] libertas: if_spi, driver for libertas GSPI devices
Dan Carpenter
dan.carpenter at oracle.com
Tue Oct 25 06:34:11 PDT 2016
[ Old code, sorry. -dan ]
Hello Colin McCabe,
The patch d2b21f191753: "libertas: if_spi, driver for libertas GSPI
devices" from Jan 9, 2009, leads to the following static checker
warning:
drivers/net/wireless/marvell/libertas/if_spi.c:731 if_spi_c2h_cmd()
error: __memcpy() 'priv->resp_buf[i]' too small (2312 vs 2400)
drivers/net/wireless/marvell/libertas/if_spi.c
704 /* How many bytes are there to read? */
705 err = spu_read_u16(card, IF_SPI_SCRATCH_2_REG, &len);
706 if (err)
707 goto out;
708 if (!len) {
709 netdev_err(priv->dev, "%s: error: card has no data for host\n",
710 __func__);
711 err = -EINVAL;
712 goto out;
713 } else if (len > IF_SPI_CMD_BUF_SIZE) {
We cap "len" at 2400 bytes.
714 netdev_err(priv->dev,
715 "%s: error: response packet too large: %d bytes, but maximum is %d\n",
716 __func__, len, IF_SPI_CMD_BUF_SIZE);
717 err = -EINVAL;
718 goto out;
719 }
720
721 /* Read the data from the WLAN module into our command buffer */
722 err = spu_read(card, IF_SPI_CMD_RDWRPORT_REG,
723 card->cmd_buffer, ALIGN(len, 4));
724 if (err)
725 goto out;
726
727 spin_lock_irqsave(&priv->driver_lock, flags);
728 i = (priv->resp_idx == 0) ? 1 : 0;
729 BUG_ON(priv->resp_len[i]);
730 priv->resp_len[i] = len;
731 memcpy(priv->resp_buf[i], card->cmd_buffer, len);
^^^^^^^^^^^^^^^^^
But ->resp_buf[i] only has LBS_UPLD_SIZE (2313) bytes.
732 lbs_notify_command_response(priv, i);
733 spin_unlock_irqrestore(&priv->driver_lock, flags);
734
735 out:
736 if (err)
737 netdev_err(priv->dev, "%s: err=%d\n", __func__, err);
738 lbs_deb_leave(LBS_DEB_SPI);
739 return err;
740 }
regards,
dan carpenter
More information about the libertas-dev
mailing list