[PATCH 2/2] ltq-vdsl-vr9-mei: avoid unnecessary usage of unsafe_memcpy
Jan Hoffmann
jan at 3e8.eu
Thu Feb 6 14:54:25 PST 2025
Commit 7bc487c12eef ("kernel: ltq-vdsl-vr9-mei: fix warning about
field-spanning write") patched the driver to use unsafe_memcpy in
MEI_IoctlCmdMsgWrite.
However, this is not actually necessary. The assignment of the variable
"pDestPtr" can be modified so that the compiler knows about the correct
size. This way, the check in the fortified memcpy works correctly.
While at it, also adjust all places where similar code is used to copy
from a CMV_STD_MESSAGE_T struct.
Also mark all related structs as packed, because the code (and the
driver in general) seems to rely on that anyway.
Signed-off-by: Jan Hoffmann <jan at 3e8.eu>
---
.../kernel/lantiq/ltq-vdsl-vr9-mei/Makefile | 2 +-
...ld-spanning-write-mei-mailbox-packed.patch | 179 ++++++++++++++++++
...for-intentional-field-spanning-write.patch | 15 --
3 files changed, 180 insertions(+), 16 deletions(-)
create mode 100644 package/kernel/lantiq/ltq-vdsl-vr9-mei/patches/401-fix-field-spanning-write-mei-mailbox-packed.patch
delete mode 100644 package/kernel/lantiq/ltq-vdsl-vr9-mei/patches/401-use-unsafe_memcpy-for-intentional-field-spanning-write.patch
diff --git a/package/kernel/lantiq/ltq-vdsl-vr9-mei/Makefile b/package/kernel/lantiq/ltq-vdsl-vr9-mei/Makefile
index 9b3dac299fea..2576355bd175 100644
--- a/package/kernel/lantiq/ltq-vdsl-vr9-mei/Makefile
+++ b/package/kernel/lantiq/ltq-vdsl-vr9-mei/Makefile
@@ -9,7 +9,7 @@ include $(INCLUDE_DIR)/kernel.mk
PKG_NAME:=ltq-vdsl-vr9-mei
PKG_VERSION:=1.5.17.6
-PKG_RELEASE:=6
+PKG_RELEASE:=7
PKG_BASE_NAME:=drv_mei_cpe
PKG_SOURCE:=$(PKG_BASE_NAME)-$(PKG_VERSION).tar.gz
diff --git a/package/kernel/lantiq/ltq-vdsl-vr9-mei/patches/401-fix-field-spanning-write-mei-mailbox-packed.patch b/package/kernel/lantiq/ltq-vdsl-vr9-mei/patches/401-fix-field-spanning-write-mei-mailbox-packed.patch
new file mode 100644
index 000000000000..549411b78e04
--- /dev/null
+++ b/package/kernel/lantiq/ltq-vdsl-vr9-mei/patches/401-fix-field-spanning-write-mei-mailbox-packed.patch
@@ -0,0 +1,179 @@
+--- a/src/cmv_message_format.h
++++ b/src/cmv_message_format.h
+@@ -308,7 +308,7 @@ typedef struct cmv_std_message_header_s
+ unsigned short index;
+ /** CMV length */
+ unsigned short length;
+-} CMV_STD_MESSAGE_HEADER_T;
++} __attribute__((packed)) CMV_STD_MESSAGE_HEADER_T;
+
+ /**
+ CMV payload paramaters (8, 16, 32 Bit)
+@@ -318,7 +318,7 @@ typedef union cmv_std_message_payload_s
+ unsigned char params_8Bit[CMV_USED_PAYLOAD_8BIT_SIZE];
+ unsigned short params_16Bit[CMV_USED_PAYLOAD_16BIT_SIZE];
+ unsigned int params_32Bit[CMV_USED_PAYLOAD_32BIT_SIZE];
+-} CMV_STD_MESSAGE_PAYLOAD_T;
++} __attribute__((packed)) CMV_STD_MESSAGE_PAYLOAD_T;
+
+ /**
+ CMV Standard message.
+@@ -327,7 +327,7 @@ typedef struct cmv_std_message_s
+ {
+ CMV_STD_MESSAGE_HEADER_T header;
+ CMV_STD_MESSAGE_PAYLOAD_T payload;
+-} CMV_STD_MESSAGE_T;
++} __attribute__((packed)) CMV_STD_MESSAGE_T;
+
+
+ /* ============================================================================
+@@ -341,7 +341,7 @@ typedef struct cmv_message_modem_rdy_s
+ {
+ CMV_STD_MESSAGE_HEADER_T header;
+ CMV_STD_MESSAGE_PAYLOAD_T modemRdyParams;
+-} CMV_MESSAGE_MODEM_RDY_T;
++} __attribute__((packed)) CMV_MESSAGE_MODEM_RDY_T;
+
+
+ /* ============================================================================
+@@ -358,7 +358,7 @@ typedef struct cmv_message_modem_rdy_s
+ typedef struct cmv_message_cs_static_params_s
+ {
+ unsigned short pageIdx[MEI_CMV_CODESWAP_MAX_PAGES];
+-} CMV_MESSAGE_CS_STATIC_PARAMS_T;
++} __attribute__((packed)) CMV_MESSAGE_CS_STATIC_PARAMS_T;
+
+
+ typedef struct cmv_dyn_codeswap_page_info_s
+@@ -366,7 +366,7 @@ typedef struct cmv_dyn_codeswap_page_inf
+ unsigned short pageIdx;
+ unsigned short h_destAddr;
+ unsigned short l_destAddr;
+-} CMV_DYN_CODESWAP_PAGE_INFO_T;
++} __attribute__((packed)) CMV_DYN_CODESWAP_PAGE_INFO_T;
+
+ /**
+ CMV codeswap message payload (dynamic).
+@@ -374,7 +374,7 @@ typedef struct cmv_dyn_codeswap_page_inf
+ typedef struct cmv_message_cs_dyn_params_s
+ {
+ CMV_DYN_CODESWAP_PAGE_INFO_T pageInfo[MEI_CMV_CODESWAP_MAX_PAGES];
+-} CMV_MESSAGE_CS_DYN_PARAMS_T;
++} __attribute__((packed)) CMV_MESSAGE_CS_DYN_PARAMS_T;
+
+
+ /**
+@@ -388,7 +388,7 @@ typedef struct cmv_message_cs_s
+ CMV_MESSAGE_CS_STATIC_PARAMS_T csStaticParams;
+ CMV_MESSAGE_CS_DYN_PARAMS_T csDynParams;
+ } params;
+-} CMV_MESSAGE_CS_T;
++} __attribute__((packed)) CMV_MESSAGE_CS_T;
+
+ /* ============================================================================
+ CMV Fast Read request message definitions
+@@ -406,7 +406,7 @@ typedef struct cmv_fast_read_params_s
+ unsigned short addrMSW;
+ unsigned short addrLSW;
+ unsigned short size_16bit;
+-} CMV_FAST_READ_PARAMS_T;
++} __attribute__((packed)) CMV_FAST_READ_PARAMS_T;
+
+ /**
+ CMV fast read message payload.
+@@ -414,7 +414,7 @@ typedef struct cmv_fast_read_params_s
+ typedef struct cmv_message_fast_rd_params_s
+ {
+ unsigned short fastRdpage[MEI_CMV_FAST_READ_MAX_PAGES];
+-} CMV_MESSAGE_FAST_RD_PARAMS_T;
++} __attribute__((packed)) CMV_MESSAGE_FAST_RD_PARAMS_T;
+
+ /**
+ CMV codeswap message.
+@@ -423,7 +423,7 @@ typedef struct cmv_message_fast_rd_s
+ {
+ CMV_STD_MESSAGE_HEADER_T header;
+ CMV_MESSAGE_FAST_RD_PARAMS_T fastRdParams;
+-} CMV_MESSAGE_FAST_RD_T;
++} __attribute__((packed)) CMV_MESSAGE_FAST_RD_T;
+
+ /**
+ CMV messages
+@@ -435,7 +435,7 @@ typedef union cmv_message_all_s
+ CMV_MESSAGE_CS_T codeSwap;
+ CMV_MESSAGE_FAST_RD_T fastRd;
+ unsigned short rawMsg[CMV_HEADER_16BIT_SIZE + CMV_USED_PAYLOAD_16BIT_SIZE];
+-} CMV_MESSAGE_ALL_T;
++} __attribute__((packed)) CMV_MESSAGE_ALL_T;
+
+
+
+--- a/src/drv_mei_cpe_mailbox.h
++++ b/src/drv_mei_cpe_mailbox.h
+@@ -197,7 +197,7 @@ typedef union MEI_cmv_mailbox_s
+ CMV_MESSAGE_CS_T codeSwap;
+ /** CMV Fast Read message */
+ CMV_MESSAGE_FAST_RD_T fastRd;
+-} MEI_CMV_MAILBOX_T;
++} __attribute__((packed)) MEI_CMV_MAILBOX_T;
+
+
+ /**
+@@ -206,7 +206,7 @@ typedef union MEI_cmv_mailbox_s
+ typedef struct MEI_mei_mailbox_raw_s
+ {
+ IFX_uint16_t rawMsg[CMV_HEADER_16BIT_SIZE + CMV_USED_PAYLOAD_16BIT_SIZE];
+-} MEI_MEI_MAILBOX_RAW_T;
++} __attribute__((packed)) MEI_MEI_MAILBOX_RAW_T;
+
+
+ /**
+@@ -218,7 +218,7 @@ typedef union MEI_mei_mailbox_s
+ MEI_MEI_MAILBOX_RAW_T mbRaw;
+ /** CMV message type */
+ MEI_CMV_MAILBOX_T mbCmv;
+-} MEI_MEI_MAILBOX_T;
++} __attribute__((packed)) MEI_MEI_MAILBOX_T;
+
+
+ #ifdef __cplusplus
+--- a/src/drv_mei_cpe_msg_process.c
++++ b/src/drv_mei_cpe_msg_process.c
+@@ -2172,7 +2172,7 @@ MEI_STATIC IFX_int32_t MEI_ModemNfcRead(
+ Return IFX/modem message
+ - index and length fields becomes part of the appl. payload
+ */
+- pSource = (unsigned char *)&pMailbox->mbCmv.cmv.header.index;
++ pSource = (unsigned char *)&pMailbox->mbCmv.cmv + offsetof(CMV_STD_MESSAGE_T, header.index);
+
+ /* size field contains number of 16 bit payload elements of the message */
+ paylSize_byte = (CMV_MSGHDR_PAYLOAD_SIZE_GET(pMailbox->mbCmv.cmv)) << CMV_MSG_BIT_SIZE_16BIT;
+@@ -3508,7 +3508,7 @@ IFX_int32_t MEI_IoctlCmdMsgWrite(
+ */
+ cmvMbSize = CMV_HEADER_8BIT_SIZE +
+ pUserMsg->paylSize_byte - (sizeof(IFX_uint16_t) * 2);
+- pDestPtr = (unsigned char *)&pMailbox->mbCmv.cmv.header.index;
++ pDestPtr = (unsigned char *)&pMailbox->mbCmv.cmv + offsetof(CMV_STD_MESSAGE_T, header.index);
+
+ if ( cmvMbSize > (int)(sizeof(MEI_CMV_MAILBOX_T)) )
+ {
+@@ -3622,7 +3622,7 @@ IFX_int32_t MEI_IoctlAckMsgRead(
+ Return IFX/modem message
+ - index and length fields becomes part of the appl. payload
+ */
+- pSource = (unsigned char *)&pMailbox->mbCmv.cmv.header.index;
++ pSource = (unsigned char *)&pMailbox->mbCmv.cmv + offsetof(CMV_STD_MESSAGE_T, header.index);
+
+ /* size field contains number of 16 bit payload elements of the message */
+ paylSize_byte = (CMV_MSGHDR_PAYLOAD_SIZE_GET(pMailbox->mbCmv.cmv)) << CMV_MSG_BIT_SIZE_16BIT;
+--- a/src/drv_mei_cpe_msg_process_ar9.c
++++ b/src/drv_mei_cpe_msg_process_ar9.c
+@@ -1385,7 +1385,7 @@ MEI_STATIC IFX_int32_t MEI_ModemNfcRead(
+ Return IFX/modem message
+ - index and length fields becomes part of the appl. payload
+ */
+- pSource = (unsigned char *)&pMailbox->mbCmv.cmv.header.index;
++ pSource = (unsigned char *)&pMailbox->mbCmv.cmv + offsetof(CMV_STD_MESSAGE_T, header.index);
+
+ /* size field contains number of 16 bit payload elements of the message */
+ paylSize_byte = (CMV_MSGHDR_PAYLOAD_SIZE_GET(pMailbox->mbCmv.cmv)) << CMV_MSG_BIT_SIZE_16BIT;
diff --git a/package/kernel/lantiq/ltq-vdsl-vr9-mei/patches/401-use-unsafe_memcpy-for-intentional-field-spanning-write.patch b/package/kernel/lantiq/ltq-vdsl-vr9-mei/patches/401-use-unsafe_memcpy-for-intentional-field-spanning-write.patch
deleted file mode 100644
index 1542ace44f8a..000000000000
--- a/package/kernel/lantiq/ltq-vdsl-vr9-mei/patches/401-use-unsafe_memcpy-for-intentional-field-spanning-write.patch
+++ /dev/null
@@ -1,15 +0,0 @@
---- a/src/drv_mei_cpe_msg_process.c
-+++ b/src/drv_mei_cpe_msg_process.c
-@@ -3524,7 +3524,12 @@ IFX_int32_t MEI_IoctlCmdMsgWrite(
- {
- if (bInternCall)
- {
-+#if (LINUX_VERSION_CODE < KERNEL_VERSION(5,19,0))
- memcpy(pDestPtr, pUserMsg->pPayload, pUserMsg->paylSize_byte);
-+#else
-+ unsafe_memcpy(pDestPtr, pUserMsg->pPayload, pUserMsg->paylSize_byte,
-+ /* field-spanning writing is used here intentionally */);
-+#endif
- }
- else
- {
--
2.48.1
More information about the openwrt-devel
mailing list