memcpy: detected field-spanning write (size 101) of single field "ext_scan->tlv_buffer" at drivers/net/wireless/marvell/mwifiex/scan.c:2251 (size 1)

From: Ahelenia Ziemiańska
Date: Fri Jan 26 2024 - 14:55:57 EST


Hi!

I have a Google Hana (mt8173-elm-hana.dts) laptop with Wi-Fi provided by
the mmc@11260000/mwifiex@1 device ("marvell,sd8897").

On 6.6.11 in the dmesg I see
[ 41.314595] ------------[ cut here ]------------
[ 41.314634] memcpy: detected field-spanning write (size 101) of single field "ext_scan->tlv_buffer" at drivers/net/wireless/marvell/mwifiex/scan.c:2251 (size 1)
[ 41.314739] WARNING: CPU: 1 PID: 298 at drivers/net/wireless/marvell/mwifiex/scan.c:2251 mwifiex_cmd_802_11_scan_ext+0xa8/0xb8 [mwifiex]
[ 41.314802] Modules linked in: uvcvideo uvc videobuf2_vmalloc xhci_mtk_hcd xhci_hcd hid_multitouch joydev sbs_battery snd_soc_hdmi_codec btmrvl_sdio evdev btmrvl crct10dif_ce bluetooth polyval_ce mwifiex_sdio polyval_generic sha2_ce sha256_arm64 mwifiex sha1_ce arm_smc_wdt mt8173_rt5650 ecdh_generic mt8173_afe_pcm snd_soc_rt5645 snd_soc_mtk_common snd_soc_rl6231 snd_soc_core snd_pcm_dmaengine snd_pcm snd_timer mtu3 snd ofpart udc_core spi_nor i2c_hid_of soundcore i2c_hid elan_i2c elants_i2c melfas_mip4 da9211_regulator mt6577_auxadc spi_mt65xx gpio_keys ghash_generic ghash_ce gf128mul gcm aes_ce_ccm algif_aead crypto_null des_generic libdes ecb algif_skcipher aes_neon_blk aes_ce_blk aes_ce_cipher md4 cfg80211 algif_hash af_alg rfkill binfmt_misc pkcs8_key_parser dm_mod loop efi_pstore dax configfs nfnetlink ip_tables x_tables autofs4
[ 41.315059] CPU: 1 PID: 298 Comm: iwd Not tainted 6.6.11 #75
[ 41.315072] Hardware name: Google Hana (DT)
[ 41.315082] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 41.315096] pc : mwifiex_cmd_802_11_scan_ext+0xa8/0xb8 [mwifiex]
[ 41.315132] lr : mwifiex_cmd_802_11_scan_ext+0xa4/0xb8 [mwifiex]
[ 41.315169] sp : ffff800082e43620
[ 41.315177] x29: ffff800082e43620 x28: 0000000000000000 x27: 0000000000000000
[ 41.315196] x26: 0000000000000107 x25: 0000000000000001 x24: 0000000000000000
[ 41.315213] x23: ffff0000cb4d3400 x22: ffff0000cb694000 x21: 0000000000000065
[ 41.315230] x20: ffff0000cbc6e3c0 x19: ffff0000cb4d3400 x18: ffff80008154d871
[ 41.315248] x17: 0000000000000001 x16: ffffffffffffffff x15: 0000000000000004
[ 41.315265] x14: ffff800081f1eee8 x13: 0000000000000003 x12: 0000000000000003
[ 41.315283] x11: 0000000000000000 x10: 0000000000000027 x9 : bd143d0859bfb200
[ 41.315300] x8 : bd143d0859bfb200 x7 : 205d343336343133 x6 : 332e31342020205b
[ 41.315318] x5 : ffff80008215d2ff x4 : ffff800082e431d7 x3 : 0000000000000000
[ 41.315335] x2 : 0000000000000065 x1 : ffff800082e433d0 x0 : 0000000000000094
[ 41.315353] Call trace:
[ 41.315362] mwifiex_cmd_802_11_scan_ext+0xa8/0xb8 [mwifiex]
[ 41.315399] mwifiex_sta_prepare_cmd+0x774/0x848 [mwifiex]
[ 41.315435] mwifiex_send_cmd+0x28c/0x300 [mwifiex]
[ 41.315470] mwifiex_scan_channel_list+0x294/0x348 [mwifiex]
[ 41.315506] mwifiex_scan_networks+0x1a4/0x3b8 [mwifiex]
[ 41.315541] mwifiex_cfg80211_scan+0x37c/0x850 [mwifiex]
[ 41.315577] cfg80211_scan+0x48/0x2d0 [cfg80211]
[ 41.315734] nl80211_trigger_scan+0x728/0x788 [cfg80211]
[ 41.315836] genl_family_rcv_msg_doit+0xc4/0x128
[ 41.315855] genl_rcv_msg+0x214/0x228
[ 41.315868] netlink_rcv_skb+0x128/0x148
[ 41.315881] genl_rcv+0x40/0x60
[ 41.315893] netlink_unicast+0x24c/0x400
[ 41.315905] netlink_sendmsg+0x2d8/0x3d8
[ 41.315917] __sys_sendto+0x16c/0x1f8
[ 41.315931] __arm64_sys_sendto+0x34/0x50
[ 41.315944] invoke_syscall+0x78/0x108
[ 41.315959] el0_svc_common+0x8c/0xf0
[ 41.315972] do_el0_svc+0x28/0x40
[ 41.315984] el0_svc+0x40/0xc8
[ 41.315997] el0t_64_sync_handler+0x90/0x100
[ 41.316009] el0t_64_sync+0x190/0x198
[ 41.316021] ---[ end trace 0000000000000000 ]---

(With the line unchanged in ecb1b8288dc7ccbdcb3b9df005fa1c0e0c0388a7.)

I don't really know what the relevancy or meaning of this is,
but one has to assume a WARNING with a backtrace is never good,
so forwarding.

Best,

Attachment: signature.asc
Description: PGP signature
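The warning above is the kernel's FORTIFY_SOURCE bounds check: memcpy() was asked to write 101 bytes into a struct member whose declared size is 1 byte, the usual sign of a one-element trailing array being used as a variable-length tail. The check compares against the declared member size, not the allocation, so it fires even when the surrounding command buffer is large enough; declaring the tail as a true flexible array member is what tells the compiler the field is open-ended. The following is an added, user-space C illustration of that distinction and is not the mwifiex driver's code: the `ext_scan_legacy` and `ext_scan_flex` layouts, the 4-byte TLV header format and the sample TLV payload are hypothetical stand-ins chosen only so that the copy comes out at 101 bytes, the size in the report.

```c
/* Added example (not driver code): why a fortified memcpy flags a copy into a
 * one-element trailing array, and the flexible-array form plus runtime checks
 * that keep the same copy honest. Struct layouts and TLV format are hypothetical. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical "before" layout: a 1-byte array used as a variable-length tail.
 * sizeof(tlv_buffer) is 1, so any copy longer than 1 byte is "field-spanning". */
struct ext_scan_legacy {
    uint8_t reserved;
    uint8_t tlv_buffer[1];
};

/* Hypothetical "after" layout: a flexible array member. Its size is not a
 * compile-time constant, so the bounds check can only use the allocation. */
struct ext_scan_flex {
    uint8_t reserved;
    uint8_t tlv_buffer[];
};

/* What the compiler-side check evaluates for the legacy layout: does a copy of
 * `len` bytes stay inside the declared member? Returns 1 if it fits, else 0. */
int fits_declared_field(size_t len)
{
    return len <= sizeof(((struct ext_scan_legacy *)0)->tlv_buffer);
}

/* Constructed sample: two TLVs (hypothetical 4-byte header: u16 type, u16 len,
 * both little-endian) whose encoded total is 4 + 40 + 4 + 53 = 101 bytes.
 * Returns bytes written, or 0 if `cap` is too small. */
size_t sample_tlvs(uint8_t *dst, size_t cap)
{
    const uint16_t lens[2] = { 40, 53 };
    size_t off = 0;
    for (int i = 0; i < 2; i++) {
        if (cap - off < 4u + lens[i] || off > cap) return 0;
        dst[off++] = (uint8_t)(i + 1); dst[off++] = 0;   /* type  */
        dst[off++] = (uint8_t)lens[i]; dst[off++] = 0;   /* length */
        memset(dst + off, 0xA5, lens[i]);                 /* value  */
        off += lens[i];
    }
    return off;
}

/* Allocates the command with `cap` bytes of tail and copies `tlv_len` bytes of
 * TLVs into the flexible array. The explicit tlv_len <= cap test is the runtime
 * bound that a flexible array member no longer gets from the compiler.
 * Returns bytes copied, or 0 on overlong input or allocation failure. */
size_t build_ext_scan(const uint8_t *tlv, size_t tlv_len, size_t cap,
                      struct ext_scan_flex **out)
{
    if (tlv_len > cap) return 0;
    struct ext_scan_flex *cmd = calloc(1, sizeof(*cmd) + cap);
    if (!cmd) return 0;
    memcpy(cmd->tlv_buffer, tlv, tlv_len);   /* destination sized by `cap`, not by sizeof */
    *out = cmd;
    return tlv_len;
}

/* Walks a TLV sequence of `len` bytes, refusing a header or value that would run
 * past the end. Returns the number of well-formed TLVs, or -1 on a malformed one. */
int walk_tlvs(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int n = 0;
    while (off < len) {
        if (len - off < 4) return -1;
        uint16_t l = (uint16_t)(buf[off + 2] | (buf[off + 3] << 8));
        if (l > len - off - 4) return -1;
        off += 4 + l;
        n++;
    }
    return n;
}

int main(void)
{
    uint8_t tlv[128];
    size_t n = sample_tlvs(tlv, sizeof tlv);
    printf("sample TLV bytes: %zu, fits 1-byte field: %d\n", n, fits_declared_field(n));
    struct ext_scan_flex *cmd = NULL;
    size_t copied = build_ext_scan(tlv, n, sizeof tlv, &cmd);
    printf("copied %zu bytes, well-formed TLVs: %d\n", copied, walk_tlvs(cmd->tlv_buffer, copied));
    free(cmd);
    return 0;
}
```

The point of `walk_tlvs` and the `tlv_len > cap` test is that moving from `tlv_buffer[1]` to `tlv_buffer[]` silences the diagnostic by removing the declared size, not by adding a bound; whatever length the firmware command path accepts has to be checked against the allocation by the code itself.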