From: Dan Carpenter <dan.carpenter@oracle.com>
To: Amitkumar Karwar <amitkarwar@gmail.com>,
Ganapathi Bhat <ganapathi.bhat@nxp.com>
Cc: linux-wireless@vger.kernel.org
Subject: [bug report] wireless: mwifiex: initial commit for Marvell mwifiex driver
Date: Tue, 17 Mar 2020 12:18:37 +0300 [thread overview]
Message-ID: <20200317091837.GA18001@mwanda> (raw)
[ This is old, but maybe the driver is still really actively maintained
so maybe someone knows the answer. - dan ]
Hello Marvell Developers,
The patch 5e6e3a92b9a4: "wireless: mwifiex: initial commit for
Marvell mwifiex driver" from Mar 21, 2011, leads to the following
static checker warning:
drivers/net/wireless/marvell/mwifiex/11n.c:505 mwifiex_11n_delete_tx_ba_stream_tbl_entry()
error: we previously assumed 'tx_ba_tsr_tbl' could be null (see line 498)
drivers/net/wireless/marvell/mwifiex/11n.c
472 /*
473 * This function checks if the given pointer is valid entry of
474 * Tx BA Stream table.
475 */
476 static int mwifiex_is_tx_ba_stream_ptr_valid(struct mwifiex_private *priv,
477 struct mwifiex_tx_ba_stream_tbl *tx_tbl_ptr)
^^^^^^^^^^
This is always NULL.
478 {
479 struct mwifiex_tx_ba_stream_tbl *tx_ba_tsr_tbl;
480
481 list_for_each_entry(tx_ba_tsr_tbl, &priv->tx_ba_stream_tbl_ptr, list) {
482 if (tx_ba_tsr_tbl == tx_tbl_ptr)
^^^^^^^^^^^^^
tx_ba_tsr_tbl is the list iterator, which is never NULL so this will
never return true.
483 return true;
484 }
485
486 return false;
487 }
488
489 /*
490 * This function deletes the given entry in Tx BA Stream table.
491 *
492 * The function also performs a validity check on the supplied
493 * pointer before trying to delete.
494 */
495 void mwifiex_11n_delete_tx_ba_stream_tbl_entry(struct mwifiex_private *priv,
496 struct mwifiex_tx_ba_stream_tbl *tx_ba_tsr_tbl)
497 {
498 if (!tx_ba_tsr_tbl &&
^^^^^^^^^^^^^
Check for NULL
499 mwifiex_is_tx_ba_stream_ptr_valid(priv, tx_ba_tsr_tbl))
^^^^^^^^^^^^^
Which is passed to here. So maybe the NULL check is reversed?
500 return;
501
502 mwifiex_dbg(priv->adapter, INFO,
503 "info: tx_ba_tsr_tbl %p\n", tx_ba_tsr_tbl);
504
505 list_del(&tx_ba_tsr_tbl->list);
^^^^^^^^^^^^^^^^^^^
Unchecked NULL dereference
506
507 kfree(tx_ba_tsr_tbl);
508 }
regards,
dan carpenter
next reply other threads:[~2020-03-17 9:18 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-17 9:18 Dan Carpenter [this message]
2020-03-17 17:33 ` [bug report] wireless: mwifiex: initial commit for Marvell mwifiex driver Brian Norris
2020-03-18 14:25 ` [EXT] " Ganapathi Bhat
2020-03-18 22:29 ` Brian Norris
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200317091837.GA18001@mwanda \
--to=dan.carpenter@oracle.com \
--cc=amitkarwar@gmail.com \
--cc=ganapathi.bhat@nxp.com \
--cc=linux-wireless@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.