* [PATCH 5.10/5.15/6.1 0/1] wifi: ath10k: Check return value of ath10k_get_arvif() in ath10k_wmi_event_tdls_peer()
@ 2024-10-29 12:59 Dmitry Kandybka
2024-10-29 12:59 ` [PATCH 5.10/5.15/6.1 1/1] " Dmitry Kandybka
0 siblings, 1 reply; 2+ messages in thread
From: Dmitry Kandybka @ 2024-10-29 12:59 UTC (permalink / raw)
To: stable, Greg Kroah-Hartman
Cc: Dmitry Kandybka, Kalle Valo, Jeff Johnson, ath10k, linux-wireless,
linux-kernel, lvc-project
SVACE reports a potential NULL pointer dereference in 5.10, 5.15 and 6.1
stable releases since the commit 4c9f8d114660 ("ath10k: enable TDLS
peer inactivity detection") that caused this report was appeared.
The problem has been fixed by the following upstream patch that was adapted
to 5.10, 5.15 and 6.1. All of the changes made to the patch in order to adapt it
are described at the end of commit message.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Peter Kosyh (1):
wifi: ath10k: Check return value of ath10k_get_arvif() in ath10k_wmi_event_tdls_peer()
drivers/net/wireless/ath/ath10k/wmi-tlv.c | 7 +++++++
1 file changed, 7 insertions(+)
--
2.43.5
^ permalink raw reply [flat|nested] 2+ messages in thread
* [PATCH 5.10/5.15/6.1 1/1] wifi: ath10k: Check return value of ath10k_get_arvif() in ath10k_wmi_event_tdls_peer()
2024-10-29 12:59 [PATCH 5.10/5.15/6.1 0/1] wifi: ath10k: Check return value of ath10k_get_arvif() in ath10k_wmi_event_tdls_peer() Dmitry Kandybka
@ 2024-10-29 12:59 ` Dmitry Kandybka
0 siblings, 0 replies; 2+ messages in thread
From: Dmitry Kandybka @ 2024-10-29 12:59 UTC (permalink / raw)
To: stable, Greg Kroah-Hartman
Cc: Dmitry Kandybka, Kalle Valo, Jeff Johnson, ath10k, linux-wireless,
linux-kernel, lvc-project, Peter Kosyh, Kalle Valo
From: Peter Kosyh <pkosyh@yandex.ru>
commit 473118917cc33b98510880458c724bd833653db6 upstream.
Return value of a function ath10k_get_arvif() is dereferenced without
checking for null in ath10k_wmi_event_tdls_peer(), but it is usually checked
for this function.
Make ath10k_wmi_event_tdls_peer() do check retval of ath10k_get_arvif().
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Peter Kosyh <pkosyh@yandex.ru>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20221003091217.322598-1-pkosyh@yandex.ru
Signed-off-by: Dmitry Kandybka <d.kandybka@gmail.com>
---
drivers/net/wireless/ath/ath10k/wmi-tlv.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/net/wireless/ath/ath10k/wmi-tlv.c b/drivers/net/wireless/ath/ath10k/wmi-tlv.c
index 0eeb74245372..72da02fc68ea 100644
--- a/drivers/net/wireless/ath/ath10k/wmi-tlv.c
+++ b/drivers/net/wireless/ath/ath10k/wmi-tlv.c
@@ -584,7 +584,14 @@ static void ath10k_wmi_event_tdls_peer(struct ath10k *ar, struct sk_buff *skb)
ath10k_warn(ar, "did not find station from tdls peer event");
goto exit;
}
+
arvif = ath10k_get_arvif(ar, __le32_to_cpu(ev->vdev_id));
+ if (!arvif) {
+ ath10k_warn(ar, "no vif for vdev_id %d found",
+ __le32_to_cpu(ev->vdev_id));
+ goto exit;
+ }
+
ieee80211_tdls_oper_request(
arvif->vif, station->addr,
NL80211_TDLS_TEARDOWN,
--
2.43.5
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2024-10-29 13:30 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-10-29 12:59 [PATCH 5.10/5.15/6.1 0/1] wifi: ath10k: Check return value of ath10k_get_arvif() in ath10k_wmi_event_tdls_peer() Dmitry Kandybka
2024-10-29 12:59 ` [PATCH 5.10/5.15/6.1 1/1] " Dmitry Kandybka
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).