From: Shayne Chen <shayne.chen@mediatek.com>
To: Lorenzo Bianconi <lorenzo@kernel.org>, Dan Carpenter <dan.carpenter@linaro.org>
Cc: <linux-wireless@vger.kernel.org>, <linux-mediatek@lists.infradead.org>
Subject: Re: [bug report] wifi: mt76: Check link_conf pointer in mt76_connac_mcu_sta_basic_tlv()
Date: Mon, 24 Mar 2025 10:07:24 +0800
Message-ID: <960af30b800baf02d51333a5bf52de93d2966e2a.camel@mediatek.com>
In-Reply-To: <Z92T5j1zmlvG2ssG@lore-desk>
On Fri, 2025-03-21 at 17:29 +0100, Lorenzo Bianconi wrote:
> > Hello Shayne Chen,
> >
> > This is a semi-automatic email about new static checker warnings.
> >
> > Commit 9890624c1b39 ("wifi: mt76: Check link_conf pointer in
> > mt76_connac_mcu_sta_basic_tlv()") from Mar 11, 2025, leads to the
> > following Smatch complaint:
> >
> > drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c:394 mt76_connac_mcu_sta_basic_tlv() warn: variable dereferenced before check 'link_conf' (see line 376)
> >
> > drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
> > 375 {
> > 376 struct ieee80211_vif *vif = link_conf->vif;
> > ^^^^^^^^^^^^^^
>
> Reviewing the codebase, it seems to me it is safe to revert 9890624c1b39,
> since link_conf is always not NULL running mt76_connac_mcu_sta_basic_tlv().
> @Shayne Chen: agree?
>
link_conf won't be NULL in this function at the moment, but it could be
NULL after adding "MLO reconfiguration" support. So in our internal
tree, we directly pass struct ieee80211_vif to this function.
Both methods are fine with me; what do you think?

Regards,
Shayne
> Regards,
> Lorenzo
>
> > Dereferenced.
> >
> > 377 struct sta_rec_basic *basic;
> > 378 struct tlv *tlv;
> > 379 int conn_type;
> > 380
> > 381 tlv = mt76_connac_mcu_add_tlv(skb, STA_REC_BASIC, sizeof(*basic));
> > 382
> > 383 basic = (struct sta_rec_basic *)tlv;
> > 384 basic->extra_info = cpu_to_le16(EXTRA_INFO_VER);
> > 385
> > 386 if (newly && conn_state != CONN_STATE_DISCONNECT)
> > 387 basic->extra_info |= cpu_to_le16(EXTRA_INFO_NEW);
> > 388 basic->conn_state = conn_state;
> > 389
> > 390 if (!link_sta) {
> > 391 basic->conn_type = cpu_to_le32(CONNECTION_INFRA_BC);
> > 392
> > 393 if (vif->type == NL80211_IFTYPE_STATION &&
> > 394 link_conf && !is_zero_ether_addr(link_conf->bssid)) {
> > ^^^^^^^^^
> > The patch adds a NULL dereference but it's too late.
> >
> > 395 memcpy(basic->peer_addr, link_conf->bssid, ETH_ALEN);
> > 396 basic->aid = cpu_to_le16(vif->cfg.aid);
> >
> > regards,
> > dan carpenter
> >
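Added example, not code from this thread or from the mt76 driver: a stand-alone C mock of the ordering problem Smatch flagged, shown with the two remedies the thread discusses, checking link_conf before anything is derived from it, and passing vif explicitly so the function never needs link_conf to reach it. All struct layouts, field names and constant values below are constructed placeholders.

```c
/* Constructed stand-alone mock of the mt76_connac_mcu_sta_basic_tlv() pattern;
 * struct layouts and constant values are placeholders, not the driver's. */
#include <stdint.h>
#include <string.h>
#define ETH_ALEN 6
#define NL80211_IFTYPE_STATION 2   /* placeholder value */
#define CONNECTION_INFRA_BC    1   /* placeholder value */
struct vif { int type; uint16_t aid; };
struct link_conf { struct vif *vif; uint8_t bssid[ETH_ALEN]; };
struct sta_rec_basic { uint32_t conn_type; uint8_t peer_addr[ETH_ALEN]; uint16_t aid; };

static int is_zero_ether_addr(const uint8_t *a) { static const uint8_t z[ETH_ALEN]; return !memcmp(a, z, ETH_ALEN); }

/* Fix A: test link_conf before anything is derived from it, so the
 * "dereferenced before check" ordering Smatch reported cannot occur. */
int fill_basic_checked(struct sta_rec_basic *b, const struct link_conf *lc)
{
    b->conn_type = CONNECTION_INFRA_BC;
    if (!lc)                        /* bail out before touching lc->vif */
        return 0;
    if (lc->vif->type == NL80211_IFTYPE_STATION && !is_zero_ether_addr(lc->bssid)) {
        memcpy(b->peer_addr, lc->bssid, ETH_ALEN);
        b->aid = lc->vif->aid;
        return 1;                   /* peer address and AID filled in */
    }
    return 0;
}

/* Fix B (the approach Shayne mentions): pass vif separately, so the
 * function never has to dereference link_conf to reach it. */
int fill_basic_vif(struct sta_rec_basic *b, const struct vif *vif, const struct link_conf *lc)
{
    b->conn_type = CONNECTION_INFRA_BC;
    if (vif->type == NL80211_IFTYPE_STATION && lc && !is_zero_ether_addr(lc->bssid)) {
        memcpy(b->peer_addr, lc->bssid, ETH_ALEN);
        b->aid = vif->aid;
        return 1;
    }
    return 0;
}

/* Exercise both fixes on constructed sample data; returns 1 when both behave. */
int demo_link_conf_handling(void)
{
    struct vif v = { NL80211_IFTYPE_STATION, 7 };
    struct link_conf lc = { &v, { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55 } };
    struct sta_rec_basic b = { 0 };
    int ok = fill_basic_checked(&b, NULL) == 0 && fill_basic_vif(&b, &v, NULL) == 0;
    ok = ok && fill_basic_checked(&b, &lc) == 1 && b.aid == 7;
    ok = ok && fill_basic_vif(&b, &v, &lc) == 1 && memcmp(b.peer_addr, lc.bssid, ETH_ALEN) == 0;
    return ok;
}
```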