From: Dan Carpenter <dan.carpenter@oracle.com>
To: Amitkumar Karwar <amitkarwar@gmail.com>,
Ganapathi Bhat <ganapathi.bhat@nxp.com>
Cc: linux-wireless@vger.kernel.org
Subject: [bug report] wireless: mwifiex: initial commit for Marvell mwifiex driver
Date: Tue, 17 Mar 2020 12:18:37 +0300 [thread overview]
Message-ID: <20200317091837.GA18001@mwanda> (raw)
[ This is old, but maybe the driver is still really actively maintained
so maybe someone knows the answer. - dan ]
Hello Marvell Developers,
The patch 5e6e3a92b9a4: "wireless: mwifiex: initial commit for
Marvell mwifiex driver" from Mar 21, 2011, leads to the following
static checker warning:
drivers/net/wireless/marvell/mwifiex/11n.c:505 mwifiex_11n_delete_tx_ba_stream_tbl_entry()
error: we previously assumed 'tx_ba_tsr_tbl' could be null (see line 498)
drivers/net/wireless/marvell/mwifiex/11n.c
472 /*
473 * This function checks if the given pointer is valid entry of
474 * Tx BA Stream table.
475 */
476 static int mwifiex_is_tx_ba_stream_ptr_valid(struct mwifiex_private *priv,
477 struct mwifiex_tx_ba_stream_tbl *tx_tbl_ptr)
^^^^^^^^^^
This is always NULL.
478 {
479 struct mwifiex_tx_ba_stream_tbl *tx_ba_tsr_tbl;
480
481 list_for_each_entry(tx_ba_tsr_tbl, &priv->tx_ba_stream_tbl_ptr, list) {
482 if (tx_ba_tsr_tbl == tx_tbl_ptr)
^^^^^^^^^^^^^
tx_ba_tsr_tbl is the list iterator, which is never NULL so this will
never return true.
483 return true;
484 }
485
486 return false;
487 }
488
489 /*
490 * This function deletes the given entry in Tx BA Stream table.
491 *
492 * The function also performs a validity check on the supplied
493 * pointer before trying to delete.
494 */
495 void mwifiex_11n_delete_tx_ba_stream_tbl_entry(struct mwifiex_private *priv,
496 struct mwifiex_tx_ba_stream_tbl *tx_ba_tsr_tbl)
497 {
498 if (!tx_ba_tsr_tbl &&
^^^^^^^^^^^^^
Check for NULL
499 mwifiex_is_tx_ba_stream_ptr_valid(priv, tx_ba_tsr_tbl))
^^^^^^^^^^^^^
Which is passed to here. So maybe the NULL check is reversed?
500 return;
501
502 mwifiex_dbg(priv->adapter, INFO,
503 "info: tx_ba_tsr_tbl %p\n", tx_ba_tsr_tbl);
504
505 list_del(&tx_ba_tsr_tbl->list);
^^^^^^^^^^^^^^^^^^^
Unchecked NULL dereference
506
507 kfree(tx_ba_tsr_tbl);
508 }
regards,
dan carpenter
next reply other threads:[~2020-03-17 9:18 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-17 9:18 Dan Carpenter [this message]
2020-03-17 17:33 ` [bug report] wireless: mwifiex: initial commit for Marvell mwifiex driver Brian Norris
2020-03-18 14:25 ` [EXT] " Ganapathi Bhat
2020-03-18 22:29 ` Brian Norris
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200317091837.GA18001@mwanda \
--to=dan.carpenter@oracle.com \
--cc=amitkarwar@gmail.com \
--cc=ganapathi.bhat@nxp.com \
--cc=linux-wireless@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox