linux-wireless.vger.kernel.org archive mirror
From: Lorenzo Bianconi <lorenzo@kernel.org>
To: Dan Carpenter <dan.carpenter@linaro.org>
Cc: Shayne Chen <shayne.chen@mediatek.com>,
	linux-wireless@vger.kernel.org,
	linux-mediatek@lists.infradead.org
Subject: Re: [bug report] wifi: mt76: Check link_conf pointer in mt76_connac_mcu_sta_basic_tlv()
Date: Fri, 21 Mar 2025 17:29:26 +0100
Message-ID: <Z92T5j1zmlvG2ssG@lore-desk>
In-Reply-To: <868e456f-10db-4b0c-bb29-76e3c0d03cc8@stanley.mountain>

> Hello Shayne Chen,
> 
> This is a semi-automatic email about new static checker warnings.
> 
> Commit 9890624c1b39 ("wifi: mt76: Check link_conf pointer in
> mt76_connac_mcu_sta_basic_tlv()") from Mar 11, 2025, leads to the
> following Smatch complaint:
> 
>     drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c:394 mt76_connac_mcu_sta_basic_tlv()
>     warn: variable dereferenced before check 'link_conf' (see line 376)
> 
> drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
>    375	{
>    376		struct ieee80211_vif *vif = link_conf->vif;
>                                             ^^^^^^^^^^^^^^

Reviewing the codebase, it seems to me it is safe to revert 9890624c1b39 since
link_conf is always non-NULL when running mt76_connac_mcu_sta_basic_tlv().
@Shayne Chen: agree?

Regards,
Lorenzo

> Dereferenced.
> 
>    377		struct sta_rec_basic *basic;
>    378		struct tlv *tlv;
>    379		int conn_type;
>    380	
>    381		tlv = mt76_connac_mcu_add_tlv(skb, STA_REC_BASIC, sizeof(*basic));
>    382	
>    383		basic = (struct sta_rec_basic *)tlv;
>    384		basic->extra_info = cpu_to_le16(EXTRA_INFO_VER);
>    385	
>    386		if (newly && conn_state != CONN_STATE_DISCONNECT)
>    387			basic->extra_info |= cpu_to_le16(EXTRA_INFO_NEW);
>    388		basic->conn_state = conn_state;
>    389	
>    390		if (!link_sta) {
>    391			basic->conn_type = cpu_to_le32(CONNECTION_INFRA_BC);
>    392	
>    393			if (vif->type == NL80211_IFTYPE_STATION &&
>    394			    link_conf && !is_zero_ether_addr(link_conf->bssid)) {
>                             ^^^^^^^^^
> The patch adds a NULL dereference but it's too late.
> 
>    395				memcpy(basic->peer_addr, link_conf->bssid, ETH_ALEN);
>    396				basic->aid = cpu_to_le16(vif->cfg.aid);
> 
> regards,
> dan carpenter
> 
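
The two self-consistent ways to resolve a "dereferenced before check" warning like the one discussed in this thread, as an added C example (not the mt76 driver's code and not from either author): a caller-guaranteed non-NULL function with no check at all, and a boundary wrapper that tests the pointer before anything dereferences it. The structs, function names and sample values are hypothetical, simplified stand-ins.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define ETH_ALEN 6

/* Hypothetical, simplified stand-ins for the kernel structures. */
struct vif { int is_station; uint16_t aid; };
struct link_conf { struct vif *vif; uint8_t bssid[ETH_ALEN]; };
struct basic { uint8_t peer_addr[ETH_ALEN]; uint16_t aid; };

/* Constructed sample data. */
static struct vif sample_vif = { 1, 5 };
static struct link_conf sample_lc = { &sample_vif, { 2, 0, 0, 0, 0, 1 } };
static struct link_conf zero_lc = { &sample_vif, { 0 } };
static struct basic out;

static int is_zero_addr(const uint8_t *a)
{
	static const uint8_t zero[ETH_ALEN];
	return memcmp(a, zero, ETH_ALEN) == 0;
}

/* Option B: every caller guarantees non-NULL, so no check appears at all.
 * Returns 1 when no peer address applies, 0 when it was filled in. */
static int fill_basic_nonnull(struct basic *b, const struct link_conf *lc)
{
	const struct vif *vif = lc->vif;	/* safe only under that contract */

	if (!vif->is_station || is_zero_addr(lc->bssid))
		return 1;
	memcpy(b->peer_addr, lc->bssid, ETH_ALEN);
	b->aid = vif->aid;
	return 0;
}

/* Option A: NULL is possible, so test it before the first dereference.
 * Returns -1 for NULL, otherwise the result of the non-NULL path. */
static int fill_basic_checked(struct basic *b, const struct link_conf *lc)
{
	if (!lc)
		return -1;
	return fill_basic_nonnull(b, lc);
}

int main(void)
{
	return fill_basic_checked(&out, NULL) == -1 &&
	       fill_basic_nonnull(&out, &sample_lc) == 0 ? 0 : 1;
}
```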

Thread overview: 4+ messages
2025-03-21 14:33 [bug report] wifi: mt76: Check link_conf pointer in mt76_connac_mcu_sta_basic_tlv() Dan Carpenter
2025-03-21 16:29 ` Lorenzo Bianconi [this message]
2025-03-24  2:07   ` Shayne Chen
2025-03-25 13:44     ` Lorenzo Bianconi
