From: Brian Norris <briannorris@chromium.org>
To: Sascha Hauer <s.hauer@pengutronix.de>
Cc: Kalle Valo <kvalo@kernel.org>,
linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org,
David Lin <yu-hao.lin@nxp.com>,
Francesco Dolcini <francesco@dolcini.it>
Subject: Re: [PATCH] [RFC] mwifiex: Fix NULL pointer deref
Date: Fri, 21 Jun 2024 15:50:42 -0700 [thread overview]
Message-ID: <ZnYDwjS293Cb8O1f@google.com> (raw)
In-Reply-To: <ZnVCzx3-pvbcYQLm@pengutronix.de>
On Fri, Jun 21, 2024 at 11:07:27AM +0200, Sascha Hauer wrote:
> I am running plain wpa_supplicant -i mlan0 with this config:
>
> network={
> ssid="somessid"
> mode=2
> frequency=2412
> key_mgmt=WPA-PSK WPA-PSK-SHA256
> proto=RSN
> group=CCMP
> pairwise=CCMP
> psk="12345678"
> }
>
> wait for the AP to be established, <ctrl-c> wpa_supplicant and start it
> again.
Thanks. I still can't reproduce, but that's OK. From your fuller
description now, it seems it depends on the particulars of the bss
indices in use, and maybe my device/firmware is behaving differently.
Anyway, your current description and patch below make a lot more sense.
> It doesn't seem to be a locking problem, see the patch below which fixes
> my problem.
Sure. It's probably harder to trigger real issues out of some of these
kinds of race conditions, and the logical problem below sounds a lot
more likely.
> At some point during incoming events the correct adapter->priv[]
> is selected based on bss_num and bss_type. when adapter->priv[0] is used
> for AP mode then an incoming event with type MWIFIEX_BSS_TYPE_STA leads
> to adapter->priv[1] being picked which is unused and doesn't have a
> wiphy attached to it.
Ack, that makes a lot of sense -- although I think it also implies
either you're getting some kind of corrupt event buffer from your device
too, or there's something else logically weird with your firmware when
you're receiving MWIFIEX_BSS_TYPE_STA events for a *_AP interface. (Or
maybe that's also racy, as you're changing the virtual interface from
STA to AP? Not sure.)
It also highlights that I find this fallback code from
mwifiex_process_event() weird:
/* Get BSS number and corresponding priv */
priv = mwifiex_get_priv_by_id(adapter, EVENT_GET_BSS_NUM(eventcause),
EVENT_GET_BSS_TYPE(eventcause));
if (!priv)
priv = mwifiex_get_priv(adapter, MWIFIEX_BSS_ROLE_ANY);
^^ // if we didn't match the right BSS/event
// metadata, we'll deliver the event to an
// arbitrary interface?
But I don't think that's your problem. And at least so far, I don't
think the AP and STA event IDs collide in any way, so I don't think
we're likely to end up misbehaving even if something is misdelievered.
>
> -------------------------8<----------------------------
>
> From 3357963821294ff7de26259a154a1cb5bab760cb Mon Sep 17 00:00:00 2001
> From: Sascha Hauer <s.hauer@pengutronix.de>
> Date: Tue, 18 Jun 2024 12:20:20 +0200
> Subject: [PATCH] mwifiex: Do not return unused priv in
> mwifiex_get_priv_by_id()
>
> mwifiex_get_priv_by_id() returns the priv pointer corresponding to the
> bss_num and bss_type, but without checking if the priv is actually
> currently in use.
> Unused priv pointers do not have a wiphy attached to them which can lead
> to NULL pointer dereferences further down the callstack.
> Fix this by returning only used priv pointers which have priv->bss_mode
> set to something else than NL80211_IFTYPE_UNSPECIFIED.
>
> Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
> ---
> drivers/net/wireless/marvell/mwifiex/main.h | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/net/wireless/marvell/mwifiex/main.h b/drivers/net/wireless/marvell/mwifiex/main.h
> index 175882485a195..c5164ae41b547 100644
> --- a/drivers/net/wireless/marvell/mwifiex/main.h
> +++ b/drivers/net/wireless/marvell/mwifiex/main.h
> @@ -1287,6 +1287,9 @@ mwifiex_get_priv_by_id(struct mwifiex_adapter *adapter,
>
> for (i = 0; i < adapter->priv_num; i++) {
> if (adapter->priv[i]) {
> + if (adapter->priv[i]->bss_mode == NL80211_IFTYPE_UNSPECIFIED)
> + continue;
> +
> if ((adapter->priv[i]->bss_num == bss_num) &&
> (adapter->priv[i]->bss_type == bss_type))
> break;
Acked-by: Brian Norris <briannorris@chromium.org>
Something about this formatting didn't get properly picked up by
patchwork though, so you'll need to resubmit. Feel free to carry the
above tag with it.
Brian
next prev parent reply other threads:[~2024-06-21 22:50 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-06-19 7:08 [PATCH] [RFC] mwifiex: Fix NULL pointer deref Sascha Hauer
2024-06-19 8:05 ` Kalle Valo
2024-06-20 19:48 ` Brian Norris
2024-06-21 9:07 ` Sascha Hauer
2024-06-21 22:50 ` Brian Norris [this message]
2024-06-24 11:07 ` Kalle Valo
2024-06-24 16:20 ` Francesco Dolcini
2024-07-02 13:32 ` Sascha Hauer
2024-07-02 20:36 ` Francesco Dolcini
2024-07-03 7:24 ` Sascha Hauer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZnYDwjS293Cb8O1f@google.com \
--to=briannorris@chromium.org \
--cc=francesco@dolcini.it \
--cc=kvalo@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=s.hauer@pengutronix.de \
--cc=yu-hao.lin@nxp.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).