Linux wireless drivers development
 help / color / mirror / Atom feed
From: Dan Carpenter <error27@gmail.com>
To: marcan@marcan.st
Cc: linux-wireless@vger.kernel.org, brcm80211-dev-list.pdl@broadcom.com
Subject: [bug report] wifi: brcmfmac: cfg80211: Add support for scan params v2
Date: Fri, 10 Mar 2023 15:30:58 +0300	[thread overview]
Message-ID: <cfc9e588-67a4-4cba-a792-e8e032cc0498@kili.mountain> (raw)

Hello Hector Martin,

The patch 398ce273d6b1: "wifi: brcmfmac: cfg80211: Add support for
scan params v2" from Feb 14, 2023, leads to the following Smatch
static checker warning:

drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c:1459 brcmf_run_escan() error: potential null dereference 'params_v1'.  (kzalloc returns null)
drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c:4319 brcmf_pmksa_v3_op() error: potential null dereference 'pmk_op'.  (kzalloc returns null)

drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
    1451         params->version = cpu_to_le32(BRCMF_ESCAN_REQ_VERSION_V2);
    1452 
    1453         if (!brcmf_feat_is_enabled(ifp, BRCMF_FEAT_SCAN_V2)) {
    1454                 struct brcmf_escan_params_le *params_v1;
    1455 
    1456                 params_size -= BRCMF_SCAN_PARAMS_V2_FIXED_SIZE;
    1457                 params_size += BRCMF_SCAN_PARAMS_FIXED_SIZE;
    1458                 params_v1 = kzalloc(params_size, GFP_KERNEL);

kzalloc() needs a check for failure.

--> 1459                 params_v1->version = cpu_to_le32(BRCMF_ESCAN_REQ_VERSION);
    1460                 brcmf_scan_params_v2_to_v1(&params->params_v2_le, &params_v1->params_le);
    1461                 kfree(params);
    1462                 params = params_v1;
    1463         }
    1464 
    1465         params->action = cpu_to_le16(WL_ESCAN_ACTION_START);
    1466         params->sync_id = cpu_to_le16(0x1234);
    1467 
    1468         err = brcmf_fil_iovar_data_set(ifp, "escan", params, params_size);
    1469         if (err) {
    1470                 if (err == -EBUSY)
    1471                         brcmf_dbg(INFO, "system busy : escan canceled\n");
    1472                 else
    1473                         bphy_err(drvr, "error (%d)\n", err);
    1474         }
    1475 
    1476         kfree(params);
    1477 exit:
    1478         return err;
    1479 }

regards,
dan carpenter

                 reply	other threads:[~2023-03-10 12:31 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=cfc9e588-67a4-4cba-a792-e8e032cc0498@kili.mountain \
    --to=error27@gmail.com \
    --cc=brcm80211-dev-list.pdl@broadcom.com \
    --cc=linux-wireless@vger.kernel.org \
    --cc=marcan@marcan.st \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox