From: "Toke Høiland-Jørgensen" <toke@toke.dk>
To: Dongliang Mu <dzm91@hust.edu.cn>, Kalle Valo <kvalo@kernel.org>,
	Sujith Manoharan <c_manoha@qca.qualcomm.com>,
	"John W. Linville" <linville@tuxdriver.com>
Cc: hust-os-kernel-patches@googlegroups.com,
	Dongliang Mu <dzm91@hust.edu.cn>,
	linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] ath9k: fix null-ptr-deref in ath_chanctx_event
Date: Fri, 01 Sep 2023 12:41:33 +0200
Message-ID: <87y1hqtbtu.fsf@toke.dk>
In-Reply-To: <20230901080701.1705649-1-dzm91@hust.edu.cn>

Dongliang Mu <dzm91@hust.edu.cn> writes:

> Smatch reports:
>
> ath_chanctx_event() error: we previously assumed 'vif' could be null
>
> The function ath_chanctx_event can be called with vif argument as NULL.
> If vif is NULL, ath_dbg can trigger a null pointer dereference.
>
> Fix this by adding a null pointer check.
>
> Fixes: 878066e745b5 ("ath9k: Add more debug statements for channel context")
> Signed-off-by: Dongliang Mu <dzm91@hust.edu.cn>
> ---
>  drivers/net/wireless/ath/ath9k/channel.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/net/wireless/ath/ath9k/channel.c b/drivers/net/wireless/ath/ath9k/channel.c
> index 571062f2e82a..e343c8962d14 100644
> --- a/drivers/net/wireless/ath/ath9k/channel.c
> +++ b/drivers/net/wireless/ath/ath9k/channel.c
> @@ -576,7 +576,9 @@ void ath_chanctx_event(struct ath_softc *sc, struct ieee80211_vif *vif,
>  		if (sc->sched.state != ATH_CHANCTX_STATE_WAIT_FOR_BEACON)
>  			break;
>  
> -		ath_dbg(common, CHAN_CTX, "Preparing beacon for vif: %pM\n", vif->addr);
> +		if (vif)
> +			ath_dbg(common, CHAN_CTX,
> +				"Preparing beacon for vif: %pM\n", vif->addr);
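
Review bot: the `if (vif)` guard on the `ath_dbg()` call protects only the debug print, and nothing in the hunk shows that `vif` can actually be NULL once this case has passed the `ATH_CHANCTX_STATE_WAIT_FOR_BEACON` check. If a caller can pass NULL for this event, the check belongs at the top of the case so that every later use of `vif` in the branch is covered, not just `vif->addr` in the format arguments. If no caller can, the guard is dead code and the Fixes: tag presents a static-checker warning as a confirmed bug. The commit message should name the call path that reaches this line with a NULL `vif`.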

Please don't send patches for static checker errors without actually
checking if there is a valid bug. Which there isn't in this case.

Specifically, that branch of the switch statement dereferences the avp
pointer, which will be NULL if 'vif' is. Meaning we will have crashed
way before reaching this statement if vif is indeed NULL.

-Toke

Thread overview: 7+ messages
2023-09-01  8:07 [PATCH] ath9k: fix null-ptr-deref in ath_chanctx_event Dongliang Mu
2023-09-01 10:41 ` Toke Høiland-Jørgensen [this message]
2023-09-01 10:59   ` Dongliang Mu
2023-09-01 11:16     ` Toke Høiland-Jørgensen
2023-09-01 11:21       ` Dongliang Mu
2023-09-01 12:24         ` Toke Høiland-Jørgensen
2023-09-07 11:02       ` Dan Carpenter
