public inbox for netdev@vger.kernel.org
* [BUG] Potential Null Pointer Dereference in ieee80211_process_neg_ttlm_req Function
@ 2026-02-14 13:02 冯嘉仪
  2026-02-16  9:53 ` Johannes Berg
  0 siblings, 1 reply; 2+ messages in thread
From: 冯嘉仪 @ 2026-02-14 13:02 UTC (permalink / raw)
  To: johannes
  Cc: davem, edumazet, kuba, pabeni, linux-wireless, netdev,
	linux-kernel

Dear Maintainer,

Our team recently developed a null-pointer-dereference (NPD) vulnerability detection tool, and we used it to scan the Linux Kernel (version 6.9.6). After manual review, we identified a potentially vulnerable code snippet that could lead to a null-pointer dereference bug. We would appreciate your expert insight to confirm whether this vulnerability could indeed pose a risk to the system.

Vulnerability Description:
File:  net/mac80211/mlme.c
In the function ieee80211_process_neg_ttlm_req, we found the following line of code:

BUILD_BUG_ON(ARRAY_SIZE(direction) != ARRAY_SIZE(elems->ttlm));

The issue arises because the elems pointer may be passed as NULL in certain situations. Since elems is NULL, accessing elems->ttlm in the statement could result in a null-pointer dereference.

Proposed Fix:
To prevent the potential null-pointer dereference, we suggest adding a NULL check for the elems pointer before attempting to dereference elems->ttlm in the line.

Request for Review:
We would appreciate your expert insight to confirm whether this vulnerability indeed poses a risk to the system, and if the proposed fix is appropriate. If there are reasons why this issue does not present a real risk (e.g., the NULL check is redundant or unnecessary), we would be grateful for clarification.

Thank you for your time and consideration.


* Re: [BUG] Potential Null Pointer Dereference in ieee80211_process_neg_ttlm_req Function
  2026-02-14 13:02 [BUG] Potential Null Pointer Dereference in ieee80211_process_neg_ttlm_req Function 冯嘉仪
@ 2026-02-16  9:53 ` Johannes Berg
  0 siblings, 0 replies; 2+ messages in thread
From: Johannes Berg @ 2026-02-16  9:53 UTC (permalink / raw)
  To: 冯嘉仪
  Cc: davem, edumazet, kuba, pabeni, linux-wireless, netdev,
	linux-kernel

Hi,

> Our team recently developed a null-pointer-dereference (NPD) vulnerability detection tool

OK, so you decided to write a new tool. Good for you, but keep in mind
that you need to compete with very well-known tools already.

> After manual review,

(and you have:)

> BUILD_BUG_ON(ARRAY_SIZE(direction) != ARRAY_SIZE(elems->ttlm));

So you're either lying, or decided to task someone with this who doesn't
understand C; even state-of-the-art LLMs would do better. State-of-the-art
tools (LLMs and not LLMs like Coverity) will also give you a
scenario of how the purported bug can actually happen.

I get that you need human feedback to improve your system, but you've
also apparently decided that it's too expensive / too much work / too
hard to really do this review, and you want the Linux community to do it
for you instead. That's cheaper, yay!

But it doesn't work that way. You're not entitled to free feedback for
your under-development tool.

Please stop doing this.

johannes
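
Why the quoted BUILD_BUG_ON line cannot dereference elems at run time, as an added example that is not from either message or from mac80211: ARRAY_SIZE is built on sizeof, whose operand is not evaluated, and BUILD_BUG_ON is checked by the compiler. The macros are simplified stand-ins for the kernel's, and struct elems_demo, get_elems() and the other function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins (assumption): the kernel versions add type checks
 * but are likewise compile-time constructs built on sizeof. */
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
#define BUILD_BUG_ON(cond) _Static_assert(!(cond), "BUILD_BUG_ON: " #cond)

/* Hypothetical reduced struct; only the fixed-size array member matters. */
struct elems_demo {
    const void *ttlm[2];
};

static int evaluated; /* counts run-time evaluations of get_elems() */

static struct elems_demo *get_elems(void)
{
    evaluated++;
    return NULL;
}

/* Mirrors the reported line with elems deliberately set to NULL. */
size_t check_with_null(void)
{
    struct elems_demo *elems = NULL;
    const void *direction[2] = { NULL, NULL };

    (void)direction;
    /* Resolved entirely by the compiler; no load through elems is emitted. */
    BUILD_BUG_ON(ARRAY_SIZE(direction) != ARRAY_SIZE(elems->ttlm));
    return ARRAY_SIZE(elems->ttlm);
}

/* The sizeof operand is a call returning NULL; the call never happens. */
size_t size_via_call(void)
{
    return ARRAY_SIZE(get_elems()->ttlm);
}

int evaluations(void) { return evaluated; }

int main(void)
{
    printf("size=%zu via_call=%zu evaluations=%d\n",
           check_with_null(), size_via_call(), evaluations());
    return 0;
}
```

A static analyzer that models dereferences should treat operands of sizeof (for non-variable-length types) and static assertions as unevaluated contexts before reporting a NULL dereference.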
