| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <8bf5e723-f70f-4767-8d8e-476143c962c3@suswa.mountain>
Date: Mon, 4 Aug 2025 09:36:49 +0300
From: Dan Carpenter <dan.carpenter@...aro.org>
To: oe-kbuild@...ts.linux.dev,
Miri Korenblit <miriam.rachel.korenblit@...el.com>
Cc: lkp@...el.com, oe-kbuild-all@...ts.linux.dev,
linux-kernel@...r.kernel.org,
Johannes Berg <johannes.berg@...el.com>,
Avraham Stern <avraham.stern@...el.com>,
Daniel Gabay <daniel.gabay@...el.com>,
Emmanuel Grumbach <emmanuel.grumbach@...el.com>,
Anjaneyulu <pagadala.yesu.anjaneyulu@...el.com>,
Yedidya Benshimol <yedidya.ben.shimol@...el.com>,
Benjamin Berg <benjamin.berg@...el.com>,
Shaul Triebitz <shaul.triebitz@...el.com>
Subject: drivers/net/wireless/intel/iwlwifi/mld/mac80211.c:2093
iwl_mld_set_key_add() error: we previously assumed 'mld_sta' could be null
(see line 2076)
tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head: 186f3edfdd41f2ae87fc40a9ccba52a3bf930994
commit: d1e879ec600f9b3bdd253167533959facfefb17b wifi: iwlwifi: add iwlmld sub-driver
config: i386-randconfig-141-20250803 (https://download.01.org/0day-ci/archive/20250803/202508031151.K87baMm4-lkp@intel.com/config)
compiler: clang version 20.1.8 (https://github.com/llvm/llvm-project 87f0227cb60147a26a1eeb4fb06e3b505e9c7261)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@...el.com>
| Reported-by: Dan Carpenter <dan.carpenter@...aro.org>
| Closes: https://lore.kernel.org/r/202508031151.K87baMm4-lkp@intel.com/
smatch warnings:
drivers/net/wireless/intel/iwlwifi/mld/mac80211.c:2093 iwl_mld_set_key_add() error: we previously assumed 'mld_sta' could be null (see line 2076)
drivers/net/wireless/intel/iwlwifi/mld/scan.c:1124 iwl_mld_scan_cmd_set_chan_params() warn: assigning (-128) to unsigned variable 'cfg->v5.psd_20'
drivers/net/wireless/intel/iwlwifi/mld/ptp.c:298 iwl_mld_ptp_init() warn: passing zero to 'PTR_ERR'
The IS_ERR_OR_NULL() check should be changed to IS_ERR(). See
https://staticthinking.wordpress.com/2022/08/01/mixing-error-pointers-and-null/
for more details.
vim +/mld_sta +2093 drivers/net/wireless/intel/iwlwifi/mld/mac80211.c
d1e879ec600f9b Miri Korenblit 2025-02-16 2024 static int iwl_mld_set_key_add(struct iwl_mld *mld,
d1e879ec600f9b Miri Korenblit 2025-02-16 2025 struct ieee80211_vif *vif,
d1e879ec600f9b Miri Korenblit 2025-02-16 2026 struct ieee80211_sta *sta,
d1e879ec600f9b Miri Korenblit 2025-02-16 2027 struct ieee80211_key_conf *key)
d1e879ec600f9b Miri Korenblit 2025-02-16 2028 {
d1e879ec600f9b Miri Korenblit 2025-02-16 2029 struct iwl_mld_vif *mld_vif = iwl_mld_vif_from_mac80211(vif);
d1e879ec600f9b Miri Korenblit 2025-02-16 2030 struct iwl_mld_sta *mld_sta =
d1e879ec600f9b Miri Korenblit 2025-02-16 2031 sta ? iwl_mld_sta_from_mac80211(sta) : NULL;
^^^^
d1e879ec600f9b Miri Korenblit 2025-02-16 2032 struct iwl_mld_ptk_pn *ptk_pn = NULL;
d1e879ec600f9b Miri Korenblit 2025-02-16 2033 int keyidx = key->keyidx;
d1e879ec600f9b Miri Korenblit 2025-02-16 2034 int ret;
d1e879ec600f9b Miri Korenblit 2025-02-16 2035
d1e879ec600f9b Miri Korenblit 2025-02-16 2036 /* Will be set to 0 if added successfully */
d1e879ec600f9b Miri Korenblit 2025-02-16 2037 key->hw_key_idx = STA_KEY_IDX_INVALID;
d1e879ec600f9b Miri Korenblit 2025-02-16 2038
d1e879ec600f9b Miri Korenblit 2025-02-16 2039 switch (key->cipher) {
d1e879ec600f9b Miri Korenblit 2025-02-16 2040 case WLAN_CIPHER_SUITE_WEP40:
d1e879ec600f9b Miri Korenblit 2025-02-16 2041 case WLAN_CIPHER_SUITE_WEP104:
d1e879ec600f9b Miri Korenblit 2025-02-16 2042 IWL_DEBUG_MAC80211(mld, "Use SW encryption for WEP\n");
d1e879ec600f9b Miri Korenblit 2025-02-16 2043 return -EOPNOTSUPP;
d1e879ec600f9b Miri Korenblit 2025-02-16 2044 case WLAN_CIPHER_SUITE_TKIP:
d1e879ec600f9b Miri Korenblit 2025-02-16 2045 if (vif->type == NL80211_IFTYPE_STATION) {
d1e879ec600f9b Miri Korenblit 2025-02-16 2046 key->flags |= IEEE80211_KEY_FLAG_PUT_MIC_SPACE;
d1e879ec600f9b Miri Korenblit 2025-02-16 2047 break;
d1e879ec600f9b Miri Korenblit 2025-02-16 2048 }
d1e879ec600f9b Miri Korenblit 2025-02-16 2049 IWL_DEBUG_MAC80211(mld, "Use SW encryption for TKIP\n");
d1e879ec600f9b Miri Korenblit 2025-02-16 2050 return -EOPNOTSUPP;
d1e879ec600f9b Miri Korenblit 2025-02-16 2051 case WLAN_CIPHER_SUITE_CCMP:
d1e879ec600f9b Miri Korenblit 2025-02-16 2052 case WLAN_CIPHER_SUITE_GCMP:
d1e879ec600f9b Miri Korenblit 2025-02-16 2053 case WLAN_CIPHER_SUITE_GCMP_256:
d1e879ec600f9b Miri Korenblit 2025-02-16 2054 case WLAN_CIPHER_SUITE_AES_CMAC:
d1e879ec600f9b Miri Korenblit 2025-02-16 2055 case WLAN_CIPHER_SUITE_BIP_GMAC_128:
d1e879ec600f9b Miri Korenblit 2025-02-16 2056 case WLAN_CIPHER_SUITE_BIP_GMAC_256:
d1e879ec600f9b Miri Korenblit 2025-02-16 2057 break;
d1e879ec600f9b Miri Korenblit 2025-02-16 2058 default:
d1e879ec600f9b Miri Korenblit 2025-02-16 2059 return -EOPNOTSUPP;
d1e879ec600f9b Miri Korenblit 2025-02-16 2060 }
d1e879ec600f9b Miri Korenblit 2025-02-16 2061
d1e879ec600f9b Miri Korenblit 2025-02-16 2062 if (vif->type == NL80211_IFTYPE_STATION &&
d1e879ec600f9b Miri Korenblit 2025-02-16 2063 (keyidx == 6 || keyidx == 7))
d1e879ec600f9b Miri Korenblit 2025-02-16 2064 rcu_assign_pointer(mld_vif->bigtks[keyidx - 6], key);
d1e879ec600f9b Miri Korenblit 2025-02-16 2065
d1e879ec600f9b Miri Korenblit 2025-02-16 2066 /* After exiting from RFKILL, hostapd configures GTK/ITGK before the
d1e879ec600f9b Miri Korenblit 2025-02-16 2067 * AP is started, but those keys can't be sent to the FW before the
d1e879ec600f9b Miri Korenblit 2025-02-16 2068 * MCAST/BCAST STAs are added to it (which happens upon AP start).
d1e879ec600f9b Miri Korenblit 2025-02-16 2069 * Store it here to be sent later when the AP is started.
d1e879ec600f9b Miri Korenblit 2025-02-16 2070 */
d1e879ec600f9b Miri Korenblit 2025-02-16 2071 if ((vif->type == NL80211_IFTYPE_ADHOC ||
d1e879ec600f9b Miri Korenblit 2025-02-16 2072 vif->type == NL80211_IFTYPE_AP) && !sta &&
d1e879ec600f9b Miri Korenblit 2025-02-16 2073 !mld_vif->ap_ibss_active)
d1e879ec600f9b Miri Korenblit 2025-02-16 2074 return iwl_mld_store_ap_early_key(mld, key, mld_vif);
d1e879ec600f9b Miri Korenblit 2025-02-16 2075
d1e879ec600f9b Miri Korenblit 2025-02-16 @2076 if (!mld->fw_status.in_hw_restart && mld_sta &&
^^^^^^^
This code assumes that mld_sta can be NULL
d1e879ec600f9b Miri Korenblit 2025-02-16 2077 key->flags & IEEE80211_KEY_FLAG_PAIRWISE &&
d1e879ec600f9b Miri Korenblit 2025-02-16 2078 (key->cipher == WLAN_CIPHER_SUITE_CCMP ||
d1e879ec600f9b Miri Korenblit 2025-02-16 2079 key->cipher == WLAN_CIPHER_SUITE_GCMP ||
d1e879ec600f9b Miri Korenblit 2025-02-16 2080 key->cipher == WLAN_CIPHER_SUITE_GCMP_256)) {
d1e879ec600f9b Miri Korenblit 2025-02-16 2081 ret = iwl_mld_alloc_ptk_pn(mld, mld_sta, key, &ptk_pn);
d1e879ec600f9b Miri Korenblit 2025-02-16 2082 if (ret)
d1e879ec600f9b Miri Korenblit 2025-02-16 2083 return ret;
d1e879ec600f9b Miri Korenblit 2025-02-16 2084 }
d1e879ec600f9b Miri Korenblit 2025-02-16 2085
d1e879ec600f9b Miri Korenblit 2025-02-16 2086 IWL_DEBUG_MAC80211(mld, "set hwcrypto key (sta:%pM, id:%d)\n",
d1e879ec600f9b Miri Korenblit 2025-02-16 2087 sta ? sta->addr : NULL, keyidx);
d1e879ec600f9b Miri Korenblit 2025-02-16 2088
d1e879ec600f9b Miri Korenblit 2025-02-16 2089 ret = iwl_mld_add_key(mld, vif, sta, key);
d1e879ec600f9b Miri Korenblit 2025-02-16 2090 if (ret) {
d1e879ec600f9b Miri Korenblit 2025-02-16 2091 IWL_WARN(mld, "set key failed (%d)\n", ret);
d1e879ec600f9b Miri Korenblit 2025-02-16 2092 if (ptk_pn) {
d1e879ec600f9b Miri Korenblit 2025-02-16 @2093 RCU_INIT_POINTER(mld_sta->ptk_pn[keyidx], NULL);
^^^^^^^^^
But here it's dereferenced without checking.
d1e879ec600f9b Miri Korenblit 2025-02-16 2094 kfree(ptk_pn);
d1e879ec600f9b Miri Korenblit 2025-02-16 2095 }
d1e879ec600f9b Miri Korenblit 2025-02-16 2096
d1e879ec600f9b Miri Korenblit 2025-02-16 2097 return -EOPNOTSUPP;
d1e879ec600f9b Miri Korenblit 2025-02-16 2098 }
d1e879ec600f9b Miri Korenblit 2025-02-16 2099
d1e879ec600f9b Miri Korenblit 2025-02-16 2100 return 0;
d1e879ec600f9b Miri Korenblit 2025-02-16 2101 }
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
Powered by blists - more mailing lists