Message-ID: <8bf5e723-f70f-4767-8d8e-476143c962c3@suswa.mountain>
Date: Mon, 4 Aug 2025 09:36:49 +0300
From: Dan Carpenter <dan.carpenter@...aro.org>
To: oe-kbuild@...ts.linux.dev,
	Miri Korenblit <miriam.rachel.korenblit@...el.com>
Cc: lkp@...el.com, oe-kbuild-all@...ts.linux.dev,
	linux-kernel@...r.kernel.org,
	Johannes Berg <johannes.berg@...el.com>,
	Avraham Stern <avraham.stern@...el.com>,
	Daniel Gabay <daniel.gabay@...el.com>,
	Emmanuel Grumbach <emmanuel.grumbach@...el.com>,
	Anjaneyulu <pagadala.yesu.anjaneyulu@...el.com>,
	Yedidya Benshimol <yedidya.ben.shimol@...el.com>,
	Benjamin Berg <benjamin.berg@...el.com>,
	Shaul Triebitz <shaul.triebitz@...el.com>
Subject: drivers/net/wireless/intel/iwlwifi/mld/mac80211.c:2093
 iwl_mld_set_key_add() error: we previously assumed 'mld_sta' could be null
 (see line 2076)

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head:   186f3edfdd41f2ae87fc40a9ccba52a3bf930994
commit: d1e879ec600f9b3bdd253167533959facfefb17b wifi: iwlwifi: add iwlmld sub-driver
config: i386-randconfig-141-20250803 (https://download.01.org/0day-ci/archive/20250803/202508031151.K87baMm4-lkp@intel.com/config)
compiler: clang version 20.1.8 (https://github.com/llvm/llvm-project 87f0227cb60147a26a1eeb4fb06e3b505e9c7261)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@...el.com>
| Reported-by: Dan Carpenter <dan.carpenter@...aro.org>
| Closes: https://lore.kernel.org/r/202508031151.K87baMm4-lkp@intel.com/

smatch warnings:
drivers/net/wireless/intel/iwlwifi/mld/mac80211.c:2093 iwl_mld_set_key_add() error: we previously assumed 'mld_sta' could be null (see line 2076)
drivers/net/wireless/intel/iwlwifi/mld/scan.c:1124 iwl_mld_scan_cmd_set_chan_params() warn: assigning (-128) to unsigned variable 'cfg->v5.psd_20'
drivers/net/wireless/intel/iwlwifi/mld/ptp.c:298 iwl_mld_ptp_init() warn: passing zero to 'PTR_ERR'
   The IS_ERR_OR_NULL() check should be changed to IS_ERR().  See
   https://staticthinking.wordpress.com/2022/08/01/mixing-error-pointers-and-null/
   for more details.

vim +/mld_sta +2093 drivers/net/wireless/intel/iwlwifi/mld/mac80211.c

d1e879ec600f9b Miri Korenblit 2025-02-16  2024  static int iwl_mld_set_key_add(struct iwl_mld *mld,
d1e879ec600f9b Miri Korenblit 2025-02-16  2025  			       struct ieee80211_vif *vif,
d1e879ec600f9b Miri Korenblit 2025-02-16  2026  			       struct ieee80211_sta *sta,
d1e879ec600f9b Miri Korenblit 2025-02-16  2027  			       struct ieee80211_key_conf *key)
d1e879ec600f9b Miri Korenblit 2025-02-16  2028  {
d1e879ec600f9b Miri Korenblit 2025-02-16  2029  	struct iwl_mld_vif *mld_vif = iwl_mld_vif_from_mac80211(vif);
d1e879ec600f9b Miri Korenblit 2025-02-16  2030  	struct iwl_mld_sta *mld_sta =
d1e879ec600f9b Miri Korenblit 2025-02-16  2031  		sta ? iwl_mld_sta_from_mac80211(sta) : NULL;
                                                                                                       ^^^^

d1e879ec600f9b Miri Korenblit 2025-02-16  2032  	struct iwl_mld_ptk_pn *ptk_pn = NULL;
d1e879ec600f9b Miri Korenblit 2025-02-16  2033  	int keyidx = key->keyidx;
d1e879ec600f9b Miri Korenblit 2025-02-16  2034  	int ret;
d1e879ec600f9b Miri Korenblit 2025-02-16  2035  
d1e879ec600f9b Miri Korenblit 2025-02-16  2036  	/* Will be set to 0 if added successfully */
d1e879ec600f9b Miri Korenblit 2025-02-16  2037  	key->hw_key_idx = STA_KEY_IDX_INVALID;
d1e879ec600f9b Miri Korenblit 2025-02-16  2038  
d1e879ec600f9b Miri Korenblit 2025-02-16  2039  	switch (key->cipher) {
d1e879ec600f9b Miri Korenblit 2025-02-16  2040  	case WLAN_CIPHER_SUITE_WEP40:
d1e879ec600f9b Miri Korenblit 2025-02-16  2041  	case WLAN_CIPHER_SUITE_WEP104:
d1e879ec600f9b Miri Korenblit 2025-02-16  2042  		IWL_DEBUG_MAC80211(mld, "Use SW encryption for WEP\n");
d1e879ec600f9b Miri Korenblit 2025-02-16  2043  		return -EOPNOTSUPP;
d1e879ec600f9b Miri Korenblit 2025-02-16  2044  	case WLAN_CIPHER_SUITE_TKIP:
d1e879ec600f9b Miri Korenblit 2025-02-16  2045  		if (vif->type == NL80211_IFTYPE_STATION) {
d1e879ec600f9b Miri Korenblit 2025-02-16  2046  			key->flags |= IEEE80211_KEY_FLAG_PUT_MIC_SPACE;
d1e879ec600f9b Miri Korenblit 2025-02-16  2047  			break;
d1e879ec600f9b Miri Korenblit 2025-02-16  2048  		}
d1e879ec600f9b Miri Korenblit 2025-02-16  2049  		IWL_DEBUG_MAC80211(mld, "Use SW encryption for TKIP\n");
d1e879ec600f9b Miri Korenblit 2025-02-16  2050  		return -EOPNOTSUPP;
d1e879ec600f9b Miri Korenblit 2025-02-16  2051  	case WLAN_CIPHER_SUITE_CCMP:
d1e879ec600f9b Miri Korenblit 2025-02-16  2052  	case WLAN_CIPHER_SUITE_GCMP:
d1e879ec600f9b Miri Korenblit 2025-02-16  2053  	case WLAN_CIPHER_SUITE_GCMP_256:
d1e879ec600f9b Miri Korenblit 2025-02-16  2054  	case WLAN_CIPHER_SUITE_AES_CMAC:
d1e879ec600f9b Miri Korenblit 2025-02-16  2055  	case WLAN_CIPHER_SUITE_BIP_GMAC_128:
d1e879ec600f9b Miri Korenblit 2025-02-16  2056  	case WLAN_CIPHER_SUITE_BIP_GMAC_256:
d1e879ec600f9b Miri Korenblit 2025-02-16  2057  		break;
d1e879ec600f9b Miri Korenblit 2025-02-16  2058  	default:
d1e879ec600f9b Miri Korenblit 2025-02-16  2059  		return -EOPNOTSUPP;
d1e879ec600f9b Miri Korenblit 2025-02-16  2060  	}
d1e879ec600f9b Miri Korenblit 2025-02-16  2061  
d1e879ec600f9b Miri Korenblit 2025-02-16  2062  	if (vif->type == NL80211_IFTYPE_STATION &&
d1e879ec600f9b Miri Korenblit 2025-02-16  2063  	    (keyidx == 6 || keyidx == 7))
d1e879ec600f9b Miri Korenblit 2025-02-16  2064  		rcu_assign_pointer(mld_vif->bigtks[keyidx - 6], key);
d1e879ec600f9b Miri Korenblit 2025-02-16  2065  
d1e879ec600f9b Miri Korenblit 2025-02-16  2066  	/* After exiting from RFKILL, hostapd configures GTK/ITGK before the
d1e879ec600f9b Miri Korenblit 2025-02-16  2067  	 * AP is started, but those keys can't be sent to the FW before the
d1e879ec600f9b Miri Korenblit 2025-02-16  2068  	 * MCAST/BCAST STAs are added to it (which happens upon AP start).
d1e879ec600f9b Miri Korenblit 2025-02-16  2069  	 * Store it here to be sent later when the AP is started.
d1e879ec600f9b Miri Korenblit 2025-02-16  2070  	 */
d1e879ec600f9b Miri Korenblit 2025-02-16  2071  	if ((vif->type == NL80211_IFTYPE_ADHOC ||
d1e879ec600f9b Miri Korenblit 2025-02-16  2072  	     vif->type == NL80211_IFTYPE_AP) && !sta &&
d1e879ec600f9b Miri Korenblit 2025-02-16  2073  	     !mld_vif->ap_ibss_active)
d1e879ec600f9b Miri Korenblit 2025-02-16  2074  		return iwl_mld_store_ap_early_key(mld, key, mld_vif);
d1e879ec600f9b Miri Korenblit 2025-02-16  2075  
d1e879ec600f9b Miri Korenblit 2025-02-16 @2076  	if (!mld->fw_status.in_hw_restart && mld_sta &&
                                                                                             ^^^^^^^
This code assumes that mld_sta can be NULL

d1e879ec600f9b Miri Korenblit 2025-02-16  2077  	    key->flags & IEEE80211_KEY_FLAG_PAIRWISE &&
d1e879ec600f9b Miri Korenblit 2025-02-16  2078  	    (key->cipher == WLAN_CIPHER_SUITE_CCMP ||
d1e879ec600f9b Miri Korenblit 2025-02-16  2079  	     key->cipher == WLAN_CIPHER_SUITE_GCMP ||
d1e879ec600f9b Miri Korenblit 2025-02-16  2080  	     key->cipher == WLAN_CIPHER_SUITE_GCMP_256)) {
d1e879ec600f9b Miri Korenblit 2025-02-16  2081  		ret = iwl_mld_alloc_ptk_pn(mld, mld_sta, key, &ptk_pn);
d1e879ec600f9b Miri Korenblit 2025-02-16  2082  		if (ret)
d1e879ec600f9b Miri Korenblit 2025-02-16  2083  			return ret;
d1e879ec600f9b Miri Korenblit 2025-02-16  2084  	}
d1e879ec600f9b Miri Korenblit 2025-02-16  2085  
d1e879ec600f9b Miri Korenblit 2025-02-16  2086  	IWL_DEBUG_MAC80211(mld, "set hwcrypto key (sta:%pM, id:%d)\n",
d1e879ec600f9b Miri Korenblit 2025-02-16  2087  			   sta ? sta->addr : NULL, keyidx);
d1e879ec600f9b Miri Korenblit 2025-02-16  2088  
d1e879ec600f9b Miri Korenblit 2025-02-16  2089  	ret = iwl_mld_add_key(mld, vif, sta, key);
d1e879ec600f9b Miri Korenblit 2025-02-16  2090  	if (ret) {
d1e879ec600f9b Miri Korenblit 2025-02-16  2091  		IWL_WARN(mld, "set key failed (%d)\n", ret);
d1e879ec600f9b Miri Korenblit 2025-02-16  2092  		if (ptk_pn) {
d1e879ec600f9b Miri Korenblit 2025-02-16 @2093  			RCU_INIT_POINTER(mld_sta->ptk_pn[keyidx], NULL);
                                                                                         ^^^^^^^^^
But here it's dereferenced without checking.

d1e879ec600f9b Miri Korenblit 2025-02-16  2094  			kfree(ptk_pn);
d1e879ec600f9b Miri Korenblit 2025-02-16  2095  		}
d1e879ec600f9b Miri Korenblit 2025-02-16  2096  
d1e879ec600f9b Miri Korenblit 2025-02-16  2097  		return -EOPNOTSUPP;
d1e879ec600f9b Miri Korenblit 2025-02-16  2098  	}
d1e879ec600f9b Miri Korenblit 2025-02-16  2099  
d1e879ec600f9b Miri Korenblit 2025-02-16  2100  	return 0;
d1e879ec600f9b Miri Korenblit 2025-02-16  2101  }
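Review bot: The slot published at line 2064 with `rcu_assign_pointer(mld_vif->bigtks[keyidx - 6], key)` is not cleared on the later failure returns at lines 2083 and 2097, so a station-mode key with index 6 or 7 stays referenced from `mld_vif` even though the function reports that it was not installed. Whether that pointer can outlive the key depends on when the caller invokes the removal path for a key whose add failed, which is not visible in this listing and should be confirmed. If it can, the error paths should undo the assignment under the same `vif->type`/`keyidx` condition, e.g. `RCU_INIT_POINTER(mld_vif->bigtks[keyidx - 6], NULL);`, or the assignment should move to after `iwl_mld_add_key()` succeeds. A short comment at line 2064 stating which path owns clearing `bigtks[]` would make the lifetime rule explicit for later readers.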

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

