Date:	Fri, 13 May 2016 11:54:28 +0300
From:	Dan Carpenter <dan.carpenter@...cle.com>
To:	sara.sharon@...el.com
Cc:	linux-wireless@...r.kernel.org, netdev@...r.kernel.org
Subject: re: iwlwifi: mvm: add reorder buffer per queue

Hello Sara Sharon,

The patch b915c10174fb: "iwlwifi: mvm: add reorder buffer per queue"
from Mar 23, 2016, leads to the following static checker warnings:

	drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c:912 iwl_mvm_rx_mpdu_mq()
	error: potential NULL dereference 'sta'.

	drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c:912 iwl_mvm_rx_mpdu_mq()
	error: we previously assumed 'sta' could be null (see line 796)


drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
   779  
   780          if (le16_to_cpu(desc->status) & IWL_RX_MPDU_STATUS_SRC_STA_FOUND) {
   781                  u8 id = desc->sta_id_flags & IWL_RX_MPDU_SIF_STA_ID_MASK;
   782  
   783                  if (!WARN_ON_ONCE(id >= IWL_MVM_STATION_COUNT)) {
   784                          sta = rcu_dereference(mvm->fw_id_to_mac_id[id]);
   785                          if (IS_ERR(sta))
   786                                  sta = NULL;
                                        ^^^^^^^^^^^
Assigned to NULL here.

   787                  }
   788          } else if (!is_multicast_ether_addr(hdr->addr2)) {
   789                  /*
   790                   * This is fine since we prevent two stations with the same
   791                   * address from being added.
   792                   */
   793                  sta = ieee80211_find_sta_by_ifaddr(mvm->hw, hdr->addr2, NULL);
   794          }
   795  
   796          if (sta) {
                    ^^^
NULL here.

   797                  struct iwl_mvm_sta *mvmsta = iwl_mvm_sta_from_mac80211(sta);
   798                  u8 baid = (u8)((le32_to_cpu(desc->reorder_data) &
   799                                 IWL_RX_MPDU_REORDER_BAID_MASK) >>
   800                                 IWL_RX_MPDU_REORDER_BAID_SHIFT);

[ snip ]

   909          /* TODO: PHY info - gscan */
   910  
   911          iwl_mvm_create_skb(skb, hdr, len, crypt_len, rxb);
   912          if (!iwl_mvm_reorder(mvm, napi, queue, sta, skb, desc))
                                                       ^^^
New unchecked dereference inside the function call.

   913                  iwl_mvm_pass_packet_to_mac80211(mvm, napi, skb, queue, sta);
   914          rcu_read_unlock();
   915  }

regards,
dan carpenter
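
The pattern behind the two warnings, as an added example that is not part of the original message and not iwlwifi code: a lookup collapses error pointers to NULL, the caller checks the result once, and a later callee dereferences it. Every name below is hypothetical, the station table is constructed, and the guard in `reorder_checked()` is one possible placement of the check, not the driver's actual fix.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed userspace model; every name is hypothetical, not iwlwifi code. */
struct station { unsigned frames; };
static struct station sta0;
/* Slot 1 holds an error pointer; slots 2 and 3 are empty (NULL). */
static struct station *id_to_sta[4] = { &sta0, (struct station *)(uintptr_t)-2 };

/* Same idea as the kernel's IS_ERR(): errors occupy the top 4095 addresses. */
static int is_err(const void *p) { return (uintptr_t)p >= (uintptr_t)-4095; }

/* Mirrors the quoted lookup: bad ids and error pointers both become NULL. */
static struct station *lookup_station(unsigned id)
{
	struct station *sta = NULL;
	if (id < 4) {
		sta = id_to_sta[id];
		if (is_err(sta))
			sta = NULL;
	}
	return sta;
}

/* Shape the checker flags: the callee dereferences with no check of its own. */
static int reorder_unchecked(struct station *sta, unsigned seq)
{
	sta->frames++;		/* faults when sta == NULL */
	return seq & 1;		/* 1 = frame held back for reordering */
}

/* Guarded form: a missing station is rejected before it is touched. */
static int reorder_checked(struct station *sta, unsigned seq)
{
	if (!sta)
		return 0;	/* nothing to reorder against: deliver directly */
	sta->frames++;
	return seq & 1;
}

/* Returns 1 if the frame is delivered now, 0 if it is held for reordering. */
static int rx_frame(unsigned id, unsigned seq)
{
	return !reorder_checked(lookup_station(id), seq);
}

int main(void)
{
	printf("%d %d %d\n", rx_frame(0, 1), rx_frame(1, 1), rx_frame(9, 1));
	return reorder_unchecked(&sta0, 0);	/* safe only with a valid station */
}
```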
