Message-ID: <164914623778.12306.14074908465775082444.kvalo@kernel.org>
Date: Tue, 5 Apr 2022 08:10:39 +0000 (UTC)
From: Kalle Valo <kvalo@...nel.org>
To: Xiaomeng Tong <xiam0nd.tong@...il.com>
Cc: davem@...emloft.net, kuba@...nel.org, pabeni@...hat.com,
linville@...driver.com, linux-wireless@...r.kernel.org,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
Xiaomeng Tong <xiam0nd.tong@...il.com>, stable@...r.kernel.org
Subject: Re: [PATCH v2] carl9170: tx: fix an incorrect use of list iterator

Xiaomeng Tong <xiam0nd.tong@...il.com> wrote:

> If the previous list_for_each_entry_continue_rcu() doesn't exit early
> (no goto hit inside the loop), the iterator 'cvif' after the loop
> will be a bogus pointer to an invalid structure object containing
> the HEAD (&ar->vif_list). As a result, the use of 'cvif' after that
> will lead to an invalid memory access (i.e., 'cvif->id': the invalid
> pointer dereference when returning back to/after the callsite in the
> carl9170_update_beacon()).
>
> The original intention should have been to return the valid 'cvif'
> when found in list, NULL otherwise. So just return NULL when no
> entry found, to fix this bug.
>
> Cc: stable@...r.kernel.org
> Fixes: 1f1d9654e183c ("carl9170: refactor carl9170_update_beacon")
> Signed-off-by: Xiaomeng Tong <xiam0nd.tong@...il.com>
> Signed-off-by: Kalle Valo <quic_kvalo@...cinc.com>

Christian, is this ok to take?

--
https://patchwork.kernel.org/project/linux-wireless/patch/20220328122820.1004-1-xiam0nd.tong@gmail.com/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
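
The failure mode described in the quoted commit message, as an added example that is not part of the original message or the carl9170 driver: a userspace model with stand-in list helpers, showing the iterator left pointing at the container of the list head on a miss and the return-NULL shape of the fix. `struct dev`, `pick_buggy`, `pick_fixed`, `setup` and the `pad` field are hypothetical names, and the loop is a plain `list_for_each_entry` rather than the RCU `continue` variant.

```c
#include <stddef.h>
#include <stdio.h>
/* Minimal userspace stand-ins for the kernel's circular list helpers. */
struct list_head { struct list_head *next, *prev; };
#define container_of(ptr, type, member) ((type *)((char *)(ptr) - offsetof(type, member)))
#define list_for_each_entry(pos, head, member) \
	for (pos = container_of((head)->next, __typeof__(*pos), member); \
	     &pos->member != (head); \
	     pos = container_of(pos->member.next, __typeof__(*pos), member))

struct vif { int id; int enable_beacon; struct list_head list; };
struct dev { long pad[4]; struct list_head vif_list; }; /* pad keeps the bogus pointer in-bounds */

/* Buggy shape: the iterator is returned even when the loop ran to the end. */
static struct vif *pick_buggy(struct dev *d)
{
	struct vif *cvif;
	list_for_each_entry(cvif, &d->vif_list, list)
		if (cvif->enable_beacon)
			goto out;
out:
	return cvif; /* on a miss: container_of(&d->vif_list), not a vif */
}

/* Fixed shape: a miss is reported as NULL. */
static struct vif *pick_fixed(struct dev *d)
{
	struct vif *cvif;
	list_for_each_entry(cvif, &d->vif_list, list)
		if (cvif->enable_beacon)
			return cvif;
	return NULL;
}

/* Constructed sample: two vifs linked by hand, neither one beaconing. */
static struct dev dev0;
static struct vif vifs[2] = { { .id = 0 }, { .id = 1 } };
static void setup(void)
{
	struct list_head *h = &dev0.vif_list, *a = &vifs[0].list, *b = &vifs[1].list;
	h->next = a; a->next = b; b->next = h;
	h->prev = b; b->prev = a; a->prev = h;
}

int main(void)
{
	setup(); /* no vif beacons, so the search misses */
	printf("buggy=%p fixed=%p\n", (void *)pick_buggy(&dev0), (void *)pick_fixed(&dev0));
	return 0;
}
```

On a miss the buggy variant returns a non-NULL address inside `dev0`, so a caller's NULL check passes and a later `cvif->id` would read unrelated memory.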