From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+444248c79e117bc99f46@syzkaller.appspotmail.com, syzbot+8b2a88a09653d4084179@syzkaller.appspotmail.com, Johannes Berg
Subject: [PATCH 4.14 04/30] wext: fix NULL-ptr-dereference with cfg80211s lack of commit()
Date: Tue, 2 Feb 2021 14:38:45 +0100
Message-Id: <20210202132942.317719364@linuxfoundation.org>
X-Mailer: git-send-email 2.30.0
In-Reply-To: <20210202132942.138623851@linuxfoundation.org>
References: <20210202132942.138623851@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Johannes Berg

commit 5122565188bae59d507d90a9a9fd2fd6107f4439 upstream.

Since cfg80211 doesn't implement commit, we never really cared about
that code there (and it's configured out w/o CONFIG_WIRELESS_EXT).
After all, since it has no commit, it shouldn't return -EIWCOMMIT
to indicate commit is needed.

However, EIWCOMMIT is actually an alias for EINPROGRESS, which _can_
happen if e.g. we try to change the frequency but we're already in
the process of connecting to some network, and drivers could return
that value (or even cfg80211 itself might).

This then causes us to crash because dev->wireless_handlers is NULL
but we try to check dev->wireless_handlers->standard[0].

Fix this by also checking dev->wireless_handlers. Also simplify the
code a little bit.

Cc: stable@vger.kernel.org
Reported-by: syzbot+444248c79e117bc99f46@syzkaller.appspotmail.com
Reported-by: syzbot+8b2a88a09653d4084179@syzkaller.appspotmail.com
Link: https://lore.kernel.org/r/20210121171621.2076e4a37d5a.I5d9c72220fe7bb133fb718751da0180a57ecba4e@changeid
Signed-off-by: Johannes Berg
Signed-off-by: Greg Kroah-Hartman
---
 net/wireless/wext-core.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/net/wireless/wext-core.c
+++ b/net/wireless/wext-core.c @@ -898,8 +898,9 @@ out: int call_commit_handler(struct net_device *dev) { #ifdef CONFIG_WIRELESS_EXT - if ((netif_running(dev)) && - (dev->wireless_handlers->standard[0] != NULL)) + if (netif_running(dev) && + dev->wireless_handlers && + dev->wireless_handlers->standard[0]) /* Call the commit handler on the driver */ return dev->wireless_handlers->standard[0](dev, NULL, NULL, NULL);
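
Review bot: in call_commit_handler() the new guard reads dev->wireless_handlers twice and the return statement reads it a third time, so nothing in the function ties the pointer that was tested to the pointer that is called through. Loading it once into a local and using that local for the NULL test, the standard[0] test and the call would make the guard cover the dereference by construction and shorten the condition. A one-line comment beside the new test saying why wireless_handlers can legitimately be NULL here would also help, since the reason is currently recorded only in the commit message.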
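
The failure mode the commit message describes, modelled in userspace C as an added example (not kernel code and not part of the patch). The `model_*` types, the dispatcher, and the `return 0` fallback are assumptions made for illustration; only the three-part guard mirrors the hunk above.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace model with stand-in types; not the kernel's definitions. */
#define MODEL_EIWCOMMIT EINPROGRESS /* the alias the commit message describes */

struct model_dev;
typedef int (*model_handler)(struct model_dev *dev);
struct model_handler_def { model_handler standard[1]; };

struct model_dev {
    int running;                                       /* stands in for netif_running() */
    const struct model_handler_def *wireless_handlers; /* NULL on the cfg80211-style device */
    int commits;                                       /* how often the commit handler ran */
};

static int model_commit(struct model_dev *dev) { dev->commits++; return 0; }

/* Same three-part guard as the patched call_commit_handler(). */
static int model_call_commit_handler(struct model_dev *dev)
{
    if (dev->running && dev->wireless_handlers &&
        dev->wireless_handlers->standard[0])
        return dev->wireless_handlers->standard[0](dev);
    return 0; /* assumed: nothing to commit is not an error */
}

/* Assumed dispatcher: a handler result equal to -EIWCOMMIT requests a commit. */
static int model_dispatch(struct model_dev *dev, int handler_ret)
{
    if (handler_ret == -MODEL_EIWCOMMIT)
        return model_call_commit_handler(dev);
    return handler_ret;
}

int main(void)
{
    static const struct model_handler_def with_commit = { { model_commit } };
    struct model_dev legacy = { 1, &with_commit, 0 };
    struct model_dev cfg = { 1, NULL, 0 }; /* constructed: device with no handler table */

    /* A handler that is merely busy returns -EINPROGRESS and still reaches the commit path. */
    int r1 = model_dispatch(&legacy, -EINPROGRESS);
    int r2 = model_dispatch(&cfg, -EINPROGRESS);
    printf("legacy: ret=%d commits=%d\n", r1, legacy.commits);
    printf("cfg:    ret=%d commits=%d\n", r2, cfg.commits);
    return 0;
}
```

Dropping the `dev->wireless_handlers &&` term from the model's guard reproduces the NULL dereference on the `cfg` device, because the busy return value is indistinguishable from a commit request.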