From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+444248c79e117bc99f46@syzkaller.appspotmail.com, syzbot+8b2a88a09653d4084179@syzkaller.appspotmail.com, Johannes Berg
Subject: [PATCH 5.10 019/142] wext: fix NULL-ptr-dereference with cfg80211's lack of commit()
Date: Tue, 2 Feb 2021 14:36:22 +0100
Message-Id: <20210202132958.504186629@linuxfoundation.org>
In-Reply-To: <20210202132957.692094111@linuxfoundation.org>
References: <20210202132957.692094111@linuxfoundation.org>

From: Johannes Berg

commit 5122565188bae59d507d90a9a9fd2fd6107f4439 upstream.

Since cfg80211 doesn't implement commit, we never really cared about that code there (and it's configured out w/o CONFIG_WIRELESS_EXT). After all, since it has no commit, it shouldn't return -EIWCOMMIT to indicate commit is needed.

However, EIWCOMMIT is actually an alias for EINPROGRESS, which _can_ happen if e.g. we try to change the frequency but we're already in the process of connecting to some network, and drivers could return that value (or even cfg80211 itself might).

This then causes us to crash because dev->wireless_handlers is NULL but we try to check dev->wireless_handlers->standard[0].

Fix this by also checking dev->wireless_handlers. Also simplify the code a little bit.

Cc: stable@vger.kernel.org
Reported-by: syzbot+444248c79e117bc99f46@syzkaller.appspotmail.com
Reported-by: syzbot+8b2a88a09653d4084179@syzkaller.appspotmail.com
Link: https://lore.kernel.org/r/20210121171621.2076e4a37d5a.I5d9c72220fe7bb133fb718751da0180a57ecba4e@changeid
Signed-off-by: Johannes Berg
Signed-off-by: Greg Kroah-Hartman
---
 net/wireless/wext-core.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/net/wireless/wext-core.c
+++ b/net/wireless/wext-core.c @@ -896,8 +896,9 @@ out: int call_commit_handler(struct net_device *dev) { #ifdef CONFIG_WIRELESS_EXT - if ((netif_running(dev)) && - (dev->wireless_handlers->standard[0] != NULL)) + if (netif_running(dev) && + dev->wireless_handlers && + dev->wireless_handlers->standard[0]) /* Call the commit handler on the driver */ return dev->wireless_handlers->standard[0](dev, NULL, NULL, NULL);
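
Review bot: the added `dev->wireless_handlers` test in call_commit_handler() has no comment saying why the pointer can be NULL on this path, and the only comment in the hunk ("Call the commit handler on the driver") now sits under a three-line condition. The commit message has the reason (with cfg80211, dev->wireless_handlers is NULL, yet a driver or cfg80211 itself can still return EINPROGRESS, which is the same value as EIWCOMMIT); a one-line comment to that effect above the `if` would keep someone from later dropping the check as redundant. The pointer is also read three times between the condition and the call, so taking it once into a local variable would make the check and the call visibly use the same value.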