Received: by 2002:a05:7412:3210:b0:e2:908c:2ebd with SMTP id eu16csp923983rdb;
        Fri, 1 Sep 2023 07:54:52 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IGJHxpCLIulSTqPbWajvh3piTzxg0ZpW9DlHgvyBl50gVy+K4ZoCJ4Kbr+vUa4Ooyh3gryJ
X-Received: by 2002:a05:6a20:7354:b0:149:602e:9233 with SMTP id v20-20020a056a20735400b00149602e9233mr3214377pzc.26.1693580091838;
        Fri, 01 Sep 2023 07:54:51 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1693580091; cv=none;
        d=google.com; s=arc-20160816;
        b=H5YG7BCaFI1SPse2pufkSizZglqFXf2/kGJgpxZiOFyFhkhVJjfXQwgnAINuYgGCGd
         9SOltwOmAoIjpk3MgjVFLYklsC8yECPO/UdO0Ne7wLc2tyJrTTnJA0erxwFLeQemf1xg
         xgSRtyJaTQqtxvFpICLtRr3zXJPBK/OrwQyHxpyFnDUuVcOeg+AK5tg5Mx7WAAEKD18q
         4AunNk1mvLJrlEcBkLGF/3cQfQ9gnkoRGOcOPdIIuCVxdhZYwa7NIJT1Ew+u5i7pEl0r
         dL6j7vf7XjCgx5qlbtphI9S6usLtptWNjwkbpzYmLxkVbEyNHlxBD6i4W70WpTpv3Mv7
         LPKw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:in-reply-to:from
         :references:cc:to:subject:user-agent:mime-version:date:message-id;
        bh=eutnFVEfENH7GakKPLG9MXFXA3exBWYWpyi4WEKPiDQ=;
        fh=hlJdDAFt9p31aYz0JUR5ihGkr9UNTbSDxBtrhMHuxFY=;
        b=iIENt/iySrPgiMLPaW+V87p9r26vkfXpv068ZxOaJsacyELlbHhnR8r39X8tEOD//l
         XpOsr+QxiKgxnbuE4aw3pTCWWuj3KLxdopS8xegSRvt5rvdKCuhtLzCwS1sCvF5sjaIw
         0S6wMlV9KGkZNco+jJcmricC0R1PohRgFZ4iXRhaLh77uq8+S2GAlixnmlQH/tFSMuzK
         JdBSaLuA3B7FcTcqHYN5MRBTo/9bh9Rq6Ux6TUf53d0yEF1t4SYsgIPGIoWFLS7CiwsP
         x1mr4697I7+rHiviThC3nlcIom86y5GHYfTLdlTteBnj7OWPL3m21BdUMewLcfwRMJw2
         sx+Q==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id e13-20020a630f0d000000b0056a670ebd71si3077171pgl.667.2023.09.01.07.54.33;
        Fri, 01 Sep 2023 07:54:51 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1349079AbjIALB0 (ORCPT <rfc822;asselsm@gmail.com> + 99 others);
        Fri, 1 Sep 2023 07:01:26 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39590 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S232230AbjIALBZ (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 1 Sep 2023 07:01:25 -0400
Received: from hust.edu.cn (unknown [202.114.0.240])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5EFF2E42;
        Fri,  1 Sep 2023 04:01:22 -0700 (PDT)
Received: from [IPV6:2001:250:4000:5113:6422:827f:d303:d108] ([172.16.0.254])
        (user=dzm91@hust.edu.cn mech=PLAIN bits=0)
        by mx1.hust.edu.cn  with ESMTP id 381Axifq011181-381Axifr011181
        (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO);
        Fri, 1 Sep 2023 18:59:44 +0800
Message-ID: <317b9482-d750-9093-e891-21f73feeac0c@hust.edu.cn>
Date:   Fri, 1 Sep 2023 18:59:44 +0800
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0)
 Gecko/20100101 Thunderbird/102.14.0
Subject: Re: [PATCH] ath9k: fix null-ptr-deref in ath_chanctx_event
To:     =?UTF-8?Q?Toke_H=c3=b8iland-J=c3=b8rgensen?= <toke@toke.dk>,
        Kalle Valo <kvalo@kernel.org>,
        Sujith Manoharan <c_manoha@qca.qualcomm.com>,
        "John W. Linville" <linville@tuxdriver.com>
Cc:     hust-os-kernel-patches@googlegroups.com,
        linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org
References: <20230901080701.1705649-1-dzm91@hust.edu.cn>
 <87y1hqtbtu.fsf@toke.dk>
From:   Dongliang Mu <dzm91@hust.edu.cn>
In-Reply-To: <87y1hqtbtu.fsf@toke.dk>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
X-FEAS-AUTH-USER: dzm91@hust.edu.cn
X-Spam-Status: No, score=-5.4 required=5.0 tests=BAYES_00,NICE_REPLY_A,
        RCVD_IN_DNSWL_BLOCKED,SPF_HELO_PASS,SPF_PASS autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org


On 2023/9/1 18:41, 'Toke Høiland-Jørgensen' via HUST OS Kernel 
Contribution wrote:
> Dongliang Mu <dzm91@hust.edu.cn> writes:
>
>> Smatch reports:
>>
>> ath_chanctx_event() error: we previously assumed 'vif' could be null
>>
>> The function ath_chanctx_event can be called with vif argument as NULL.
>> If vif is NULL, ath_dbg can trigger a null pointer dereference.
>>
>> Fix this by adding a null pointer check.
>>
>> Fixes: 878066e745b5 ("ath9k: Add more debug statements for channel context")
>> Signed-off-by: Dongliang Mu <dzm91@hust.edu.cn>
>> ---
>>   drivers/net/wireless/ath/ath9k/channel.c | 4 +++-
>>   1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/net/wireless/ath/ath9k/channel.c b/drivers/net/wireless/ath/ath9k/channel.c
>> index 571062f2e82a..e343c8962d14 100644
>> --- a/drivers/net/wireless/ath/ath9k/channel.c
>> +++ b/drivers/net/wireless/ath/ath9k/channel.c
>> @@ -576,7 +576,9 @@ void ath_chanctx_event(struct ath_softc *sc, struct ieee80211_vif *vif,
>>   		if (sc->sched.state != ATH_CHANCTX_STATE_WAIT_FOR_BEACON)
>>   			break;
>>   
>> -		ath_dbg(common, CHAN_CTX, "Preparing beacon for vif: %pM\n", vif->addr);
>> +		if (vif)
>> +			ath_dbg(common, CHAN_CTX,
>> +				"Preparing beacon for vif: %pM\n", vif->addr);
> Please don't send patches for static checker errors without actually
> checking if there is a valid bug. Which there isn't in this case.

Before sending this patch, I searched in the code, there are many call 
sites of ath_chanctx_event with argument vif as NULL.

Functions calling this function: ath_chanctx_event

   File      Function                   Line
0 beacon.c  ath9k_beacon_tasklet        459 ath_chanctx_event(sc, vif, 
ATH_CHANCTX_EVENT_BEACON_PREPARE);
1 channel.c ath_chanctx_check_active    321 ath_chanctx_event(sc, NULL,
2 channel.c ath_chanctx_beacon_sent_ev  781 ath_chanctx_event(sc, NULL, ev);
3 channel.c ath_chanctx_beacon_recv_ev  787 ath_chanctx_event(sc, NULL, ev);
4 channel.c ath_chanctx_timer          1054 ath_chanctx_event(sc, NULL, 
ATH_CHANCTX_EVENT_TSF_TIMER);
5 channel.c ath_chanctx_set_next       1321 ath_chanctx_event(sc, NULL, 
ATH_CHANCTX_EVENT_SWITCH);
6 channel.c ath9k_p2p_ps_timer         1566 ath_chanctx_event(sc, NULL, 
ATH_CHANCTX_EVENT_TSF_TIMER);
7 main.c    ath9k_sta_state            1671 ath_chanctx_event(sc, vif,
8 main.c    ath9k_remove_chanctx       2577 ath_chanctx_event(sc, NULL, 
ATH_CHANCTX_EVENT_UNASSIGN);
9 xmit.c    ath_tx_edma_tasklet        2749 ath_chanctx_event(sc, NULL,

This NULL parameters would cause some abnormal behaviors.

> Specifically, that branch of the switch statement dereferences the avp
> pointer, which will be NULL if 'vif' is. Meaning we will have crashed
> way before reaching this statement if vif is indeed NULL.
Yeah, you are right. However, no matter where or which variable causing 
the null-ptr-def crash, the crash is there.

I think this is unexpected.

Let me know if I make any mistakes

>
> -Toke
>