2021-04-14 15:33:25

by Abinaya Kalaiselvan

Subject: [PATCH] mac80211: fix NULL ptr dereference during mesh peer connection for non HE devices

"sband->iftype_data" is not assigned any value for devices without HE
support, which causes a NULL pointer access during mesh peer connection
on those devices. Fix this by dereferencing the pointer only after the
HE capabilities check has passed.

Fixes: 7f7aa94bcaf0 (mac80211: reduce peer HE MCS/NSS to own capabilities)
Signed-off-by: Abinaya Kalaiselvan <[email protected]>
---
net/mac80211/he.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/mac80211/he.c b/net/mac80211/he.c
index 0c0b970..543c2cb 100644
--- a/net/mac80211/he.c
+++ b/net/mac80211/he.c
@@ -111,7 +111,7 @@ ieee80211_he_cap_ie_to_sta_he_cap(struct ieee80211_sub_if_data *sdata,
struct sta_info *sta)
{
struct ieee80211_sta_he_cap *he_cap = &sta->sta.he_cap;
- struct ieee80211_sta_he_cap own_he_cap = sband->iftype_data->he_cap;
+ struct ieee80211_sta_he_cap own_he_cap;
struct ieee80211_he_cap_elem *he_cap_ie_elem = (void *)he_cap_ie;
u8 he_ppe_size;
u8 mcs_nss_size;
@@ -123,6 +123,8 @@ ieee80211_he_cap_ie_to_sta_he_cap(struct ieee80211_sub_if_data *sdata,
if (!he_cap_ie || !ieee80211_get_he_sta_cap(sband))
return;

+ own_he_cap = sband->iftype_data->he_cap;
+
/* Make sure size is OK */
mcs_nss_size = ieee80211_he_mcs_nss_size(he_cap_ie_elem);
he_ppe_size =
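Review bot: The added assignment `own_he_cap = sband->iftype_data->he_cap;` still reads the first entry of the iftype_data array, while the guard on the line above it, ieee80211_get_he_sta_cap(sband), only establishes that an entry for NL80211_IFTYPE_STATION exists; on a mesh interface the first entry is not necessarily the station entry, nor the entry for the interface type actually in use, so the NULL dereference is avoided but the "own" capabilities copied may belong to a different interface type. It would be more robust to look up the entry for sdata's own type and fail closed when it is absent, e.g. `const struct ieee80211_sta_he_cap *own = ieee80211_get_he_iftype_cap(sband, ieee80211_vif_type_p2p(&sdata->vif));` followed by `if (!he_cap_ie || !own) return;` and `own_he_cap = *own;`. The smatch report later in the thread flags line 126 for inconsistent indenting, which suggests the added line is indented with spaces rather than a tab, though whitespace is not visible in this rendering. The function body continues past the end of this hunk.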
--
2.7.4


2021-04-14 18:06:58

by kernel test robot

Subject: Re: [PATCH] mac80211: fix NULL ptr dereference during mesh peer connection for non HE devices

Hi Abinaya,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on mac80211-next/master]
[also build test WARNING on mac80211/master linus/master v5.12-rc7 next-20210414]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting a patch, we suggest using '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url: https://github.com/0day-ci/linux/commits/Abinaya-Kalaiselvan/mac80211-fix-NULL-ptr-dereference-during-mesh-peer-connection-for-non-HE-devices/20210414-193552
base: https://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211-next.git master
config: x86_64-randconfig-m001-20210414 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-22) 9.3.0

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <[email protected]>

New smatch warnings:
net/mac80211/he.c:126 ieee80211_he_cap_ie_to_sta_he_cap() warn: inconsistent indenting

Old smatch warnings:
net/mac80211/he.c:33 ieee80211_update_from_he_6ghz_capa() error: uninitialized symbol 'smps_mode'.

vim +126 net/mac80211/he.c

105
106 void
107 ieee80211_he_cap_ie_to_sta_he_cap(struct ieee80211_sub_if_data *sdata,
108 struct ieee80211_supported_band *sband,
109 const u8 *he_cap_ie, u8 he_cap_len,
110 const struct ieee80211_he_6ghz_capa *he_6ghz_capa,
111 struct sta_info *sta)
112 {
113 struct ieee80211_sta_he_cap *he_cap = &sta->sta.he_cap;
114 struct ieee80211_sta_he_cap own_he_cap;
115 struct ieee80211_he_cap_elem *he_cap_ie_elem = (void *)he_cap_ie;
116 u8 he_ppe_size;
117 u8 mcs_nss_size;
118 u8 he_total_size;
119 bool own_160, peer_160, own_80p80, peer_80p80;
120
121 memset(he_cap, 0, sizeof(*he_cap));
122
123 if (!he_cap_ie || !ieee80211_get_he_sta_cap(sband))
124 return;
125
> 126 own_he_cap = sband->iftype_data->he_cap;
127
128 /* Make sure size is OK */
129 mcs_nss_size = ieee80211_he_mcs_nss_size(he_cap_ie_elem);
130 he_ppe_size =
131 ieee80211_he_ppe_size(he_cap_ie[sizeof(he_cap->he_cap_elem) +
132 mcs_nss_size],
133 he_cap_ie_elem->phy_cap_info);
134 he_total_size = sizeof(he_cap->he_cap_elem) + mcs_nss_size +
135 he_ppe_size;
136 if (he_cap_len < he_total_size)
137 return;
138
139 memcpy(&he_cap->he_cap_elem, he_cap_ie, sizeof(he_cap->he_cap_elem));
140
141 /* HE Tx/Rx HE MCS NSS Support Field */
142 memcpy(&he_cap->he_mcs_nss_supp,
143 &he_cap_ie[sizeof(he_cap->he_cap_elem)], mcs_nss_size);
144
145 /* Check if there are (optional) PPE Thresholds */
146 if (he_cap->he_cap_elem.phy_cap_info[6] &
147 IEEE80211_HE_PHY_CAP6_PPE_THRESHOLD_PRESENT)
148 memcpy(he_cap->ppe_thres,
149 &he_cap_ie[sizeof(he_cap->he_cap_elem) + mcs_nss_size],
150 he_ppe_size);
151
152 he_cap->has_he = true;
153
154 sta->cur_max_bandwidth = ieee80211_sta_cap_rx_bw(sta);
155 sta->sta.bandwidth = ieee80211_sta_cur_vht_bw(sta);
156
157 if (sband->band == NL80211_BAND_6GHZ && he_6ghz_capa)
158 ieee80211_update_from_he_6ghz_capa(he_6ghz_capa, sta);
159
160 ieee80211_he_mcs_intersection(&own_he_cap.he_mcs_nss_supp.rx_mcs_80,
161 &he_cap->he_mcs_nss_supp.rx_mcs_80,
162 &own_he_cap.he_mcs_nss_supp.tx_mcs_80,
163 &he_cap->he_mcs_nss_supp.tx_mcs_80);
164
165 own_160 = own_he_cap.he_cap_elem.phy_cap_info[0] &
166 IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_160MHZ_IN_5G;
167 peer_160 = he_cap->he_cap_elem.phy_cap_info[0] &
168 IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_160MHZ_IN_5G;
169
170 if (peer_160 && own_160) {
171 ieee80211_he_mcs_intersection(&own_he_cap.he_mcs_nss_supp.rx_mcs_160,
172 &he_cap->he_mcs_nss_supp.rx_mcs_160,
173 &own_he_cap.he_mcs_nss_supp.tx_mcs_160,
174 &he_cap->he_mcs_nss_supp.tx_mcs_160);
175 } else if (peer_160 && !own_160) {
176 ieee80211_he_mcs_disable(&he_cap->he_mcs_nss_supp.rx_mcs_160);
177 ieee80211_he_mcs_disable(&he_cap->he_mcs_nss_supp.tx_mcs_160);
178 he_cap->he_cap_elem.phy_cap_info[0] &=
179 ~IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_160MHZ_IN_5G;
180 }
181
182 own_80p80 = own_he_cap.he_cap_elem.phy_cap_info[0] &
183 IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_80PLUS80_MHZ_IN_5G;
184 peer_80p80 = he_cap->he_cap_elem.phy_cap_info[0] &
185 IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_80PLUS80_MHZ_IN_5G;
186
187 if (peer_80p80 && own_80p80) {
188 ieee80211_he_mcs_intersection(&own_he_cap.he_mcs_nss_supp.rx_mcs_80p80,
189 &he_cap->he_mcs_nss_supp.rx_mcs_80p80,
190 &own_he_cap.he_mcs_nss_supp.tx_mcs_80p80,
191 &he_cap->he_mcs_nss_supp.tx_mcs_80p80);
192 } else if (peer_80p80 && !own_80p80) {
193 ieee80211_he_mcs_disable(&he_cap->he_mcs_nss_supp.rx_mcs_80p80);
194 ieee80211_he_mcs_disable(&he_cap->he_mcs_nss_supp.tx_mcs_80p80);
195 he_cap->he_cap_elem.phy_cap_info[0] &=
196 ~IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_80PLUS80_MHZ_IN_5G;
197 }
198 }
199

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/[email protected]


Attachments:
(No filename) (5.36 kB)
.config.gz (33.23 kB)