Received: by 2002:a05:7412:f584:b0:e2:908c:2ebd with SMTP id eh4csp685708rdb; Sun, 3 Sep 2023 06:12:41 -0700 (PDT) X-Google-Smtp-Source: AGHT+IHxWsQBUBwc3d746pQjiSpckxRitjUIVvipFBAL2kDH1weOHVbLqRTiRRf5y6EWCcafVIcT X-Received: by 2002:a05:6a00:2d8a:b0:68a:6cf0:cdf8 with SMTP id fb10-20020a056a002d8a00b0068a6cf0cdf8mr7248409pfb.21.1693746760919; Sun, 03 Sep 2023 06:12:40 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1693746760; cv=none; d=google.com; s=arc-20160816; b=eRdenT8n93W8W698ThsvnbG+V4lpfnZYLC0QYjQ6t+C73SVIZLQ6+w3ChfH3D6xpGW n4iV/dnItRmGUB48i3+fxQB16mJBx8tbXdBhMpQbqgn6RanACEv+8uKKTw7nnUDFJWSF y/qzYVWwxtDfI5NZcMRfEFkwtuq4VNAX95Kf74WqWbWrIg4WKK8iLU/btgX6+OGV7G8k VRFemY/ZsLp2DKf4K5MZbsSt69gjNwRXTr1wynwsfAXHOitFxEVoNuR2JCb8m2ArYE72 gGWN/03R90kGNLE5zXkAafeFyH0qY6P2zWo0GQzYXn8lVnlF4dsRgwS2gaOf6sSfZD80 zg8w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:subject:user-agent:mime-version:date:message-id; bh=apqoaW01YP4kDhSuTX5Y3RkAmPedQPx+fvdWF9gn8h8=; fh=hlJdDAFt9p31aYz0JUR5ihGkr9UNTbSDxBtrhMHuxFY=; b=dNpRZ3DUPAOnuiTJS8UmZwBC0F5uP/vTTes17J5wVdscSsHMYTfp3B2paxW/r6oJ+l GAMjoq/9bM/cuoMv11u54ZiT02EdmwK6ZZjOrXm31OQN2syuCEWdL8RgRw4o7r0I/NO7 paONSw8SkQokGOT5wsUSMbgNZvySYz6WC/appjwt6BPckrJDGsnAiSgJXZuwUE3sjE+t IoIw6d31IrSbm6oxCmy0ZeqJ/8znMyKgZfNMiWuOnmLY/a3YdC39Ho257ZVFp76NPHHf dCIiqXGK6XEc2BTS5dlZa72lHSWPvRTAAmt95VTBHBtFqOM76x7YabgpUKQj3Zj8+W8a vR7A== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id r145-20020a632b97000000b00565e9ee17d9si6085094pgr.118.2023.09.03.06.12.33; Sun, 03 Sep 2023 06:12:40 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1349139AbjIALXP (ORCPT + 48 others); Fri, 1 Sep 2023 07:23:15 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48218 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1344229AbjIALXM (ORCPT ); Fri, 1 Sep 2023 07:23:12 -0400 Received: from hust.edu.cn (unknown [202.114.0.240]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B13BEE42; Fri, 1 Sep 2023 04:22:59 -0700 (PDT) Received: from [IPV6:2001:250:4000:5113:6422:827f:d303:d108] ([172.16.0.254]) (user=dzm91@hust.edu.cn mech=PLAIN bits=0) by mx1.hust.edu.cn with ESMTP id 381BLVEO021795-381BLVEP021795 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Fri, 1 Sep 2023 19:21:32 +0800 Message-ID: Date: Fri, 1 Sep 2023 19:21:31 +0800 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Thunderbird/102.14.0 Subject: Re: [PATCH] ath9k: fix null-ptr-deref in ath_chanctx_event To: =?UTF-8?Q?Toke_H=c3=b8iland-J=c3=b8rgensen?= , Kalle Valo , Sujith Manoharan , "John W. Linville" Cc: hust-os-kernel-patches@googlegroups.com, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org References: <20230901080701.1705649-1-dzm91@hust.edu.cn> <87y1hqtbtu.fsf@toke.dk> <317b9482-d750-9093-e891-21f73feeac0c@hust.edu.cn> <87il8uta8f.fsf@toke.dk> From: Dongliang Mu In-Reply-To: <87il8uta8f.fsf@toke.dk> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-FEAS-AUTH-USER: dzm91@hust.edu.cn X-Spam-Status: No, score=-5.4 required=5.0 tests=BAYES_00,NICE_REPLY_A, RCVD_IN_DNSWL_BLOCKED,SPF_HELO_PASS,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org On 2023/9/1 19:16, Toke Høiland-Jørgensen wrote: > Dongliang Mu writes: > >> On 2023/9/1 18:41, 'Toke Høiland-Jørgensen' via HUST OS Kernel >> Contribution wrote: >>> Dongliang Mu writes: >>> >>>> Smatch reports: >>>> >>>> ath_chanctx_event() error: we previously assumed 'vif' could be null >>>> >>>> The function ath_chanctx_event can be called with vif argument as NULL. >>>> If vif is NULL, ath_dbg can trigger a null pointer dereference. >>>> >>>> Fix this by adding a null pointer check. >>>> >>>> Fixes: 878066e745b5 ("ath9k: Add more debug statements for channel context") >>>> Signed-off-by: Dongliang Mu >>>> --- >>>> drivers/net/wireless/ath/ath9k/channel.c | 4 +++- >>>> 1 file changed, 3 insertions(+), 1 deletion(-) >>>> >>>> diff --git a/drivers/net/wireless/ath/ath9k/channel.c b/drivers/net/wireless/ath/ath9k/channel.c >>>> index 571062f2e82a..e343c8962d14 100644 >>>> --- a/drivers/net/wireless/ath/ath9k/channel.c >>>> +++ b/drivers/net/wireless/ath/ath9k/channel.c >>>> @@ -576,7 +576,9 @@ void ath_chanctx_event(struct ath_softc *sc, struct ieee80211_vif *vif, >>>> if (sc->sched.state != ATH_CHANCTX_STATE_WAIT_FOR_BEACON) >>>> break; >>>> >>>> - ath_dbg(common, CHAN_CTX, "Preparing beacon for vif: %pM\n", vif->addr); >>>> + if (vif) >>>> + ath_dbg(common, CHAN_CTX, >>>> + "Preparing beacon for vif: %pM\n", vif->addr); >>> Please don't send patches for static checker errors without actually >>> checking if there is a valid bug. Which there isn't in this case. >> Before sending this patch, I searched in the code, there are many call >> sites of ath_chanctx_event with argument vif as NULL. >> >> Functions calling this function: ath_chanctx_event >> >>   File      Function                   Line >> 0 beacon.c  ath9k_beacon_tasklet        459 ath_chanctx_event(sc, vif, >> ATH_CHANCTX_EVENT_BEACON_PREPARE); > But only this one has ATH_CHANCTX_EVENT_BEACON_PREPARE as an argument, > which is required to hit the code path you are changing. > >> 1 channel.c ath_chanctx_check_active    321 ath_chanctx_event(sc, NULL, >> 2 channel.c ath_chanctx_beacon_sent_ev  781 ath_chanctx_event(sc, NULL, ev); >> 3 channel.c ath_chanctx_beacon_recv_ev  787 ath_chanctx_event(sc, NULL, ev); >> 4 channel.c ath_chanctx_timer          1054 ath_chanctx_event(sc, NULL, >> ATH_CHANCTX_EVENT_TSF_TIMER); >> 5 channel.c ath_chanctx_set_next       1321 ath_chanctx_event(sc, NULL, >> ATH_CHANCTX_EVENT_SWITCH); >> 6 channel.c ath9k_p2p_ps_timer         1566 ath_chanctx_event(sc, NULL, >> ATH_CHANCTX_EVENT_TSF_TIMER); >> 7 main.c    ath9k_sta_state            1671 ath_chanctx_event(sc, vif, >> 8 main.c    ath9k_remove_chanctx       2577 ath_chanctx_event(sc, NULL, >> ATH_CHANCTX_EVENT_UNASSIGN); >> 9 xmit.c    ath_tx_edma_tasklet        2749 ath_chanctx_event(sc, NULL, >> >> This NULL parameters would cause some abnormal behaviors. >> >>> Specifically, that branch of the switch statement dereferences the avp >>> pointer, which will be NULL if 'vif' is. Meaning we will have crashed >>> way before reaching this statement if vif is indeed NULL. >> Yeah, you are right. However, no matter where or which variable causing >> the null-ptr-def crash, the crash is there. > There is no crash, see above. Yeah, I see where my problem is. Please ignore this patch. In the future I will check more and think more about the code logic when verifying the result of static analyzer. Thanks for your patience. > > -Toke