diff mbox series

mac80211: fix NULL ptr dereference during mesh peer connection for non HE devices

Message ID 1618400012-30541-1-git-send-email-akalaise@codeaurora.org
State Superseded
Headers show
Series mac80211: fix NULL ptr dereference during mesh peer connection for non HE devices | expand

Commit Message

Abinaya Kalaiselvan April 14, 2021, 11:33 a.m. UTC 
"sband->iftype_data" is not assigned with any value for non HE supported
devices, which causes NULL pointer access during mesh peer connection
in those devices. Fix this by accessing the pointer after HE
capabilities condition check.

Fixes: 7f7aa94bcaf0 (mac80211: reduce peer HE MCS/NSS to own capabilities)
Signed-off-by: Abinaya Kalaiselvan <akalaise@codeaurora.org>
---
 net/mac80211/he.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

Comments

kernel test robot April 14, 2021, 4:32 p.m. UTC | #1 
Hi Abinaya,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on mac80211-next/master]
[also build test WARNING on mac80211/master linus/master v5.12-rc7 next-20210414]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/0day-ci/linux/commits/Abinaya-Kalaiselvan/mac80211-fix-NULL-ptr-dereference-during-mesh-peer-connection-for-non-HE-devices/20210414-193552
base:   https://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211-next.git master
config: x86_64-randconfig-m001-20210414 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-22) 9.3.0

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>

New smatch warnings:
net/mac80211/he.c:126 ieee80211_he_cap_ie_to_sta_he_cap() warn: inconsistent indenting

Old smatch warnings:
net/mac80211/he.c:33 ieee80211_update_from_he_6ghz_capa() error: uninitialized symbol 'smps_mode'.

vim +126 net/mac80211/he.c

   105	
   106	void
   107	ieee80211_he_cap_ie_to_sta_he_cap(struct ieee80211_sub_if_data *sdata,
   108					  struct ieee80211_supported_band *sband,
   109					  const u8 *he_cap_ie, u8 he_cap_len,
   110					  const struct ieee80211_he_6ghz_capa *he_6ghz_capa,
   111					  struct sta_info *sta)
   112	{
   113		struct ieee80211_sta_he_cap *he_cap = &sta->sta.he_cap;
   114		struct ieee80211_sta_he_cap own_he_cap;
   115		struct ieee80211_he_cap_elem *he_cap_ie_elem = (void *)he_cap_ie;
   116		u8 he_ppe_size;
   117		u8 mcs_nss_size;
   118		u8 he_total_size;
   119		bool own_160, peer_160, own_80p80, peer_80p80;
   120	
   121		memset(he_cap, 0, sizeof(*he_cap));
   122	
   123		if (!he_cap_ie || !ieee80211_get_he_sta_cap(sband))
   124			return;
   125	
 > 126		 own_he_cap = sband->iftype_data->he_cap;
   127	
   128		/* Make sure size is OK */
   129		mcs_nss_size = ieee80211_he_mcs_nss_size(he_cap_ie_elem);
   130		he_ppe_size =
   131			ieee80211_he_ppe_size(he_cap_ie[sizeof(he_cap->he_cap_elem) +
   132							mcs_nss_size],
   133					      he_cap_ie_elem->phy_cap_info);
   134		he_total_size = sizeof(he_cap->he_cap_elem) + mcs_nss_size +
   135				he_ppe_size;
   136		if (he_cap_len < he_total_size)
   137			return;
   138	
   139		memcpy(&he_cap->he_cap_elem, he_cap_ie, sizeof(he_cap->he_cap_elem));
   140	
   141		/* HE Tx/Rx HE MCS NSS Support Field */
   142		memcpy(&he_cap->he_mcs_nss_supp,
   143		       &he_cap_ie[sizeof(he_cap->he_cap_elem)], mcs_nss_size);
   144	
   145		/* Check if there are (optional) PPE Thresholds */
   146		if (he_cap->he_cap_elem.phy_cap_info[6] &
   147		    IEEE80211_HE_PHY_CAP6_PPE_THRESHOLD_PRESENT)
   148			memcpy(he_cap->ppe_thres,
   149			       &he_cap_ie[sizeof(he_cap->he_cap_elem) + mcs_nss_size],
   150			       he_ppe_size);
   151	
   152		he_cap->has_he = true;
   153	
   154		sta->cur_max_bandwidth = ieee80211_sta_cap_rx_bw(sta);
   155		sta->sta.bandwidth = ieee80211_sta_cur_vht_bw(sta);
   156	
   157		if (sband->band == NL80211_BAND_6GHZ && he_6ghz_capa)
   158			ieee80211_update_from_he_6ghz_capa(he_6ghz_capa, sta);
   159	
   160		ieee80211_he_mcs_intersection(&own_he_cap.he_mcs_nss_supp.rx_mcs_80,
   161					      &he_cap->he_mcs_nss_supp.rx_mcs_80,
   162					      &own_he_cap.he_mcs_nss_supp.tx_mcs_80,
   163					      &he_cap->he_mcs_nss_supp.tx_mcs_80);
   164	
   165		own_160 = own_he_cap.he_cap_elem.phy_cap_info[0] &
   166			  IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_160MHZ_IN_5G;
   167		peer_160 = he_cap->he_cap_elem.phy_cap_info[0] &
   168			   IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_160MHZ_IN_5G;
   169	
   170		if (peer_160 && own_160) {
   171			ieee80211_he_mcs_intersection(&own_he_cap.he_mcs_nss_supp.rx_mcs_160,
   172						      &he_cap->he_mcs_nss_supp.rx_mcs_160,
   173						      &own_he_cap.he_mcs_nss_supp.tx_mcs_160,
   174						      &he_cap->he_mcs_nss_supp.tx_mcs_160);
   175		} else if (peer_160 && !own_160) {
   176			ieee80211_he_mcs_disable(&he_cap->he_mcs_nss_supp.rx_mcs_160);
   177			ieee80211_he_mcs_disable(&he_cap->he_mcs_nss_supp.tx_mcs_160);
   178			he_cap->he_cap_elem.phy_cap_info[0] &=
   179				~IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_160MHZ_IN_5G;
   180		}
   181	
   182		own_80p80 = own_he_cap.he_cap_elem.phy_cap_info[0] &
   183			    IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_80PLUS80_MHZ_IN_5G;
   184		peer_80p80 = he_cap->he_cap_elem.phy_cap_info[0] &
   185			     IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_80PLUS80_MHZ_IN_5G;
   186	
   187		if (peer_80p80 && own_80p80) {
   188			ieee80211_he_mcs_intersection(&own_he_cap.he_mcs_nss_supp.rx_mcs_80p80,
   189						      &he_cap->he_mcs_nss_supp.rx_mcs_80p80,
   190						      &own_he_cap.he_mcs_nss_supp.tx_mcs_80p80,
   191						      &he_cap->he_mcs_nss_supp.tx_mcs_80p80);
   192		} else if (peer_80p80 && !own_80p80) {
   193			ieee80211_he_mcs_disable(&he_cap->he_mcs_nss_supp.rx_mcs_80p80);
   194			ieee80211_he_mcs_disable(&he_cap->he_mcs_nss_supp.tx_mcs_80p80);
   195			he_cap->he_cap_elem.phy_cap_info[0] &=
   196				~IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_80PLUS80_MHZ_IN_5G;
   197		}
   198	}
   199	

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
diff mbox series

Patch

diff --git a/net/mac80211/he.c b/net/mac80211/he.c
index 0c0b970..543c2cb 100644
--- a/net/mac80211/he.c
+++ b/net/mac80211/he.c
@@ -111,7 +111,7 @@  ieee80211_he_cap_ie_to_sta_he_cap(struct ieee80211_sub_if_data *sdata,
 				  struct sta_info *sta)
 {
 	struct ieee80211_sta_he_cap *he_cap = &sta->sta.he_cap;
-	struct ieee80211_sta_he_cap own_he_cap = sband->iftype_data->he_cap;
+	struct ieee80211_sta_he_cap own_he_cap;
 	struct ieee80211_he_cap_elem *he_cap_ie_elem = (void *)he_cap_ie;
 	u8 he_ppe_size;
 	u8 mcs_nss_size;
@@ -123,6 +123,8 @@  ieee80211_he_cap_ie_to_sta_he_cap(struct ieee80211_sub_if_data *sdata,
 	if (!he_cap_ie || !ieee80211_get_he_sta_cap(sband))
 		return;
 
+	 own_he_cap = sband->iftype_data->he_cap;
+
 	/* Make sure size is OK */
 	mcs_nss_size = ieee80211_he_mcs_nss_size(he_cap_ie_elem);
 	he_ppe_size =