[PATCH 5.10/5.15/6.1 0/1] wifi: ath10k: Check return value of ath10k_get_arvif() in ath10k_wmi_event_tdls_peer()
SVACE reports a potential NULL pointer dereference in 5.10, 5.15 and 6.1 stable releases since the commit 4c9f8d114660 ("ath10k: enable TDLS peer inactivity detection") that caused this report was appeared.
The problem has been fixed by the following upstream patch that was adapted to 5.10, 5.15 and 6.1. All of the changes made to the patch in order to adapt it are described at the end of commit message.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Peter Kosyh (1): wifi: ath10k: Check return value of ath10k_get_arvif() in ath10k_wmi_event_tdls_peer()
drivers/net/wireless/ath/ath10k/wmi-tlv.c | 7 +++++++ 1 file changed, 7 insertions(+)
From: Peter Kosyh pkosyh@yandex.ru
commit 473118917cc33b98510880458c724bd833653db6 upstream.
Return value of a function ath10k_get_arvif() is dereferenced without checking for null in ath10k_wmi_event_tdls_peer(), but it is usually checked for this function.
Make ath10k_wmi_event_tdls_peer() do check retval of ath10k_get_arvif().
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Peter Kosyh pkosyh@yandex.ru Signed-off-by: Kalle Valo quic_kvalo@quicinc.com Link: https://lore.kernel.org/r/20221003091217.322598-1-pkosyh@yandex.ru Signed-off-by: Dmitry Kandybka d.kandybka@gmail.com --- drivers/net/wireless/ath/ath10k/wmi-tlv.c | 7 +++++++ 1 file changed, 7 insertions(+)
diff --git a/drivers/net/wireless/ath/ath10k/wmi-tlv.c b/drivers/net/wireless/ath/ath10k/wmi-tlv.c index 0eeb74245372..72da02fc68ea 100644 --- a/drivers/net/wireless/ath/ath10k/wmi-tlv.c +++ b/drivers/net/wireless/ath/ath10k/wmi-tlv.c @@ -584,7 +584,14 @@ static void ath10k_wmi_event_tdls_peer(struct ath10k *ar, struct sk_buff *skb) ath10k_warn(ar, "did not find station from tdls peer event"); goto exit; } + arvif = ath10k_get_arvif(ar, __le32_to_cpu(ev->vdev_id)); + if (!arvif) { + ath10k_warn(ar, "no vif for vdev_id %d found", + __le32_to_cpu(ev->vdev_id)); + goto exit; + } + ieee80211_tdls_oper_request( arvif->vif, station->addr, NL80211_TDLS_TEARDOWN,
linux-stable-mirror@lists.linaro.org
-
Dmitry Kandybka