Message ID | 20230210111228.370513-1-n.petrova@fintech.ru (mailing list archive) |
---|---|
State | Changes Requested |
Delegated to: | Kalle Valo |
Headers | show |
Series | b43legacy: Add checking for null for ssb_get_devtypedata(dev) | expand |
On 2/10/23 05:12, Natalia Petrova wrote: > Function ssb_get_devtypedata(dev) may return null (next call > B43legacy_WARN_ON(!wl) is used for error handling, including null-value). > Therefore, a check is added before calling b43legacy_wireless_exit(), > where the argument containing this value is expected to be dereferenced. > > Found by Linux Verification Center (linuxtesting.org) with SVACE > > Fixes: 75388acd0cd8 ("[B43LEGACY]: add mac80211-based driver for legacy BCM43xx devices") > Signed-off-by: Natalia Petrova <n.petrova@fintech.ru> > --- > drivers/net/wireless/broadcom/b43legacy/main.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/net/wireless/broadcom/b43legacy/main.c b/drivers/net/wireless/broadcom/b43legacy/main.c > index 760136638a95..1ae65679d704 100644 > --- a/drivers/net/wireless/broadcom/b43legacy/main.c > +++ b/drivers/net/wireless/broadcom/b43legacy/main.c > @@ -3871,7 +3871,7 @@ static int b43legacy_probe(struct ssb_device *dev, > return err; > > err_wireless_exit: > - if (first) > + if (first && wl) > b43legacy_wireless_exit(dev, wl); > return err; > } Looks good to me. Acked-by: Larry Finger <Larry.Finger@gmail.com> Thanks, Larry
On Fri, Feb 10, 2023 at 02:12:28PM +0300, Natalia Petrova wrote: > Function ssb_get_devtypedata(dev) may return null (next call > B43legacy_WARN_ON(!wl) is used for error handling, including null-value). > Therefore, a check is added before calling b43legacy_wireless_exit(), > where the argument containing this value is expected to be dereferenced. I see that is true, however, in that case are resources leaked due to the ieee80211_free_hw() call in b43legacy_wireless_exit() not being made? Moreover, aren't there also unguarded dereferences of wl: 1. In the call to b43legacy_one_core_attach(), which would branch to err_wireless_exit on failure. 2. In the call to schedule_work() just about the out: label. For the record, and because it seems relevant to give contexxt, b43legacy_probe() looks like this: static int b43legacy_probe(struct ssb_device *dev, const struct ssb_device_id *id) { struct b43legacy_wl *wl; int err; int first = 0; wl = ssb_get_devtypedata(dev); if (!wl) { /* Probing the first core - setup common struct b43legacy_wl */ first = 1; err = b43legacy_wireless_init(dev); if (err) goto out; wl = ssb_get_devtypedata(dev); B43legacy_WARN_ON(!wl); } err = b43legacy_one_core_attach(dev, wl); if (err) goto err_wireless_exit; /* setup and start work to load firmware */ INIT_WORK(&wl->firmware_load, b43legacy_request_firmware); schedule_work(&wl->firmware_load); out: return err; err_wireless_exit: if (first) b43legacy_wireless_exit(dev, wl); return err; } > > Found by Linux Verification Center (linuxtesting.org) with SVACE > > Fixes: 75388acd0cd8 ("[B43LEGACY]: add mac80211-based driver for legacy BCM43xx devices") > Signed-off-by: Natalia Petrova <n.petrova@fintech.ru> > --- > drivers/net/wireless/broadcom/b43legacy/main.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/net/wireless/broadcom/b43legacy/main.c b/drivers/net/wireless/broadcom/b43legacy/main.c > index 760136638a95..1ae65679d704 100644 > --- a/drivers/net/wireless/broadcom/b43legacy/main.c > +++ b/drivers/net/wireless/broadcom/b43legacy/main.c > @@ -3871,7 +3871,7 @@ static int b43legacy_probe(struct ssb_device *dev, > return err; > > err_wireless_exit: > - if (first) > + if (first && wl) > b43legacy_wireless_exit(dev, wl); > return err; > } > -- > 2.34.1 >
diff --git a/drivers/net/wireless/broadcom/b43legacy/main.c b/drivers/net/wireless/broadcom/b43legacy/main.c index 760136638a95..1ae65679d704 100644 --- a/drivers/net/wireless/broadcom/b43legacy/main.c +++ b/drivers/net/wireless/broadcom/b43legacy/main.c @@ -3871,7 +3871,7 @@ static int b43legacy_probe(struct ssb_device *dev, return err; err_wireless_exit: - if (first) + if (first && wl) b43legacy_wireless_exit(dev, wl); return err; }
Function ssb_get_devtypedata(dev) may return null (next call B43legacy_WARN_ON(!wl) is used for error handling, including null-value). Therefore, a check is added before calling b43legacy_wireless_exit(), where the argument containing this value is expected to be dereferenced. Found by Linux Verification Center (linuxtesting.org) with SVACE Fixes: 75388acd0cd8 ("[B43LEGACY]: add mac80211-based driver for legacy BCM43xx devices") Signed-off-by: Natalia Petrova <n.petrova@fintech.ru> --- drivers/net/wireless/broadcom/b43legacy/main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)