ath11k: modify null check logic in ath11k_ce_rx_post_pipe()

Message ID	20240909150824.28195-1-m.lobanov@rosalinux.ru (mailing list archive)
State	Deferred
Delegated to:	Kalle Valo
Headers	show Received: from mail.rosalinux.ru (mail.rosalinux.ru [195.19.76.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 927251CD3F; Mon, 9 Sep 2024 15:09:44 +0000 (UTC) From: Mikhail Lobanov <m.lobanov@rosalinux.ru> To: Kalle Valo <kvalo@kernel.org> Cc: Mikhail Lobanov <m.lobanov@rosalinux.ru>, Jeff Johnson <jjohnson@kernel.org>, Govindaraj Saminathan <quic_gsamin@quicinc.com>, Miles Hu <milehu@codeaurora.org>, Sven Eckelmann <seckelmann@datto.com>, Rajkumar Manoharan <rmanohar@codeaurora.org>, John Crispin <john@phrozen.org>, linux-wireless@vger.kernel.org, ath11k@lists.infradead.org, linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org Subject: [PATCH] ath11k: modify null check logic in ath11k_ce_rx_post_pipe() Date: Mon, 9 Sep 2024 11:08:20 -0400 Message-ID: <20240909150824.28195-1-m.lobanov@rosalinux.ru> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable
Series	ath11k: modify null check logic in ath11k_ce_rx_post_pipe() \| expand ath11k: modify null check logic in ath11k_ce_rx_post_pipe()

Message ID

20240909150824.28195-1-m.lobanov@rosalinux.ru (mailing list archive)

State

Deferred

Delegated to:

Kalle Valo

Headers

From: Mikhail Lobanov <m.lobanov@rosalinux.ru>
To: Kalle Valo <kvalo@kernel.org>
Cc: Mikhail Lobanov <m.lobanov@rosalinux.ru>,
	Jeff Johnson <jjohnson@kernel.org>,
	Govindaraj Saminathan <quic_gsamin@quicinc.com>,
	Miles Hu <milehu@codeaurora.org>,
	Sven Eckelmann <seckelmann@datto.com>,
	Rajkumar Manoharan <rmanohar@codeaurora.org>,
	John Crispin <john@phrozen.org>,
	linux-wireless@vger.kernel.org,
	ath11k@lists.infradead.org,
	linux-kernel@vger.kernel.org,
	lvc-project@linuxtesting.org
Subject: [PATCH] ath11k: modify null check logic in ath11k_ce_rx_post_pipe()
Date: Mon,  9 Sep 2024 11:08:20 -0400
Message-ID: <20240909150824.28195-1-m.lobanov@rosalinux.ru>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

Series

ath11k: modify null check logic in ath11k_ce_rx_post_pipe() | expand

Commit Message

Mikhail Lobanov Sept. 9, 2024, 3:08 p.m. UTC

The previous logic in ath11k_ce_rx_post_pipe() incorrectly required both 
dest_ring and status_ring to be NULL in order to exit the function. 
This caused the function to continue even if only one of the pointers 
was NULL, potentially leading to null pointer dereferences in 
ath11k_ce_rx_buf_enqueue_pipe().

Fix the condition by modifying the logic so that the function returns 
early if either dest_ring or status_ring is NULL.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
Signed-off-by: Mikhail Lobanov <m.lobanov@rosalinux.ru>
---
 drivers/net/wireless/ath/ath11k/ce.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Kalle Valo Sept. 19, 2024, 4:46 p.m. UTC | #1

Mikhail Lobanov <m.lobanov@rosalinux.ru> wrote:

> The previous logic in ath11k_ce_rx_post_pipe() incorrectly required both 
> dest_ring and status_ring to be NULL in order to exit the function. 
> This caused the function to continue even if only one of the pointers 
> was NULL, potentially leading to null pointer dereferences in 
> ath11k_ce_rx_buf_enqueue_pipe().
> 
> Fix the condition by modifying the logic so that the function returns 
> early if either dest_ring or status_ring is NULL.
> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
> Signed-off-by: Mikhail Lobanov <m.lobanov@rosalinux.ru>

Jeff, what do you think?

Jeff Johnson Sept. 19, 2024, 7:42 p.m. UTC | #2

On 9/19/2024 9:46 AM, Kalle Valo wrote:
> Mikhail Lobanov <m.lobanov@rosalinux.ru> wrote:
> 
>> The previous logic in ath11k_ce_rx_post_pipe() incorrectly required both 
>> dest_ring and status_ring to be NULL in order to exit the function. 
>> This caused the function to continue even if only one of the pointers 
>> was NULL, potentially leading to null pointer dereferences in 
>> ath11k_ce_rx_buf_enqueue_pipe().
>>
>> Fix the condition by modifying the logic so that the function returns 
>> early if either dest_ring or status_ring is NULL.
>>
>> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>>
>> Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
>> Signed-off-by: Mikhail Lobanov <m.lobanov@rosalinux.ru>
> 
> Jeff, what do you think?
> 
Acked-by: Jeff Johnson <quic_jjohnson@quicinc.com>

(could have just s/||/&&/ but this change is also ok)

diff --git a/drivers/net/wireless/ath/ath11k/ce.c b/drivers/net/wireless/ath/ath11k/ce.c
index e66e86bdec20..9d4246d65d68 100644
--- a/drivers/net/wireless/ath/ath11k/ce.c
+++ b/drivers/net/wireless/ath/ath11k/ce.c
@@ -324,7 +324,7 @@  static int ath11k_ce_rx_post_pipe(struct ath11k_ce_pipe *pipe)
 	dma_addr_t paddr;
 	int ret = 0;
 
-	if (!(pipe->dest_ring || pipe->status_ring))
+	if (!pipe->dest_ring || !pipe->status_ring)
 		return 0;
 
 	spin_lock_bh(&ab->ce.ce_lock);

ath11k: modify null check logic in ath11k_ce_rx_post_pipe()

Commit Message

Comments

Patch