author | Daniil Dulov <d.dulov@aladdin.ru> | 2025-06-26 14:46:19 +0300 |
---|---|---|
committer | Johannes Berg <johannes.berg@intel.com> | 2025-06-30 16:34:43 +0300 |
commit | 74b1ec9f5d627d2bdd5e5b6f3f81c23317657023 (patch) | |
tree | ec8f247bcfc1ba140e3a2d7f7723ba9a1dd96cbb /scripts/gdb/linux/interrupts.py | |
parent | 1fe44a86ff0ff483aa1f1332f2b08f431fa51ce8 (diff) | |
download | linux-74b1ec9f5d627d2bdd5e5b6f3f81c23317657023.tar.xz |
wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev()
There is a potential NULL pointer dereference in zd_mac_tx_to_dev(). For
example, the following is possible:
T0                                                  T1
zd_mac_tx_to_dev()
  /* len == skb_queue_len(q) */
  while (len > ZD_MAC_MAX_ACK_WAITERS) {
                                                    filter_ack()
                                                      spin_lock_irqsave(&q->lock, flags);
                                                      /* position == skb_queue_len(q) */
                                                      for (i=1; i<position; i++)
                                                        skb = __skb_dequeue(q)

                                                      if (mac->type == NL80211_IFTYPE_AP)
                                                        skb = __skb_dequeue(q);
                                                      spin_unlock_irqrestore(&q->lock, flags);

    skb_dequeue() -> NULL
Since there is a small gap between checking skb queue length and skb being
unconditionally dequeued in zd_mac_tx_to_dev(), skb_dequeue() can return NULL.
Then the pointer is passed to zd_mac_tx_status() where it is dereferenced.
In order to avoid potential NULL pointer dereference due to situations like
above, check if skb is not NULL before passing it to zd_mac_tx_status().
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 459c51ad6e1f ("zd1211rw: port to mac80211")
Signed-off-by: Daniil Dulov <d.dulov@aladdin.ru>
Link: https://patch.msgid.link/20250626114619.172631-1-d.dulov@aladdin.ru
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Diffstat (limited to 'scripts/gdb/linux/interrupts.py')
0 files changed, 0 insertions, 0 deletions
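As an added example that is not part of this commit or of the zd1211rw driver, the user-space C program below models the interleaving the message describes: T0 reads the queue length without the lock, T1 (filter_ack) empties the queue under the lock, and T0's subsequent skb_dequeue() returns NULL. The queue, lock, ZD_MAC_MAX_ACK_WAITERS value and every function name here are hypothetical stand-ins chosen for the model; the interleaving is forced deterministically through a callback rather than with real threads. The check_null flag selects between the original behaviour (a NULL skb reaches the status path) and the fix (the NULL is skipped).

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>

#define ZD_MAC_MAX_ACK_WAITERS 1  /* assumption: kept small so the example stays short */

/* Minimal stand-in for sk_buff / sk_buff_head: only what the race depends on. */
struct skb { struct skb *next; int id; };
struct skb_queue { struct skb *head; size_t len; int locked; };

/* A one-flag lock: aborting on re-entry catches any model that holds it twice. */
static void q_lock(struct skb_queue *q)   { if (q->locked) abort(); q->locked = 1; }
static void q_unlock(struct skb_queue *q) { q->locked = 0; }

static void queue_init(struct skb_queue *q) { q->head = NULL; q->len = 0; q->locked = 0; }
static size_t skb_queue_len(const struct skb_queue *q) { return q->len; }

/* Caller holds the lock (mirrors the kernel's __skb_* naming convention). */
static void __skb_queue_tail(struct skb_queue *q, struct skb *s)
{
    struct skb **pp = &q->head;
    while (*pp) pp = &(*pp)->next;
    s->next = NULL; *pp = s; q->len++;
}
static struct skb *__skb_dequeue(struct skb_queue *q)
{
    struct skb *s = q->head;
    if (!s) return NULL;
    q->head = s->next; q->len--;
    return s;
}
static struct skb *skb_dequeue(struct skb_queue *q)
{
    q_lock(q);
    struct skb *s = __skb_dequeue(q);
    q_unlock(q);
    return s;
}

/* Fill a queue with n constructed entries (sample input, not driver data). */
static void fill_queue(struct skb_queue *q, int n)
{
    queue_init(q);
    q_lock(q);
    for (int i = 0; i < n; i++) { struct skb *s = malloc(sizeof *s); s->id = i; __skb_queue_tail(q, s); }
    q_unlock(q);
}
static void drain_queue(struct skb_queue *q) { struct skb *s; while ((s = skb_dequeue(q))) free(s); }

/* T1 in the message: filter_ack() takes the lock, dequeues position-1 entries,
 * then one more in AP mode. With position == len that empties the queue. */
static void filter_ack_model(struct skb_queue *q)
{
    q_lock(q);
    size_t position = skb_queue_len(q);
    for (size_t i = 1; i < position; i++)
        free(__skb_dequeue(q));
    free(__skb_dequeue(q));             /* the NL80211_IFTYPE_AP branch; free(NULL) is a no-op */
    q_unlock(q);
}

enum outcome { TX_STATUS_EACH_SKB, TX_STATUS_GOT_NULL, TX_SKIPPED_NULL };

/* T0 in the message: the loop in zd_mac_tx_to_dev(). `interleave` stands for T1
 * being scheduled between the unlocked length read and skb_dequeue().
 * check_null == false: original code, a NULL skb reaches the status path.
 * check_null == true:  the fix, the NULL is skipped. */
static enum outcome tx_to_dev_model(struct skb_queue *q,
                                    void (*interleave)(struct skb_queue *),
                                    bool check_null)
{
    bool saw_null = false;
    size_t len = skb_queue_len(q);          /* read outside the lock, as in the driver */
    while (len > ZD_MAC_MAX_ACK_WAITERS) {
        if (interleave) { interleave(q); interleave = NULL; }
        struct skb *skb = skb_dequeue(q);   /* may now return NULL */
        if (!skb) {
            if (!check_null)
                return TX_STATUS_GOT_NULL;  /* zd_mac_tx_status() would dereference it here */
            saw_null = true;
        } else {
            free(skb);                      /* stand-in for zd_mac_tx_status(hw, skb, 0, NULL) */
        }
        len--;
    }
    return saw_null ? TX_SKIPPED_NULL : TX_STATUS_EACH_SKB;
}

int main(void)
{
    struct skb_queue q;
    fill_queue(&q, 3);
    printf("no interleaving : %d\n", tx_to_dev_model(&q, NULL, false)); drain_queue(&q);
    fill_queue(&q, 3);
    printf("race, unfixed   : %d\n", tx_to_dev_model(&q, filter_ack_model, false)); drain_queue(&q);
    fill_queue(&q, 3);
    printf("race, with fix  : %d\n", tx_to_dev_model(&q, filter_ack_model, true)); drain_queue(&q);
    return 0;
}
```

The model keeps the driver's shape on purpose: the length is sampled once outside the lock and then used as a loop bound, so the only thing standing between a concurrent dequeue and a NULL dereference is the check the patch adds. Extending the lock across the check and the dequeue would remove the window entirely, but the NULL check is the smaller change and is what the commit does.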