On Sun, Apr 24, 2022 at 12:17:48AM +0530, Vihas Makwana wrote: > recvframe_chk_defrag() performs a NULL check on psta, but if that check > fails then it dereferences it, which it shouldn't do as psta is NULL. > > Set pdefrag_q to NULL if above check fails and let the code after it handle > that case. > > Fixes: 1cc18a22b96b ("staging: r8188eu: Add files for new driver - part 5") > Signed-off-by: Vihas Makwana <makvihas@xxxxxxxxx> > --- > drivers/staging/r8188eu/core/rtw_recv.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/staging/r8188eu/core/rtw_recv.c b/drivers/staging/r8188eu/core/rtw_recv.c > index c1005ddaa..db54bceff 100644 > --- a/drivers/staging/r8188eu/core/rtw_recv.c > +++ b/drivers/staging/r8188eu/core/rtw_recv.c > @@ -1244,7 +1244,7 @@ struct recv_frame *recvframe_chk_defrag(struct adapter *padapter, struct recv_fr > pdefrag_q = NULL; > } > } else { > - pdefrag_q = &psta->sta_recvpriv.defrag_q; > + pdefrag_q = NULL; What? "psta" is valid pointer on the else path. (Also this isn't really a dereference, this is just pointer math. It's taking the address. The Oops would happen later if psta were NULL.) regards, dan carpenter
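Review bot: The changed line in the else branch removes the only assignment in this hunk that points pdefrag_q at the station's defrag queue (`pdefrag_q = &psta->sta_recvpriv.defrag_q;`). With the patch applied, both branches shown here set pdefrag_q to NULL. The commit message says this path is reached when the NULL check on psta fails, but the hunk does not include the condition that guards this else, so that claim cannot be confirmed from the visible lines. The expression being replaced also only computes an address from psta and does not read through it. Suggest dropping the change, or quoting the guarding condition in the commit message and showing which later use of pdefrag_q would fault, so that the fix can be placed at that use rather than discarding the queue pointer here.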