[mac80211-next:rtnl 1/1] net/wireless/nl80211.c:3105 nl80211_set_wiphy() error: we previously assumed 'rdev' could be null (see line 3085)

Dan Carpenter <dan.carpenter@xxxxxxxxxx> · Mon, 24 Aug 2020 14:18:07 +0300

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211-next.git rtnl
head:   7f96dd365770550bef6f09757774788e87b5f92e
commit: 7f96dd365770550bef6f09757774788e87b5f92e [1/1] cfg80211: avoid holding the RTNL when calling the driver
config: i386-randconfig-m021-20200820 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-15) 9.3.0

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@xxxxxxxxx>
Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>

New smatch warnings:
net/wireless/nl80211.c:3105 nl80211_set_wiphy() error: we previously assumed 'rdev' could be null (see line 3085)
net/wireless/nl80211.c:8999 nl80211_channel_switch() error: uninitialized symbol 'csa_attrs'.

# https://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211-next.git/commit/?id=7f96dd365770550bef6f09757774788e87b5f92e
git remote add mac80211-next https://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211-next.git
git fetch --no-tags mac80211-next rtnl
git checkout 7f96dd365770550bef6f09757774788e87b5f92e
vim +/rdev +3105 net/wireless/nl80211.c

556829657397b9b Johannes Berg          2007-09-20  3038  static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
556829657397b9b Johannes Berg          2007-09-20  3039  {
7f96dd365770550 Johannes Berg          2019-08-01  3040  	struct cfg80211_registered_device *rdev = NULL;
f444de05d20e27c Johannes Berg          2010-05-05  3041  	struct net_device *netdev = NULL;
f444de05d20e27c Johannes Berg          2010-05-05  3042  	struct wireless_dev *wdev;
a1e567c83f54143 Bill Jordan            2010-09-10  3043  	int result = 0, rem_txq_params = 0;
318884875bdddca Jouni Malinen          2008-10-30  3044  	struct nlattr *nl_txq_params;
b9a5f8cab751d36 Jouni Malinen          2009-04-20  3045  	u32 changed;
b9a5f8cab751d36 Jouni Malinen          2009-04-20  3046  	u8 retry_short = 0, retry_long = 0;
b9a5f8cab751d36 Jouni Malinen          2009-04-20  3047  	u32 frag_threshold = 0, rts_threshold = 0;
81077e82c3f5915 Lukáš Turek            2009-12-21  3048  	u8 coverage_class = 0;
52539ca89f365d3 Toke Høiland-Jørgensen 2018-05-08  3049  	u32 txq_limit = 0, txq_memory_limit = 0, txq_quantum = 0;
556829657397b9b Johannes Berg          2007-09-20  3050  
7f96dd365770550 Johannes Berg          2019-08-01  3051  	rtnl_lock();
f444de05d20e27c Johannes Berg          2010-05-05  3052  	/*
f444de05d20e27c Johannes Berg          2010-05-05  3053  	 * Try to find the wiphy and netdev. Normally this
f444de05d20e27c Johannes Berg          2010-05-05  3054  	 * function shouldn't need the netdev, but this is
f444de05d20e27c Johannes Berg          2010-05-05  3055  	 * done for backward compatibility -- previously
f444de05d20e27c Johannes Berg          2010-05-05  3056  	 * setting the channel was done per wiphy, but now
f444de05d20e27c Johannes Berg          2010-05-05  3057  	 * it is per netdev. Previous userland like hostapd
f444de05d20e27c Johannes Berg          2010-05-05  3058  	 * also passed a netdev to set_wiphy, so that it is
f444de05d20e27c Johannes Berg          2010-05-05  3059  	 * possible to let that go to the right netdev!
f444de05d20e27c Johannes Berg          2010-05-05  3060  	 */
4bbf4d56583dd52 Johannes Berg          2009-03-24  3061  
f444de05d20e27c Johannes Berg          2010-05-05  3062  	if (info->attrs[NL80211_ATTR_IFINDEX]) {
f444de05d20e27c Johannes Berg          2010-05-05  3063  		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
f444de05d20e27c Johannes Berg          2010-05-05  3064  
7f2b8562c2ee6e2 Ying Xue               2014-01-15  3065  		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
5fe231e873729fa Johannes Berg          2013-05-08  3066  		if (netdev && netdev->ieee80211_ptr)
f26cbf401be935e Zhao, Gang             2014-04-21  3067  			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
5fe231e873729fa Johannes Berg          2013-05-08  3068  		else
f444de05d20e27c Johannes Berg          2010-05-05  3069  			netdev = NULL;
f444de05d20e27c Johannes Berg          2010-05-05  3070  	}
f444de05d20e27c Johannes Berg          2010-05-05  3071  
f444de05d20e27c Johannes Berg          2010-05-05  3072  	if (!netdev) {
878d9ec7367816d Johannes Berg          2012-06-15  3073  		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
878d9ec7367816d Johannes Berg          2012-06-15  3074  						  info->attrs);
7f96dd365770550 Johannes Berg          2019-08-01  3075  		if (IS_ERR(rdev)) {
7f96dd365770550 Johannes Berg          2019-08-01  3076  			rtnl_unlock();
4c476991062a0a5 Johannes Berg          2010-10-04  3077  			return PTR_ERR(rdev);
7f96dd365770550 Johannes Berg          2019-08-01  3078  		}
f444de05d20e27c Johannes Berg          2010-05-05  3079  		wdev = NULL;
f444de05d20e27c Johannes Berg          2010-05-05  3080  		netdev = NULL;
f444de05d20e27c Johannes Berg          2010-05-05  3081  		result = 0;
71fe96bf9db8b11 Johannes Berg          2012-10-24  3082  	} else
f444de05d20e27c Johannes Berg          2010-05-05  3083  		wdev = netdev->ieee80211_ptr;
f444de05d20e27c Johannes Berg          2010-05-05  3084  
7f96dd365770550 Johannes Berg          2019-08-01 @3085  	if (rdev)
                                                                    ^^^^
Check for NULL

7f96dd365770550 Johannes Berg          2019-08-01  3086  		mutex_lock(&rdev->wiphy.mtx);
7f96dd365770550 Johannes Berg          2019-08-01  3087  	rtnl_unlock();
7f96dd365770550 Johannes Berg          2019-08-01  3088  
f444de05d20e27c Johannes Berg          2010-05-05  3089  	/*
f444de05d20e27c Johannes Berg          2010-05-05  3090  	 * end workaround code, by now the rdev is available
f444de05d20e27c Johannes Berg          2010-05-05  3091  	 * and locked, and wdev may or may not be NULL.
f444de05d20e27c Johannes Berg          2010-05-05  3092  	 */
4bbf4d56583dd52 Johannes Berg          2009-03-24  3093  
4bbf4d56583dd52 Johannes Berg          2009-03-24  3094  	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
318884875bdddca Jouni Malinen          2008-10-30  3095  		result = cfg80211_dev_rename(
318884875bdddca Jouni Malinen          2008-10-30  3096  			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
4bbf4d56583dd52 Johannes Berg          2009-03-24  3097  
318884875bdddca Jouni Malinen          2008-10-30  3098  	if (result)
7f96dd365770550 Johannes Berg          2019-08-01  3099  		goto out;
318884875bdddca Jouni Malinen          2008-10-30  3100  
318884875bdddca Jouni Malinen          2008-10-30  3101  	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
318884875bdddca Jouni Malinen          2008-10-30  3102  		struct ieee80211_txq_params txq_params;
318884875bdddca Jouni Malinen          2008-10-30  3103  		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
318884875bdddca Jouni Malinen          2008-10-30  3104  
7f96dd365770550 Johannes Berg          2019-08-01 @3105  		if (!rdev->ops->set_txq_params) {
                                                                             ^^^^^^^^^
Unchecked dereference

7f96dd365770550 Johannes Berg          2019-08-01  3106  			result = -EOPNOTSUPP;
7f96dd365770550 Johannes Berg          2019-08-01  3107  			goto out;
7f96dd365770550 Johannes Berg          2019-08-01  3108  		}
318884875bdddca Jouni Malinen          2008-10-30  3109  
7f96dd365770550 Johannes Berg          2019-08-01  3110  		if (!netdev) {
7f96dd365770550 Johannes Berg          2019-08-01  3111  			result = -EINVAL;
7f96dd365770550 Johannes Berg          2019-08-01  3112  			goto out;
7f96dd365770550 Johannes Berg          2019-08-01  3113  		}

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@xxxxxxxxxxxx
Attachment:
.config.gz

Description: application/gzip