> Hi,

Hi Colin,

a fix for this issue has already been posted upstream:
https://patchwork.kernel.org/project/linux-wireless/patch/857ff74f736d4e593f5ad602cee7ac67ebfca5ca.1612867656.git.lorenzo@xxxxxxxxxx/

Regards,
Lorenzo

> Static analysis with Coverity on linux-next has found an issue with the
> following commit:
>
> commit 1c099ab44727c8e42fe4de4d91b53cec3ef02860
> Author: Sean Wang <sean.wang@xxxxxxxxxxxx>
> Date:   Thu Jan 28 03:33:39 2021 +0800
>
>     mt76: mt7921: add MCU support
>
> The analysis is as follows:
>
> 390 static void
> 391 mt7921_mcu_tx_rate_report(struct mt7921_dev *dev, struct sk_buff *skb,
> 392                           u16 wlan_idx)
> 393 {
> 394         struct mt7921_mcu_wlan_info_event *wtbl_info =
> 395                 (struct mt7921_mcu_wlan_info_event *)(skb->data);
> 396         struct rate_info rate = {};
> 397         u8 curr_idx = wtbl_info->rate_info.rate_idx;
> 398         u16 curr = le16_to_cpu(wtbl_info->rate_info.rate[curr_idx]);
> 399         struct mt7921_mcu_peer_cap peer = wtbl_info->peer_cap;
> 400         struct mt76_phy *mphy = &dev->mphy;
>
>     1. var_decl: Declaring variable stats without initializer.
>
> 401         struct mt7921_sta_stats *stats;
> 402         struct mt7921_sta *msta;
> 403         struct mt76_wcid *wcid;
> 404
>
>     2. Condition wlan_idx >= 288, taking false branch.
>
> 405         if (wlan_idx >= MT76_N_WCIDS)
> 406                 return;
>
>     3. Condition 0 /* !((((sizeof ((*dev).mt76.wcid[wlan_idx]) == sizeof
>        (char) || sizeof ((*dev).mt76.wcid[wlan_idx]) == sizeof (short)) ||
>        sizeof ((*dev).mt76.wcid[wlan_idx]) == sizeof (int)) || sizeof
>        ((*dev).mt76.wcid[wlan_idx]) == sizeof (long)) || sizeof
>        ((*dev).mt76.wcid[wlan_idx]) == sizeof (long long)) */, taking false branch.
>
>     4. Condition debug_lockdep_rcu_enabled(), taking true branch.
>     5. Condition !__warned, taking true branch.
>     6. Condition 0, taking false branch.
>     7. Condition rcu_read_lock_held(), taking false branch.
>
> 407         wcid = rcu_dereference(dev->mt76.wcid[wlan_idx]);
>
>     8. Condition !wcid, taking true branch.
>
> 408         if (!wcid) {
>
>     Uninitialized pointer write (UNINIT)
>     9. uninit_use: Using uninitialized value stats.
>
> 409                 stats->tx_rate = rate;
> 410                 return;
> 411         }
>
> Line 409 dereferences pointer stats, however, this pointer has not yet
> been initialized. The initialization occurs later:
>
> 413         msta = container_of(wcid, struct mt7921_sta, wcid);
> 414         stats = &msta->stats;
>
> Colin
Attachment:
signature.asc
Description: PGP signature
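The defect Colin's Coverity trace describes is a control-flow one: `stats` is declared at line 401, assigned only at line 414, yet the `!wcid` branch at lines 408-410 writes through it first. The block below is an added example, not code from this mail, from the mt76 driver, or from the upstream fix Lorenzo links (which may resolve it differently). It models the same shape with hypothetical stand-ins (`struct sta`, `wcid_table`, `N_WCIDS`, `tx_rate_report`) and shows the corrected ordering: resolve the station first, and on the no-station path return without writing through any per-station pointer.

```c
/* Added example, not code from the mail or the mt76 driver: a self-contained
 * model of the control flow Coverity flagged. Names (sta, wcid_table,
 * tx_rate_report, N_WCIDS) are hypothetical stand-ins for the driver's own. */
#include <stddef.h>
#include <stdint.h>

#define N_WCIDS 8                        /* stand-in for MT76_N_WCIDS */

struct rate_info { uint16_t mcs; uint16_t nss; };
struct sta_stats { struct rate_info tx_rate; };
struct sta { int id; struct sta_stats stats; };

/* Constructed lookup table: indices with no associated station stay NULL,
 * which is the case the reported !wcid branch handles. */
static struct sta *wcid_table[N_WCIDS];

void wcid_register(uint16_t wlan_idx, struct sta *msta)
{
    if (wlan_idx < N_WCIDS)
        wcid_table[wlan_idx] = msta;
}

/* The reported shape declares 'stats' without an initializer and, on the
 * !wcid path, executes 'stats->tx_rate = rate' before the later
 * 'stats = &msta->stats' assignment ever runs. The corrected shape below
 * resolves the station first and touches no per-station memory on either
 * error path. Returns 0 on success, -1 for a bad index, -2 for no station. */
int tx_rate_report(uint16_t wlan_idx, struct rate_info rate)
{
    struct sta *msta;
    struct sta_stats *stats;

    if (wlan_idx >= N_WCIDS)
        return -1;
    msta = wcid_table[wlan_idx];
    if (!msta)
        return -2;                       /* nothing to update; do not write */
    stats = &msta->stats;                /* initialized before first use */
    stats->tx_rate = rate;
    return 0;
}

/* Helper for checking results: recorded MCS for an index, or -1 if none. */
int wcid_tx_mcs(uint16_t wlan_idx)
{
    if (wlan_idx >= N_WCIDS || !wcid_table[wlan_idx])
        return -1;
    return wcid_table[wlan_idx]->stats.tx_rate.mcs;
}

int main(void)
{
    static struct sta s3 = { .id = 3 };
    struct rate_info r = { .mcs = 7, .nss = 2 };

    wcid_register(3, &s3);
    tx_rate_report(3, r);                /* updates s3.stats.tx_rate */
    tx_rate_report(5, r);                /* empty slot: returns -2, no write */
    return 0;
}
```

The ordering is the whole fix: any path that can leave the function before the pointer is assigned must not dereference it, and returning a distinct error code for "no station" keeps that path visible to callers and to static analysers. Both Coverity's UNINIT checker and the uninitialized-variable warnings of gcc and clang are aimed at exactly this shape, so building the driver with `-Wall` and reading the warnings is a cheap check before a scan.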