Hi Lorenzo, url: https://github.com/0day-ci/linux/commits/Lorenzo-Bianconi/mac80211-add-BSS-color-change-support/20210628-172723 base: https://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211-next.git master config: i386-randconfig-m021-20210630 (attached as .config) compiler: gcc-9 (Debian 9.3.0-22) 9.3.0 If you fix the issue, kindly add following tag as appropriate Reported-by: kernel test robot <lkp@xxxxxxxxx> Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> New smatch warnings: net/mac80211/tx.c:4819 ieee80211_set_beacon_cntdwn() warn: variable dereferenced before check 'resp' (see line 4805) Old smatch warnings: net/mac80211/tx.c:1820 invoke_tx_handlers_late() warn: variable dereferenced before check 'tx->skb' (see line 1795) net/mac80211/tx.c:3444 ieee80211_xmit_fast_finish() error: we previously assumed 'key' could be null (see line 3412) vim +/resp +4819 net/mac80211/tx.c 8552a434b6a05c John Crispin 2020-08-11 4775 static void ieee80211_set_beacon_cntdwn(struct ieee80211_sub_if_data *sdata, 73da7d5bab79ad Simon Wunderlich 2013-07-11 4776 struct beacon_data *beacon) 73da7d5bab79ad Simon Wunderlich 2013-07-11 4777 { 726d30f004a276 John Crispin 2021-06-28 4778 u8 *beacon_data, count, max_count = 1; 726d30f004a276 John Crispin 2021-06-28 4779 u16 *bcn_offsets, *resp_offsets; 73da7d5bab79ad Simon Wunderlich 2013-07-11 4780 struct probe_resp *resp; cd7760e62c2ac8 Simon Wunderlich 2013-08-28 4781 size_t beacon_data_len; 0d06d9ba93ad42 Andrei Otcheretianski 2014-05-09 4782 int i; cd7760e62c2ac8 Simon Wunderlich 2013-08-28 4783 cd7760e62c2ac8 Simon Wunderlich 2013-08-28 4784 switch (sdata->vif.type) { cd7760e62c2ac8 Simon Wunderlich 2013-08-28 4785 case NL80211_IFTYPE_AP: cd7760e62c2ac8 Simon Wunderlich 2013-08-28 4786 beacon_data = beacon->tail; cd7760e62c2ac8 Simon Wunderlich 2013-08-28 4787 beacon_data_len = beacon->tail_len; cd7760e62c2ac8 Simon Wunderlich 2013-08-28 4788 break; cd7760e62c2ac8 Simon Wunderlich 2013-08-28 4789 case 
NL80211_IFTYPE_ADHOC: cd7760e62c2ac8 Simon Wunderlich 2013-08-28 4790 beacon_data = beacon->head; cd7760e62c2ac8 Simon Wunderlich 2013-08-28 4791 beacon_data_len = beacon->head_len; cd7760e62c2ac8 Simon Wunderlich 2013-08-28 4792 break; b8456a14e9d277 Chun-Yeow Yeoh 2013-10-17 4793 case NL80211_IFTYPE_MESH_POINT: b8456a14e9d277 Chun-Yeow Yeoh 2013-10-17 4794 beacon_data = beacon->head; b8456a14e9d277 Chun-Yeow Yeoh 2013-10-17 4795 beacon_data_len = beacon->head_len; b8456a14e9d277 Chun-Yeow Yeoh 2013-10-17 4796 break; cd7760e62c2ac8 Simon Wunderlich 2013-08-28 4797 default: cd7760e62c2ac8 Simon Wunderlich 2013-08-28 4798 return; cd7760e62c2ac8 Simon Wunderlich 2013-08-28 4799 } 0d06d9ba93ad42 Andrei Otcheretianski 2014-05-09 4800 73da7d5bab79ad Simon Wunderlich 2013-07-11 4801 rcu_read_lock(); 73da7d5bab79ad Simon Wunderlich 2013-07-11 4802 resp = rcu_dereference(sdata->u.ap.probe_resp); 73da7d5bab79ad Simon Wunderlich 2013-07-11 4803 726d30f004a276 John Crispin 2021-06-28 4804 bcn_offsets = beacon->cntdwn_counter_offsets; 726d30f004a276 John Crispin 2021-06-28 @4805 resp_offsets = resp->cntdwn_counter_offsets; ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ This code assumes "resp" is non-NULL 726d30f004a276 John Crispin 2021-06-28 4806 count = beacon->cntdwn_current_counter; 726d30f004a276 John Crispin 2021-06-28 4807 if (sdata->vif.csa_active) 726d30f004a276 John Crispin 2021-06-28 4808 max_count = IEEE80211_MAX_CNTDWN_COUNTERS_NUM; 726d30f004a276 John Crispin 2021-06-28 4809 726d30f004a276 John Crispin 2021-06-28 4810 for (i = 0; i < max_count; ++i) { 726d30f004a276 John Crispin 2021-06-28 4811 if (bcn_offsets[i]) { 726d30f004a276 John Crispin 2021-06-28 4812 if (WARN_ON_ONCE(bcn_offsets[i] >= beacon_data_len)) { 73da7d5bab79ad Simon Wunderlich 2013-07-11 4813 rcu_read_unlock(); 73da7d5bab79ad Simon Wunderlich 2013-07-11 4814 return; 73da7d5bab79ad Simon Wunderlich 2013-07-11 4815 } 726d30f004a276 John Crispin 2021-06-28 4816 beacon_data[bcn_offsets[i]] = count; 73da7d5bab79ad 
Simon Wunderlich 2013-07-11 4817 } af296bdb8da4d0 Michal Kazior 2014-06-05 4818 af296bdb8da4d0 Michal Kazior 2014-06-05 @4819 if (sdata->vif.type == NL80211_IFTYPE_AP && resp) ^^^^ Old code assumes "resp" can be NULL 726d30f004a276 John Crispin 2021-06-28 4820 resp->data[resp_offsets[i]] = count; 73da7d5bab79ad Simon Wunderlich 2013-07-11 4821 } af296bdb8da4d0 Michal Kazior 2014-06-05 4822 rcu_read_unlock(); 1af586c9116cdf Andrei Otcheretianski 2014-05-09 4823 } --- 0-DAY CI Kernel Test Service, Intel Corporation https://lists.01.org/hyperkitty/list/kbuild-all@xxxxxxxxxxxx
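Review bot: The probe-response write at line 4820, `resp->data[resp_offsets[i]] = count;`, has neither of the guards that the beacon write at lines 4811-4816 has: a zero offset is not skipped, and the offset is never compared with the size of the probe-response buffer. If the offsets are not validated where the template is installed (that code is not in this listing), an out-of-range value becomes a one-byte out-of-bounds write in kernel memory. With `max_count` raised to `IEEE80211_MAX_CNTDWN_COUNTERS_NUM`, unused slots would also overwrite `resp->data[0]`, assuming a zero offset means "unset" here as it does in the beacon branch. I would mirror the beacon branch, for example `if (sdata->vif.type == NL80211_IFTYPE_AP && resp && resp_offsets[i] && !WARN_ON_ONCE(resp_offsets[i] >= resp->len))`, where `resp->len` is the length field of `struct probe_resp`, whose definition is not shown here and should be confirmed. A short comment above the loop stating which layer is responsible for validating both offset arrays would make the trust boundary explicit.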