Hi, On Fri, Jul 30, 2021 at 9:13 PM Li Tuo <islituo@xxxxxxxxx> wrote: > Our static analysis tool finds a possible null-pointer dereference in > the mwifiex driver in Linux 5.14.0-rc3: Wouldn't be the first time a static analysis tool tripped up over excessively redundant "safety" checks :) For example: https://lore.kernel.org/linux-wireless/20210731163546.10753-1-len.baker@xxxxxxx/T/#u > The variable cmd_node->cmd_skb->data is assigned to the variable > host_cmd, and host_cmd is checked in: > 190: if (host_cmd == NULL || host_cmd->size == 0) > > This indicates that host_cmd can be NULL. > If so, the function mwifiex_recycle_cmd_node() will be called with the > argument cmd_node: > 196: mwifiex_recycle_cmd_node(adapter, cmd_node); > > In this called function, the variable cmd_node->cmd_skb->data is > assigned to the variable host_cmd, too. > Thus the variable host_cmd in the function mwifiex_recycle_cmd_node() > can be also NULL. > However, it is dereferenced when calling le16_to_cpu(): > 144: le16_to_cpu(host_cmd->command) > > I am not quite sure whether this possible null-pointer dereference is > real and how to fix it if it is real. > Any feedback would be appreciated, thanks! I doubt it's real; the NULL check is probably excessive. I don't think there's any case in which such skb's will have no ->data. If you're interested, you could test and submit a "fix" to drop the excess check. Brian
