releases/5.4.160/ath-dfs_pattern_detector-fix-possible-null-pointer-d.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 015bc2ad06ae0855ac6f19c470fcc17eb5c0dfa7 Mon Sep 17 00:00:00 2001
 From: Sasha Levin <sashal@kernel.org>
 Date: Thu, 5 Aug 2021 08:38:53 -0700
 Subject: ath: dfs_pattern_detector: Fix possible null-pointer dereference in
  channel_detector_create()

 From: Tuo Li <islituo@gmail.com>

 [ Upstream commit 4b6012a7830b813799a7faf40daa02a837e0fd5b ]

 kzalloc() is used to allocate memory for cd->detectors, and if it fails,
 channel_detector_exit() behind the label fail will be called:
   channel_detector_exit(dpd, cd);

 In channel_detector_exit(), cd->detectors is dereferenced through:
   struct pri_detector *de = cd->detectors[i];

 To fix this possible null-pointer dereference, check cd->detectors before
 the for loop to dereference cd->detectors.

 Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
 Signed-off-by: Tuo Li <islituo@gmail.com>
 Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
 Link: https://lore.kernel.org/r/20210805153854.154066-1-islituo@gmail.com
 Signed-off-by: Sasha Levin <sashal@kernel.org>
 ---
  drivers/net/wireless/ath/dfs_pattern_detector.c | 10 ++++++----
  1 file changed, 6 insertions(+), 4 deletions(-)

 diff --git a/drivers/net/wireless/ath/dfs_pattern_detector.c b/drivers/net/wireless/ath/dfs_pattern_detector.c
 index a274eb0d19688..a0ad6e48a35b4 100644
 --- a/drivers/net/wireless/ath/dfs_pattern_detector.c
 +++ b/drivers/net/wireless/ath/dfs_pattern_detector.c
 @@ -182,10 +182,12 @@ static void channel_detector_exit(struct dfs_pattern_detector *dpd,
  	if (cd == NULL)
  		return;
  	list_del(&cd->head);
 -	for (i = 0; i < dpd->num_radar_types; i++) {
 -		struct pri_detector *de = cd->detectors[i];
 -		if (de != NULL)
 -			de->exit(de);
 +	if (cd->detectors) {
 +		for (i = 0; i < dpd->num_radar_types; i++) {
 +			struct pri_detector *de = cd->detectors[i];
 +			if (de != NULL)
 +				de->exit(de);
 +		}
  	}
  	kfree(cd->detectors);
  	kfree(cd);
 --
 2.33.0
	From 015bc2ad06ae0855ac6f19c470fcc17eb5c0dfa7 Mon Sep 17 00:00:00 2001
	From: Sasha Levin <sashal@kernel.org>
	Date: Thu, 5 Aug 2021 08:38:53 -0700
	Subject: ath: dfs_pattern_detector: Fix possible null-pointer dereference in
	channel_detector_create()

	From: Tuo Li <islituo@gmail.com>

	[ Upstream commit 4b6012a7830b813799a7faf40daa02a837e0fd5b ]

	kzalloc() is used to allocate memory for cd->detectors, and if it fails,
	channel_detector_exit() behind the label fail will be called:
	channel_detector_exit(dpd, cd);

	In channel_detector_exit(), cd->detectors is dereferenced through:
	struct pri_detector *de = cd->detectors[i];

	To fix this possible null-pointer dereference, check cd->detectors before
	the for loop to dereference cd->detectors.

	Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
	Signed-off-by: Tuo Li <islituo@gmail.com>
	Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
	Link: https://lore.kernel.org/r/20210805153854.154066-1-islituo@gmail.com
	Signed-off-by: Sasha Levin <sashal@kernel.org>
	---
	drivers/net/wireless/ath/dfs_pattern_detector.c \| 10 ++++++----
	1 file changed, 6 insertions(+), 4 deletions(-)

	diff --git a/drivers/net/wireless/ath/dfs_pattern_detector.c b/drivers/net/wireless/ath/dfs_pattern_detector.c
	index a274eb0d19688..a0ad6e48a35b4 100644
	--- a/drivers/net/wireless/ath/dfs_pattern_detector.c
	+++ b/drivers/net/wireless/ath/dfs_pattern_detector.c
	@@ -182,10 +182,12 @@ static void channel_detector_exit(struct dfs_pattern_detector *dpd,
	if (cd == NULL)
	return;
	list_del(&cd->head);
	- for (i = 0; i < dpd->num_radar_types; i++) {
	- struct pri_detector *de = cd->detectors[i];
	- if (de != NULL)
	- de->exit(de);
	+ if (cd->detectors) {
	+ for (i = 0; i < dpd->num_radar_types; i++) {
	+ struct pri_detector *de = cd->detectors[i];
	+ if (de != NULL)
	+ de->exit(de);
	+ }
	}
	kfree(cd->detectors);
	kfree(cd);
	--
	2.33.0