| From 015bc2ad06ae0855ac6f19c470fcc17eb5c0dfa7 Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Thu, 5 Aug 2021 08:38:53 -0700 |
| Subject: ath: dfs_pattern_detector: Fix possible null-pointer dereference in |
| channel_detector_create() |
| |
| From: Tuo Li <islituo@gmail.com> |
| |
| [ Upstream commit 4b6012a7830b813799a7faf40daa02a837e0fd5b ] |
| |
| kzalloc() is used to allocate memory for cd->detectors, and if it fails, |
| channel_detector_exit() behind the label fail will be called: |
| channel_detector_exit(dpd, cd); |
| |
| In channel_detector_exit(), cd->detectors is dereferenced through: |
| struct pri_detector *de = cd->detectors[i]; |
| |
| To fix this possible null-pointer dereference, check cd->detectors before |
| the for loop to dereference cd->detectors. |
| |
| Reported-by: TOTE Robot <oslab@tsinghua.edu.cn> |
| Signed-off-by: Tuo Li <islituo@gmail.com> |
| Signed-off-by: Kalle Valo <kvalo@codeaurora.org> |
| Link: https://lore.kernel.org/r/20210805153854.154066-1-islituo@gmail.com |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| drivers/net/wireless/ath/dfs_pattern_detector.c | 10 ++++++---- |
| 1 file changed, 6 insertions(+), 4 deletions(-) |
| |
| diff --git a/drivers/net/wireless/ath/dfs_pattern_detector.c b/drivers/net/wireless/ath/dfs_pattern_detector.c |
| index a274eb0d19688..a0ad6e48a35b4 100644 |
| --- a/drivers/net/wireless/ath/dfs_pattern_detector.c |
| +++ b/drivers/net/wireless/ath/dfs_pattern_detector.c |
| @@ -182,10 +182,12 @@ static void channel_detector_exit(struct dfs_pattern_detector *dpd, |
| if (cd == NULL) |
| return; |
| list_del(&cd->head); |
| - for (i = 0; i < dpd->num_radar_types; i++) { |
| - struct pri_detector *de = cd->detectors[i]; |
| - if (de != NULL) |
| - de->exit(de); |
| + if (cd->detectors) { |
| + for (i = 0; i < dpd->num_radar_types; i++) { |
| + struct pri_detector *de = cd->detectors[i]; |
| + if (de != NULL) |
| + de->exit(de); |
| + } |
| } |
| kfree(cd->detectors); |
| kfree(cd); |
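Review bot: The new `if (cd->detectors)` guard has no comment explaining why a non-NULL `cd` can carry a NULL `detectors` array, which is the whole reason for the check. Per the commit message this only happens when channel_detector_exit() is reached from the fail label of channel_detector_create() after the array allocation failed, so a line such as `/* detectors is NULL if channel_detector_create() failed to allocate it */` above the guard would keep a later cleanup from removing it as redundant. `list_del(&cd->head)` still runs unconditionally before the guard on that same partially constructed object; this is presumably safe because the list head is initialised before the allocation, but channel_detector_create() is outside this hunk, so it is worth confirming. The body of channel_detector_exit() starts and ends outside the hunk.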
| -- |
| 2.33.0 |
| |