linux-yocto/drivers/net/wireless
Daniil Dulov adf08c96b9 wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev()
[ Upstream commit 74b1ec9f5d ]

There is a potential NULL pointer dereference in zd_mac_tx_to_dev(). For
example, the following is possible:

        T0                                      T1
zd_mac_tx_to_dev()
  /* len == skb_queue_len(q) */
  while (len > ZD_MAC_MAX_ACK_WAITERS) {

                                          filter_ack()
                                            spin_lock_irqsave(&q->lock, flags);
                                            /* position == skb_queue_len(q) */
                                            for (i=1; i<position; i++)
                                              skb = __skb_dequeue(q)

                                            if (mac->type == NL80211_IFTYPE_AP)
                                              skb = __skb_dequeue(q);
                                            spin_unlock_irqrestore(&q->lock, flags);

    skb_dequeue() -> NULL

Since there is a small gap between checking skb queue length and skb being
unconditionally dequeued in zd_mac_tx_to_dev(), skb_dequeue() can return NULL.
Then the pointer is passed to zd_mac_tx_status() where it is dereferenced.

In order to avoid potential NULL pointer dereference due to situations like
above, check if skb is not NULL before passing it to zd_mac_tx_status().

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 459c51ad6e ("zd1211rw: port to mac80211")
Signed-off-by: Daniil Dulov <d.dulov@aladdin.ru>
Link: https://patch.msgid.link/20250626114619.172631-1-d.dulov@aladdin.ru
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2025-07-17 18:32:11 +02:00
..
admtek
ath wifi: ath6kl: remove WARN on bad firmware input 2025-07-10 15:59:50 +02:00
atmel wifi: at76c50x: fix use after free access in at76_disconnect 2025-04-25 10:43:47 +02:00
broadcom wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage() 2025-05-09 09:41:35 +02:00
cisco
intel wifi: iwlwifi: add support for Killer on MTL 2025-06-04 14:40:18 +02:00
intersil wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback() 2025-06-27 11:07:26 +01:00
marvell wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_config_scan() 2024-12-14 19:53:28 +01:00
mediatek wifi: mt76: mt7921: add 160 MHz AP for mt7922 device 2025-06-27 11:07:33 +01:00
microchip wifi: wilc1000: fix potential RCU dereference issue in wilc_parse_join_bss_param 2024-10-17 15:20:42 +02:00
purelifi wireless: purelifi: plfxlc: fix memory leak in plfxlc_usb_wreq_asyn() 2025-06-27 11:07:34 +01:00
quantenna
ralink
realtek wifi: rtlwifi: disable ASPM for RTL8723BE with subsystem ID 11ad:1723 2025-06-27 11:07:27 +01:00
rsi
silabs wifi: wfx: Fix error handling in wfx_core_init() 2024-12-14 19:53:31 +01:00
st
ti wifi: wl1251: fix memory leak in wl1251_tx_work 2025-04-25 10:43:48 +02:00
zydas wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() 2025-07-17 18:32:11 +02:00
Kconfig
mac80211_hwsim.c wifi: mac80211_hwsim: Prevent tsf from setting if beacon is disabled 2025-06-27 11:07:34 +01:00
mac80211_hwsim.h
Makefile
ray_cs.c
ray_cs.h
rayctl.h
rndis_wlan.c
virt_wifi.c
wl3501_cs.c
wl3501.h