[bug report] wifi: mt76: Check link_conf pointer in mt76_connac_mcu_sta_basic_tlv()
Lorenzo Bianconi
lorenzo at kernel.org
Tue Mar 25 06:44:51 PDT 2025
On Mar 24, Shayne Chen wrote:
> On Fri, 2025-03-21 at 17:29 +0100, Lorenzo Bianconi wrote:
> > > Hello Shayne Chen,
> > >
> > > This is a semi-automatic email about new static checker warnings.
> > >
> > > Commit 9890624c1b39 ("wifi: mt76: Check link_conf pointer in
> > > mt76_connac_mcu_sta_basic_tlv()") from Mar 11, 2025, leads to the
> > > following Smatch complaint:
> > >
> > > drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c:394 mt76_connac_mcu_sta_basic_tlv()
> > > warn: variable dereferenced before check 'link_conf' (see line 376)
> > >
> > > drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
> > > 375 {
> > > 376 struct ieee80211_vif *vif = link_conf->vif;
> > > ^^^^^^^^^^^^^^
> >
> > Reviewing the codebase, it seems to me it is safe to revert
> > 9890624c1b39 since
> > link_conf is always not NULL running mt76_connac_mcu_sta_basic_tlv().
> > @Shayne Chen: agree?
> >
> link_conf won't be NULL in this function at the moment, but it could be
> NULL after adding "MLO reconfiguration" support. So in our internal
> tree, we directly pass struct ieee80211_vif to this function.
ack, but at the moment mt76_connac_mcu_sta_basic_tlv() assumes link_conf is
not NULL since we dereference it to get the vif pointer.
>
> Both methods are fine to me, what do you think?
I would prefer the revert for the moment and modify the signature when it is
necessary.
Regards,
Lorenzo
>
> Regards,
> Shayne
>
> > Regards,
> > Lorenzo
> >
> > > Dereferenced.
> > >
> > > 377 struct sta_rec_basic *basic;
> > > 378 struct tlv *tlv;
> > > 379 int conn_type;
> > > 380
> > > 381 tlv = mt76_connac_mcu_add_tlv(skb, STA_REC_BASIC, sizeof(*basic));
> > > 382
> > > 383 basic = (struct sta_rec_basic *)tlv;
> > > 384 basic->extra_info = cpu_to_le16(EXTRA_INFO_VER);
> > > 385
> > > 386 if (newly && conn_state != CONN_STATE_DISCONNECT)
> > > 387 basic->extra_info |= cpu_to_le16(EXTRA_INFO_NEW);
> > > 388 basic->conn_state = conn_state;
> > > 389
> > > 390 if (!link_sta) {
> > > 391 basic->conn_type = cpu_to_le32(CONNECTION_INFRA_BC);
> > > 392
> > > 393 if (vif->type == NL80211_IFTYPE_STATION &&
> > > 394 link_conf && !is_zero_ether_addr(link_conf->bssid)) {
> > > ^^^^^^^^^
> > > The patch adds a NULL dereference but it's too late.
> > >
> > > 395 memcpy(basic->peer_addr, link_conf->bssid, ETH_ALEN);
> > > 396 basic->aid = cpu_to_le16(vif->cfg.aid);
> > >
> > > regards,
> > > dan carpenter
> > >
>
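As an added illustration (not code from the mt76 driver or from anyone in this thread), the two orderings under discussion modelled with minimal stand-in structs: the late check that Smatch flags, and a guard placed before any dereference. The struct layouts, the NL80211_IFTYPE_STATION value and the -EINVAL return are assumptions of this model.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define ETH_ALEN 6
#define NL80211_IFTYPE_STATION 2	/* value assumed for this model */

/* Constructed minimal stand-ins for the mac80211/mt76 structures. */
struct ieee80211_vif { int type; uint16_t aid; };
struct ieee80211_bss_conf { struct ieee80211_vif *vif; uint8_t bssid[ETH_ALEN]; };
struct sta_rec_basic { uint8_t peer_addr[ETH_ALEN]; uint16_t aid; };

static bool is_zero_ether_addr(const uint8_t *a)
{
	static const uint8_t zero[ETH_ALEN];
	return memcmp(a, zero, ETH_ALEN) == 0;
}

/* Shape of the code Smatch flagged: the first statement dereferences
 * link_conf, so the later "link_conf &&" test cannot protect a NULL
 * caller; it only documents an assumption that was already relied on. */
static int fill_basic_late_check(struct sta_rec_basic *basic,
				 const struct ieee80211_bss_conf *link_conf)
{
	const struct ieee80211_vif *vif = link_conf->vif;	/* dereferenced here */

	if (vif->type == NL80211_IFTYPE_STATION &&
	    link_conf && !is_zero_ether_addr(link_conf->bssid)) {	/* checked too late */
		memcpy(basic->peer_addr, link_conf->bssid, ETH_ALEN);
		basic->aid = vif->aid;
	}
	return 0;
}

/* Guard first, dereference second: a NULL link_conf is rejected before
 * any member access, and the record is left untouched. */
static int fill_basic_early_check(struct sta_rec_basic *basic,
				  const struct ieee80211_bss_conf *link_conf)
{
	if (!link_conf || !link_conf->vif)
		return -EINVAL;
	if (link_conf->vif->type == NL80211_IFTYPE_STATION &&
	    !is_zero_ether_addr(link_conf->bssid)) {
		memcpy(basic->peer_addr, link_conf->bssid, ETH_ALEN);
		basic->aid = link_conf->vif->aid;
	}
	return 0;
}
```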