[PATCH Linux-next] ioctl_linux: fix a potential NULL pointer dereference bug

[PATCH Linux-next] ioctl_linux: fix a potential NULL pointer dereference bug

[cgel.zte]

From: xu xin <xu.xin16@zte.com.cn>

The pointer might be NULL, but it is dereferenced.

Reported-by: Zeal Robot <zealci@zte.com.cn>
Signed-off-by: xu xin <xu.xin16@zte.com.cn>
---
 drivers/staging/r8188eu/os_dep/ioctl_linux.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/staging/r8188eu/os_dep/ioctl_linux.c b/drivers/staging/r8188eu/os_dep/ioctl_linux.c
index a3e6d761e748..ce4ce9190f5f 100644
--- a/drivers/staging/r8188eu/os_dep/ioctl_linux.c
+++ b/drivers/staging/r8188eu/os_dep/ioctl_linux.c
@@ -4389,7 +4389,8 @@ static int rtw_dbg_port(struct net_device *dev,
 				pregpriv->rx_stbc = extra_arg;
 				DBG_88E("set rx_stbc =%d\n", pregpriv->rx_stbc);
 			} else {
-				DBG_88E("get rx_stbc =%d\n", pregpriv->rx_stbc);
+				if (pregpriv)
+					DBG_88E("get rx_stbc =%d\n", pregpriv->rx_stbc);
 			}
 		}
 			break;
@@ -4401,7 +4402,8 @@ static int rtw_dbg_port(struct net_device *dev,
 				pregpriv->ampdu_enable = extra_arg;
 				DBG_88E("set ampdu_enable =%d\n", pregpriv->ampdu_enable);
 			} else {
-				DBG_88E("get ampdu_enable =%d\n", pregpriv->ampdu_enable);
+				if (pregpriv)
+					DBG_88E("get ampdu_enable =%d\n", pregpriv->ampdu_enable);
 			}
 		}
 			break;
-- 
2.25.1

Re: [PATCH Linux-next] ioctl_linux: fix a potential NULL pointer dereference bug

[Pavel Skripkin]

On 8/23/21 6:06 AM, cgel.zte@gmail.com wrote:
> From: xu xin <xu.xin16@zte.com.cn>
> 
> The pointer might be NULL, but it is dereferenced.
> 
> Reported-by: Zeal Robot <zealci@zte.com.cn>
> Signed-off-by: xu xin <xu.xin16@zte.com.cn>
> ---
>   drivers/staging/r8188eu/os_dep/ioctl_linux.c | 6 ++++--
>   1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/staging/r8188eu/os_dep/ioctl_linux.c b/drivers/staging/r8188eu/os_dep/ioctl_linux.c
> index a3e6d761e748..ce4ce9190f5f 100644
> --- a/drivers/staging/r8188eu/os_dep/ioctl_linux.c
> +++ b/drivers/staging/r8188eu/os_dep/ioctl_linux.c
> @@ -4389,7 +4389,8 @@ static int rtw_dbg_port(struct net_device *dev,
>   				pregpriv->rx_stbc = extra_arg;
>   				DBG_88E("set rx_stbc =%d\n", pregpriv->rx_stbc);
>   			} else {
> -				DBG_88E("get rx_stbc =%d\n", pregpriv->rx_stbc);
> +				if (pregpriv)
> +					DBG_88E("get rx_stbc =%d\n", pregpriv->rx_stbc);
>   			}
>   		}
>   			break;
> @@ -4401,7 +4402,8 @@ static int rtw_dbg_port(struct net_device *dev,
>   				pregpriv->ampdu_enable = extra_arg;
>   				DBG_88E("set ampdu_enable =%d\n", pregpriv->ampdu_enable);
>   			} else {
> -				DBG_88E("get ampdu_enable =%d\n", pregpriv->ampdu_enable);
> +				if (pregpriv)
> +					DBG_88E("get ampdu_enable =%d\n", pregpriv->ampdu_enable);
>   			}
>   		}
>   			break;
> 


Hi, Xu!

I can't see how pregpriv can be NULL:

	struct registry_priv *pregpriv = &padapter->registrypriv;

It can be NULL in case of completely wrong padapter pointer, but I can't 
see how it's possible. Do you have a calltrace?

I guess, your robot reported this, because there is useless check in 
same code block:

	if (pregpriv &&
		(extra_arg == 0 ||
		 extra_arg == 1 ||
		 extra_arg == 2 ||
		 extra_arg == 3))


So, I think, "pregpriv &&" part should be removed, instead of adding 2 
branches.


Also, subject line should be "staging: r8118eu: <subject>". Thank you!



With regards,
Pavel Skripkin