Re: [PATCH] rtlwifi: Fix null-pointer dereferences in error handling code of rtl_pci_probe()

From: Kalle Valo
Date: Tue May 28 2019 - 09:13:11 EST

Larry Finger <Larry.Finger@xxxxxxxxxxxx> writes:

> On 5/28/19 6:55 AM, Kalle Valo wrote:
>> Jia-Ju Bai <baijiaju1990@xxxxxxxxx> wrote:
>>> *BUG 1:
>>> In rtl_pci_probe(), when rtlpriv->cfg->ops->init_sw_vars() fails,
>>> rtl_deinit_core() in the error handling code is executed.
>>> rtl_deinit_core() calls rtl_free_entries_from_scan_list(), which uses
>>> rtlpriv->scan_list.list in list_for_each_entry_safe(), but it has been
>>> initialized. Thus a null-pointer dereference occurs.
>>> The reason is that rtlpriv->scan_list.list is initialized by
>>> INIT_LIST_HEAD() in rtl_init_core(), which has not been called.
>>> To fix this bug, rtl_deinit_core() should not be called when
>>> rtlpriv->cfg->ops->init_sw_vars() fails.
>>> *BUG 2:
>>> In rtl_pci_probe(), rtl_init_core() can fail when rtl_regd_init() in
>>> this function fails, and rtlpriv->scan_list.list has not been
>>> initialized by INIT_LIST_HEAD(). Then, rtl_deinit_core() in the error
>>> handling code of rtl_pci_probe() is executed. Finally, a null-pointer
>>> dereference occurs due to the same reason of the above bug.
>>> To fix this bug, the initialization of lists in rtl_init_core() are
>>> performed before the call to rtl_regd_init().
>>> These bugs are found by a runtime fuzzing tool named FIZZER written by
>>> us.
>>> Signed-off-by: Jia-Ju Bai <baijiaju1990@xxxxxxxxx>
>> Ping & Larry, is this ok to take?
> Kalle,
> Not at the moment. In reviewing the code, I was unable to see how this
> situation could develop, and his backtrace did not mention any rtlwifi
> code. For that reason, I asked him to add printk stat4ements to show
> the last part of rtl_pci that executed correctly. In
>, he promised
> to do that, but I have not seen the result.

Ok, thanks. I'll then drop this, please resubmit once everything is
understood and the patch is ready to be applied.

Kalle Valo