Message ID | 20250526091903.587-1-vulab@iscas.ac.cn
---|---
State | Superseded
Series | [v2] mac80211: Add null pointer check for ieee80211_link_get_chanctx()
On Mon, 2025-05-26 at 17:19 +0800, Wentao Liang wrote:
> The function ieee80211_chsw_switch_vifs() calls the function
> ieee80211_link_get_chanctx(), but does not check its return value.
> The return value is a null pointer if the ieee80211_link_get_chanctx()
> fails. This will lead to a null pointer dereference in the following
> code "&old_ctx->conf". A proper implementation can be found in
> ieee80211_link_use_reserved_assign().
>
> Add a null pointer check and goto error handling path if the
> function fails.

How do you propose it can fail?

johannes
On Mon, 2025-05-26 at 11:44 +0200, Greg KH wrote:
> > old_ctx = ieee80211_link_get_chanctx(link);
> > + if (WARN_ON(!old_ctx)) {
>
> You just caused the machine to crash and reboot on billions of Linux
> systems if this ever is triggered. So please never do that :(

I still very much disagree with you and _will_ keep adding warnings to
the wireless stack. This would be one of those places where it's totally
warranted, because it's actually impossible that this happens; for it to
happen, something else would have to be changed to go wrong in how this
is called, for example.

Also, it already crashes anyway if it were NULL.

(And also, the poor patch submitter has no idea what you were talking
about.)

johannes
On Mon, May 26, 2025 at 11:56:16AM +0200, Johannes Berg wrote:
> On Mon, 2025-05-26 at 11:50 +0200, Johannes Berg wrote:
> >
> > I still very much disagree with you and _will_ keep adding warnings to
> > the wireless stack. This would be one of those places where it's totally
> > warranted, because it's actually impossible that this happens; for it to
> > happen, something else would have to be changed to go wrong in how this
> > is called, for example.
>
> And come to think of it, cases like this are exactly why some people
> decide to crash the system on warnings. It's things that the developers
> thought were impossible, but should be double-checked. If we stop
> putting warnings on such places, then the decision to crash on warnings
> becomes entirely meaningless. So seems to me that just lashing out
> against warnings all the time is actually detrimental to the intent of
> such configurations?

If you can detect a problem, like this, and properly handle the issue,
handle the issue, do NOT crash the machine, which causes the issue to be
unable to be noticed at all (all that is noticed is that the machine
rebooted.)

Only do a WARN() if this is something that you can not recover from for
whatever reason (data is lost anyway, system is hosed, etc.)

If you just sprinkle these WARN_ON() calls around to be defensive in the
programming, that's counter-productive as you are setting yourself up to
make angry users of the system if they ever fire.

I have no problem with logging the error/issue in the kernel log, but if
a wifi driver decides to panic the box for something that it did properly
detect and could handle just fine, that's just not nice.

thanks,

greg k-h
diff --git a/net/mac80211/chan.c b/net/mac80211/chan.c index a442cb667520..c9b703c283e7 100644 --- a/net/mac80211/chan.c +++ b/net/mac80211/chan.c @@ -1503,6 +1503,10 @@ static int ieee80211_chsw_switch_vifs(struct ieee80211_local *local, continue; old_ctx = ieee80211_link_get_chanctx(link); + if (WARN_ON(!old_ctx)) { + err = -EINVAL; + goto out; + } vif_chsw[i].vif = &link->sdata->vif; vif_chsw[i].old_ctx = &old_ctx->conf; vif_chsw[i].new_ctx = &ctx->conf;
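Review bot: the new `if (WARN_ON(!old_ctx))` check is sent with a Fixes: tag and a Cc: stable back to v3.16, yet the commit message gives no path by which ieee80211_link_get_chanctx() returns NULL for a link that reaches this loop, and the maintainer's first reply asks exactly that. Either the condition is reachable, in which case the stable backport is justified but the handling should be a plain `err = -EINVAL; goto out;` (or a logged error) rather than a WARN_ON that takes the machine down on panic_on_warn systems, or it is not reachable, in which case the WARN_ON is a debug assertion and the Fixes: and Cc: stable tags should be dropped; the commit message should say which. Separately, the early `goto out` leaves the vif_chsw[] entries filled in on earlier iterations of the loop behind; the hunk does not show the `out:` label, so confirm that path unwinds them correctly.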
The function ieee80211_chsw_switch_vifs() calls the function
ieee80211_link_get_chanctx(), but does not check its return value.
The return value is a null pointer if the ieee80211_link_get_chanctx()
fails. This will lead to a null pointer dereference in the following
code "&old_ctx->conf". A proper implementation can be found in
ieee80211_link_use_reserved_assign().

Add a null pointer check and goto error handling path if the
function fails.

Fixes: 5d52ee811019 ("mac80211: allow reservation of a running chanctx")
Cc: stable@vger.kernel.org # v3.16
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
---
v2: Fix code error.

 net/mac80211/chan.c | 4 ++++
 1 file changed, 4 insertions(+)