ath: dfs_pattern_detector: Fix possible null-pointer dereference in channel_detector_...
author Tuo Li <islituo@gmail.com>
Thu, 5 Aug 2021 15:38:53 +0000 (08:38 -0700)
committer Kalle Valo <kvalo@codeaurora.org>
Mon, 11 Oct 2021 06:26:10 +0000 (09:26 +0300)
kzalloc() is used to allocate memory for cd->detectors, and if it fails,
channel_detector_exit() behind the label fail will be called:
  channel_detector_exit(dpd, cd);

In channel_detector_exit(), cd->detectors is dereferenced through:
  struct pri_detector *de = cd->detectors[i];

To fix this possible null-pointer dereference, check cd->detectors before
the for loop to dereference cd->detectors.

Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
Signed-off-by: Tuo Li <islituo@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20210805153854.154066-1-islituo@gmail.com
drivers/net/wireless/ath/dfs_pattern_detector.c

index 8039049..75cb53a 100644 (file)
@@ -183,10 +183,12 @@ static void channel_detector_exit(struct dfs_pattern_detector *dpd,
        if (cd == NULL)
                return;
        list_del(&cd->head);
-       for (i = 0; i < dpd->num_radar_types; i++) {
-               struct pri_detector *de = cd->detectors[i];
-               if (de != NULL)
-                       de->exit(de);
+       if (cd->detectors) {
+               for (i = 0; i < dpd->num_radar_types; i++) {
+                       struct pri_detector *de = cd->detectors[i];
+                       if (de != NULL)
+                               de->exit(de);
+               }
        }
        kfree(cd->detectors);
        kfree(cd);
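
Review bot: list_del(&cd->head), directly above the new if (cd->detectors) guard, still runs unconditionally on the failure path the commit message describes. Please confirm that cd->head is already initialized by the time the kzalloc() for cd->detectors can fail, since that is not visible in this hunk. If it is not, the list_del() needs the same kind of protection as the loop. The trailing kfree(cd->detectors) is fine as it stands because kfree(NULL) is a no-op. As a style point, kernel convention puts a blank line between the declaration of de and the if (de != NULL) that follows it, and since these lines are being re-indented anyway this would be a convenient place to add it.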