* [PATCH] ath11k: Fix NULL pointer dereference in sta_statistics() callback
@ 2019-06-25  5:18 Vasanthakumar Thiagarajan
  2019-06-26  7:55 ` Kalle Valo
  0 siblings, 1 reply; 2+ messages in thread
From: Vasanthakumar Thiagarajan @ 2019-06-25  5:18 UTC
  To: ath11k

It is possible to dereference NULL arsta->rx_stats memory to get
rssi information after STA disconnection. Instead of dereferencing
a memory which is allocated/freed in sta_state() callback, add a
new member for rssi in arsta itself and use it in sta_statistics().

	ath11k c000000.wifi1: Station 8c:fd:f0:0a:90:f3 moved to disassociated state
	ath11k c000000.wifi1: Removed peer: 8c:fd:f0:0a:90:f3 for VDEV: 0
	Unable to handle kernel NULL pointer dereference at virtual address 00000218
	Internal error: Oops: 5 [#1] PREEMPT SMP ARM
	PC is at ath11k_sta_statistics+0x90/0xa0 [ath11k]
	LR is at sta_set_sinfo+0xb8/0xcb4 [mac80211]

Fixes: ecdb3adeda5c ("ath11k: Fix Rx signal strength reporting")
Reported-by: Pradeep Kumar Chitrapu <pradeepc@codeaurora.org>
Signed-off-by: Vasanthakumar Thiagarajan <vthiagar@codeaurora.org>
---
 drivers/net/wireless/ath/ath11k/core.h  | 2 +-
 drivers/net/wireless/ath/ath11k/dp_rx.c | 2 +-
 drivers/net/wireless/ath/ath11k/mac.c   | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/net/wireless/ath/ath11k/core.h b/drivers/net/wireless/ath/ath11k/core.h
index 65c1a6d..ff73ccf 100644
--- a/drivers/net/wireless/ath/ath11k/core.h
+++ b/drivers/net/wireless/ath/ath11k/core.h
@@ -237,7 +237,6 @@ struct ath11k_rx_peer_stats {
 	u64 tid_count[IEEE80211_NUM_TIDS + 1];
 	u64 pream_cnt[HAL_RX_PREAMBLE_MAX];
 	u64 reception_type[HAL_RX_RECEPTION_TYPE_MAX];
-	u32 rssi_comb;
 };
 
 #define ATH11K_HE_MCS_NUM       12
@@ -330,6 +329,7 @@ struct ath11k_sta {
 	struct rate_info txrate;
 	struct rate_info last_txrate;
 	u64 rx_duration;
+	u8 rssi_comb;
 	struct ath11k_htt_tx_stats *tx_stats;
 	struct ath11k_rx_peer_stats *rx_stats;
 };
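Review bot: the new `u8 rssi_comb` in struct ath11k_sta is narrower than the `u32 rssi_comb` it replaces in struct ath11k_rx_peer_stats, and the commit message does not mention the change of width. If the narrowing is intended, say so in the changelog; otherwise keep u32 so that the assignment from ppdu_info->rssi_comb in dp_rx.c cannot truncate. A one-line comment on the member noting that it is written from the Rx stats path and read in sta_statistics() would also document why it lives outside rx_stats.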
diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c
index afe8399..0467753 100644
--- a/drivers/net/wireless/ath/ath11k/dp_rx.c
+++ b/drivers/net/wireless/ath/ath11k/dp_rx.c
@@ -2373,7 +2373,7 @@ static void ath11k_dp_rx_update_peer_stats(struct ath11k_sta *arsta,
 	rx_stats->num_mpdu_fcs_ok += ppdu_info->num_mpdu_fcs_ok;
 	rx_stats->num_mpdu_fcs_err += ppdu_info->num_mpdu_fcs_err;
 
-	rx_stats->rssi_comb = ppdu_info->rssi_comb;
+	arsta->rssi_comb = ppdu_info->rssi_comb;
 }
 
 static struct sk_buff *ath11k_dp_rx_alloc_mon_status_buf(struct ath11k_base *ab,
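Review bot: the context lines directly above the changed assignment still write through rx_stats (`rx_stats->num_mpdu_fcs_ok += ppdu_info->num_mpdu_fcs_ok;`), which the commit message describes as memory allocated and freed in sta_state(). Nothing visible in this hunk checks that pointer, so please confirm ath11k_dp_rx_update_peer_stats() bails out when rx_stats is NULL. If there is such an early return, consider moving the `arsta->rssi_comb = ppdu_info->rssi_comb;` update ahead of it, since the value no longer depends on rx_stats being present.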
diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c
index 7a6c927..ada1dde 100644
--- a/drivers/net/wireless/ath/ath11k/mac.c
+++ b/drivers/net/wireless/ath/ath11k/mac.c
@@ -5110,7 +5110,7 @@ static void ath11k_sta_statistics(struct ieee80211_hw *hw,
 	sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_BITRATE);
 
 	/* TODO: Use real NF instead of default one. */
-	sinfo->signal = arsta->rx_stats->rssi_comb + ATH11K_DEFAULT_NOISE_FLOOR;
+	sinfo->signal = arsta->rssi_comb + ATH11K_DEFAULT_NOISE_FLOOR;
 }
 
 static const struct ieee80211_ops ath11k_ops = {
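Review bot: `sinfo->signal = arsta->rssi_comb + ATH11K_DEFAULT_NOISE_FLOOR;` now runs unconditionally, so for a station that has had no Rx update, or one already disassociated as in the reported trace, the callback reports whatever rssi_comb was left at plus the default noise floor. Consider assigning the signal only when a sample has actually been recorded. The visible lines set only NL80211_STA_INFO_TX_BITRATE in sinfo->filled, so also check that the signal bit is set wherever this value is meant to be consumed.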
-- 
1.9.1


_______________________________________________
ath11k mailing list
ath11k@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/ath11k


* Re: [PATCH] ath11k: Fix NULL pointer dereference in sta_statistics() callback
  2019-06-25  5:18 [PATCH] ath11k: Fix NULL pointer dereference in sta_statistics() callback Vasanthakumar Thiagarajan
@ 2019-06-26  7:55 ` Kalle Valo
  0 siblings, 0 replies; 2+ messages in thread
From: Kalle Valo @ 2019-06-26  7:55 UTC
  To: Vasanthakumar Thiagarajan; +Cc: ath11k

Vasanthakumar Thiagarajan <vthiagar@codeaurora.org> wrote:

> It is possible to dereference NULL arsta->rx_stats memory to get
> rssi information after STA disconnection. Instead of dereferencing
> a memory which is allocated/freed in sta_state() callback, add a
> new member for rssi in arsta itself and use it in sta_statistics().
> 
> 	ath11k c000000.wifi1: Station 8c:fd:f0:0a:90:f3 moved to disassociated state
> 	ath11k c000000.wifi1: Removed peer: 8c:fd:f0:0a:90:f3 for VDEV: 0
> 	Unable to handle kernel NULL pointer dereference at virtual address 00000218
> 	Internal error: Oops: 5 [#1] PREEMPT SMP ARM
> 	PC is at ath11k_sta_statistics+0x90/0xa0 [ath11k]
> 	LR is at sta_set_sinfo+0xb8/0xcb4 [mac80211]
> 
> Fixes: ecdb3adeda5c ("ath11k: Fix Rx signal strength reporting")
> Reported-by: Pradeep Kumar Chitrapu <pradeepc@codeaurora.org>
> Signed-off-by: Vasanthakumar Thiagarajan <vthiagar@codeaurora.org>
> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>

Patch applied to ath11k-bringup branch of ath.git, thanks.

38934d6b0c2c ath11k: Fix NULL pointer dereference in sta_statistics() callback

-- 
https://patchwork.kernel.org/patch/11014709/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches

