From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Miri Korenblit <miriam.rachel.korenblit@intel.com>,
Johannes Berg <johannes.berg@intel.com>,
Sasha Levin <sashal@kernel.org>,
kvalo@kernel.org, gregory.greenman@intel.com,
davem@davemloft.net, edumazet@google.com,
emmanuel.grumbach@intel.com, daniel.gabay@intel.com,
shaul.triebitz@intel.com, linux-wireless@vger.kernel.org
Subject: [PATCH AUTOSEL 6.11 060/244] wifi: iwlwifi: mvm: avoid NULL pointer dereference
Date: Wed, 25 Sep 2024 07:24:41 -0400 [thread overview]
Message-ID: <20240925113641.1297102-60-sashal@kernel.org> (raw)
In-Reply-To: <20240925113641.1297102-1-sashal@kernel.org>
From: Miri Korenblit <miriam.rachel.korenblit@intel.com>
[ Upstream commit 557a6cd847645e667f3b362560bd7e7c09aac284 ]
iwl_mvm_tx_skb_sta() and iwl_mvm_tx_mpdu() verify that the mvmvsta
pointer is not NULL.
It retrieves this pointer using iwl_mvm_sta_from_mac80211, which is
dereferencing the ieee80211_sta pointer.
If sta is NULL, iwl_mvm_sta_from_mac80211 will dereference a NULL
pointer.
Fix this by checking the sta pointer before retrieving the mvmsta
from it. If sta is not NULL, then mvmsta isn't either.
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Reviewed-by: Johannes Berg <johannes.berg@intel.com>
Link: https://patch.msgid.link/20240825191257.880921ce23b7.I340052d70ab6d3410724ce955eb00da10e08188f@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
index 7ff5ea5e7aca5..db926b2f4d8d5 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
@@ -1203,6 +1203,9 @@ static int iwl_mvm_tx_mpdu(struct iwl_mvm *mvm, struct sk_buff *skb,
bool is_ampdu = false;
int hdrlen;
+ if (WARN_ON_ONCE(!sta))
+ return -1;
+
mvmsta = iwl_mvm_sta_from_mac80211(sta);
fc = hdr->frame_control;
hdrlen = ieee80211_hdrlen(fc);
@@ -1210,9 +1213,6 @@ static int iwl_mvm_tx_mpdu(struct iwl_mvm *mvm, struct sk_buff *skb,
if (IWL_MVM_NON_TRANSMITTING_AP && ieee80211_is_probe_resp(fc))
return -1;
- if (WARN_ON_ONCE(!mvmsta))
- return -1;
-
if (WARN_ON_ONCE(mvmsta->deflink.sta_id == IWL_MVM_INVALID_STA))
return -1;
@@ -1343,7 +1343,7 @@ static int iwl_mvm_tx_mpdu(struct iwl_mvm *mvm, struct sk_buff *skb,
int iwl_mvm_tx_skb_sta(struct iwl_mvm *mvm, struct sk_buff *skb,
struct ieee80211_sta *sta)
{
- struct iwl_mvm_sta *mvmsta = iwl_mvm_sta_from_mac80211(sta);
+ struct iwl_mvm_sta *mvmsta;
struct ieee80211_tx_info info;
struct sk_buff_head mpdus_skbs;
struct ieee80211_vif *vif;
@@ -1352,9 +1352,11 @@ int iwl_mvm_tx_skb_sta(struct iwl_mvm *mvm, struct sk_buff *skb,
struct sk_buff *orig_skb = skb;
const u8 *addr3;
- if (WARN_ON_ONCE(!mvmsta))
+ if (WARN_ON_ONCE(!sta))
return -1;
+ mvmsta = iwl_mvm_sta_from_mac80211(sta);
+
if (WARN_ON_ONCE(mvmsta->deflink.sta_id == IWL_MVM_INVALID_STA))
return -1;
--
2.43.0
next prev parent reply other threads:[~2024-09-25 11:38 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20240925113641.1297102-1-sashal@kernel.org>
2024-09-25 11:23 ` [PATCH AUTOSEL 6.11 002/244] wifi: ath9k: fix possible integer overflow in ath9k_get_et_stats() Sasha Levin
2024-09-25 11:23 ` [PATCH AUTOSEL 6.11 003/244] wifi: rtw89: avoid to add interface to list twice when SER Sasha Levin
2024-09-25 11:23 ` [PATCH AUTOSEL 6.11 004/244] wifi: ath9k_htc: Use __skb_set_length() for resetting urb before resubmit Sasha Levin
2024-09-25 11:23 ` [PATCH AUTOSEL 6.11 010/244] wifi: iwlwifi: mvm: Fix a race in scan abort flow Sasha Levin
2024-09-25 11:23 ` [PATCH AUTOSEL 6.11 011/244] wifi: iwlwifi: mvm: drop wrong STA selection in TX Sasha Levin
2024-09-25 11:23 ` [PATCH AUTOSEL 6.11 012/244] wifi: cfg80211: Set correct chandef when starting CAC Sasha Levin
2024-09-25 11:24 ` [PATCH AUTOSEL 6.11 024/244] wifi: mt76: mt7915: disable tx worker during tx BA session enable/disable Sasha Levin
2024-09-25 11:24 ` [PATCH AUTOSEL 6.11 033/244] wifi: ath12k: fix array out-of-bound access in SoC stats Sasha Levin
2024-09-25 11:24 ` [PATCH AUTOSEL 6.11 034/244] wifi: ath11k: " Sasha Levin
2024-09-25 11:24 ` [PATCH AUTOSEL 6.11 035/244] wifi: rtw88: select WANT_DEV_COREDUMP Sasha Levin
2024-09-25 11:24 ` [PATCH AUTOSEL 6.11 039/244] wifi: rtw89: 885xb: reset IDMEM mode to prevent download firmware failure Sasha Levin
2024-09-25 11:24 ` [PATCH AUTOSEL 6.11 047/244] wifi: rtw89: correct base HT rate mask for firmware Sasha Levin
2024-09-25 11:24 ` [PATCH AUTOSEL 6.11 058/244] wifi: iwlwifi: mvm: use correct key iteration Sasha Levin
2024-09-25 11:24 ` [PATCH AUTOSEL 6.11 059/244] wifi: iwlwifi: allow only CN mcc from WRDD Sasha Levin
2024-09-25 11:24 ` Sasha Levin [this message]
2024-09-25 11:24 ` [PATCH AUTOSEL 6.11 062/244] wifi: mac80211: fix RCU list iterations Sasha Levin
2024-09-25 11:24 ` [PATCH AUTOSEL 6.11 070/244] wifi: wilc1000: Do not operate uninitialized hardware during suspend/resume Sasha Levin
2024-09-25 11:24 ` [PATCH AUTOSEL 6.11 076/244] wifi: rtw89: avoid reading out of bounds when loading TX power FW elements Sasha Levin
2024-09-25 11:25 ` [PATCH AUTOSEL 6.11 082/244] wifi: mt76: mt7915: add dummy HW offload of IEEE 802.11 fragmentation Sasha Levin
2024-09-25 11:25 ` [PATCH AUTOSEL 6.11 083/244] wifi: mt76: mt7915: hold dev->mt76.mutex while disabling tx worker Sasha Levin
2024-09-25 11:25 ` [PATCH AUTOSEL 6.11 085/244] wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_cmd_802_11_scan_ext() Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240925113641.1297102-60-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=daniel.gabay@intel.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=emmanuel.grumbach@intel.com \
--cc=gregory.greenman@intel.com \
--cc=johannes.berg@intel.com \
--cc=kvalo@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=miriam.rachel.korenblit@intel.com \
--cc=shaul.triebitz@intel.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).