[PATCH AUTOSEL 6.6 045/139] wifi: iwlwifi: mvm: avoid NULL pointer dereference

linux-wireless.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Miri Korenblit <miriam.rachel.korenblit@intel.com>,
	Johannes Berg <johannes.berg@intel.com>,
	Sasha Levin <sashal@kernel.org>,
	kvalo@kernel.org, gregory.greenman@intel.com,
	edumazet@google.com, davem@davemloft.net,
	shaul.triebitz@intel.com, daniel.gabay@intel.com,
	linux-wireless@vger.kernel.org
Subject: [PATCH AUTOSEL 6.6 045/139] wifi: iwlwifi: mvm: avoid NULL pointer dereference
Date: Wed, 25 Sep 2024 08:07:45 -0400	[thread overview]
Message-ID: <20240925121137.1307574-45-sashal@kernel.org> (raw)
In-Reply-To: <20240925121137.1307574-1-sashal@kernel.org>

From: Miri Korenblit <miriam.rachel.korenblit@intel.com>

[ Upstream commit 557a6cd847645e667f3b362560bd7e7c09aac284 ]

iwl_mvm_tx_skb_sta() and iwl_mvm_tx_mpdu() verify that the mvmvsta
pointer is not NULL.
It retrieves this pointer using iwl_mvm_sta_from_mac80211, which is
dereferencing the ieee80211_sta pointer.
If sta is NULL, iwl_mvm_sta_from_mac80211 will dereference a NULL
pointer.
Fix this by checking the sta pointer before retrieving the mvmsta
from it. If sta is not NULL, then mvmsta isn't either.

Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Reviewed-by: Johannes Berg <johannes.berg@intel.com>
Link: https://patch.msgid.link/20240825191257.880921ce23b7.I340052d70ab6d3410724ce955eb00da10e08188f@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
index 3adb1acc07191..ce5f2bdde1388 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
@@ -1145,6 +1145,9 @@ static int iwl_mvm_tx_mpdu(struct iwl_mvm *mvm, struct sk_buff *skb,
 	bool is_ampdu = false;
 	int hdrlen;
 
+	if (WARN_ON_ONCE(!sta))
+		return -1;
+
 	mvmsta = iwl_mvm_sta_from_mac80211(sta);
 	fc = hdr->frame_control;
 	hdrlen = ieee80211_hdrlen(fc);
@@ -1152,9 +1155,6 @@ static int iwl_mvm_tx_mpdu(struct iwl_mvm *mvm, struct sk_buff *skb,
 	if (IWL_MVM_NON_TRANSMITTING_AP && ieee80211_is_probe_resp(fc))
 		return -1;
 
-	if (WARN_ON_ONCE(!mvmsta))
-		return -1;
-
 	if (WARN_ON_ONCE(mvmsta->deflink.sta_id == IWL_MVM_INVALID_STA))
 		return -1;
 
@@ -1285,7 +1285,7 @@ static int iwl_mvm_tx_mpdu(struct iwl_mvm *mvm, struct sk_buff *skb,
 int iwl_mvm_tx_skb_sta(struct iwl_mvm *mvm, struct sk_buff *skb,
 		       struct ieee80211_sta *sta)
 {
-	struct iwl_mvm_sta *mvmsta = iwl_mvm_sta_from_mac80211(sta);
+	struct iwl_mvm_sta *mvmsta;
 	struct ieee80211_tx_info info;
 	struct sk_buff_head mpdus_skbs;
 	struct ieee80211_vif *vif;
@@ -1294,9 +1294,11 @@ int iwl_mvm_tx_skb_sta(struct iwl_mvm *mvm, struct sk_buff *skb,
 	struct sk_buff *orig_skb = skb;
 	const u8 *addr3;
 
-	if (WARN_ON_ONCE(!mvmsta))
+	if (WARN_ON_ONCE(!sta))
 		return -1;
 
+	mvmsta = iwl_mvm_sta_from_mac80211(sta);
+
 	if (WARN_ON_ONCE(mvmsta->deflink.sta_id == IWL_MVM_INVALID_STA))
 		return -1;
 
-- 
2.43.0

next prev parent reply	other threads:[~2024-09-25 12:13 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-09-25 12:07 [PATCH AUTOSEL 6.6 001/139] wifi: ath9k: fix possible integer overflow in ath9k_get_et_stats() Sasha Levin
2024-09-25 12:07 ` [PATCH AUTOSEL 6.6 002/139] wifi: rtw89: avoid to add interface to list twice when SER Sasha Levin
2024-09-25 12:07 ` [PATCH AUTOSEL 6.6 003/139] wifi: ath9k_htc: Use __skb_set_length() for resetting urb before resubmit Sasha Levin
2024-09-25 12:07 ` [PATCH AUTOSEL 6.6 008/139] wifi: iwlwifi: mvm: Fix a race in scan abort flow Sasha Levin
2024-09-25 12:07 ` [PATCH AUTOSEL 6.6 009/139] wifi: iwlwifi: mvm: drop wrong STA selection in TX Sasha Levin
2024-09-25 12:07 ` [PATCH AUTOSEL 6.6 010/139] wifi: cfg80211: Set correct chandef when starting CAC Sasha Levin
2024-09-25 12:07 ` [PATCH AUTOSEL 6.6 019/139] wifi: mt76: mt7915: disable tx worker during tx BA session enable/disable Sasha Levin
2024-09-25 12:07 ` [PATCH AUTOSEL 6.6 027/139] wifi: ath12k: fix array out-of-bound access in SoC stats Sasha Levin
2024-09-25 12:07 ` [PATCH AUTOSEL 6.6 028/139] wifi: ath11k: " Sasha Levin
2024-09-25 12:07 ` [PATCH AUTOSEL 6.6 029/139] wifi: rtw88: select WANT_DEV_COREDUMP Sasha Levin
2024-09-25 12:07 ` [PATCH AUTOSEL 6.6 037/139] wifi: rtw89: correct base HT rate mask for firmware Sasha Levin
2024-09-25 12:07 ` [PATCH AUTOSEL 6.6 044/139] wifi: iwlwifi: mvm: use correct key iteration Sasha Levin
2024-09-25 12:07 ` Sasha Levin [this message]
2024-09-25 12:07 ` [PATCH AUTOSEL 6.6 046/139] wifi: mac80211: fix RCU list iterations Sasha Levin
2024-09-25 12:07 ` [PATCH AUTOSEL 6.6 052/139] wifi: mt76: mt7915: add dummy HW offload of IEEE 802.11 fragmentation Sasha Levin
2024-09-25 12:07 ` [PATCH AUTOSEL 6.6 053/139] wifi: mt76: mt7915: hold dev->mt76.mutex while disabling tx worker Sasha Levin
2024-09-25 12:07 ` [PATCH AUTOSEL 6.6 055/139] wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_cmd_802_11_scan_ext() Sasha Levin
2024-10-05  8:57 ` [PATCH AUTOSEL 6.6 001/139] wifi: ath9k: fix possible integer overflow in ath9k_get_et_stats() Pavel Machek
2024-10-05  9:06   ` Greg KH
2024-10-05 12:03     ` Pavel Machek

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:3adb1acc0719 dfblob:ce5f2bdde138 )
 OR (
bs:"[PATCH AUTOSEL 6.6 045/139] wifi: iwlwifi: mvm: avoid NULL pointer dereference" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20240925121137.1307574-45-sashal@kernel.org \
    --to=sashal@kernel.org \
    --cc=daniel.gabay@intel.com \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=gregory.greenman@intel.com \
    --cc=johannes.berg@intel.com \
    --cc=kvalo@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-wireless@vger.kernel.org \
    --cc=miriam.rachel.korenblit@intel.com \
    --cc=shaul.triebitz@intel.com \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).