public inbox for linux-wireless@vger.kernel.org
From: Ben Greear <greearb@candelatech.com>
To: "linux-wireless@vger.kernel.org" <linux-wireless@vger.kernel.org>
Cc: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Subject: iwlwifi: Null deref in iwl_mld_reorder
Date: Wed, 4 Feb 2026 05:41:54 -0800
Message-ID: <ed9ab029-a762-4666-85ed-7a67ec7c1b52@candelatech.com>

Hello,

While chasing what appears to be a different problem, I started checking for
NULL in iwl_mld_sta_from_mac80211.  That showed a problem in the code below,
where mld_sta is assigned before sta is checked for null.

I guess the compiler optimized this somehow so that crashes are not actually
seen in this particular code path.  Also possible that it is somehow exacerbated
by some local patch in our tree.

But, probably best to assign mld_sta after the NULL sta check.


/* Returns true if the MPDU was buffered/dropped, false if it should be passed
 * to upper layer.
 */
enum iwl_mld_reorder_result
iwl_mld_reorder(struct iwl_mld *mld, struct napi_struct *napi,
                int queue, struct ieee80211_sta *sta,
                struct sk_buff *skb, struct iwl_rx_mpdu_desc *desc)
{
        struct ieee80211_hdr *hdr = (void *)skb_mac_header(skb);
        struct iwl_mld_baid_data *baid_data;
        struct iwl_mld_reorder_buffer *buffer;
        struct iwl_mld_reorder_buf_entry *entries;
        struct iwl_mld_sta *mld_sta = iwl_mld_sta_from_mac80211(sta);

assignment before checking NULL sta. ^^^

        struct iwl_mld_link_sta *mld_link_sta;
        u32 reorder = le32_to_cpu(desc->reorder_data);
        bool amsdu, last_subframe, is_old_sn, is_dup;
        u8 tid = ieee80211_get_tid(hdr);
        u8 baid;
        u16 nssn, sn;
        u32 sta_mask = 0;
        int index;
        u8 link_id;

        baid = u32_get_bits(reorder, IWL_RX_MPDU_REORDER_BAID_MASK);

        /* This also covers the case of receiving a Block Ack Request
         * outside a BA session; we'll pass it to mac80211 and that
         * then sends a delBA action frame.
         * This also covers pure monitor mode, in which case we won't
         * have any BA sessions.
         */
        if (baid == IWL_RX_REORDER_DATA_INVALID_BAID)
                return IWL_MLD_PASS_SKB;

        /* no sta yet */
        if (WARN_ONCE(!sta,
                      "Got valid BAID without a valid station assigned\n"))
                return IWL_MLD_PASS_SKB;

Thanks,
Ben

-- 
Ben Greear <greearb@candelatech.com>
Candela Technologies Inc  http://www.candelatech.com
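Added example (not Ben's code and not iwlwifi's): a small C model of the ordering problem in the quoted function, with the buggy and the fixed ordering side by side. It assumes, as for mac80211's drv_priv accessors, that the sta-to-driver-private helper only forms an address and loads nothing; every struct, function and constant name below is constructed.

```c
/* Constructed model of the iwl_mld_reorder ordering issue; not kernel code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define INVALID_BAID 0xff /* stand-in for IWL_RX_REORDER_DATA_INVALID_BAID */

enum reorder_result { PASS_SKB = 0, BUFFERED = 1 };

struct mock_drv_sta {           /* stand-in for struct iwl_mld_sta */
	int id;
};

struct mock_sta {               /* stand-in for struct ieee80211_sta */
	uint8_t addr[6];
	_Alignas(struct mock_drv_sta) uint8_t drv_priv[sizeof(struct mock_drv_sta)];
};

/* Only forms an address, so the early assignment does not fault on its own,
 * which matches the report of no crash on this path.  Computing
 * &sta->drv_priv from a NULL sta is still undefined behaviour, and a compiler
 * may use it to assume sta != NULL and drop a later NULL check; the kernel
 * builds with -fno-delete-null-pointer-checks to blunt that, but the ordering
 * is still wrong. */
static struct mock_drv_sta *drv_sta_from_mac80211(struct mock_sta *sta)
{
	return (void *)sta->drv_priv;
}

/* Buggy ordering, as in the quoted function: derived pointer first, check later. */
static enum reorder_result reorder_buggy(struct mock_sta *sta, uint8_t baid)
{
	struct mock_drv_sta *drv_sta = drv_sta_from_mac80211(sta); /* UB if !sta */

	if (baid == INVALID_BAID)
		return PASS_SKB;
	if (!sta) /* a compiler may treat this as dead after the line above */
		return PASS_SKB;
	return drv_sta->id >= 0 ? BUFFERED : PASS_SKB;
}

/* Fixed ordering: every use of sta, address arithmetic included, follows the check. */
static enum reorder_result reorder_fixed(struct mock_sta *sta, uint8_t baid)
{
	if (baid == INVALID_BAID)
		return PASS_SKB;
	if (!sta)
		return PASS_SKB;
	return drv_sta_from_mac80211(sta)->id >= 0 ? BUFFERED : PASS_SKB;
}
```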

Thread overview: 3+ messages
2026-02-04 13:41 Ben Greear [this message]
2026-02-04 15:32 ` iwlwifi: Null deref in iwl_mld_reorder Johannes Berg
2026-02-04 16:16   ` Ben Greear