From mboxrd@z Thu Jan 1 00:00:00 1970
From: Kalle Valo
Subject: Re: [PATCH] mt76: fix potential NULL pointer dereference in mt76_stop_tx_queues
Date: Thu, 13 Dec 2018 14:20:26 +0000 (UTC)
Message-ID: <20181213142026.3D8C86013C@smtp.codeaurora.org>
References: <98cf4a8f8a7f7840803b91b7c9078d8b61febee9.1542384797.git.lorenzo.bianconi@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Cc: nbd-Vt+b4OUoWG0@public.gmane.org, linux-wireless-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
To: Lorenzo Bianconi
Return-path:
In-Reply-To: <98cf4a8f8a7f7840803b91b7c9078d8b61febee9.1542384797.git.lorenzo.bianconi-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Sender: linux-wireless-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
List-Id: netdev.vger.kernel.org

Lorenzo Bianconi wrote:

> Starting from mac80211 commit adf8ed01e4fd ("mac80211: add an optional
> TXQ for other PS-buffered frames") and commit 0eeb2b674f05 ("mac80211:
> add an option for station management TXQ") a new per-sta queue has been
> introduced for bufferable management frames.
> sta->txq[IEEE80211_NUM_TIDS] is initialized just if the driver reports
> the following hw flags:
> - IEEE80211_HW_STA_MMPDU_TXQ
> - IEEE80211_HW_BUFF_MMPDU_TXQ
> This can produce a NULL pointer dereference in mt76_stop_tx_queues
> since mt76 iterates on all available sta tx queues assuming they are
> initialized by mac80211. This issue has been spotted analyzing the code
> (it has not triggered any crash yet)
>
> Signed-off-by: Lorenzo Bianconi

Patch applied to wireless-drivers.git, thanks.

7c250f4612ae mt76: fix potential NULL pointer dereference in mt76_stop_tx_queues

-- 
https://patchwork.kernel.org/patch/10686507/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
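
The failure mode described in the quoted commit message, as an added userspace C model that is not part of this message, the mt76 patch, or the kernel: a per-station queue array whose last slot is set up only on opt-in, and an iteration that skips the slot when it was left NULL. All `model_*` / `MODEL_*` names, the value 16 and the `has_mgmt_txq` parameter (a stand-in for the hw flags listed above) are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
/* Hypothetical userspace model; none of these names are kernel or mt76 API. */
#define MODEL_NUM_TIDS 16                      /* constructed value */
#define MODEL_NUM_TXQ  (MODEL_NUM_TIDS + 1)    /* last slot: optional extra queue */
struct model_txq { int stopped; };
struct model_sta { struct model_txq *txq[MODEL_NUM_TXQ]; };

/* Last slot is set up only when has_mgmt_txq is true (stand-in for the hw flags). */
static int model_sta_init(struct model_sta *sta, int has_mgmt_txq)
{
    int n = has_mgmt_txq ? MODEL_NUM_TXQ : MODEL_NUM_TIDS;
    *sta = (struct model_sta){0};              /* every slot starts NULL */
    for (int i = 0; i < n; i++) {
        sta->txq[i] = calloc(1, sizeof(*sta->txq[i]));
        if (!sta->txq[i])
            return -1;
    }
    return 0;
}

/* Walk every slot, skipping those left NULL; return how many were stopped. */
static int model_stop_tx_queues(struct model_sta *sta)
{
    int stopped = 0;
    for (int i = 0; i < MODEL_NUM_TXQ; i++) {
        struct model_txq *q = sta->txq[i];
        if (!q)        /* without this guard, q->stopped dereferences NULL */
            continue;
        q->stopped = 1;
        stopped++;
    }
    return stopped;
}

/* Init, stop and free one station; -1 on allocation failure. */
static int model_run(int has_mgmt_txq)
{
    struct model_sta sta;
    int n = model_sta_init(&sta, has_mgmt_txq) ? -1 : model_stop_tx_queues(&sta);
    for (int i = 0; i < MODEL_NUM_TXQ; i++)
        free(sta.txq[i]);
    return n;
}

int main(void)
{
    printf("no extra queue: %d, extra queue: %d\n", model_run(0), model_run(1));
    return 0;
}
```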