From: Kalle Valo
Subject: Re: [PATCH] mt76: fix potential NULL pointer dereference in mt76_stop_tx_queues
Date: Sat, 17 Nov 2018 13:13:37 +0200
Message-ID: <87zhu83qji.fsf@codeaurora.org>
References: <98cf4a8f8a7f7840803b91b7c9078d8b61febee9.1542384797.git.lorenzo.bianconi@redhat.com>
In-Reply-To: <98cf4a8f8a7f7840803b91b7c9078d8b61febee9.1542384797.git.lorenzo.bianconi@redhat.com> (Lorenzo Bianconi's message of "Fri, 16 Nov 2018 17:19:21 +0100")
To: Lorenzo Bianconi
Cc: nbd@nbd.name, linux-wireless@vger.kernel.org, netdev@vger.kernel.org

Lorenzo Bianconi writes:

> Starting from mac80211 commit adf8ed01e4fd ("mac80211: add an optional
> TXQ for other PS-buffered frames") and commit 0eeb2b674f05 ("mac80211:
> add an option for station management TXQ") a new per-sta queue has been
> introduced for bufferable management frames.
> sta->txq[IEEE80211_NUM_TIDS] is initialized just if the driver reports
> the following hw flags:
> - IEEE80211_HW_STA_MMPDU_TXQ
> - IEEE80211_HW_BUFF_MMPDU_TXQ
> This can produce a NULL pointer dereference in mt76_stop_tx_queues
> since mt76 iterates on all available sta tx queues assuming they are
> initialized by mac80211. This issue has been spotted analyzing the code
> (it has not triggered any crash yet)
>
> Signed-off-by: Lorenzo Bianconi

A very good commit log, thanks for that!

> This patch is for 4.20

Ok, I'll wait for review comments and then queue this for 4.20.

BTW, it would make my patch sorting easier if you could add a release
label in the subject:

[PATCH 4.20] mt76: fix potential NULL pointer dereference in mt76_stop_tx_queues

More info:

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches#tree_labels

-- 
Kalle Valo
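The condition described in the quoted commit message, as an added userspace model that is not part of this mail and is not the mt76 patch or kernel code. The `model_*` types and functions are hypothetical stand-ins; only `IEEE80211_NUM_TIDS` and the `txq[]` layout follow mac80211.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define IEEE80211_NUM_TIDS 16 /* value used by mac80211 */

/* Hypothetical stand-ins for the per-station TXQ structures. */
struct model_txq { bool stopped; };
struct model_sta { struct model_txq *txq[IEEE80211_NUM_TIDS + 1]; };

/* Models the allocation rule from the commit message: the extra slot
 * txq[IEEE80211_NUM_TIDS] exists only when the driver reports one of
 * the MMPDU TXQ hw flags; otherwise it stays NULL. */
static void model_sta_init(struct model_sta *sta, struct model_txq *storage,
                           bool hw_mmpdu_txq)
{
    for (size_t i = 0; i < IEEE80211_NUM_TIDS + 1; i++) {
        bool present = i < IEEE80211_NUM_TIDS || hw_mmpdu_txq;

        storage[i].stopped = false;
        sta->txq[i] = present ? &storage[i] : NULL;
    }
}

/* Walks every slot, as a driver iterating over all station queues would,
 * but skips slots that were never allocated. Without the NULL check the
 * write to txq->stopped dereferences a NULL pointer on the last slot.
 * Returns the number of queues actually stopped. */
static int model_stop_tx_queues(struct model_sta *sta)
{
    int stopped = 0;

    for (size_t i = 0; i < IEEE80211_NUM_TIDS + 1; i++) {
        struct model_txq *txq = sta->txq[i];

        if (!txq)
            continue;
        txq->stopped = true;
        stopped++;
    }
    return stopped;
}

int main(void)
{
    struct model_txq storage[IEEE80211_NUM_TIDS + 1];
    struct model_sta sta;

    model_sta_init(&sta, storage, false); /* driver without MMPDU TXQ flags */
    printf("stopped %d queues\n", model_stop_tx_queues(&sta));
    return 0;
}
```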