From: Shuah Khan
To: kvalo@codeaurora.org, davem@davemloft.net, kuba@kernel.org, nbd@nbd.name
Cc: Shuah Khan, ath9k-devel@qca.qualcomm.com, linux-wireless@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] Revert "ath9k: fix ath_tx_process_buffer() potential null ptr dereference"
Date: Wed, 17 Feb 2021 14:18:01 -0700
Message-Id: <20210217211801.22540-1-skhan@linuxfoundation.org>
X-Mailer: git-send-email 2.27.0
List-ID: linux-wireless@vger.kernel.org

ath_tx_process_buffer() doesn't dereference or check sta and passes it to ath_tx_complete_aggr() and ath_tx_complete_buf().

ath_tx_complete_aggr() checks the pointer before use. No problem here.

ath_tx_complete_buf() doesn't check or dereference sta and passes it on to ath_tx_complete().

ath_tx_complete() doesn't check or dereference sta, but assigns it to tx_info->status.status_driver_data[0].

ath_tx_complete_buf() is called from ath_tx_complete_aggr() passing a null ieee80211_sta pointer. There is a potential for dereference later on, if and when the tx_info->status.status_driver_data[0] is referenced. In addition, the rcu read lock might be released before referencing the contents.

ath_tx_complete_buf() should be fixed to check sta perhaps? Worth looking into.

Reverting this patch because it doesn't solve the problem and introduces a memory leak by skipping buffer completion if the pointer (sta) is NULL.

Signed-off-by: Shuah Khan
---
 drivers/net/wireless/ath/ath9k/xmit.c | 28 ++++++++++++---------------
 1 file changed, 12 insertions(+), 16 deletions(-)

diff --git a/drivers/net/wireless/ath/ath9k/xmit.c b/drivers/net/wireless/ath/ath9k/xmit.c
index 735858144e3a..1d36aae3f7b6 100644
--- a/drivers/net/wireless/ath/ath9k/xmit.c
+++ b/drivers/net/wireless/ath/ath9k/xmit.c
@@ -711,24 +711,20 @@ static void ath_tx_process_buffer(struct ath_softc *sc, struct ath_txq *txq, ath_tx_count_airtime(sc, sta, bf, ts, tid->tidno); if (ts->ts_status & (ATH9K_TXERR_FILT | ATH9K_TXERR_XRETRY)) tid->clear_ps_filter = true; + } - if (!bf_isampdu(bf)) { - if (!flush) { - info = IEEE80211_SKB_CB(bf->bf_mpdu); - memcpy(info->control.rates, bf->rates, - sizeof(info->control.rates)); - ath_tx_rc_status(sc, bf, ts, 1, - txok ? 0 : 1, txok); - ath_dynack_sample_tx_ts(sc->sc_ah, - bf->bf_mpdu, ts, sta); - } - ath_tx_complete_buf(sc, bf, txq, bf_head, sta, - ts, txok); - } else { - ath_tx_complete_aggr(sc, txq, bf, bf_head, sta, - tid, ts, txok); + if (!bf_isampdu(bf)) { + if (!flush) { + info = IEEE80211_SKB_CB(bf->bf_mpdu); + memcpy(info->control.rates, bf->rates, + sizeof(info->control.rates)); + ath_tx_rc_status(sc, bf, ts, 1, txok ? 0 : 1, txok); + ath_dynack_sample_tx_ts(sc->sc_ah, bf->bf_mpdu, ts, + sta); } - } + ath_tx_complete_buf(sc, bf, txq, bf_head, sta, ts, txok); + } else + ath_tx_complete_aggr(sc, txq, bf, bf_head, sta, tid, ts, txok); if (!flush) ath_txq_schedule(sc, txq); -- 2.27.0
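Review bot: The revert fixes the leak but knowingly restores the unchecked sta path, and the commit message should state that a follow-up is still required rather than leaving it as "worth looking into". The added `+ }` right after `tid->clear_ps_filter = true;` closes the enclosing block before the completion calls, so `ath_tx_complete_buf(sc, bf, txq, bf_head, sta, ts, txok);` and `ath_tx_complete_aggr(sc, txq, bf, bf_head, sta, tid, ts, txok);` again run for every buffer instead of only when the block's condition held; that is what stops the buffer completion from being skipped and is the correct fix for the leak. What the hunk does not address is that the restored non-aggregate branch still passes sta straight into ath_tx_complete_buf(), which per the message forwards it unchecked to ath_tx_complete() and into tx_info->status.status_driver_data[0]; the aggregate branch is fine because ath_tx_complete_aggr() checks the pointer. Suggest a separate patch that adds the NULL check inside ath_tx_complete_buf() (or at the point where status_driver_data[0] is consumed, with the RCU read-side critical section still held), and a sentence in this commit message naming that as the remaining work so the revert is not read as silently reintroducing a known NULL dereference.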