From: Bo Jiao
To: Felix Fietkau
CC: linux-wireless, Ryder Lee, Sujuan Chen, Shayne Chen, Evelyn Tsai, linux-mediatek, Bo Jiao
Subject: [PATCH] mt76: mt7915: fix msta->wcid use-after-free in mt76_tx_status_check()
Date: Wed, 20 Apr 2022 11:14:51 +0800
Message-ID: <20220420031451.6770-1-bo.jiao@mediatek.com>
X-Mailing-List: linux-wireless@vger.kernel.org

From: Bo Jiao

fix msta->wcid use-after-free in mt76_tx_status_check when the sta has been removed.

Signed-off-by: Bo Jiao
--- drivers/net/wireless/mediatek/mt76/mt7915/main.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/main.c b/drivers/net/wireless/mediatek/mt76/mt7915/main.c index 800f720..160d80e 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7915/main.c +++ b/drivers/net/wireless/mediatek/mt76/mt7915/main.c
@@ -701,6 +701,11 @@ void mt7915_mac_sta_remove(struct mt76_dev *mdev, struct ieee80211_vif *vif, if (!list_empty(&msta->rc_list)) list_del_init(&msta->rc_list); spin_unlock_bh(&dev->sta_poll_lock); + + spin_lock_bh(&mdev->status_lock); + if (!list_empty(&msta->wcid.list)) + list_del_init(&msta->wcid.list); + spin_unlock_bh(&mdev->status_lock); } static void mt7915_tx(struct ieee80211_hw *hw, -- 2.18.0
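Review bot: the unlink of msta->wcid.list is added at the end of mt7915_mac_sta_remove(), yet both the lock it takes (mdev->status_lock on struct mt76_dev) and the function named in the subject (mt76_tx_status_check()) belong to the shared mt76 layer, so the same stale list entry looks possible for any other chip driver that uses that status list. Consider doing the list_del_init() in the common mt76 station-removal path instead of in mt7915 only, or say in the commit message why only mt7915 is affected. The message should also explain how the wcid can still be on the status list once the station is removed, and carry a Fixes: tag so the change can be backported. Minor: the list_empty() test mirrors the rc_list code just above, but list_del_init() on an initialised, already-empty list head is harmless, so the check can be dropped if wcid.list is always initialised.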