| From 49cba71cf6a56336fa4fa8a8b5876569a50a8cb2 Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Tue, 27 Apr 2021 12:07:14 +0200 |
| Subject: mt76: mt7615: fix NULL pointer dereference in tx_prepare_skb() |
| |
| From: Lorenzo Bianconi <lorenzo@kernel.org> |
| |
| [ Upstream commit 8d3cdc1bbb1d355f0ebef973175ae5fd74286feb ] |
| |
| Fix theoretical NULL pointer dereference in mt7615_tx_prepare_skb and |
| mt7663_usb_sdio_tx_prepare_skb routines. This issue has been identified |
| by code analysis. |
| |
| Fixes: 6aa4ed7927f11 ("mt76: mt7615: implement DMA support for MT7622") |
| Fixes: 4bb586bc33b98 ("mt76: mt7663u: sync probe sampling with rate configuration") |
| Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org> |
| Signed-off-by: Felix Fietkau <nbd@nbd.name> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| drivers/net/wireless/mediatek/mt76/mt7615/pci_mac.c | 5 +++-- |
| drivers/net/wireless/mediatek/mt76/mt7615/usb_sdio.c | 5 +++-- |
| 2 files changed, 6 insertions(+), 4 deletions(-) |
| |
| diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/pci_mac.c b/drivers/net/wireless/mediatek/mt76/mt7615/pci_mac.c |
| index 4cf7c5d34325..490d55651de3 100644 |
| --- a/drivers/net/wireless/mediatek/mt76/mt7615/pci_mac.c |
| +++ b/drivers/net/wireless/mediatek/mt76/mt7615/pci_mac.c |
| @@ -133,20 +133,21 @@ int mt7615_tx_prepare_skb(struct mt76_dev *mdev, void *txwi_ptr, |
| struct mt76_tx_info *tx_info) |
| { |
| struct mt7615_dev *dev = container_of(mdev, struct mt7615_dev, mt76); |
| - struct mt7615_sta *msta = container_of(wcid, struct mt7615_sta, wcid); |
| struct ieee80211_tx_info *info = IEEE80211_SKB_CB(tx_info->skb); |
| struct ieee80211_key_conf *key = info->control.hw_key; |
| int pid, id; |
| u8 *txwi = (u8 *)txwi_ptr; |
| struct mt76_txwi_cache *t; |
| + struct mt7615_sta *msta; |
| void *txp; |
| |
| + msta = wcid ? container_of(wcid, struct mt7615_sta, wcid) : NULL; |
| if (!wcid) |
| wcid = &dev->mt76.global_wcid; |
| |
| pid = mt76_tx_status_skb_add(mdev, wcid, tx_info->skb); |
| |
| - if (info->flags & IEEE80211_TX_CTL_RATE_CTRL_PROBE) { |
| + if ((info->flags & IEEE80211_TX_CTL_RATE_CTRL_PROBE) && msta) { |
| struct mt7615_phy *phy = &dev->phy; |
| |
| if ((info->hw_queue & MT_TX_HW_QUEUE_EXT_PHY) && mdev->phy2) |
| diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/usb_sdio.c b/drivers/net/wireless/mediatek/mt76/mt7615/usb_sdio.c |
| index 3b29a6d3dc64..18082b4ce7d3 100644 |
| --- a/drivers/net/wireless/mediatek/mt76/mt7615/usb_sdio.c |
| +++ b/drivers/net/wireless/mediatek/mt76/mt7615/usb_sdio.c |
| @@ -243,14 +243,15 @@ int mt7663_usb_sdio_tx_prepare_skb(struct mt76_dev *mdev, void *txwi_ptr, |
| struct ieee80211_sta *sta, |
| struct mt76_tx_info *tx_info) |
| { |
| - struct mt7615_sta *msta = container_of(wcid, struct mt7615_sta, wcid); |
| struct mt7615_dev *dev = container_of(mdev, struct mt7615_dev, mt76); |
| struct sk_buff *skb = tx_info->skb; |
| struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb); |
| + struct mt7615_sta *msta; |
| int pad; |
| |
| + msta = wcid ? container_of(wcid, struct mt7615_sta, wcid) : NULL; |
| if ((info->flags & IEEE80211_TX_CTL_RATE_CTRL_PROBE) && |
| - !msta->rate_probe) { |
| + msta && !msta->rate_probe) { |
| /* request to configure sampling rate */ |
| spin_lock_bh(&dev->mt76.lock); |
| mt7615_mac_set_rates(&dev->phy, msta, &info->control.rates[0], |
| -- |
| 2.30.2 |
| |