From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Andrei Otcheretianski <andrei.otcheretianski@intel.com>, Luca Coelho <luciano.coelho@intel.com>, Kalle Valo <kvalo@codeaurora.org>, Sasha Levin <sashal@kernel.org>, linux-wireless@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 5.5 518/542] iwlwifi: mvm: Check the sta is not NULL in iwl_mvm_cfg_he_sta()
Date: Fri, 14 Feb 2020 10:48:30 -0500
Message-ID: <20200214154854.6746-518-sashal@kernel.org>
In-Reply-To: <20200214154854.6746-1-sashal@kernel.org>

From: Andrei Otcheretianski <andrei.otcheretianski@intel.com>

[ Upstream commit 12d47f0ea5e0aa63f19ba618da55a7c67850ca10 ]

Fix a kernel panic by checking that the sta is not NULL. This could happen during a reconfig flow, as mac80211 moves the sta between all the states without really checking if the previous state was successfully set. So, if for some reason we failed to add back the station, subsequent calls to sta_state() callback will be done when the station is NULL. This would result in a following panic:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000040
IP: iwl_mvm_cfg_he_sta+0xfc/0x690 [iwlmvm]
[..]
Call Trace:
 iwl_mvm_mac_sta_state+0x629/0x6f0 [iwlmvm]
 drv_sta_state+0xf4/0x950 [mac80211]
 ieee80211_reconfig+0xa12/0x2180 [mac80211]
 ieee80211_restart_work+0xbb/0xe0 [mac80211]
 process_one_work+0x1e2/0x610
 worker_thread+0x4d/0x3e0
[..]

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
index 6717f25c46b1c..8ecd1f6875deb 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c @@ -5,10 +5,9 @@ * * GPL LICENSE SUMMARY * - * Copyright(c) 2012 - 2014 Intel Corporation. All rights reserved. * Copyright(c) 2013 - 2015 Intel Mobile Communications GmbH * Copyright(c) 2016 - 2017 Intel Deutschland GmbH - * Copyright(c) 2018 - 2019 Intel Corporation + * Copyright(c) 2012 - 2014, 2018 - 2020 Intel Corporation * * This program is free software; you can redistribute it and/or modify * it under the terms of version 2 of the GNU General Public License as @@ -28,10 +27,9 @@ * * BSD LICENSE * - * Copyright(c) 2012 - 2014 Intel Corporation. All rights reserved. * Copyright(c) 2013 - 2015 Intel Mobile Communications GmbH * Copyright(c) 2016 - 2017 Intel Deutschland GmbH - * Copyright(c) 2018 - 2019 Intel Corporation + * Copyright(c) 2012 - 2014, 2018 - 2020 Intel Corporation * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -2037,7 +2035,7 @@ static void iwl_mvm_cfg_he_sta(struct iwl_mvm *mvm, rcu_read_lock(); sta = rcu_dereference(mvm->fw_id_to_mac_id[sta_ctxt_cmd.sta_id]); - if (IS_ERR(sta)) { + if (IS_ERR_OR_NULL(sta)) { rcu_read_unlock(); WARN(1, "Can't find STA to configure HE\n"); return; -- 2.20.1
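Review bot: the two licence-header hunks (GPL and BSD blocks) rewrite the Intel copyright lines, which the commit message does not mention, and in the GPL block the sentence "All rights reserved." that followed the 2012 - 2014 range disappears entirely. For a stable backport whose stated purpose is a NULL check, either drop these hunks or mention them in the changelog, so that the 3 insertions and 5 deletions in the diffstat are not mistaken for functional changes.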
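Review bot: in the iwl_mvm_cfg_he_sta() hunk the widened IS_ERR_OR_NULL(sta) check still ends in WARN(1, "Can't find STA to configure HE\n"), so the NULL case that the commit message describes as reachable after a failed station re-add now produces a full warning trace each time it is hit, and a system booted with panic_on_warn would still go down on it. Consider a once-only or rate-limited message for the NULL case and keep WARN for a real error pointer. Since the function returns void, a short comment that HE configuration is skipped for that station would also make the early return easier to follow.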
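Why the old check let NULL through, as an added example that is not part of the patch or of the iwlwifi driver: a userspace model of the kernel's error-pointer tests. The helper bodies are reimplemented here for illustration, and struct sta_model, the slot table and cfg_he_model() are hypothetical stand-ins for the driver's station lookup.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_ERRNO 4095	/* error pointers occupy the top 4095 addresses */

/* Userspace reimplementations modelled on the kernel helpers of the same name. */
static inline void *ERR_PTR(long error) { return (void *)error; }
static inline bool IS_ERR(const void *ptr)
{
	return (uintptr_t)ptr >= (uintptr_t)-MAX_ERRNO;
}
static inline bool IS_ERR_OR_NULL(const void *ptr)
{
	return !ptr || IS_ERR(ptr);
}

struct sta_model { int he_cap; };	/* hypothetical station object */
enum { SLOT_VALID, SLOT_ERR, SLOT_NULL, SLOT_COUNT };

/*
 * Returns the station's he_cap when configured, -1 when the guard rejects
 * the slot, and -2 where the guard passed a pointer that the real code
 * would go on to dereference (the panic in the commit message).
 */
static int cfg_he_model(int slot, bool patched)
{
	static struct sta_model good = { .he_cap = 1 };
	/* Constructed table: one valid entry, one error pointer, one empty slot. */
	struct sta_model *table[SLOT_COUNT] = { &good, ERR_PTR(-2), NULL };
	struct sta_model *sta = table[slot];

	if (patched ? IS_ERR_OR_NULL(sta) : IS_ERR(sta))
		return -1;	/* guard taken: warn and return */
	if (!sta)
		return -2;	/* guard missed NULL: next access would fault */
	return sta->he_cap;
}

int main(void)
{
	printf("unpatched, NULL slot: %d\n", cfg_he_model(SLOT_NULL, false));
	printf("patched,   NULL slot: %d\n", cfg_he_model(SLOT_NULL, true));
	printf("patched,   ERR slot:  %d\n", cfg_he_model(SLOT_ERR, true));
	return 0;
}
```

The fault address 0x40 in the trace is consistent with a field read at a small offset from a NULL base, which is the case the -2 return stands for.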