linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: "Miaoqing Pan" <miaoqing@codeaurora.org>,
	"Toke Høiland-Jørgensen" <toke@redhat.com>,
	"Johannes Berg" <johannes.berg@intel.com>,
	"Sasha Levin" <sashal@kernel.org>,
	linux-wireless@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.14 15/21] mac80211: fix txq null pointer dereference
Date: Wed,  9 Oct 2019 13:06:08 -0400	[thread overview]
Message-ID: <20191009170615.32750-15-sashal@kernel.org> (raw)
In-Reply-To: <20191009170615.32750-1-sashal@kernel.org>

From: Miaoqing Pan <miaoqing@codeaurora.org>

[ Upstream commit 8ed31a264065ae92058ce54aa3cc8da8d81dc6d7 ]

If the interface type is P2P_DEVICE or NAN, read the file of
'/sys/kernel/debug/ieee80211/phyx/netdev:wlanx/aqm' will get a
NULL pointer dereference. As for those interface type, the
pointer sdata->vif.txq is NULL.

Unable to handle kernel NULL pointer dereference at virtual address 00000011
CPU: 1 PID: 30936 Comm: cat Not tainted 4.14.104 #1
task: ffffffc0337e4880 task.stack: ffffff800cd20000
PC is at ieee80211_if_fmt_aqm+0x34/0xa0 [mac80211]
LR is at ieee80211_if_fmt_aqm+0x34/0xa0 [mac80211]
[...]
Process cat (pid: 30936, stack limit = 0xffffff800cd20000)
[...]
[<ffffff8000b7cd00>] ieee80211_if_fmt_aqm+0x34/0xa0 [mac80211]
[<ffffff8000b7c414>] ieee80211_if_read+0x60/0xbc [mac80211]
[<ffffff8000b7ccc4>] ieee80211_if_read_aqm+0x28/0x30 [mac80211]
[<ffffff80082eff94>] full_proxy_read+0x2c/0x48
[<ffffff80081eef00>] __vfs_read+0x2c/0xd4
[<ffffff80081ef084>] vfs_read+0x8c/0x108
[<ffffff80081ef494>] SyS_read+0x40/0x7c

Signed-off-by: Miaoqing Pan <miaoqing@codeaurora.org>
Acked-by: Toke Høiland-Jørgensen <toke@redhat.com>
Link: https://lore.kernel.org/r/1569549796-8223-1-git-send-email-miaoqing@codeaurora.org
[trim useless data from commit message]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/mac80211/debugfs_netdev.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/net/mac80211/debugfs_netdev.c b/net/mac80211/debugfs_netdev.c
index c813207bb1236..928b6b0464b82 100644
--- a/net/mac80211/debugfs_netdev.c
+++ b/net/mac80211/debugfs_netdev.c
@@ -490,9 +490,14 @@ static ssize_t ieee80211_if_fmt_aqm(
 	const struct ieee80211_sub_if_data *sdata, char *buf, int buflen)
 {
 	struct ieee80211_local *local = sdata->local;
-	struct txq_info *txqi = to_txq_info(sdata->vif.txq);
+	struct txq_info *txqi;
 	int len;
 
+	if (!sdata->vif.txq)
+		return 0;
+
+	txqi = to_txq_info(sdata->vif.txq);
+
 	spin_lock_bh(&local->fq.lock);
 	rcu_read_lock();
 
@@ -659,7 +664,9 @@ static void add_common_files(struct ieee80211_sub_if_data *sdata)
 	DEBUGFS_ADD(rc_rateidx_vht_mcs_mask_5ghz);
 	DEBUGFS_ADD(hw_queues);
 
-	if (sdata->local->ops->wake_tx_queue)
+	if (sdata->local->ops->wake_tx_queue &&
+	    sdata->vif.type != NL80211_IFTYPE_P2P_DEVICE &&
+	    sdata->vif.type != NL80211_IFTYPE_NAN)
 		DEBUGFS_ADD(aqm);
 }
 
-- 
2.20.1


  parent reply	other threads:[~2019-10-09 17:27 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-10-09 17:05 [PATCH AUTOSEL 4.14 01/21] KVM: arm/arm64: vgic: Use the appropriate TRACE_INCLUDE_PATH Sasha Levin
2019-10-09 17:05 ` [PATCH AUTOSEL 4.14 02/21] scsi: ufs: skip shutdown if hba is not powered Sasha Levin
2019-10-09 17:05 ` [PATCH AUTOSEL 4.14 03/21] scsi: megaraid: disable device when probe failed after enabled device Sasha Levin
2019-10-09 17:05 ` [PATCH AUTOSEL 4.14 04/21] scsi: qla2xxx: Fix unbound sleep in fcport delete path Sasha Levin
2019-10-09 17:05 ` [PATCH AUTOSEL 4.14 05/21] ARM: OMAP2+: Fix missing reset done flag for am3 and am43 Sasha Levin
2019-10-09 17:05 ` [PATCH AUTOSEL 4.14 06/21] kvm: x86: Improve emulation of CPUID leaves 0BH and 1FH Sasha Levin
2019-10-09 17:06 ` [PATCH AUTOSEL 4.14 07/21] kvm: x86: Use AMD CPUID semantics for AMD vCPUs Sasha Levin
2019-10-09 17:06 ` [PATCH AUTOSEL 4.14 08/21] ieee802154: ca8210: prevent memory leak Sasha Levin
2019-10-09 17:06 ` [PATCH AUTOSEL 4.14 09/21] ARM: dts: am4372: Set memory bandwidth limit for DISPC Sasha Levin
2019-10-09 17:06 ` [PATCH AUTOSEL 4.14 10/21] net: dsa: qca8k: Use up to 7 ports for all operations Sasha Levin
2019-10-09 17:06 ` [PATCH AUTOSEL 4.14 11/21] MIPS: dts: ar9331: fix interrupt-controller size Sasha Levin
2019-10-09 17:06 ` [PATCH AUTOSEL 4.14 12/21] xen/efi: Set nonblocking callbacks Sasha Levin
2019-10-09 17:06 ` [PATCH AUTOSEL 4.14 13/21] kvm: vmx: Limit guest PMCs to those supported on the host Sasha Levin
2019-10-09 17:06 ` [PATCH AUTOSEL 4.14 14/21] nl80211: fix null pointer dereference Sasha Levin
2019-10-09 17:06 ` Sasha Levin [this message]
2019-10-09 17:06 ` [PATCH AUTOSEL 4.14 16/21] mips: Loongson: Fix the link time qualifier of 'serial_exit()' Sasha Levin
2019-10-09 17:06 ` [PATCH AUTOSEL 4.14 17/21] net: hisilicon: Fix usage of uninitialized variable in function mdio_sc_cfg_reg_write() Sasha Levin
2019-10-09 17:06 ` [PATCH AUTOSEL 4.14 18/21] vfs: Fix EOVERFLOW testing in put_compat_statfs64 Sasha Levin
2019-10-09 17:06 ` [PATCH AUTOSEL 4.14 19/21] r8152: Set macpassthru in reset_resume callback Sasha Levin
2019-10-09 17:06 ` [PATCH AUTOSEL 4.14 20/21] namespace: fix namespace.pl script to support relative paths Sasha Levin
2019-10-09 17:06 ` [PATCH AUTOSEL 4.14 21/21] Make filldir[64]() verify the directory entry filename is valid Sasha Levin

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20191009170615.32750-15-sashal@kernel.org \
    --to=sashal@kernel.org \
    --cc=johannes.berg@intel.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-wireless@vger.kernel.org \
    --cc=miaoqing@codeaurora.org \
    --cc=netdev@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=toke@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).