Lorenzo Bianconi <lorenzo.bianconi@xxxxxxxxxx> wrote:

> Starting from mac80211 commit adf8ed01e4fd ("mac80211: add an optional
> TXQ for other PS-buffered frames") and commit 0eeb2b674f05 ("mac80211:
> add an option for station management TXQ") a new per-sta queue has been
> introduced for bufferable management frames.
> sta->txq[IEEE80211_NUM_TIDS] is initialized just if the driver reports
> the following hw flags:
> - IEEE80211_HW_STA_MMPDU_TXQ
> - IEEE80211_HW_BUFF_MMPDU_TXQ
> This can produce a NULL pointer dereference in mt76_stop_tx_queues
> since mt76 iterates on all available sta tx queues assuming they are
> initialized by mac80211. This issue has been spotted analyzing the code
> (it has not triggered any crash yet)
>
> Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@xxxxxxxxxx>

Patch applied to wireless-drivers.git, thanks.

7c250f4612ae mt76: fix potential NULL pointer dereference in mt76_stop_tx_queues

--
https://patchwork.kernel.org/patch/10686507/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
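
A user-space C model of the condition the quoted commit message describes, added here as an illustration; it is not the mt76 patch or kernel code. The `model_*` names, the backing `slots` array and the single `mmpdu_txq` flag standing in for the two hw flags are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

#define IEEE80211_NUM_TIDS 16                 /* value used by mac80211 */
#define NUM_STA_TXQ (IEEE80211_NUM_TIDS + 1)  /* extra slot: management TXQ */

/* Hypothetical stand-ins for the per-station TXQ bookkeeping. */
struct model_txq { bool stopped; };
struct model_sta {
    struct model_txq  slots[NUM_STA_TXQ];  /* backing storage */
    struct model_txq *txq[NUM_STA_TXQ];    /* NULL = never initialized */
};

/* Station setup: the last slot stays NULL unless the driver reported
 * the MMPDU TXQ hw flags (collapsed into one bool for this model). */
static void model_sta_init(struct model_sta *sta, bool mmpdu_txq)
{
    *sta = (struct model_sta){0};
    for (int i = 0; i < NUM_STA_TXQ; i++) {
        if (i == IEEE80211_NUM_TIDS && !mmpdu_txq)
            continue;
        sta->txq[i] = &sta->slots[i];
    }
}

/* Driver-side walk over every slot. Without the NULL check, the write
 * below would dereference txq[IEEE80211_NUM_TIDS] == NULL. */
static int model_stop_tx_queues(struct model_sta *sta)
{
    int stopped = 0;
    for (int i = 0; i < NUM_STA_TXQ; i++) {
        if (!sta->txq[i])   /* slot never initialized: skip it */
            continue;
        sta->txq[i]->stopped = true;
        stopped++;
    }
    return stopped;
}

int main(void)
{
    struct model_sta sta;
    model_sta_init(&sta, false);   /* driver without the MMPDU TXQ flags */
    printf("stopped %d of %d slots\n", model_stop_tx_queues(&sta), NUM_STA_TXQ);
    return 0;
}
```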