Shuah Khan <skhan@xxxxxxxxxxxxxxxxxxx> wrote:
> This reverts commit a56c14bb21b296fb6d395164ab62ef2e419e5069.
>
> ath_tx_process_buffer() doesn't dereference or check sta and passes it
> to ath_tx_complete_aggr() and ath_tx_complete_buf().
>
> ath_tx_complete_aggr() checks the pointer before use. No problem here.
>
> ath_tx_complete_buf() doesn't check or dereference sta and passes it on
> to ath_tx_complete(). ath_tx_complete() doesn't check or dereference sta,
> but assigns it to tx_info->status.status_driver_data[0]
>
> ath_tx_complete_buf() is called from ath_tx_complete_aggr() passing
> null ieee80211_sta pointer.
>
> There is a potential for dereference later on, if and when the
> tx_info->status.status_driver_data[0]is referenced. In addition, the
> rcu read lock might be released before referencing the contents.
>
> ath_tx_complete_buf() should be fixed to check sta perhaps? Worth
> looking into.
>
> Reverting this patch because it doesn't solve the problem and introduces
> memory leak by skipping buffer completion if the pointer (sta) is NULL.
>
> Fixes: a56c14bb21b2 ("ath9k: fix ath_tx_process_buffer() potential null ptr dereference")
> Signed-off-by: Shuah Khan <skhan@xxxxxxxxxxxxxxxxxxx>
> Signed-off-by: Kalle Valo <kvalo@xxxxxxxxxxxxxx>
Thanks. I added the commit id and Fixes tag to the commit log, see the new version above.
--
https://patchwork.kernel.org/project/linux-wireless/patch/20210217211801.22540-1-skhan@xxxxxxxxxxxxxxxxxxx/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
