From patchwork Wed Apr 20 03:14:51 2022
X-Patchwork-Submitter: Bo Jiao
X-Patchwork-Id: 12819713
X-Patchwork-Delegate: nbd@nbd.name
From: Bo Jiao
To: Felix Fietkau
CC: linux-wireless, Ryder Lee, Sujuan Chen, Shayne Chen, Evelyn Tsai, linux-mediatek, Bo Jiao
Subject: [PATCH] mt76: mt7915: fix msta->wcid use-after-free in mt76_tx_status_check()
Date: Wed, 20 Apr 2022 11:14:51 +0800
Message-ID: <20220420031451.6770-1-bo.jiao@mediatek.com>
X-Mailing-List: linux-wireless@vger.kernel.org

From: Bo Jiao

fix msta->wcid use-after-free in mt76_tx_status_check when the sta has been removed.

Signed-off-by: Bo Jiao

--- drivers/net/wireless/mediatek/mt76/mt7915/main.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/main.c b/drivers/net/wireless/mediatek/mt76/mt7915/main.c index 800f720..160d80e 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7915/main.c +++ b/drivers/net/wireless/mediatek/mt76/mt7915/main.c @@ -701,6 +701,11 @@ void mt7915_mac_sta_remove(struct mt76_dev *mdev, struct ieee80211_vif *vif, if (!list_empty(&msta->rc_list)) list_del_init(&msta->rc_list); spin_unlock_bh(&dev->sta_poll_lock); + + spin_lock_bh(&mdev->status_lock); + if (!list_empty(&msta->wcid.list)) + list_del_init(&msta->wcid.list); + spin_unlock_bh(&mdev->status_lock); } static void mt7915_tx(struct ieee80211_hw *hw,
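Review bot: the unlink of msta->wcid.list at the end of mt7915_mac_sta_remove() is done only in the mt7915 driver, while the function named in the subject, mt76_tx_status_check(), and the lock taken here (mdev->status_lock on struct mt76_dev) belong to the shared mt76 layer. If other mt76 drivers link their wcid onto the same list, they would be left with the same dangling entry, so consider doing the list_del_init() under status_lock in the common station-removal path instead of per driver. The commit message should also say which path leaves the wcid on the list after the sta is freed (where it gets added and who walks it later), and a use-after-free fix should carry a Fixes: tag naming the commit that introduced the problem so it can be picked up for stable. Minor: the new block repeats the pattern used just above for rc_list under sta_poll_lock; a one-line comment stating that this removes the wcid from the list scanned by mt76_tx_status_check() would make the reason for the second lock obvious to later readers.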