]> git.ipfire.org Git - thirdparty/linux.git/commitdiff
projects / thirdparty / linux.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: dfb67ae)
wifi: mac80211: Add sta pointer sanity check in ieee80211_8023_xmit()
authorTamizh Chelvam Raja <tamizh.raja@oss.qualcomm.com>
Thu, 4 Jun 2026 16:24:01 +0000 (21:54 +0530)
committerJohannes Berg <johannes.berg@intel.com>
Fri, 5 Jun 2026 14:09:04 +0000 (16:09 +0200)
Currently ieee80211_8023_xmit() accesses the sta pointer without any
sanity check, assuming that only unicast packets for an authorized
station are processed. But the sta pointer could become NULL when
a framework to support 802.3 offload for the multicast packets is
added in the follow-up patches. Add the valid sta pointer sanity
check to avoid the invalid pointer access.

This aligns with some of the subordinate functions called by
ieee80211_8023_xmit() that already NULL-check 'sta' such as
ieee80211_select_queue() and ieee80211_aggr_check().

Signed-off-by: Tamizh Chelvam Raja <tamizh.raja@oss.qualcomm.com>
Link: https://patch.msgid.link/20260604162403.1563729-2-tamizh.raja@oss.qualcomm.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
net/mac80211/tx.c patch | blob | blame | history

diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index cf336e92c072edd7726bb23ee1961e258b9f7abc..15ec77255c3f5d30ca548885f800dc6210ba437c 100644 (file)
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -4660,7 +4660,7 @@ static void ieee80211_8023_xmit(struct ieee80211_sub_if_data *sdata,
 {
        struct ieee80211_tx_info *info;
        struct ieee80211_local *local = sdata->local;
-       struct tid_ampdu_tx *tid_tx;
+       struct tid_ampdu_tx *tid_tx = NULL;
        struct sk_buff *seg, *next;
        unsigned int skbs = 0, len = 0;
        u16 queue;
@@ -4680,7 +4680,9 @@ static void ieee80211_8023_xmit(struct ieee80211_sub_if_data *sdata,
        ieee80211_aggr_check(sdata, sta, skb);
 
        tid = skb->priority & IEEE80211_QOS_CTL_TAG1D_MASK;
-       tid_tx = rcu_dereference(sta->ampdu_mlme.tid_tx[tid]);
+
+       if (sta)
+               tid_tx = rcu_dereference(sta->ampdu_mlme.tid_tx[tid]);
        if (tid_tx) {
                if (!test_bit(HT_AGG_STATE_OPERATIONAL, &tid_tx->state)) {
                        /* fall back to non-offload slow path */
@@ -4728,8 +4730,11 @@ static void ieee80211_8023_xmit(struct ieee80211_sub_if_data *sdata,
        }
 
        dev_sw_netstats_tx_add(dev, skbs, len);
-       sta->deflink.tx_stats.packets[queue] += skbs;
-       sta->deflink.tx_stats.bytes[queue] += len;
+
+       if (sta) {
+               sta->deflink.tx_stats.packets[queue] += skbs;
+               sta->deflink.tx_stats.bytes[queue] += len;
+       }
 
        ieee80211_tpt_led_trig_tx(local, len);
 
A mirror of Linus' kernel repository