git: d89845f449da - stable/15 - LinuxKPI: 802.11: catch possible NULL pointer deref with mt76

Thu, 26 Feb 2026 18:34:07 -0800 

The branch stable/15 has been updated by bz:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=d89845f449da734a3d9893552c5b0da963c90819

commit d89845f449da734a3d9893552c5b0da963c90819
Author:     Bjoern A. Zeeb <[email protected]>
AuthorDate: 2026-02-04 22:46:47 +0000
Commit:     Bjoern A. Zeeb <[email protected]>
CommitDate: 2026-02-26 23:01:54 +0000

    LinuxKPI: 802.11: catch possible NULL pointer deref with mt76
    
    With mt76 we, for the first time, see that txstat->skb or
    txstat->info may not be filled in linuxkpi_ieee80211_tx_status_ext().
    Guard for these cases checking for skb and info to be not NULL and
    assume a TX failure in case info is NULL.
    
    Sponsored by:   The FreeBSD Foundation
    
    (cherry picked from commit 94be5dbdfd22de4ec9ad699803ae18d9d209d824)
---
 sys/compat/linuxkpi/common/src/linux_80211.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/sys/compat/linuxkpi/common/src/linux_80211.c 
b/sys/compat/linuxkpi/common/src/linux_80211.c
index 54571b28e2b8..0b732cb691c6 100644
--- a/sys/compat/linuxkpi/common/src/linux_80211.c
+++ b/sys/compat/linuxkpi/common/src/linux_80211.c
@@ -8304,6 +8304,9 @@ _lkpi_ieee80211_free_txskb(struct ieee80211_hw *hw, 
struct sk_buff *skb,
        struct ieee80211_node *ni;
        struct mbuf *m;
 
+       if (skb == NULL)
+               return;
+
        m = skb->m;
        skb->m = NULL;
 
@@ -8329,13 +8332,13 @@ linuxkpi_ieee80211_tx_status_ext(struct ieee80211_hw 
*hw,
     struct ieee80211_tx_status *txstat)
 {
        struct sk_buff *skb;
-       struct ieee80211_tx_info *info;
+       struct ieee80211_tx_info *info, _info = { };
        struct ieee80211_ratectl_tx_status txs;
        struct ieee80211_node *ni;
        int status;
 
        skb = txstat->skb;
-       if (skb->m != NULL) {
+       if (skb != NULL && skb->m != NULL) {
                struct mbuf *m;
 
                m = skb->m;
@@ -8345,7 +8348,13 @@ linuxkpi_ieee80211_tx_status_ext(struct ieee80211_hw *hw,
                ni = NULL;
        }
 
+       /*
+        * If we have no info information on tx, set info to an all-zero struct
+        * to make the code (and debug output) simpler.
+        */
        info = txstat->info;
+       if (info == NULL)
+               info = &_info;
        if (info->flags & IEEE80211_TX_STAT_ACK) {
                status = 0;     /* No error. */
                txs.status = IEEE80211_RATECTL_TX_SUCCESS;
@@ -8410,7 +8419,8 @@ linuxkpi_ieee80211_tx_status_ext(struct ieee80211_hw *hw,
 
        if (txstat->free_list) {
                _lkpi_ieee80211_free_txskb(hw, skb, status);
-               list_add_tail(&skb->list, txstat->free_list);
+               if (skb != NULL)
+                       list_add_tail(&skb->list, txstat->free_list);
        } else {
                linuxkpi_ieee80211_free_txskb(hw, skb, status);
        }

Reply via email to