ath_tx_process_buffer() references the pointer (sta) returned by
ieee80211_find_sta_by_ifaddr() outside the null check. Fix it by
moving the code block under the null check.

This problem was found while reviewing code to debug RCU warn from
ath10k_wmi_tlv_parse_peer_stats_info() and a subsequent manual audit
of other callers of ieee80211_find_sta_by_ifaddr() that don't hold
RCU read lock.

Signed-off-by: Shuah Khan <sk...@linuxfoundation.org>
---
- Note: This patch is compile tested. I don't have access to
  hardware.

 drivers/net/wireless/ath/ath9k/xmit.c | 28 +++++++++++++++------------
 1 file changed, 16 insertions(+), 12 deletions(-)

diff --git a/drivers/net/wireless/ath/ath9k/xmit.c 
b/drivers/net/wireless/ath/ath9k/xmit.c
index 1d36aae3f7b6..735858144e3a 100644
--- a/drivers/net/wireless/ath/ath9k/xmit.c
+++ b/drivers/net/wireless/ath/ath9k/xmit.c
@@ -711,20 +711,24 @@ static void ath_tx_process_buffer(struct ath_softc *sc, 
struct ath_txq *txq,
                ath_tx_count_airtime(sc, sta, bf, ts, tid->tidno);
                if (ts->ts_status & (ATH9K_TXERR_FILT | ATH9K_TXERR_XRETRY))
                        tid->clear_ps_filter = true;
-       }
 
-       if (!bf_isampdu(bf)) {
-               if (!flush) {
-                       info = IEEE80211_SKB_CB(bf->bf_mpdu);
-                       memcpy(info->control.rates, bf->rates,
-                              sizeof(info->control.rates));
-                       ath_tx_rc_status(sc, bf, ts, 1, txok ? 0 : 1, txok);
-                       ath_dynack_sample_tx_ts(sc->sc_ah, bf->bf_mpdu, ts,
-                                               sta);
+               if (!bf_isampdu(bf)) {
+                       if (!flush) {
+                               info = IEEE80211_SKB_CB(bf->bf_mpdu);
+                               memcpy(info->control.rates, bf->rates,
+                                      sizeof(info->control.rates));
+                               ath_tx_rc_status(sc, bf, ts, 1,
+                                                txok ? 0 : 1, txok);
+                               ath_dynack_sample_tx_ts(sc->sc_ah,
+                                                       bf->bf_mpdu, ts, sta);
+                       }
+                       ath_tx_complete_buf(sc, bf, txq, bf_head, sta,
+                                           ts, txok);
+               } else {
+                       ath_tx_complete_aggr(sc, txq, bf, bf_head, sta,
+                                            tid, ts, txok);
                }
-               ath_tx_complete_buf(sc, bf, txq, bf_head, sta, ts, txok);
-       } else
-               ath_tx_complete_aggr(sc, txq, bf, bf_head, sta, tid, ts, txok);
+       }
 
        if (!flush)
                ath_txq_schedule(sc, txq);
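Review bot: With both completion calls moved inside the block closed by the added `}` (the sta null check according to the commit message; its opening line is outside the hunk), a frame whose station lookup returned NULL no longer reaches `ath_tx_complete_buf()` or `ath_tx_complete_aggr()`. If nothing else completes that buffer, it and its skb stay outstanding and no TX status is reported, which is a resource-exhaustion risk on a path that is reachable whenever the station entry is gone by completion time. Unless those helpers are known to mishandle a NULL `sta`, keep `ath_tx_complete_buf(sc, bf, txq, bf_head, sta, ts, txok);` and the `else ath_tx_complete_aggr(...)` branch after the null check, and guard only the call that actually needs a station. The patch is stated to be compile-tested only, so the sta == NULL path should be exercised on hardware before this is merged.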
-- 
2.27.0
