ath9k: fix ath_tx_process_buffer() potential null ptr dereference

ath_tx_process_buffer() references ieee80211_find_sta_by_ifaddr()
return pointer (sta) outside null check. Fix it by moving the code
block under the null check.

This problem was found while reviewing code to debug RCU warn from
ath10k_wmi_tlv_parse_peer_stats_info() and a subsequent manual audit
of other callers of ieee80211_find_sta_by_ifaddr() that don't hold
RCU read lock.

Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/43ed9abb9e8d7112f3cc168c2f8c489e253635ba.1613090339.git.skhan@linuxfoundation.org

diff --git a/drivers/net/wireless/ath/ath9k/xmit.c b/drivers/net/wireless/ath/ath9k/xmit.c
index e60d473..828b96b 100644 (file)
--- a/drivers/net/wireless/ath/ath9k/xmit.c
+++ b/drivers/net/wireless/ath/ath9k/xmit.c
@@ -708,20 +708,24 @@ static void ath_tx_process_buffer(struct ath_softc *sc, struct ath_txq *txq,
                ath_tx_count_airtime(sc, sta, bf, ts, tid->tidno);
                if (ts->ts_status & (ATH9K_TXERR_FILT | ATH9K_TXERR_XRETRY))
                        tid->clear_ps_filter = true;
-       }
 
-       if (!bf_isampdu(bf)) {
-               if (!flush) {
-                       info = IEEE80211_SKB_CB(bf->bf_mpdu);
-                       memcpy(info->control.rates, bf->rates,
-                              sizeof(info->control.rates));
-                       ath_tx_rc_status(sc, bf, ts, 1, txok ? 0 : 1, txok);
-                       ath_dynack_sample_tx_ts(sc->sc_ah, bf->bf_mpdu, ts,
-                                               sta);
+               if (!bf_isampdu(bf)) {
+                       if (!flush) {
+                               info = IEEE80211_SKB_CB(bf->bf_mpdu);
+                               memcpy(info->control.rates, bf->rates,
+                                      sizeof(info->control.rates));
+                               ath_tx_rc_status(sc, bf, ts, 1,
+                                                txok ? 0 : 1, txok);
+                               ath_dynack_sample_tx_ts(sc->sc_ah,
+                                                       bf->bf_mpdu, ts, sta);
+                       }
+                       ath_tx_complete_buf(sc, bf, txq, bf_head, sta,
+                                           ts, txok);
+               } else {
+                       ath_tx_complete_aggr(sc, txq, bf, bf_head, sta,
+                                            tid, ts, txok);
                }
-               ath_tx_complete_buf(sc, bf, txq, bf_head, sta, ts, txok);
-       } else
-               ath_tx_complete_aggr(sc, txq, bf, bf_head, sta, tid, ts, txok);
+       }
 
        if (!flush)
                ath_txq_schedule(sc, txq);