[PATCH] wifi: mac80211: change initialize for sk_buff in ieee80211_tx_dequeue()

[Guenter Roeck]

On Mon, Dec 12, 2022 at 03:36:07AM -0500, Wen Gong wrote:
> The sk_buff is only set to NULL when initialize, sometimes it will goto
> label "begin" after ieee80211_free_txskb(), then it points to a sk_buff
> which is already freed. If it run into the "goto out" after arrived to
> label "begin", then it will return a sk_buff which is freed, it is a
> risk for use-after-free.
> 
> Fixes: ded4698b58cb ("mac80211: run late dequeue late tx handlers without holding fq->lock")
> Signed-off-by: Wen Gong <quic_wgong at quicinc.com>

I don't see any progress on this patch. Is there a problem with it ?
Did it get lost ?

Thanks,
Guenter

> ---
>  net/mac80211/tx.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> 
> base-commit: 922932ca02191a390f7f52fb6e21c44b50e14025
> 
> diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
> index 2171cd1ca807..0b23cc9ab9c7 100644
> --- a/net/mac80211/tx.c
> +++ b/net/mac80211/tx.c
> @@ -3776,7 +3776,7 @@ struct sk_buff *ieee80211_tx_dequeue(struct ieee80211_hw *hw,
>  	struct ieee80211_local *local = hw_to_local(hw);
>  	struct txq_info *txqi = container_of(txq, struct txq_info, txq);
>  	struct ieee80211_hdr *hdr;
> -	struct sk_buff *skb = NULL;
> +	struct sk_buff *skb;
>  	struct fq *fq = &local->fq;
>  	struct fq_tin *tin = &txqi->tin;
>  	struct ieee80211_tx_info *info;
> @@ -3790,6 +3790,8 @@ struct sk_buff *ieee80211_tx_dequeue(struct ieee80211_hw *hw,
>  		return NULL;
>  
>  begin:
> +	skb = NULL;
> +
>  	spin_lock_bh(&fq->lock);
>  
>  	if (test_bit(IEEE80211_TXQ_STOP, &txqi->flags) ||