In AP mode, 'sta' could be NULL if sending broadcast/multicast packets,
so we should check before accessing, or it causes crash:
BUG: kernel NULL pointer dereference, address: 0000000000000004
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 2 PID: 92 Comm: kworker/u33:0 Tainted: G OE
Workqueue: rtw89_tx_wq rtw89_core_txq_work [rtw89_core]
RIP: 0010:rtw89_core_tx_update_desc_info+0x2cc/0x7d0 [rtw89_core]
Code: e2 01 41 be 04 00 00 00 41 8b 84 c4 0c 01 00 00 75 0d 45 31 f6 ...
RSP: 0018:ffffb4cf807afce0 EFLAGS: 00010297
RAX: 0000000000000001 RBX: ffffb4cf807afd48 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001
RBP: ffffb4cf807afd30 R08: ffff9b28c1e59808 R09: ffff9b28c0297100
R10: 00000000052cf7c4 R11: 00000000052cf7c4 R12: ffff9b28c1602040
R13: ffff9b28c07b3000 R14: 0000000000000004 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff9b2a73280000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000004 CR3: 00000001ca410003 CR4: 00000000000606e0
Call Trace:
<TASK>
rtw89_core_tx_write+0x7c/0x100 [rtw89_core]
rtw89_core_txq_work+0x1b4/0x530 [rtw89_core]
process_one_work+0x222/0x3f0
worker_thread+0x50/0x3f0
kthread+0x16b/0x190
? rescuer_thread+0x3a0/0x3a0
? set_kthread_struct+0x50/0x50
ret_from_fork+0x22/0x30
</TASK>
Fixes: e5307c9cd7ee ("wifi: rtw89: set data lowest rate according to AP supported rate")
Signed-off-by: Ping-Ke Shih <[email protected]>
---
drivers/net/wireless/realtek/rtw89/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/realtek/rtw89/core.c b/drivers/net/wireless/realtek/rtw89/core.c
index 56a13be2e2833..194f64e8a8468 100644
--- a/drivers/net/wireless/realtek/rtw89/core.c
+++ b/drivers/net/wireless/realtek/rtw89/core.c
@@ -707,7 +707,7 @@ static u16 rtw89_core_get_data_rate(struct rtw89_dev *rtwdev,
else
lowest_rate = RTW89_HW_RATE_OFDM6;
- if (!sta->deflink.supp_rates[chan->band_type])
+ if (!sta || !sta->deflink.supp_rates[chan->band_type])
return lowest_rate;
return __ffs(sta->deflink.supp_rates[chan->band_type]) + lowest_rate;
--
2.25.1
Ping-Ke Shih <[email protected]> wrote:
> In AP mode, 'sta' could be NULL if sending broadcast/multicast packets,
> so we should check before accessing, or it causes crash:
>
> BUG: kernel NULL pointer dereference, address: 0000000000000004
> #PF: supervisor read access in kernel mode
> #PF: error_code(0x0000) - not-present page
> PGD 0 P4D 0
> Oops: 0000 [#1] PREEMPT SMP PTI
> CPU: 2 PID: 92 Comm: kworker/u33:0 Tainted: G OE
> Workqueue: rtw89_tx_wq rtw89_core_txq_work [rtw89_core]
> RIP: 0010:rtw89_core_tx_update_desc_info+0x2cc/0x7d0 [rtw89_core]
> Code: e2 01 41 be 04 00 00 00 41 8b 84 c4 0c 01 00 00 75 0d 45 31 f6 ...
> RSP: 0018:ffffb4cf807afce0 EFLAGS: 00010297
> RAX: 0000000000000001 RBX: ffffb4cf807afd48 RCX: 0000000000000000
> RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001
> RBP: ffffb4cf807afd30 R08: ffff9b28c1e59808 R09: ffff9b28c0297100
> R10: 00000000052cf7c4 R11: 00000000052cf7c4 R12: ffff9b28c1602040
> R13: ffff9b28c07b3000 R14: 0000000000000004 R15: 0000000000000000
> FS: 0000000000000000(0000) GS:ffff9b2a73280000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000004 CR3: 00000001ca410003 CR4: 00000000000606e0
> Call Trace:
> <TASK>
> rtw89_core_tx_write+0x7c/0x100 [rtw89_core]
> rtw89_core_txq_work+0x1b4/0x530 [rtw89_core]
> process_one_work+0x222/0x3f0
> worker_thread+0x50/0x3f0
> kthread+0x16b/0x190
> ? rescuer_thread+0x3a0/0x3a0
> ? set_kthread_struct+0x50/0x50
> ret_from_fork+0x22/0x30
> </TASK>
>
> Fixes: e5307c9cd7ee ("wifi: rtw89: set data lowest rate according to AP supported rate")
> Signed-off-by: Ping-Ke Shih <[email protected]>
Patch applied to wireless-next.git, thanks.
8551844d2c5b wifi: rtw89: fix crash due to null pointer of sta in AP mode
--
https://patchwork.kernel.org/project/linux-wireless/patch/[email protected]/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches