From: Lorenzo Bianconi
To: kvalo@kernel.org
Cc: nbd@nbd.name, lorenzo.bianconi@redhat.com, linux-wireless@vger.kernel.org
Subject: [PATCH wireless] wifi: mt76: mt7996: fix possible NULL pointer dereference in mt7996_mac_write_txwi()
Date: Sun, 28 May 2023 12:28:49 +0200
Message-Id: <2637628a84f42ad6d7b774e706f041d5b45c8cb5.1685269638.git.lorenzo@kernel.org>

Fix possible NULL pointer dereference on mvif pointer in
mt7996_mac_write_txwi routine.

Fixes: 15ee62e73705 ("wifi: mt76: mt7996: enable BSS_CHANGED_BASIC_RATES support")
Signed-off-by: Lorenzo Bianconi

--- .../net/wireless/mediatek/mt76/mt7996/mac.c | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c index 39a4a73ef8e6..9b0f6053e0fa 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c +++ b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
@@ -1004,10 +1004,10 @@ void mt7996_mac_write_txwi(struct mt7996_dev *dev, __le32 *txwi, { struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb); struct ieee80211_vif *vif = info->control.vif; - struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv; u8 band_idx = (info->hw_queue & MT_TX_HW_QUEUE_PHY) >> 2; u8 p_fmt, q_idx, omac_idx = 0, wmm_idx = 0; bool is_8023 = info->flags & IEEE80211_TX_CTL_HW_80211_ENCAP; + struct mt7996_vif *mvif; u16 tx_count = 15; u32 val; bool beacon = !!(changed & (BSS_CHANGED_BEACON | @@ -1015,7 +1015,8 @@ void mt7996_mac_write_txwi(struct mt7996_dev *dev, __le32 *txwi, bool inband_disc = !!(changed & (BSS_CHANGED_UNSOL_BCAST_PROBE_RESP | BSS_CHANGED_FILS_DISCOVERY)); - if (vif) { + mvif = vif ? (struct mt7996_vif *)vif->drv_priv : NULL; + if (mvif) { omac_idx = mvif->mt76.omac_idx; wmm_idx = mvif->mt76.wmm_idx; band_idx = mvif->mt76.band_idx; @@ -1081,12 +1082,16 @@ void mt7996_mac_write_txwi(struct mt7996_dev *dev, __le32 *txwi, struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; bool mcast = ieee80211_is_data(hdr->frame_control) && is_multicast_ether_addr(hdr->addr1); - u8 idx = mvif->basic_rates_idx; + u8 idx = MT7996_BASIC_RATES_TBL; - if (mcast && mvif->mcast_rates_idx) - idx = mvif->mcast_rates_idx; - else if (beacon && mvif->beacon_rates_idx) - idx = mvif->beacon_rates_idx; + if (mvif) { + if (mcast && mvif->mcast_rates_idx) + idx = mvif->mcast_rates_idx; + else if (beacon && mvif->beacon_rates_idx) + idx = mvif->beacon_rates_idx; + else + idx = mvif->basic_rates_idx; + } txwi[6] |= cpu_to_le32(FIELD_PREP(MT_TXD6_TX_RATE, idx)); txwi[3] |= cpu_to_le32(MT_TXD3_BA_DISABLE); -- 2.40.1
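
Review bot: the changelog does not say which access faults or which TX path reaches mt7996_mac_write_txwi() without a vif, and the first hunk (@@ -1004,10) does not show it either. The removed initialiser `mvif = (struct mt7996_vif *)vif->drv_priv` sat ahead of an existing `if (vif)` check, so a NULL vif was already anticipated there; the reads with no vif check visible around them are `mvif->basic_rates_idx`, `mvif->mcast_rates_idx` and `mvif->beacon_rates_idx` in the third hunk. Naming those accesses in the commit message, together with the caller or frame type that arrives with `info->control.vif` unset, would make the Fixes: backport easier to judge.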
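
Review bot: in the third hunk (@@ -1081,12), the new default `u8 idx = MT7996_BASIC_RATES_TBL;` is the value that ends up in MT_TXD6_TX_RATE whenever mvif is NULL, but nothing in the patch documents why that table index is the right rate for a frame sent without a vif. A one-line comment above the declaration stating the intent would help. The `if (mvif)` branch keeps the previous selection order (mcast_rates_idx, then beacon_rates_idx, then basic_rates_idx), so behaviour with a valid vif looks unchanged.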