Message ID | 20230406093009.5869-1-pkshih@realtek.com |
---|---|
State | New |
Headers | show |
Series | wifi: rtw89: fix crash due to null pointer of sta in AP mode | expand |
Ping-Ke Shih <pkshih@realtek.com> wrote: > In AP mode, 'sta' could be NULL if sending broadcast/multicast packets, > so we should check before accessing, or it causes crash: > > BUG: kernel NULL pointer dereference, address: 0000000000000004 > #PF: supervisor read access in kernel mode > #PF: error_code(0x0000) - not-present page > PGD 0 P4D 0 > Oops: 0000 [#1] PREEMPT SMP PTI > CPU: 2 PID: 92 Comm: kworker/u33:0 Tainted: G OE > Workqueue: rtw89_tx_wq rtw89_core_txq_work [rtw89_core] > RIP: 0010:rtw89_core_tx_update_desc_info+0x2cc/0x7d0 [rtw89_core] > Code: e2 01 41 be 04 00 00 00 41 8b 84 c4 0c 01 00 00 75 0d 45 31 f6 ... > RSP: 0018:ffffb4cf807afce0 EFLAGS: 00010297 > RAX: 0000000000000001 RBX: ffffb4cf807afd48 RCX: 0000000000000000 > RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001 > RBP: ffffb4cf807afd30 R08: ffff9b28c1e59808 R09: ffff9b28c0297100 > R10: 00000000052cf7c4 R11: 00000000052cf7c4 R12: ffff9b28c1602040 > R13: ffff9b28c07b3000 R14: 0000000000000004 R15: 0000000000000000 > FS: 0000000000000000(0000) GS:ffff9b2a73280000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 0000000000000004 CR3: 00000001ca410003 CR4: 00000000000606e0 > Call Trace: > <TASK> > rtw89_core_tx_write+0x7c/0x100 [rtw89_core] > rtw89_core_txq_work+0x1b4/0x530 [rtw89_core] > process_one_work+0x222/0x3f0 > worker_thread+0x50/0x3f0 > kthread+0x16b/0x190 > ? rescuer_thread+0x3a0/0x3a0 > ? set_kthread_struct+0x50/0x50 > ret_from_fork+0x22/0x30 > </TASK> > > Fixes: e5307c9cd7ee ("wifi: rtw89: set data lowest rate according to AP supported rate") > Signed-off-by: Ping-Ke Shih <pkshih@realtek.com> Patch applied to wireless-next.git, thanks. 8551844d2c5b wifi: rtw89: fix crash due to null pointer of sta in AP mode
diff --git a/drivers/net/wireless/realtek/rtw89/core.c b/drivers/net/wireless/realtek/rtw89/core.c index 56a13be2e2833..194f64e8a8468 100644 --- a/drivers/net/wireless/realtek/rtw89/core.c +++ b/drivers/net/wireless/realtek/rtw89/core.c @@ -707,7 +707,7 @@ static u16 rtw89_core_get_data_rate(struct rtw89_dev *rtwdev, else lowest_rate = RTW89_HW_RATE_OFDM6; - if (!sta->deflink.supp_rates[chan->band_type]) + if (!sta || !sta->deflink.supp_rates[chan->band_type]) return lowest_rate; return __ffs(sta->deflink.supp_rates[chan->band_type]) + lowest_rate;
In AP mode, 'sta' could be NULL if sending broadcast/multicast packets, so we should check before accessing, or it causes crash: BUG: kernel NULL pointer dereference, address: 0000000000000004 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 2 PID: 92 Comm: kworker/u33:0 Tainted: G OE Workqueue: rtw89_tx_wq rtw89_core_txq_work [rtw89_core] RIP: 0010:rtw89_core_tx_update_desc_info+0x2cc/0x7d0 [rtw89_core] Code: e2 01 41 be 04 00 00 00 41 8b 84 c4 0c 01 00 00 75 0d 45 31 f6 ... RSP: 0018:ffffb4cf807afce0 EFLAGS: 00010297 RAX: 0000000000000001 RBX: ffffb4cf807afd48 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001 RBP: ffffb4cf807afd30 R08: ffff9b28c1e59808 R09: ffff9b28c0297100 R10: 00000000052cf7c4 R11: 00000000052cf7c4 R12: ffff9b28c1602040 R13: ffff9b28c07b3000 R14: 0000000000000004 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff9b2a73280000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000004 CR3: 00000001ca410003 CR4: 00000000000606e0 Call Trace: <TASK> rtw89_core_tx_write+0x7c/0x100 [rtw89_core] rtw89_core_txq_work+0x1b4/0x530 [rtw89_core] process_one_work+0x222/0x3f0 worker_thread+0x50/0x3f0 kthread+0x16b/0x190 ? rescuer_thread+0x3a0/0x3a0 ? set_kthread_struct+0x50/0x50 ret_from_fork+0x22/0x30 </TASK> Fixes: e5307c9cd7ee ("wifi: rtw89: set data lowest rate according to AP supported rate") Signed-off-by: Ping-Ke Shih <pkshih@realtek.com> --- drivers/net/wireless/realtek/rtw89/core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)