projects / linux.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 7360cde) | patch
mt76: connac: fix possible NULL pointer dereference in mt76_connac_get_phy_mode_v2
authorLorenzo Bianconi <lorenzo@kernel.org>
Thu, 14 Oct 2021 15:19:53 +0000 (17:19 +0200)
committerFelix Fietkau <nbd@nbd.name>
Wed, 20 Oct 2021 08:36:51 +0000 (10:36 +0200)
commitb5f2ba8a4c794e8349c0e30036352b9f685164c4
tree04385e4f97201e7cc4fd6aad586ccce8a7bbde5etree | snapshot
parent7360cdec1cb55ae1e9515ffffc496c5dd0cf861acommit | diff
mt76: connac: fix possible NULL pointer dereference in mt76_connac_get_phy_mode_v2

Fix the following NULL pointer dereference in mt76_connac_get_phy_mode_v2
routine triggered on mt7663s device when sta is NULL

[    5.490700] mt7663s mmc0:0001:1: N9 Firmware Version: 3.1.1, Build Time: 20200604161656
[    5.490815] mt7663s mmc0:0001:1: Region number: 0x4
[    5.490868] mt7663s mmc0:0001:1: Parsing tailer Region: 0
[    5.496251] mt7663s mmc0:0001:1: Region 0, override_addr = 0x00118000
[    5.496419] mt7663s mmc0:0001:1: Parsing tailer Region: 1
[    5.624027] mt7663s mmc0:0001:1: Parsing tailer Region: 2
[    5.656999] mt7663s mmc0:0001:1: Parsing tailer Region: 3
[    5.671876] mt7663s mmc0:0001:1: override_addr = 0x00118000, option = 3
[    9.358658] BUG: kernel NULL pointer dereference, address: 0000000000000000
[    9.358775] #PF: supervisor read access in kernel mode
[    9.358831] #PF: error_code(0x0000) - not-present page
[    9.358886] PGD 0 P4D 0
[    9.358917] Oops: 0000 [#1] SMP
[    9.358960] CPU: 0 PID: 235 Comm: NetworkManager Not tainted 5.15.0-rc4-kvm-02151-g39e333d657f4-dirty #769
[    9.359057] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-4.fc34 04/01/2014
[    9.359150] RIP: 0010:mt76_connac_get_phy_mode_v2+0xc9/0x11c
[    9.359473] RAX: 0000000000000013 RBX: 0000000000000000 RCX: 0000000000000027
[    9.359546] RDX: ffff8881f9c17358 RSI: 0000000000000001 RDI: ffff8881f9c17350
[    9.359624] RBP: ffff88810bac1ed4 R08: ffffffff822a4a48 R09: 0000000000000003
[    9.359697] R10: ffffffff82234a60 R11: ffffffff82234a60 R12: ffff88810bac1eec
[    9.359779] R13: 0000000000000000 R14: ffff88810bad1648 R15: ffff88810bac1eb8
[    9.359859] FS:  00007f5f1e45bbc0(0000) GS:ffff8881f9c00000(0000) knlGS:0000000000000000
[    9.359939] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    9.360003] CR2: 0000000000000000 CR3: 0000000105d5d000 CR4: 00000000000006b0
[    9.360083] Call Trace:
[    9.360116]  mt76_connac_mcu_uni_add_bss.cold+0x21/0x250
[    9.360175]  ? schedule_preempt_disabled+0xa/0x10
[    9.360232]  ? __mutex_lock.constprop.0+0x2ab/0x460
[    9.360286]  mt7615_remove_interface+0x63/0x1d0
[    9.360342]  drv_remove_interface+0x32/0xe0
[    9.360385]  ieee80211_do_stop+0x5da/0x800
[    9.360428]  ? dev_reset_queue+0x30/0x90
[    9.360472]  ieee80211_stop+0x3b/0xb0
[    9.360516]  __dev_close_many+0x7a/0xd0
[    9.360559]  __dev_change_flags+0xd6/0x1f0
[    9.360604]  dev_change_flags+0x21/0x60
[    9.360648]  do_setlink+0x259/0xfb0
[    9.360686]  ? __nla_validate_parse+0x51/0xb80
[    9.360742]  __rtnl_newlink+0x5b3/0x960
[    9.360785]  ? inet6_fill_ifla6_attrs+0x41d/0x470
[    9.360841]  ? __kmalloc_track_caller+0x57/0x3c0
[    9.360905]  ? netlink_trim+0x8a/0xb0
[    9.360949]  ? skb_queue_tail+0x1b/0x50

Fixes: 67aa27431c7f8 ("mt76: mt7921: rely on mt76_connac_mcu common library")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c diff | blob | history
ep93xx device tree rework repo: git://git.maquefel.me/linux.git