rtw89: fix null vif pointer when hw_scan fails

Add this check to avoid crash by dereferencing a null pointer. When hwscan
fails due to no memory or dma failure, the scan flag in ieee80211_local is
cleared. So mac80211 determine that it's not hw_scan then calls
sw_scan_complete() with null vif, which is also freed during the fail.

Signed-off-by: Po Hao Huang <phhuang@realtek.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20220520071731.38563-3-pkshih@realtek.com

diff --git a/drivers/net/wireless/realtek/rtw89/core.c b/drivers/net/wireless/realtek/rtw89/core.c
index e24e133a94df60d21f5b2c7b755bcb1ed32af8b1..958fe2787c6a1f1349af8c9e6e7fcd5ca955a8b3 100644 (file)
--- a/drivers/net/wireless/realtek/rtw89/core.c
+++ b/drivers/net/wireless/realtek/rtw89/core.c
@@ -2875,7 +2875,10 @@ void rtw89_core_scan_start(struct rtw89_dev *rtwdev, struct rtw89_vif *rtwvif,
 void rtw89_core_scan_complete(struct rtw89_dev *rtwdev,
                              struct ieee80211_vif *vif, bool hw_scan)
 {
-       struct rtw89_vif *rtwvif = (struct rtw89_vif *)vif->drv_priv;
+       struct rtw89_vif *rtwvif = vif ? (struct rtw89_vif *)vif->drv_priv : NULL;
+
+       if (!rtwvif)
+               return;
 
        ether_addr_copy(rtwvif->mac_addr, vif->addr);
        rtw89_fw_h2c_cam(rtwdev, rtwvif, NULL, NULL);

diff --git a/drivers/net/wireless/realtek/rtw89/fw.c b/drivers/net/wireless/realtek/rtw89/fw.c
index 7fb4509a6c72a5fe96b303ce1956cb3d01182058..2d9c3157d878c229571228e26358c3ec5caf5ce2 100644 (file)
--- a/drivers/net/wireless/realtek/rtw89/fw.c
+++ b/drivers/net/wireless/realtek/rtw89/fw.c
@@ -2257,7 +2257,7 @@ static int rtw89_hw_scan_add_chan_list(struct rtw89_dev *rtwdev,
                list_add_tail(&ch_info->list, &chan_list);
                off_chan_time += ch_info->period;
        }
-       rtw89_fw_h2c_scan_list_offload(rtwdev, list_len, &chan_list);
+       ret = rtw89_fw_h2c_scan_list_offload(rtwdev, list_len, &chan_list);
 
 out:
        list_for_each_entry_safe(ch_info, tmp, &chan_list, list) {
@@ -2368,7 +2368,7 @@ int rtw89_hw_scan_offload(struct rtw89_dev *rtwdev, struct ieee80211_vif *vif,
                if (ret)
                        goto out;
        }
-       rtw89_fw_h2c_scan_offload(rtwdev, &opt, rtwvif);
+       ret = rtw89_fw_h2c_scan_offload(rtwdev, &opt, rtwvif);
 out:
        return ret;
 }