wifi: rtw89: fix null pointer access when abort scan

During cancel scan we might use vif that weren't scanning.
Fix this by using the actual scanning vif.

Signed-off-by: Po-Hao Huang <phhuang@realtek.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://msgid.link/20240119081501.25223-6-pkshih@realtek.com

diff --git a/drivers/net/wireless/realtek/rtw89/mac80211.c b/drivers/net/wireless/realtek/rtw89/mac80211.c
index 21b42984fd8a46115d1b5e1bfc193d66df439cd3..b61c5be8cae3c2b10f93a0fc37de0c051f807c65 100644 (file)
--- a/drivers/net/wireless/realtek/rtw89/mac80211.c
+++ b/drivers/net/wireless/realtek/rtw89/mac80211.c
@@ -441,7 +441,7 @@ static void rtw89_ops_bss_info_changed(struct ieee80211_hw *hw,
                         * when disconnected by peer
                         */
                        if (rtwdev->scanning)
-                               rtw89_hw_scan_abort(rtwdev, vif);
+                               rtw89_hw_scan_abort(rtwdev, rtwdev->scan_info.scanning_vif);
                }
        }
 
@@ -994,7 +994,7 @@ static int rtw89_ops_remain_on_channel(struct ieee80211_hw *hw,
        }
 
        if (rtwdev->scanning)
-               rtw89_hw_scan_abort(rtwdev, vif);
+               rtw89_hw_scan_abort(rtwdev, rtwdev->scan_info.scanning_vif);
 
        if (type == IEEE80211_ROC_TYPE_MGMT_TX)
                roc->state = RTW89_ROC_MGMT;