wifi: rtw89: fix crash due to null pointer of sta in AP mode

In AP mode, 'sta' could be NULL if sending broadcast/multicast packets,
so we should check before accessing, or it causes crash:

  BUG: kernel NULL pointer dereference, address: 0000000000000004
  #PF: supervisor read access in kernel mode
  #PF: error_code(0x0000) - not-present page
  PGD 0 P4D 0
  Oops: 0000 [#1] PREEMPT SMP PTI
  CPU: 2 PID: 92 Comm: kworker/u33:0 Tainted: G           OE
  Workqueue: rtw89_tx_wq rtw89_core_txq_work [rtw89_core]
  RIP: 0010:rtw89_core_tx_update_desc_info+0x2cc/0x7d0 [rtw89_core]
  Code: e2 01 41 be 04 00 00 00 41 8b 84 c4 0c 01 00 00 75 0d 45 31 f6 ...
  RSP: 0018:ffffb4cf807afce0 EFLAGS: 00010297
  RAX: 0000000000000001 RBX: ffffb4cf807afd48 RCX: 0000000000000000
  RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001
  RBP: ffffb4cf807afd30 R08: ffff9b28c1e59808 R09: ffff9b28c0297100
  R10: 00000000052cf7c4 R11: 00000000052cf7c4 R12: ffff9b28c1602040
  R13: ffff9b28c07b3000 R14: 0000000000000004 R15: 0000000000000000
  FS:  0000000000000000(0000) GS:ffff9b2a73280000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 0000000000000004 CR3: 00000001ca410003 CR4: 00000000000606e0
  Call Trace:
   <TASK>
   rtw89_core_tx_write+0x7c/0x100 [rtw89_core]
   rtw89_core_txq_work+0x1b4/0x530 [rtw89_core]
   process_one_work+0x222/0x3f0
   worker_thread+0x50/0x3f0
   kthread+0x16b/0x190
   ? rescuer_thread+0x3a0/0x3a0
   ? set_kthread_struct+0x50/0x50
   ret_from_fork+0x22/0x30
   </TASK>

Fixes: e5307c9cd7ee ("wifi: rtw89: set data lowest rate according to AP supported rate")
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20230406093009.5869-1-pkshih@realtek.com

diff --git a/drivers/net/wireless/realtek/rtw89/core.c b/drivers/net/wireless/realtek/rtw89/core.c
index d6204e07a5b693d1a7163d83e2002d3393eaab5b..d144903c60b3d2e2a0e87ff64b0f2b394afcb1f4 100644 (file)
--- a/drivers/net/wireless/realtek/rtw89/core.c
+++ b/drivers/net/wireless/realtek/rtw89/core.c
@@ -707,7 +707,7 @@ static u16 rtw89_core_get_data_rate(struct rtw89_dev *rtwdev,
        else
                lowest_rate = RTW89_HW_RATE_OFDM6;
 
-       if (!sta->deflink.supp_rates[chan->band_type])
+       if (!sta || !sta->deflink.supp_rates[chan->band_type])
                return lowest_rate;
 
        return __ffs(sta->deflink.supp_rates[chan->band_type]) + lowest_rate;