Ping-Ke Shih <pkshih@xxxxxxxxxxx> wrote:
> In AP mode, 'sta' could be NULL if sending broadcast/multicast packets,
> so we should check before accessing, or it causes crash:
>
> BUG: kernel NULL pointer dereference, address: 0000000000000004
> #PF: supervisor read access in kernel mode
> #PF: error_code(0x0000) - not-present page
> PGD 0 P4D 0
> Oops: 0000 [#1] PREEMPT SMP PTI
> CPU: 2 PID: 92 Comm: kworker/u33:0 Tainted: G OE
> Workqueue: rtw89_tx_wq rtw89_core_txq_work [rtw89_core]
> RIP: 0010:rtw89_core_tx_update_desc_info+0x2cc/0x7d0 [rtw89_core]
> Code: e2 01 41 be 04 00 00 00 41 8b 84 c4 0c 01 00 00 75 0d 45 31 f6 ...
> RSP: 0018:ffffb4cf807afce0 EFLAGS: 00010297
> RAX: 0000000000000001 RBX: ffffb4cf807afd48 RCX: 0000000000000000
> RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001
> RBP: ffffb4cf807afd30 R08: ffff9b28c1e59808 R09: ffff9b28c0297100
> R10: 00000000052cf7c4 R11: 00000000052cf7c4 R12: ffff9b28c1602040
> R13: ffff9b28c07b3000 R14: 0000000000000004 R15: 0000000000000000
> FS: 0000000000000000(0000) GS:ffff9b2a73280000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000004 CR3: 00000001ca410003 CR4: 00000000000606e0
> Call Trace:
> <TASK>
> rtw89_core_tx_write+0x7c/0x100 [rtw89_core]
> rtw89_core_txq_work+0x1b4/0x530 [rtw89_core]
> process_one_work+0x222/0x3f0
> worker_thread+0x50/0x3f0
> kthread+0x16b/0x190
> ? rescuer_thread+0x3a0/0x3a0
> ? set_kthread_struct+0x50/0x50
> ret_from_fork+0x22/0x30
> </TASK>
>
> Fixes: e5307c9cd7ee ("wifi: rtw89: set data lowest rate according to AP supported rate")
> Signed-off-by: Ping-Ke Shih <pkshih@xxxxxxxxxxx>
Patch applied to wireless-next.git, thanks.
8551844d2c5b wifi: rtw89: fix crash due to null pointer of sta in AP mode
--
https://patchwork.kernel.org/project/linux-wireless/patch/20230406093009.5869-1-pkshih@xxxxxxxxxxx/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
