In cfg80211_cqm_rssi_notify, calling cfg80211_cqm_rssi_update might free wdev->cqm_config. Check for this when it returns. This has been observed on brcmfmac, when an RSSI event is generated right after disconnecting from the AP. Then probing for STA details returns nothing, as evidenced e.g. by "ieee80211 phy0: brcmf_cfg80211_get_station: GET STA INFO failed, -52".
Signed-off-by: Max Schulze <max.schulze@xxxxxxxxx>
Tested-by: Max Schulze <max.schulze@xxxxxxxxx>
Link: https://lore.kernel.org/linux-wireless/bc3bf8f6-7ad7-bf69-9227-f972dac4e66b@xxxxxxxxx/
---
I have deployed this to 22 systems without issues, eliminating those null-ptr derefs.

Example trace from the problem:

wpa_supplicant[332]: wlan0: CTRL-EVENT-DISCONNECTED bssid=XX:XX:XX:XX:74:1f reason=3 locally_generated=1
brcmfmac: brcmf_rx_event Enter: mmc1:0001:1: rxp=0000000017163222
brcmfmac: brcmf_fweh_event_worker event LINK (16) ifidx 0 bsscfg 0 addr xx:xx:xx:xx:74:1f
brcmfmac: brcmf_fweh_event_worker version 2 flags 0 status 0 reason 2
brcmutil: event payload, len=0
brcmfmac: brcmf_is_linkdown Processing link down
brcmfmac: brcmf_notify_connect_status Linkdown
brcmfmac: brcmf_rx_event Enter: mmc1:0001:1: rxp=00000000dcf7c0c0
brcmfmac: brcmf_fweh_event_worker event RSSI (56) ifidx 0 bsscfg 0 addr 00:00:xx:xx:00:50
brcmfmac: brcmf_fweh_event_worker version 2 flags 0 status 0 reason 0
brcmutil: event payload, len=12
00000000: 00 00 00 00 00 00 00 00 00 00 00 00 ............
brcmfmac: brcmf_notify_rssi LOW rssi=0
brcmfmac: brcmf_cfg80211_del_key key index (0)
brcmfmac: brcmf_cfg80211_del_key Ignore clearing of (never configured) key
brcmfmac: brcmf_fil_cmd_data Firmware error: BCME_NOTFOUND (-30)
brcmfmac: brcmf_fil_iovar_data_get ifidx=0, name=tdls_sta_info, len=296, err=-52
brcmfmac: brcmf_fil_cmd_data Firmware error: BCME_BADADDR (-21)
brcmfmac: brcmf_fil_iovar_data_get ifidx=0, name=sta_info, len=296, err=-52
ieee80211 phy0: brcmf_cfg80211_get_station: GET STA INFO failed, -52
==================================================================
BUG: KASAN: null-ptr-deref in cfg80211_cqm_rssi_notify (/home/r/linux/net/wireless/nl80211.c:19089) cfg80211

 net/wireless/nl80211.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 8bcf8e293..b12424382 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c @@ -19088,7 +19088,7 @@ void cfg80211_cqm_rssi_notify(struct net_device *dev, cfg80211_cqm_rssi_update(rdev, dev); - if (rssi_level == 0) + if (rssi_level == 0 && wdev->cqm_config) rssi_level = wdev->cqm_config->last_rssi_event_value; } -- 2.39.1
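Review bot: the added `&& wdev->cqm_config` guard only closes the hole if cfg80211_cqm_rssi_update() itself clears the pointer synchronously before returning; the commit message describes the crash as an RSSI event arriving right after a disconnect, which reads like the disconnect path freeing cqm_config concurrently with this notify rather than the update call freeing it. If that is the case, a pointer test after the call merely narrows the window between the check and `rssi_level = wdev->cqm_config->last_rssi_event_value;`, and the proper fix is to hold the lock that protects cqm_config across the access (or defer the notify into a locked context). Please spell out in the commit message who frees the object and under which lock the freeing and this read happen, and add a one-line comment above the check saying that the preceding call can drop cqm_config, because the bare pointer test otherwise reads as defensive noise. Separately, when the guard fails rssi_level stays 0 and the function carries on building the event; once the CQM config is gone there is no meaningful level to report, so an early return is likely the better behaviour than emitting an event with level 0.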
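To make the ordering problem in the commit message concrete, here is an added stand-alone C model; it is not kernel code and not part of this patch. The update helper tears down the CQM state once the link is gone, and the notify path re-reads the pointer after that call instead of trusting what it held before. Every name prefixed model_, the MODEL_DROPPED value and the connected flag are invented for the example; unlike the patch, the model returns without an event when the config is gone rather than continuing with a level of 0.

```c
#include <stdbool.h>
#include <stdlib.h>

/*
 * Added model (not cfg80211 code) of the lifetime hazard behind the patch:
 * a callee frees the object its caller dereferences a line later.
 * All "model_" names are invented for this example.
 */
struct cqm_config {
	int last_rssi_event_value;	/* last level reported to userspace */
};

struct wireless_dev {
	struct cqm_config *cqm_config;	/* NULL when CQM is not configured */
	bool connected;			/* stands in for "still associated" */
};

#define MODEL_DROPPED (-1000)	/* notify returned without an event */

/*
 * Model of cfg80211_cqm_rssi_update(): while associated the thresholds are
 * re-armed; with the link gone there is no station to query, so the state is
 * torn down. After this returns, any cqm_config pointer read before the call
 * is stale and must not be used.
 */
static void model_cqm_rssi_update(struct wireless_dev *wdev)
{
	if (!wdev->connected) {
		free(wdev->cqm_config);
		wdev->cqm_config = NULL;
	}
}

/*
 * Model of the notify path with a post-call re-check. Returns the level that
 * would go into the event, or MODEL_DROPPED when the update freed the config;
 * code that cached the pointer before the call would dereference NULL here.
 */
static int model_cqm_rssi_notify(struct wireless_dev *wdev, int rssi_level)
{
	if (!wdev->cqm_config)		/* CQM never configured */
		return MODEL_DROPPED;

	/* May free wdev->cqm_config: re-read the pointer, never cache it. */
	model_cqm_rssi_update(wdev);

	if (!wdev->cqm_config)		/* freed by the call above */
		return MODEL_DROPPED;
	if (rssi_level == 0)		/* level unknown: repeat the last one */
		rssi_level = wdev->cqm_config->last_rssi_event_value;
	wdev->cqm_config->last_rssi_event_value = rssi_level;
	return rssi_level;
}

/*
 * Replays the sequence from the trace: an RSSI event while associated, a
 * link-down, then a late "LOW rssi=0" event. Fills out[] with the two notify
 * results and returns 0 on success, -1 on allocation failure.
 */
int model_replay_disconnect_race(int out[2])
{
	struct wireless_dev wdev = { .cqm_config = NULL, .connected = true };

	wdev.cqm_config = calloc(1, sizeof(*wdev.cqm_config));
	if (!wdev.cqm_config)
		return -1;

	out[0] = model_cqm_rssi_notify(&wdev, -70);	/* normal event */
	wdev.connected = false;				/* CTRL-EVENT-DISCONNECTED */
	out[1] = model_cqm_rssi_notify(&wdev, 0);	/* late event, level 0 */

	free(wdev.cqm_config);	/* already NULL after the teardown */
	return 0;
}
```

The first call reports -70 and records it; the second arrives after the link is down, the update frees the config, and the re-check turns what would have been a NULL dereference into a dropped event.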