Current implementation of `ath11k_ce_rx_post_pipe()` checks for NON-NULL of either `dest_ring` or `status_ring` using an OR (||). Both rings, especially `dest_ring`, should be ensured to be NON-NULL in this function. If only one of the rings is valid, such as `dest_ring` is NULL and `status_ring` is NON-NULL, the OR (||) check would not stop `ath11k_ce_rx_post_pipe()`, the subsequent call to `ath11k_ce_rx_buf_enqueue_pipe()` will access the NULL pointer, resulting in a driver crash. Fix the NON-NULL check by changing the OR (||) to AND (&&), and return an error code `-EIO` to indicate `ath11k_ce_rx_post_pipe()` is stopped with an NULL pointer error, ensuring that the function only proceeds when both `dest_ring` and `status_ring` are NON-NULL. Link: https://lore.kernel.org/ath11k/a9ccc947-20b2-4322-84e5-c96aaa604e63@xxxxxx Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") Signed-off-by: Baichuan Qi <zghbqbc@xxxxxxxxx> --- V4 -> V5: add err code in NULL check V3 -> V4: reorder describe info V2 -> V3: add Link URL to mailing list archives V1 -> V2: rewrite commit message and fix tag drivers/net/wireless/ath/ath11k/ce.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/ath/ath11k/ce.c b/drivers/net/wireless/ath/ath11k/ce.c index e66e86bdec20..223dab928453 100644 --- a/drivers/net/wireless/ath/ath11k/ce.c +++ b/drivers/net/wireless/ath/ath11k/ce.c @@ -324,8 +324,10 @@ static int ath11k_ce_rx_post_pipe(struct ath11k_ce_pipe *pipe) dma_addr_t paddr; int ret = 0; - if (!(pipe->dest_ring || pipe->status_ring)) - return 0; + if (!(pipe->dest_ring && pipe->status_ring)) { + ret = -EIO; + return ret; + } spin_lock_bh(&ab->ce.ce_lock); while (pipe->rx_buf_needed) { -- 2.34.1
