Patch "wifi: iwlwifi: mvm: avoid NULL pointer dereference" has been added to the 6.12-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sat, 1 Feb 2025 23:39:13 -0500

This is a note to let you know that I've just added the patch titled

    wifi: iwlwifi: mvm: avoid NULL pointer dereference

to the 6.12-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     wifi-iwlwifi-mvm-avoid-null-pointer-dereference.patch
and it can be found in the queue-6.12 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit d20cd138bf9ca0bdf20812bce6b25de407a7afee
Author: Miri Korenblit <miriam.rachel.korenblit@xxxxxxxxx>
Date:   Sun Dec 29 16:44:36 2024 +0200

    wifi: iwlwifi: mvm: avoid NULL pointer dereference
    
    [ Upstream commit cf704a7624f99eb2ffca1a16c69183e85544a613 ]
    
    When iterating over the links of a vif, we need to make sure that the
    pointer is valid (in other words - that the link exists) before
    dereferncing it.
    Use for_each_vif_active_link that also does the check.
    
    Fixes: 2b7ee1a10a72 ("wifi: iwlwiif: mvm: handle the new BT notif")
    Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@xxxxxxxxx>
    Reviewed-by: Emmanuel Grumbach <emmanuel.grumbach@xxxxxxxxx>
    Link: https://patch.msgid.link/20241229164246.31d41f7d3eab.I7fb7036a0b187c1636b01970207259cb2327952c@changeid
    Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/coex.c b/drivers/net/wireless/intel/iwlwifi/mvm/coex.c
index b607961970e97..9b8624304fa30 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/coex.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/coex.c
@@ -530,18 +530,15 @@ static void iwl_mvm_bt_coex_notif_iterator(void *_data, u8 *mac,
 					   struct ieee80211_vif *vif)
 {
 	struct iwl_mvm *mvm = _data;
+	struct ieee80211_bss_conf *link_conf;
+	unsigned int link_id;
 
 	lockdep_assert_held(&mvm->mutex);
 
 	if (vif->type != NL80211_IFTYPE_STATION)
 		return;
 
-	for (int link_id = 0;
-	     link_id < IEEE80211_MLD_MAX_NUM_LINKS;
-	     link_id++) {
-		struct ieee80211_bss_conf *link_conf =
-			rcu_dereference_check(vif->link_conf[link_id],
-					      lockdep_is_held(&mvm->mutex));
+	for_each_vif_active_link(vif, link_conf, link_id) {
 		struct ieee80211_chanctx_conf *chanctx_conf =
 			rcu_dereference_check(link_conf->chanctx_conf,
 					      lockdep_is_held(&mvm->mutex));







