From: Dan Carpenter <dan.carpenter@linaro.org>
To: Lorenzo Bianconi <lorenzo@kernel.org>
Cc: linux-wireless@vger.kernel.org, linux-mediatek@lists.infradead.org
Subject: [bug report] wifi: mt76: mt7996: Set proper link destination address in mt7996_tx()
Date: Tue, 23 Sep 2025 11:00:23 +0300 [thread overview]
Message-ID: <aNJTl89jpYob5XaR@stanley.mountain> (raw)
Hello Lorenzo Bianconi,
Commit f940c9b7aef6 ("wifi: mt76: mt7996: Set proper link destination
address in mt7996_tx()") from Jul 31, 2025 (linux-next), leads to the
following Smatch static checker warning:
drivers/net/wireless/mediatek/mt76/mt7996/main.c:1344 mt7996_tx()
error: testing array offset 'link_id' after use.
drivers/net/wireless/mediatek/mt76/mt7996/main.c
1288 static void mt7996_tx(struct ieee80211_hw *hw,
1289 struct ieee80211_tx_control *control,
1290 struct sk_buff *skb)
1291 {
1292 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
1293 struct mt7996_dev *dev = mt7996_hw_dev(hw);
1294 struct ieee80211_sta *sta = control->sta;
1295 struct mt7996_sta *msta = sta ? (void *)sta->drv_priv : NULL;
1296 struct mt76_phy *mphy = hw->priv;
1297 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
1298 struct ieee80211_vif *vif = info->control.vif;
1299 struct mt7996_vif *mvif = vif ? (void *)vif->drv_priv : NULL;
1300 struct mt76_wcid *wcid = &dev->mt76.global_wcid;
1301 u8 link_id = u32_get_bits(info->control.flags,
1302 IEEE80211_TX_CTRL_MLO_LINK);
1303
1304 rcu_read_lock();
1305
1306 /* Use primary link_id if the value from mac80211 is set to
1307 * IEEE80211_LINK_UNSPECIFIED.
1308 */
1309 if (link_id == IEEE80211_LINK_UNSPECIFIED) {
1310 if (msta)
1311 link_id = msta->deflink_id;
1312 else if (mvif)
1313 link_id = mvif->mt76.deflink_id;
Can link_id be IEEE80211_LINK_UNSPECIFIED after this if statement?
1314 }
1315
1316 if (vif && ieee80211_vif_is_mld(vif)) {
1317 struct ieee80211_bss_conf *link_conf;
1318
1319 if (msta) {
1320 struct ieee80211_link_sta *link_sta;
1321
1322 link_sta = rcu_dereference(sta->link[link_id]);
Some unchecked uses. IEEE80211_LINK_UNSPECIFIED would be off-by-one.
1323 if (!link_sta)
1324 link_sta = rcu_dereference(sta->link[msta->deflink_id]);
1325
1326 if (link_sta) {
1327 memcpy(hdr->addr1, link_sta->addr, ETH_ALEN);
1328 if (ether_addr_equal(sta->addr, hdr->addr3))
1329 memcpy(hdr->addr3, link_sta->addr, ETH_ALEN);
1330 }
1331 }
1332
1333 link_conf = rcu_dereference(vif->link_conf[link_id]);
Here too.
1334 if (link_conf) {
1335 memcpy(hdr->addr2, link_conf->addr, ETH_ALEN);
1336 if (ether_addr_equal(vif->addr, hdr->addr3))
1337 memcpy(hdr->addr3, link_conf->addr, ETH_ALEN);
1338 }
1339 }
1340
1341 if (mvif) {
1342 struct mt76_vif_link *mlink = &mvif->deflink.mt76;
1343
--> 1344 if (link_id < IEEE80211_LINK_UNSPECIFIED)
Is this checker required?
1345 mlink = rcu_dereference(mvif->mt76.link[link_id]);
1346
1347 if (mlink->wcid)
1348 wcid = mlink->wcid;
1349
1350 if (mvif->mt76.roc_phy &&
1351 (info->flags & IEEE80211_TX_CTL_TX_OFFCHAN)) {
1352 mphy = mvif->mt76.roc_phy;
1353 if (mphy->roc_link)
1354 wcid = mphy->roc_link->wcid;
1355 } else {
1356 mphy = mt76_vif_link_phy(mlink);
1357 }
1358 }
1359
1360 if (!mphy) {
1361 ieee80211_free_txskb(hw, skb);
1362 goto unlock;
1363 }
1364
1365 if (msta && link_id < IEEE80211_LINK_UNSPECIFIED) {
And this?
1366 struct mt7996_sta_link *msta_link;
1367
1368 msta_link = rcu_dereference(msta->link[link_id]);
1369 if (msta_link)
1370 wcid = &msta_link->wcid;
1371 }
1372 mt76_tx(mphy, control->sta, wcid, skb);
1373 unlock:
1374 rcu_read_unlock();
1375 }
regards,
dan carpenter
next reply other threads:[~2025-09-23 8:00 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-23 8:00 Dan Carpenter [this message]
2025-09-23 21:17 ` [bug report] wifi: mt76: mt7996: Set proper link destination address in mt7996_tx() Lorenzo Bianconi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aNJTl89jpYob5XaR@stanley.mountain \
--to=dan.carpenter@linaro.org \
--cc=linux-mediatek@lists.infradead.org \
--cc=linux-wireless@vger.kernel.org \
--cc=lorenzo@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.