RE: [PATCH] wifi: rtw88: Add NULL check for chip->edcca_th

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Ping-Ke Shih <pkshih@realtek.com>
To: Panagiotis Petrakopoulos <npetrakopoulos2003@gmail.com>
Cc: "linux-wireless@vger.kernel.org" <linux-wireless@vger.kernel.org>,
	"goainwo@gmail.com" <goainwo@gmail.com>,
	Bitterblue Smith <rtl8821cerfe2@gmail.com>
Subject: RE: [PATCH] wifi: rtw88: Add NULL check for chip->edcca_th
Date: Tue, 14 Apr 2026 02:03:49 +0000	[thread overview]
Message-ID: <aa92a81841ec4d1da48916153e07f31d@realtek.com> (raw)
In-Reply-To: <20260413100249.28618-1-npetrakopoulos2003@gmail.com>

+ Bitterblue

Panagiotis Petrakopoulos <npetrakopoulos2003@gmail.com> wrote:
> It was recently reported that rtw_fw_adaptivity_result
> in fw.c dereferences rtwdev->chip->edcca_th without
> a null check. The issue appears to be that devices
> with the 8821CE chip don't define edcca_th in their
> chip info. As a result, when rtw_fw_adaptivity_result
> tries to dereference it, the kernel triggers an oops.
> 
> Add a NULL check for edcca_th before dereferencing
> it in rtw_fw_adaptivity_result() in fw.c and
> rtw_phy_set_edcca_th() in phy.c.
> 
> Tested on a 8822CE chip which defines edcca_th, so
> this issue is not present on it, but it still uses
> this driver and I can verify there are no regressions.
> 
> Reported-by: Oleksandr Havrylov <goainwo@gmail.com>
> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221286
> Link:
> https://lore.kernel.org/linux-wireless/CALdGYqQriS7mP0vj_rm_xvisfzFVh0hbpy+---48r6bodZO7tg@mail.gm
> ail.com/
> Signed-off-by: Panagiotis Petrakopoulos <npetrakopoulos2003@gmail.com>
> ---
>  drivers/net/wireless/realtek/rtw88/fw.c  | 3 +++
>  drivers/net/wireless/realtek/rtw88/phy.c | 3 +++
>  2 files changed, 6 insertions(+)
> 
> diff --git a/drivers/net/wireless/realtek/rtw88/fw.c b/drivers/net/wireless/realtek/rtw88/fw.c
> index 48207052e3f8..c4819ef6d54d 100644
> --- a/drivers/net/wireless/realtek/rtw88/fw.c
> +++ b/drivers/net/wireless/realtek/rtw88/fw.c
> @@ -284,6 +284,9 @@ static void rtw_fw_adaptivity_result(struct rtw_dev *rtwdev, u8 *payload,
>                 result->density, result->igi, result->l2h_th_init, result->l2h,
>                 result->h2l, result->option);
> 
> +       if (!edcca_th)
> +               return;
> +

As Bitterblue analysis, this might be a garbage, so I'd return at the entry
of this function.

>         rtw_dbg(rtwdev, RTW_DBG_ADAPTIVITY, "Reg Setting: L2H %x H2L %x\n",
>                 rtw_read32_mask(rtwdev, edcca_th[EDCCA_TH_L2H_IDX].hw_reg.addr,
>                                 edcca_th[EDCCA_TH_L2H_IDX].hw_reg.mask),
> diff --git a/drivers/net/wireless/realtek/rtw88/phy.c b/drivers/net/wireless/realtek/rtw88/phy.c
> index e2ac5c6fd500..c10eb28e54ad 100644
> --- a/drivers/net/wireless/realtek/rtw88/phy.c
> +++ b/drivers/net/wireless/realtek/rtw88/phy.c
> @@ -161,6 +161,9 @@ void rtw_phy_set_edcca_th(struct rtw_dev *rtwdev, u8 l2h, u8 h2l)
>  {
>         const struct rtw_hw_reg_offset *edcca_th = rtwdev->chip->edcca_th;
> 
> +       if (!edcca_th)
> +               return;
> +

The callers of rtw_phy_set_edcca_th() are RTL8822B and RTL8822C, which both
define rtwdev->chip->edcca_th. How can edcca_th be NULL?

>         rtw_write32_mask(rtwdev,
>                          edcca_th[EDCCA_TH_L2H_IDX].hw_reg.addr,
>                          edcca_th[EDCCA_TH_L2H_IDX].hw_reg.mask,
> --
> 2.53.0

next prev parent reply	other threads:[~2026-04-14  2:03 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-04-13 10:02 [PATCH] wifi: rtw88: Add NULL check for chip->edcca_th Panagiotis Petrakopoulos
2026-04-13 12:35 ` LB F
2026-04-14  2:10   ` Ping-Ke Shih
2026-04-14  2:03 ` Ping-Ke Shih [this message]
2026-04-14  4:33   ` Panagiotis Petrakopoulos
2026-04-14 19:47 ` [PATCH v2] " Panagiotis Petrakopoulos
2026-04-15  0:36   ` Ping-Ke Shih
2026-04-15  5:29   ` [PATCH v3] wifi: rtw88: Add NULL check for chip->edcca_th in rtw_fw_adaptivity_result() Panagiotis Petrakopoulos
2026-04-15  5:54     ` Ping-Ke Shih
2026-04-15 17:03       ` LB F
2026-04-16 21:21         ` LB F
2026-04-17  5:48           ` Panagiotis Petrakopoulos
2026-04-29  3:08     ` Ping-Ke Shih

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=aa92a81841ec4d1da48916153e07f31d@realtek.com \
    --to=pkshih@realtek.com \
    --cc=goainwo@gmail.com \
    --cc=linux-wireless@vger.kernel.org \
    --cc=npetrakopoulos2003@gmail.com \
    --cc=rtl8821cerfe2@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.