[PATCH] wifi: mt76: mt7996: fix null pointer deref in mt7996_conf_tx()

[PATCH] wifi: mt76: mt7996: fix null pointer deref in mt7996_conf_tx()

[Felix Fietkau]

If a link does not have an assigned channel yet, mt7996_vif_link returns
NULL. We still need to store the updated queue settings in that case, and
apply them later.
Move the location of the queue params to within struct mt7996_vif_link.

Fixes: c0df2f0caa8d ("wifi: mt76: mt7996: prepare mt7996_mcu_set_tx for MLO support")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
---
 drivers/net/wireless/mediatek/mt76/mt7996/main.c   | 6 +++---
 drivers/net/wireless/mediatek/mt76/mt7996/mcu.c    | 5 ++++-
 drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h | 7 ++++++-
 3 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/main.c b/drivers/net/wireless/mediatek/mt76/mt7996/main.c
index 581314368c5b..b53ca702591c 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/main.c
@@ -665,8 +665,8 @@ mt7996_conf_tx(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
 	       unsigned int link_id, u16 queue,
 	       const struct ieee80211_tx_queue_params *params)
 {
-	struct mt7996_dev *dev = mt7996_hw_dev(hw);
-	struct mt7996_vif_link *mlink = mt7996_vif_link(dev, vif, link_id);
+	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
+	struct mt7996_vif_link_info *link_info = &mvif->link_info[link_id];
 	static const u8 mq_to_aci[] = {
 		[IEEE80211_AC_VO] = 3,
 		[IEEE80211_AC_VI] = 2,
@@ -675,7 +675,7 @@ mt7996_conf_tx(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
 	};
 
 	/* firmware uses access class index */
-	mlink->queue_params[mq_to_aci[queue]] = *params;
+	link_info->queue_params[mq_to_aci[queue]] = *params;
 	/* no need to update right away, we'll get BSS_CHANGED_QOS */
 
 	return 0;
diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
index 0347ee0c2dd7..afa6a43bd51e 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
@@ -3414,6 +3414,9 @@ int mt7996_mcu_set_tx(struct mt7996_dev *dev, struct ieee80211_vif *vif,
 #define WMM_PARAM_SET		(WMM_AIFS_SET | WMM_CW_MIN_SET | \
 				 WMM_CW_MAX_SET | WMM_TXOP_SET)
 	struct mt7996_vif_link *link = mt7996_vif_conf_link(dev, vif, link_conf);
+	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
+	unsigned int link_id = link_conf->link_id;
+	struct mt7996_vif_link_info *link_info = &mvif->link_info[link_id];
 	struct {
 		u8 bss_idx;
 		u8 __rsv[3];
@@ -3431,7 +3434,7 @@ int mt7996_mcu_set_tx(struct mt7996_dev *dev, struct ieee80211_vif *vif,
 	skb_put_data(skb, &hdr, sizeof(hdr));
 
 	for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
-		struct ieee80211_tx_queue_params *q = &link->queue_params[ac];
+		struct ieee80211_tx_queue_params *q = &link_info->queue_params[ac];
 		struct edca *e;
 		struct tlv *tlv;
 
diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h b/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h
index 8ec2acdb3319..718e4d4ad85f 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h
@@ -253,16 +253,21 @@ struct mt7996_vif_link {
 	struct mt7996_sta_link msta_link;
 	struct mt7996_phy *phy;
 
-	struct ieee80211_tx_queue_params queue_params[IEEE80211_NUM_ACS];
 	struct cfg80211_bitrate_mask bitrate_mask;
 
 	u8 mld_idx;
 };
 
+struct mt7996_vif_link_info {
+	struct ieee80211_tx_queue_params queue_params[IEEE80211_NUM_ACS];
+};
+
 struct mt7996_vif {
 	struct mt7996_vif_link deflink; /* must be first */
 	struct mt76_vif_data mt76;
 
+	struct mt7996_vif_link_info link_info[IEEE80211_MLD_MAX_NUM_LINKS];
+
 	u8 mld_group_idx;
 	u8 mld_remap_idx;
 };
-- 
2.51.0

Re: [PATCH] wifi: mt76: mt7996: fix null pointer deref in mt7996_conf_tx()

[Lorenzo Bianconi]

[-- Attachment #1: Type: text/plain, Size: 4012 bytes --]

> If a link does not have an assigned channel yet, mt7996_vif_link returns
> NULL. We still need to store the updated queue settings in that case, and
> apply them later.
> Move the location of the queue params to within struct mt7996_vif_link.

Acked-by: Lorenzo Bianconi <lorenzo@kernel.org>

> 
> Fixes: c0df2f0caa8d ("wifi: mt76: mt7996: prepare mt7996_mcu_set_tx for MLO support")
> Signed-off-by: Felix Fietkau <nbd@nbd.name>
> ---
>  drivers/net/wireless/mediatek/mt76/mt7996/main.c   | 6 +++---
>  drivers/net/wireless/mediatek/mt76/mt7996/mcu.c    | 5 ++++-
>  drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h | 7 ++++++-
>  3 files changed, 13 insertions(+), 5 deletions(-)
> 
> diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/main.c b/drivers/net/wireless/mediatek/mt76/mt7996/main.c
> index 581314368c5b..b53ca702591c 100644
> --- a/drivers/net/wireless/mediatek/mt76/mt7996/main.c
> +++ b/drivers/net/wireless/mediatek/mt76/mt7996/main.c
> @@ -665,8 +665,8 @@ mt7996_conf_tx(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
>  	       unsigned int link_id, u16 queue,
>  	       const struct ieee80211_tx_queue_params *params)
>  {
> -	struct mt7996_dev *dev = mt7996_hw_dev(hw);
> -	struct mt7996_vif_link *mlink = mt7996_vif_link(dev, vif, link_id);
> +	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
> +	struct mt7996_vif_link_info *link_info = &mvif->link_info[link_id];
>  	static const u8 mq_to_aci[] = {
>  		[IEEE80211_AC_VO] = 3,
>  		[IEEE80211_AC_VI] = 2,
> @@ -675,7 +675,7 @@ mt7996_conf_tx(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
>  	};
>  
>  	/* firmware uses access class index */
> -	mlink->queue_params[mq_to_aci[queue]] = *params;
> +	link_info->queue_params[mq_to_aci[queue]] = *params;
>  	/* no need to update right away, we'll get BSS_CHANGED_QOS */
>  
>  	return 0;
> diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
> index 0347ee0c2dd7..afa6a43bd51e 100644
> --- a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
> +++ b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
> @@ -3414,6 +3414,9 @@ int mt7996_mcu_set_tx(struct mt7996_dev *dev, struct ieee80211_vif *vif,
>  #define WMM_PARAM_SET		(WMM_AIFS_SET | WMM_CW_MIN_SET | \
>  				 WMM_CW_MAX_SET | WMM_TXOP_SET)
>  	struct mt7996_vif_link *link = mt7996_vif_conf_link(dev, vif, link_conf);
> +	struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
> +	unsigned int link_id = link_conf->link_id;
> +	struct mt7996_vif_link_info *link_info = &mvif->link_info[link_id];
>  	struct {
>  		u8 bss_idx;
>  		u8 __rsv[3];
> @@ -3431,7 +3434,7 @@ int mt7996_mcu_set_tx(struct mt7996_dev *dev, struct ieee80211_vif *vif,
>  	skb_put_data(skb, &hdr, sizeof(hdr));
>  
>  	for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
> -		struct ieee80211_tx_queue_params *q = &link->queue_params[ac];
> +		struct ieee80211_tx_queue_params *q = &link_info->queue_params[ac];
>  		struct edca *e;
>  		struct tlv *tlv;
>  
> diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h b/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h
> index 8ec2acdb3319..718e4d4ad85f 100644
> --- a/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h
> +++ b/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h
> @@ -253,16 +253,21 @@ struct mt7996_vif_link {
>  	struct mt7996_sta_link msta_link;
>  	struct mt7996_phy *phy;
>  
> -	struct ieee80211_tx_queue_params queue_params[IEEE80211_NUM_ACS];
>  	struct cfg80211_bitrate_mask bitrate_mask;
>  
>  	u8 mld_idx;
>  };
>  
> +struct mt7996_vif_link_info {
> +	struct ieee80211_tx_queue_params queue_params[IEEE80211_NUM_ACS];
> +};
> +
>  struct mt7996_vif {
>  	struct mt7996_vif_link deflink; /* must be first */
>  	struct mt76_vif_data mt76;
>  
> +	struct mt7996_vif_link_info link_info[IEEE80211_MLD_MAX_NUM_LINKS];
> +
>  	u8 mld_group_idx;
>  	u8 mld_remap_idx;
>  };
> -- 
> 2.51.0
> 
> 

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]