RE: [PATCH] wifi: rtw88: Add NULL check for chip->edcca_th

public inbox for linux-wireless@vger.kernel.org
 help / color / mirror / Atom feed

From: Ping-Ke Shih <pkshih@realtek.com>
To: Panagiotis Petrakopoulos <npetrakopoulos2003@gmail.com>
Cc: "linux-wireless@vger.kernel.org" <linux-wireless@vger.kernel.org>,
	"goainwo@gmail.com" <goainwo@gmail.com>,
	Bitterblue Smith <rtl8821cerfe2@gmail.com>
Subject: RE: [PATCH] wifi: rtw88: Add NULL check for chip->edcca_th
Date: Tue, 14 Apr 2026 02:03:49 +0000	[thread overview]
Message-ID: <aa92a81841ec4d1da48916153e07f31d@realtek.com> (raw)
In-Reply-To: <20260413100249.28618-1-npetrakopoulos2003@gmail.com>

+ Bitterblue

Panagiotis Petrakopoulos <npetrakopoulos2003@gmail.com> wrote:
> It was recently reported that rtw_fw_adaptivity_result
> in fw.c dereferences rtwdev->chip->edcca_th without
> a null check. The issue appears to be that devices
> with the 8821CE chip don't define edcca_th in their
> chip info. As a result, when rtw_fw_adaptivity_result
> tries to dereference it, the kernel triggers an oops.
> 
> Add a NULL check for edcca_th before dereferencing
> it in rtw_fw_adaptivity_result() in fw.c and
> rtw_phy_set_edcca_th() in phy.c.
> 
> Tested on a 8822CE chip which defines edcca_th, so
> this issue is not present on it, but it still uses
> this driver and I can verify there are no regressions.
> 
> Reported-by: Oleksandr Havrylov <goainwo@gmail.com>
> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221286
> Link:
> https://lore.kernel.org/linux-wireless/CALdGYqQriS7mP0vj_rm_xvisfzFVh0hbpy+---48r6bodZO7tg@mail.gm
> ail.com/
> Signed-off-by: Panagiotis Petrakopoulos <npetrakopoulos2003@gmail.com>
> ---
>  drivers/net/wireless/realtek/rtw88/fw.c  | 3 +++
>  drivers/net/wireless/realtek/rtw88/phy.c | 3 +++
>  2 files changed, 6 insertions(+)
> 
> diff --git a/drivers/net/wireless/realtek/rtw88/fw.c b/drivers/net/wireless/realtek/rtw88/fw.c
> index 48207052e3f8..c4819ef6d54d 100644
> --- a/drivers/net/wireless/realtek/rtw88/fw.c
> +++ b/drivers/net/wireless/realtek/rtw88/fw.c
> @@ -284,6 +284,9 @@ static void rtw_fw_adaptivity_result(struct rtw_dev *rtwdev, u8 *payload,
>                 result->density, result->igi, result->l2h_th_init, result->l2h,
>                 result->h2l, result->option);
> 
> +       if (!edcca_th)
> +               return;
> +

As Bitterblue analysis, this might be a garbage, so I'd return at the entry
of this function.

>         rtw_dbg(rtwdev, RTW_DBG_ADAPTIVITY, "Reg Setting: L2H %x H2L %x\n",
>                 rtw_read32_mask(rtwdev, edcca_th[EDCCA_TH_L2H_IDX].hw_reg.addr,
>                                 edcca_th[EDCCA_TH_L2H_IDX].hw_reg.mask),
> diff --git a/drivers/net/wireless/realtek/rtw88/phy.c b/drivers/net/wireless/realtek/rtw88/phy.c
> index e2ac5c6fd500..c10eb28e54ad 100644
> --- a/drivers/net/wireless/realtek/rtw88/phy.c
> +++ b/drivers/net/wireless/realtek/rtw88/phy.c
> @@ -161,6 +161,9 @@ void rtw_phy_set_edcca_th(struct rtw_dev *rtwdev, u8 l2h, u8 h2l)
>  {
>         const struct rtw_hw_reg_offset *edcca_th = rtwdev->chip->edcca_th;
> 
> +       if (!edcca_th)
> +               return;
> +

The callers of rtw_phy_set_edcca_th() are RTL8822B and RTL8822C, which both
define rtwdev->chip->edcca_th. How can edcca_th be NULL?

>         rtw_write32_mask(rtwdev,
>                          edcca_th[EDCCA_TH_L2H_IDX].hw_reg.addr,
>                          edcca_th[EDCCA_TH_L2H_IDX].hw_reg.mask,
> --
> 2.53.0

next prev parent reply	other threads:[~2026-04-14  2:03 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-04-13 10:02 [PATCH] wifi: rtw88: Add NULL check for chip->edcca_th Panagiotis Petrakopoulos
2026-04-13 12:35 ` LB F
2026-04-14  2:10   ` Ping-Ke Shih
2026-04-14  2:03 ` Ping-Ke Shih [this message]
2026-04-14  4:33   ` Panagiotis Petrakopoulos
2026-04-14 19:47 ` [PATCH v2] " Panagiotis Petrakopoulos
2026-04-15  0:36   ` Ping-Ke Shih
2026-04-15  5:29   ` [PATCH v3] wifi: rtw88: Add NULL check for chip->edcca_th in rtw_fw_adaptivity_result() Panagiotis Petrakopoulos
2026-04-15  5:54     ` Ping-Ke Shih
2026-04-15 17:03       ` LB F
2026-04-16 21:21         ` LB F
2026-04-17  5:48           ` Panagiotis Petrakopoulos

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=aa92a81841ec4d1da48916153e07f31d@realtek.com \
    --to=pkshih@realtek.com \
    --cc=goainwo@gmail.com \
    --cc=linux-wireless@vger.kernel.org \
    --cc=npetrakopoulos2003@gmail.com \
    --cc=rtl8821cerfe2@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox