[bug report] wifi: ath12k: Attach and detach ath12k_dp_link_peer to ath12k_dp_peer
Harsh Kumar Bijlani
quic_hbijlani at quicinc.com
Fri Dec 19 02:28:32 PST 2025
On 18-Dec-25 1:14 PM, Dan Carpenter wrote:
> Hello Harsh Kumar Bijlani,
>
> Commit 5525f12fa671 ("wifi: ath12k: Attach and detach
> ath12k_dp_link_peer to ath12k_dp_peer") from Oct 24, 2025
> (linux-next), leads to the following Smatch static checker warning:
>
> drivers/net/wireless/ath/ath12k/mac.c:1231 ath12k_mac_peer_cleanup_all()
> error: we previously assumed 'dp_peer' could be null (see line 1229)
>
> drivers/net/wireless/ath/ath12k/mac.c
> 1206 void ath12k_mac_peer_cleanup_all(struct ath12k *ar)
> 1207 {
> 1208 struct ath12k_dp_link_peer *peer, *tmp;
> 1209 struct ath12k_base *ab = ar->ab;
> 1210 struct ath12k_dp *dp = ath12k_ab_to_dp(ab);
> 1211 struct ath12k_link_vif *arvif, *tmp_vif;
> 1212 struct ath12k_dp_hw *dp_hw = &ar->ah->dp_hw;
> 1213 struct ath12k_dp_peer *dp_peer = NULL;
> 1214 u16 peerid_index;
> 1215 struct list_head peers;
> 1216
> 1217 INIT_LIST_HEAD(&peers);
> 1218
> 1219 lockdep_assert_wiphy(ath12k_ar_to_hw(ar)->wiphy);
> 1220
> 1221 spin_lock_bh(&dp->dp_lock);
> 1222 list_for_each_entry_safe(peer, tmp, &dp->peers, list) {
> 1223 /* Skip Rx TID cleanup for self peer */
> 1224 if (peer->sta && peer->dp_peer)
> ^^^^^^^^^^^^^
> The NULL check of peer->dp_peer on line 1224 assumes that dp_peer can be NULL.
>
> 1225 ath12k_dp_rx_peer_tid_cleanup(ar, peer);
> 1226
> 1227 /* cleanup dp peer */
> 1228 spin_lock_bh(&dp_hw->peer_lock);
> 1229 dp_peer = peer->dp_peer;
> ^^^^^^^^^^^^^^^^^^^^^^^
>
> 1230 peerid_index = ath12k_dp_peer_get_peerid_index(dp, peer->peer_id);
> --> 1231 rcu_assign_pointer(dp_peer->link_peers[peer->link_id], NULL);
> ^^^^^^^^^
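> Unchecked dereference of dp_peer, which line 1229 assigns from
> peer->dp_peer without repeating the NULL check made on line 1224.
> It's not clear if it can be NULL or not. If it can, this line is a
> NULL pointer dereference while dp->dp_lock and dp_hw->peer_lock are held.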
Ack, I will send a fix for this.
>
> 1232 rcu_assign_pointer(dp_hw->dp_peers[peerid_index], NULL);
> 1233 spin_unlock_bh(&dp_hw->peer_lock);
> 1234
> 1235 ath12k_dp_link_peer_rhash_delete(dp, peer);
> 1236
> 1237 list_move(&peer->list, &peers);
> 1238 }
> 1239 spin_unlock_bh(&dp->dp_lock);
> 1240
> 1241 synchronize_rcu();
> 1242
> 1243 list_for_each_entry_safe(peer, tmp, &peers, list) {
> 1244 ath12k_dp_link_peer_free(peer);
> 1245 }
> 1246
> 1247 ar->num_peers = 0;
> 1248 ar->num_stations = 0;
> 1249
> 1250 /* Cleanup rhash table maintained for arsta by iterating over sta */
> 1251 ieee80211_iterate_stations_mtx(ar->ah->hw, ath12k_mac_link_sta_rhash_cleanup,
> 1252 ar);
> 1253
> 1254 /* Delete all the self dp_peers on asserted radio */
> 1255 list_for_each_entry_safe_reverse(arvif, tmp_vif, &ar->arvifs, list) {
> 1256 if ((arvif->ahvif->vdev_type == WMI_VDEV_TYPE_AP) &&
> 1257 (arvif->link_id < IEEE80211_MLD_MAX_NUM_LINKS)) {
> 1258 ath12k_dp_peer_delete(dp_hw, arvif->bssid, NULL);
> 1259 arvif->num_stations = 0;
> 1260 }
> 1261 }
> 1262 }
>
> regards,
> dan carpenter