[bug report] wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips

Mon Jul 15 13:19:19 PDT 2024

Hello Deren Wu,

Commit c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver
for mt7925 chips") from Sep 18, 2023 (linux-next), leads to the
following Smatch static checker warning:

	drivers/net/wireless/mediatek/mt76/mt7925/mac.c:810 mt7925_mac_write_txwi()
	error: we previously assumed 'vif' could be null (see line 745)

drivers/net/wireless/mediatek/mt76/mt7925/mac.c
   728  mt7925_mac_write_txwi(struct mt76_dev *dev, __le32 *txwi,
   729                        struct sk_buff *skb, struct mt76_wcid *wcid,
   730                        struct ieee80211_key_conf *key, int pid,
   731                        enum mt76_txq_id qid, u32 changed)
   732  {
   733          struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
   734          struct ieee80211_vif *vif = info->control.vif;
   735          u8 p_fmt, q_idx, omac_idx = 0, wmm_idx = 0, band_idx = 0;
   736          u32 val, sz_txd = mt76_is_mmio(dev) ? MT_TXD_SIZE : MT_SDIO_TXD_SIZE;
   737          bool is_8023 = info->flags & IEEE80211_TX_CTL_HW_80211_ENCAP;
   738          struct mt76_vif *mvif;
   739          bool beacon = !!(changed & (BSS_CHANGED_BEACON |
   740                                      BSS_CHANGED_BEACON_ENABLED));
   741          bool inband_disc = !!(changed & (BSS_CHANGED_UNSOL_BCAST_PROBE_RESP |
   742                                           BSS_CHANGED_FILS_DISCOVERY));
   743          struct mt792x_bss_conf *mconf;
   744  
   745          mconf = vif ? mt792x_vif_to_link((struct mt792x_vif *)vif->drv_priv,
                        ^^^
This assumes vif can be NULL.

   746                                           wcid->link_id) : NULL;
   747          mvif = mconf ? (struct mt76_vif *)&mconf->mt76 : NULL;
   748  
   749          if (mvif) {
   750                  omac_idx = mvif->omac_idx;
   751                  wmm_idx = mvif->wmm_idx;
   752                  band_idx = mvif->band_idx;
   753          }
   754  
   755          if (inband_disc) {
   756                  p_fmt = MT_TX_TYPE_FW;
   757                  q_idx = MT_LMAC_ALTX0;
   758          } else if (beacon) {
   759                  p_fmt = MT_TX_TYPE_FW;
   760                  q_idx = MT_LMAC_BCN0;
   761          } else if (qid >= MT_TXQ_PSD) {
   762                  p_fmt = mt76_is_mmio(dev) ? MT_TX_TYPE_CT : MT_TX_TYPE_SF;
   763                  q_idx = MT_LMAC_ALTX0;
   764          } else {
   765                  p_fmt = mt76_is_mmio(dev) ? MT_TX_TYPE_CT : MT_TX_TYPE_SF;
   766                  q_idx = wmm_idx * MT76_CONNAC_MAX_WMM_SETS +
   767                          mt76_connac_lmac_mapping(skb_get_queue_mapping(skb));
   768  
   769                  /* counting non-offloading skbs */
   770                  wcid->stats.tx_bytes += skb->len;
   771                  wcid->stats.tx_packets++;
   772          }
   773  
   774          val = FIELD_PREP(MT_TXD0_TX_BYTES, skb->len + sz_txd) |
   775                FIELD_PREP(MT_TXD0_PKT_FMT, p_fmt) |
   776                FIELD_PREP(MT_TXD0_Q_IDX, q_idx);
   777          txwi[0] = cpu_to_le32(val);
   778  
   779          val = FIELD_PREP(MT_TXD1_WLAN_IDX, wcid->idx) |
   780                FIELD_PREP(MT_TXD1_OWN_MAC, omac_idx);
   781  
   782          if (band_idx)
   783                  val |= FIELD_PREP(MT_TXD1_TGID, band_idx);
   784  
   785          txwi[1] = cpu_to_le32(val);
   786          txwi[2] = 0;
   787  
   788          val = FIELD_PREP(MT_TXD3_REM_TX_COUNT, 15);
   789  
   790          if (key)
   791                  val |= MT_TXD3_PROTECT_FRAME;
   792          if (info->flags & IEEE80211_TX_CTL_NO_ACK)
   793                  val |= MT_TXD3_NO_ACK;
   794          if (wcid->amsdu)
   795                  val |= MT_TXD3_HW_AMSDU;
   796  
   797          txwi[3] = cpu_to_le32(val);
   798          txwi[4] = 0;
   799  
   800          val = FIELD_PREP(MT_TXD5_PID, pid);
   801          if (pid >= MT_PACKET_ID_FIRST) {
   802                  val |= MT_TXD5_TX_STATUS_HOST;
   803                  txwi[3] |= cpu_to_le32(MT_TXD3_BA_DISABLE);
   804                  txwi[3] &= ~cpu_to_le32(MT_TXD3_HW_AMSDU);
   805          }
   806  
   807          txwi[5] = cpu_to_le32(val);
   808  
   809          val = MT_TXD6_DAS | FIELD_PREP(MT_TXD6_MSDU_CNT, 1);
   810          if (!ieee80211_vif_is_mld(vif) ||
                                          ^^^
But here "vif" is dereferenced without checking

   811              (q_idx >= MT_LMAC_ALTX0 && q_idx <= MT_LMAC_BCN0))
   812                  val |= MT_TXD6_DIS_MAT;
   813          txwi[6] = cpu_to_le32(val);
   814          txwi[7] = 0;
   815  
   816          if (is_8023)
   817                  mt7925_mac_write_txwi_8023(txwi, skb, wcid);
   818          else
   819                  mt7925_mac_write_txwi_80211(dev, txwi, skb, key);
   820  
   821          if (txwi[1] & cpu_to_le32(MT_TXD1_FIXED_RATE)) {
   822                  struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
   823                  bool mcast = ieee80211_is_data(hdr->frame_control) &&
   824                               is_multicast_ether_addr(hdr->addr1);
   825                  u8 idx = MT792x_BASIC_RATES_TBL;
   826  
   827                  if (mvif) {
   828                          if (mcast && mvif->mcast_rates_idx)
   829                                  idx = mvif->mcast_rates_idx;
   830                          else if (beacon && mvif->beacon_rates_idx)
   831                                  idx = mvif->beacon_rates_idx;
   832                          else
   833                                  idx = mvif->basic_rates_idx;
   834                  }
   835  
   836                  txwi[6] |= cpu_to_le32(FIELD_PREP(MT_TXD6_TX_RATE, idx));
   837                  txwi[3] |= cpu_to_le32(MT_TXD3_BA_DISABLE);
   838          }
   839  }

regards,
dan carpenter