[bug report] wifi: mt76: mt7925: fix NULL deref check in mt7925_change_vif_links
Dan Carpenter
dan.carpenter at linaro.org
Mon Jan 20 01:30:18 PST 2025
Hello Charles Han,
Commit 5cd0bd815c8a ("wifi: mt76: mt7925: fix NULL deref check in
mt7925_change_vif_links") from Oct 25, 2024 (linux-next), leads to
the following Smatch static checker warning:
drivers/net/wireless/mediatek/mt76/mt7925/main.c:2053 mt7925_change_vif_links()
warn: inconsistent returns '&dev->mt76.mutex'.
drivers/net/wireless/mediatek/mt76/mt7925/main.c
/*
 * mt7925_change_vif_links() - move a vif from the old_links set to new_links.
 *
 * Links present only in old_links are torn down; links present only in
 * new_links get per-link state and are published with rcu_assign_pointer().
 * Returns 0 on success (or when nothing changed), -ENOMEM when a per-link
 * allocation fails, or the negative error from mt7925_mac_link_bss_add() /
 * mt7925_set_mlo_roc().
 *
 * Locking: mt792x_mutex_acquire(dev) is taken at line 1966 and has to be
 * paired with mt792x_mutex_release(dev) on every later exit; Smatch reports
 * the lock as '&dev->mt76.mutex'.
 */
1947 static int
1948 mt7925_change_vif_links(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
1949 u16 old_links, u16 new_links,
1950 struct ieee80211_bss_conf *old[IEEE80211_MLD_MAX_NUM_LINKS])
1951 {
1952 struct mt792x_bss_conf *mconfs[IEEE80211_MLD_MAX_NUM_LINKS] = {}, *mconf;
1953 struct mt792x_link_sta *mlinks[IEEE80211_MLD_MAX_NUM_LINKS] = {}, *mlink;
1954 struct mt792x_vif *mvif = (struct mt792x_vif *)vif->drv_priv;
/* add: bits set only in new_links; rem: bits set only in old_links. */
1955 unsigned long add = new_links & ~old_links;
1956 unsigned long rem = old_links & ~new_links;
1957 struct mt792x_dev *dev = mt792x_hw_dev(hw);
1958 struct mt792x_phy *phy = mt792x_hw_phy(hw);
1959 struct ieee80211_bss_conf *link_conf;
1960 unsigned int link_id;
1961 int err;
1962
/* Nothing to change: this return happens before the lock is taken. */
1963 if (old_links == new_links)
1964 return 0;
1965
1966 mt792x_mutex_acquire(dev);
1967
/* Pass 1: tear down every link that is being removed. */
1968 for_each_set_bit(link_id, &rem, IEEE80211_MLD_MAX_NUM_LINKS) {
1969 mconf = mt792x_vif_to_link(mvif, link_id);
1970 mlink = mt792x_sta_to_link(&mvif->sta, link_id);
1971
1972 if (!mconf || !mlink)
1973 continue;
1974
/*
 * Only state that is not the embedded mvif->bss_conf is removed and freed
 * here; the embedded default is left in place.
 */
1975 if (mconf != &mvif->bss_conf) {
1976 mt792x_mac_link_bss_remove(dev, mconf, mlink);
1977 devm_kfree(dev->mt76.dev, mconf);
1978 devm_kfree(dev->mt76.dev, mlink);
1979 }
1980
1981 rcu_assign_pointer(mvif->link_conf[link_id], NULL);
1982 rcu_assign_pointer(mvif->sta.link[link_id], NULL);
1983 }
1984
/* Pass 2: pick or allocate per-link state for every link being added. */
1985 for_each_set_bit(link_id, &add, IEEE80211_MLD_MAX_NUM_LINKS) {
/*
 * With no previous links the embedded default structures are reused and
 * deflink_id is set; otherwise fresh zeroed structures are allocated.
 */
1986 if (!old_links) {
1987 mvif->deflink_id = link_id;
1988 mconf = &mvif->bss_conf;
1989 mlink = &mvif->sta.deflink;
1990 } else {
1991 mconf = devm_kzalloc(dev->mt76.dev, sizeof(*mconf),
1992 GFP_KERNEL);
1993 mlink = devm_kzalloc(dev->mt76.dev, sizeof(*mlink),
1994 GFP_KERNEL);
1995 if (!mconf || !mlink)
1996 return -ENOMEM;
Need to call mt792x_mutex_release(dev) before returning.
/*
 * This is the only exit after line 1966 that does not release the mutex
 * (the success path releases at 2036, the free: path at 2051), so a failed
 * allocation leaves the lock held and later acquirers would block.
 * When only one of the two allocations failed, the other one is not freed
 * here either; it stays attached to dev->mt76.dev.
 */
1997 }
1998
1999 mconfs[link_id] = mconf;
2000 mlinks[link_id] = mlink;
2001 mconf->link_id = link_id;
2002 mconf->vif = mvif;
2003 mlink->wcid.link_id = link_id;
2004 mlink->wcid.link_valid = !!vif->valid_links;
2005 mlink->wcid.def_wcid = &mvif->sta.deflink.wcid;
2006 }
2007
/*
 * mvif->valid_links still holds the previous value here (it is updated at
 * line 2034); when it has no bit set, the default bss_conf/deflink pair is
 * removed before the new links are added.
 */
2008 if (hweight16(mvif->valid_links) == 0)
2009 mt792x_mac_link_bss_remove(dev, &mvif->bss_conf,
2010 &mvif->sta.deflink);
2011
/* Pass 3: publish each added link, then add it to the device. */
2012 for_each_set_bit(link_id, &add, IEEE80211_MLD_MAX_NUM_LINKS) {
2013 mconf = mconfs[link_id];
2014 mlink = mlinks[link_id];
2015 link_conf = mt792x_vif_to_bss_conf(vif, link_id);
2016
/* Published before the add call; the free: path resets both to NULL. */
2017 rcu_assign_pointer(mvif->link_conf[link_id], mconf);
2018 rcu_assign_pointer(mvif->sta.link[link_id], mlink);
2019
2020 err = mt7925_mac_link_bss_add(dev, link_conf, mlink);
2021 if (err < 0)
2022 goto free;
2023
2024 if (mconf != &mvif->bss_conf) {
2025 mt7925_mcu_set_bss_pm(dev, link_conf, true);
2026
2027 err = mt7925_set_mlo_roc(phy, &mvif->bss_conf,
2028 vif->active_links);
2029 if (err < 0)
2030 goto free;
2031 }
2032 }
2033
2034 mvif->valid_links = new_links;
2035
2036 mt792x_mutex_release(dev);
2037
2038 return 0;
2039
/*
 * Error unwind: unpublish every added link, free the per-link allocations,
 * release the mutex and return err.
 * NOTE(review): the two guards below test mconf/mlink, which still hold the
 * values of the iteration that failed, while the frees use
 * mconfs[link_id]/mlinks[link_id] - confirm that this is intended.
 * NOTE(review): no mt792x_mac_link_bss_remove() call is visible here for
 * links that were added before the failure - confirm whether one is needed.
 */
2040 free:
2041 for_each_set_bit(link_id, &add, IEEE80211_MLD_MAX_NUM_LINKS) {
2042 rcu_assign_pointer(mvif->link_conf[link_id], NULL);
2043 rcu_assign_pointer(mvif->sta.link[link_id], NULL);
2044
2045 if (mconf != &mvif->bss_conf)
2046 devm_kfree(dev->mt76.dev, mconfs[link_id]);
2047 if (mlink != &mvif->sta.deflink)
2048 devm_kfree(dev->mt76.dev, mlinks[link_id]);
2049 }
2050
2051 mt792x_mutex_release(dev);
2052
--> 2053 return err;
2054 }
regards,
dan carpenter