Date: Sun, 8 Jun 2025 18:28:35 GMT
Message-Id: <202506081828.558ISZSQ090357@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: "Bjoern A. Zeeb"
Subject: git: 3a427b832084 - main - rtw89: prevent a NULL pointer deref in rtw89_swap_chanctx()
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: bz
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 3a427b8320840f1e69779efeccc5898eb2972030
Auto-Submitted: auto-generated

The branch main has been updated by bz:

URL: https://cgit.FreeBSD.org/src/commit/?id=3a427b8320840f1e69779efeccc5898eb2972030

commit 3a427b8320840f1e69779efeccc5898eb2972030
Author:     Bjoern A. Zeeb
AuthorDate: 2025-06-08 18:05:54 +0000
Commit:     Bjoern A. Zeeb
CommitDate: 2025-06-08 18:19:36 +0000

    rtw89: prevent a NULL pointer deref in rtw89_swap_chanctx()

    It is currently unclear if this is a result of the driver itself
    already or the way LinuxKPI drives channels and the driver simply
    accepting and acting on things it no longer should.
    For now put the bandaid into place to make the driver work and pass
    packets.  For better resilience the check does not hurt anyway.

    The moment we enter rtw89_chanctx_ops_add() the first time, entity_map
    0x00000001 has the lowest bit set and find_next_zero_bit() will return 1.
    As a result the driver will try to swap chanctxs and trip over a NULL
    pointer in rtw89_swap_chanctx().  See comment there for how to (likely)
    trigger it.

    Sponsored by:   The FreeBSD Foundation
    Reported by:    Axel Rau (Axel.Rau Chaos1.DE) with 8852CE
    MFC after:      3 days
---
 sys/contrib/dev/rtw89/chan.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/sys/contrib/dev/rtw89/chan.c b/sys/contrib/dev/rtw89/chan.c
index 4df4e04c3e67..257331c2de2e 100644
--- a/sys/contrib/dev/rtw89/chan.c
+++ b/sys/contrib/dev/rtw89/chan.c @@ -2612,6 +2612,27 @@ static void rtw89_swap_chanctx(struct rtw89_dev *rtwdev, if (idx1 == idx2) return; +#if defined(__FreeBSD__) + /* + * __rtw89_config_entity_chandef() might set RTW89_CHANCTX_0 but no + * cfg assigned. + * A mac80211 (*config)() with IEEE80211_CONF_CHANGE_CHANNEL could do + * that if rtw89_config_default_chandef() from rtw89_entity_init() does + * not already. + * A mac80211: (*assign_vif_chanctx)() following will find idx 0 filled + * and rtw89_chanctx_ops_add() will call here. Trying to swap results + * in a NULL pointer deref as hal->chanctx[idx1].cfg is NULL. + * Catch this for now until fully understood or a proper solution is + * found. + */ + if (hal->chanctx[idx1].cfg == NULL || hal->chanctx[idx2].cfg == NULL) { + rtw89_debug(rtwdev, RTW89_DBG_CHAN, + "%s: !swapping idx1 %d cfg %p, idx2 %d cfg %p\n", __func__, + idx1, hal->chanctx[idx1].cfg, idx2, hal->chanctx[idx2].cfg); + return; + } +#endif + hal->chanctx[idx1].cfg->idx = idx2; hal->chanctx[idx2].cfg->idx = idx1;
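Review bot: The early `return` inside the new `#if defined(__FreeBSD__)` block silently skips the swap while rtw89_swap_chanctx() stays `static void`, so rtw89_chanctx_ops_add() carries on as if idx1 and idx2 had been exchanged, and the comment does not say what state the caller is left in; please either note that expected state in the comment or have the function report the skip so the caller can stop. Related: the `rtw89_debug(rtwdev, RTW89_DBG_CHAN, "%s: !swapping idx1 %d cfg %p, idx2 %d cfg %p\n", ...)` line only fires with RTW89_DBG_CHAN enabled, and since the message says the root cause is not yet understood, a log that is visible by default (or a once-only warning) would make the next field report from an 8852CE user actionable without asking them to rebuild with debugging on.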