Date: Wed, 11 Jun 2025 09:14:29 GMT
Message-Id: <202506110914.55B9ETxD062424@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: "Bjoern A. Zeeb"
Subject: git: a118aa0c307f - stable/14 - rtw89: prevent a NULL pointer deref in rtw89_swap_chanctx()
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
X-Git-Committer: bz
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: a118aa0c307f402ce22a0411822e1d5965795cf6

The branch stable/14 has been updated by bz:

URL: https://cgit.FreeBSD.org/src/commit/?id=a118aa0c307f402ce22a0411822e1d5965795cf6

commit a118aa0c307f402ce22a0411822e1d5965795cf6
Author:     Bjoern A. Zeeb
AuthorDate: 2025-06-08 18:05:54 +0000
Commit:     Bjoern A. Zeeb
CommitDate: 2025-06-10 23:40:56 +0000

    rtw89: prevent a NULL pointer deref in rtw89_swap_chanctx()

    It is currently unclear if this is a result of the driver itself already
    or the way LinuxKPI drives channels and the driver simply accepting and
    acting on things it no longer should. For now put the bandaid into place
    to make the driver work and pass packets. For better resilience the
    check does not hurt anyway.

    The moment we enter rtw89_chanctx_ops_add() the first time, entity_map
    0x00000001 has the lowest bit set and find_next_zero_bit() will return 1.
    As a result the driver will try to swap chanctxs and trip over a NULL
    pointer in rtw89_swap_chanctx(). See comment there for how to (likely)
    trigger it.

    Sponsored by:   The FreeBSD Foundation
    Reported by:    Axel Rau (Axel.Rau Chaos1.DE) with 8852CE

    (cherry picked from commit 3a427b8320840f1e69779efeccc5898eb2972030)
---
 sys/contrib/dev/rtw89/chan.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/sys/contrib/dev/rtw89/chan.c b/sys/contrib/dev/rtw89/chan.c index 4df4e04c3e67..257331c2de2e 100644 --- a/sys/contrib/dev/rtw89/chan.c +++ b/sys/contrib/dev/rtw89/chan.c @@ -2612,6 +2612,27 @@ static void rtw89_swap_chanctx(struct rtw89_dev *rtwdev, if (idx1 == idx2) return; +#if defined(__FreeBSD__) + /* + * __rtw89_config_entity_chandef() might set RTW89_CHANCTX_0 but no + * cfg assigned. + * A mac80211 (*config)() with IEEE80211_CONF_CHANGE_CHANNEL could do + * that if rtw89_config_default_chandef() from rtw89_entity_init() does + * not already. + * A mac80211: (*assign_vif_chanctx)() following will find idx 0 filled + * and rtw89_chanctx_ops_add() will call here. Trying to swap results + * in a NULL pointer deref as hal->chanctx[idx1].cfg is NULL. + * Catch this for now until fully understood or a proper solution is + * found. + */ + if (hal->chanctx[idx1].cfg == NULL || hal->chanctx[idx2].cfg == NULL) { + rtw89_debug(rtwdev, RTW89_DBG_CHAN, + "%s: !swapping idx1 %d cfg %p, idx2 %d cfg %p\n", __func__, + idx1, hal->chanctx[idx1].cfg, idx2, hal->chanctx[idx2].cfg); + return; + } +#endif + hal->chanctx[idx1].cfg->idx = idx2; hal->chanctx[idx2].cfg->idx = idx1;
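Review bot: the early `return;` in the new `#if defined(__FreeBSD__)` block avoids the NULL dereference but gives the caller no signal that the swap was skipped; rtw89_swap_chanctx() is `static void`, so rtw89_chanctx_ops_add() (named in the new comment as the path that reaches here) continues with idx1 and idx2 still referring to their original, unswapped contexts. Consider returning a bool (or an errno) from the swap and having the caller bail out or fall back when it is false, so the inconsistent entity_map state the commit message describes is not silently carried forward. Separately, the diagnostic `"%s: !swapping idx1 %d cfg %p, idx2 %d cfg %p\n"` is only emitted under `RTW89_DBG_CHAN`; since the message states the root cause is not yet understood, a default-visible message or a `WARN_ON_ONCE`-style check would keep the condition observable in field reports instead of hiding the bandaid. The comment block should also say that this check is FreeBSD-only by design (the `#if` guard) so a future merge from upstream does not drop it without noticing.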