wlan-ap-Telecominfraproject/feeds/ipq95xx/mac80211/patches/qca/685-ath12k-fix-null-pointer-access-when-vdev-creation-fa.patch

From b123da8d55223cac57011aaba7adecac81fc29db Mon Sep 17 00:00:00 2001
From: P Praneesh <quic_ppranees@quicinc.com>
Date: Sat, 19 Nov 2022 16:49:33 +0530
Subject: [PATCH] ath12k: fix null pointer access when vdev creation fails

vdev create fails when driver gets request for MAC address which is
already presents. If this failure observed for tx VAP in the MBSSID,
while sending beacon for non transmitted VAP, tx VAP arvif is
getting accessed which is not initialised properly during vdev creation.

Fix it by allowing beacon template updation process only when the
mbssid tx arvif is created otherwise return failure.

[  412.918052] ath12k_pci 0003:01:00.0: failed to vdev 3 create peer for AP: -22
[  412.918055] ath12k_pci 0003:01:00.0: WMI vdev delete id 3 num_peers : 4
[  412.918058] ath12k_pci 0003:01:00.0: failed to create vdev 0 ret -22
...
...
[  414.256946] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000008
[  414.257188] Call trace:
[  414.257193]  ath12k_mac_tx_mgmt_pending_free+0x5d88/0x8370 [ath12k]
[  414.257198]  ath12k_mac_ap_ps_recalc+0x210/0x310c [ath12k]
[  414.257202]  ath12k_mac_ap_ps_recalc+0x1124/0x310c [ath12k]
[  414.257211]  ieee80211_bss_info_change_notify+0xa4/0xe4 [mac80211]
[  414.257217]  ieee80211_nan_func_match+0x37ec/0x3aa0 [mac80211]
[  414.257222]  nl80211_parse_chandef+0x28f8/0x2a5c [cfg80211]
[  414.257226]  genl_family_rcv_msg+0x314/0x3b0
[  414.257227]  genl_rcv_msg+0x58/0x84
[  414.257229]  netlink_rcv_skb+0x94/0x10c
[  414.257231]  genl_rcv+0x34/0x48
[  414.257232]  netlink_unicast+0x138/0x1f8
[  414.257233]  netlink_sendmsg+0x28c/0x328

Signed-off-by: P Praneesh <quic_ppranees@quicinc.com>
---
 drivers/net/wireless/ath/ath12k/mac.c  | 16 +++++++++++++---
 drivers/net/wireless/ath/ath12k/peer.c |  2 ++
 2 files changed, 15 insertions(+), 3 deletions(-)

--- a/drivers/net/wireless/ath/ath12k/mac.c
+++ b/drivers/net/wireless/ath/ath12k/mac.c
@@ -1385,6 +1385,11 @@ static int ath12k_mac_setup_bcn_tmpl_ema
 		return -1;
 
 	tx_arvif = (void *)arvif->vif->mbssid_tx_vif->drv_priv;
+	if (!tx_arvif->is_created) {
+		ath12k_warn(arvif->ar->ab, "mbssid tx VIF is not yet created\n");
+		return -EPERM;
+	}
+
 	beacons = ieee80211_beacon_get_template_ema_list(tx_arvif->ar->ah->hw,
 							 tx_arvif->vif);
 	if (!beacons || !beacons->cnt) {
@@ -1430,8 +1435,14 @@ static int ath12k_mac_setup_bcn_tmpl_non
 	struct sk_buff *bcn;
 	int ret;
 
-	if (arvif->vif->mbssid_tx_vif)
+	if (arvif->vif->mbssid_tx_vif) {
 		tx_arvif = (void *)arvif->vif->mbssid_tx_vif->drv_priv;
+		if (!tx_arvif->is_created) {
+			ath12k_warn(arvif->ar->ab,
+				    "For non ema bcn setup, mbssid_tx_vif is not yet created\n");
+			tx_arvif = arvif;
+		}
+	}
 
 	bcn = ieee80211_beacon_get_template(tx_arvif->ar->ah->hw, tx_arvif->vif,
 					    &offs);
@@ -7628,7 +7639,6 @@ static struct ath12k *ath12k_mac_assign_
 	struct ath12k *ar;
 	struct ath12k_base *ab;
 	struct ath12k_vif *arvif = (void *)vif->drv_priv;
-	u8 bit;
 	int ret;
 
 	lockdep_assert_held(&ah->conf_mutex);
@@ -7664,7 +7674,7 @@ static struct ath12k *ath12k_mac_assign_
 
 	ret = ath12k_mac_vdev_create(ar, vif);
 	if (ret) {
-		ath12k_warn(ab, "failed to create vdev %d ret %d", bit, ret);
+		ath12k_warn(ab, "failed to create vdev %d ret %d", arvif->vdev_id, ret);
 		goto unlock;
 	}
 
--- a/drivers/net/wireless/ath/ath12k/peer.c
+++ b/drivers/net/wireless/ath/ath12k/peer.c
@@ -283,6 +283,8 @@ int ath12k_peer_create(struct ath12k *ar
 	spin_lock_bh(&ar->ab->base_lock);
 	peer = ath12k_peer_find_by_pdev_idx(ar->ab, ar->pdev_idx, param->peer_addr);
 	if (peer) {
+		ath12k_warn(ar->ab,
+			    "peer %pM already present in ab\n", param->peer_addr);
 		spin_unlock_bh(&ar->ab->base_lock);
 		return -EINVAL;
 	}