]> git.ipfire.org Git - thirdparty/kernel/stable.git/commitdiff
wifi: mt76: mt7996: avoid null deref in mt7996_stop_phy()
authorQasim Ijaz <qasdev00@gmail.com>
Mon, 21 Apr 2025 11:13:44 +0000 (12:13 +0100)
committerFelix Fietkau <nbd@nbd.name>
Wed, 21 May 2025 12:49:39 +0000 (14:49 +0200)
In mt7996_stop_phy() the mt7996_phy structure is
dereferenced before the null sanity check which could
lead to a null deref.

Fix by moving the dereference operation after the
sanity check.

Fixes: 69d54ce7491d ("wifi: mt76: mt7996: switch to single multi-radio wiphy")
Signed-off-by: Qasim Ijaz <qasdev00@gmail.com>
Link: https://patch.msgid.link/20250421111344.11484-1-qasdev00@gmail.com
Signed-off-by: Felix Fietkau <nbd@nbd.name>
drivers/net/wireless/mediatek/mt76/mt7996/main.c

index 5ec4f979328653284966b4c2d6afb827f344a1df..8698c4345af0c867571109c2ff2f3a447d77a579 100644 (file)
@@ -68,11 +68,13 @@ static int mt7996_start(struct ieee80211_hw *hw)
 
 static void mt7996_stop_phy(struct mt7996_phy *phy)
 {
-       struct mt7996_dev *dev = phy->dev;
+       struct mt7996_dev *dev;
 
        if (!phy || !test_bit(MT76_STATE_RUNNING, &phy->mt76->state))
                return;
 
+       dev = phy->dev;
+
        cancel_delayed_work_sync(&phy->mt76->mac_work);
 
        mutex_lock(&dev->mt76.mutex);