From: Feng Jiang <jiangfeng@kylinos.cn>
Date: Wed, 2 Apr 2025 06:24:15 +0000 (+0800)
Subject: wifi: mt76: scan: Fix 'mlink' dereferenced before IS_ERR_OR_NULL check
X-Git-Tag: v6.16-rc1~132^2~46^2^2~19
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7e1fcf687c2fb22ad25cf3fae322a37452f5f560;p=thirdparty%2Flinux.git

wifi: mt76: scan: Fix 'mlink' dereferenced before IS_ERR_OR_NULL check

Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Closes: https://lore.kernel.org/r/202504011739.HvUKtUUe-lkp@intel.com/
Fixes: 3ba20af886d1 ("wifi: mt76: scan: set vif offchannel link for scanning/roc")
Signed-off-by: Feng Jiang <jiangfeng@kylinos.cn>
Link: https://patch.msgid.link/20250402062415.25434-1-jiangfeng@kylinos.cn
Signed-off-by: Felix Fietkau <nbd@nbd.name>
---

diff --git a/drivers/net/wireless/mediatek/mt76/channel.c b/drivers/net/wireless/mediatek/mt76/channel.c
index e7b839e742903..cc2d888e3f17a 100644
--- a/drivers/net/wireless/mediatek/mt76/channel.c
+++ b/drivers/net/wireless/mediatek/mt76/channel.c
@@ -302,11 +302,13 @@ void mt76_put_vif_phy_link(struct mt76_phy *phy, struct ieee80211_vif *vif,
 			   struct mt76_vif_link *mlink)
 {
 	struct mt76_dev *dev = phy->dev;
-	struct mt76_vif_data *mvif = mlink->mvif;
+	struct mt76_vif_data *mvif;
 
 	if (IS_ERR_OR_NULL(mlink) || !mlink->offchannel)
 		return;
 
+	mvif = mlink->mvif;
+
 	rcu_assign_pointer(mvif->offchannel_link, NULL);
 	dev->drv->vif_link_remove(phy, vif, &vif->bss_conf, mlink);
 	kfree(mlink);