wifi: iwlwifi: mld: add NULL check for channel in DW end handler

ieee80211_get_channel() can return NULL if the frequency is not
registered in the wiphy (e.g. due to regulatory domain restrictions).
The returned channel pointer is passed directly to
cfg80211_next_nan_dw_notif() which dereferences it unconditionally
in both the tracepoint and the netlink message, causing a NULL
pointer dereference.

Add a NULL check before using the channel pointer.

Signed-off-by: Daniel Gabay <daniel.gabay@intel.com>
Reviewed-by: Ilan Peer <ilan.peer@intel.com>
Link: https://patch.msgid.link/20260512222731.a250203cd1c6.I1d807aab415da30a55dd89a974c3226adc547ebb@changeid
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>

diff --git a/drivers/net/wireless/intel/iwlwifi/mld/nan.c b/drivers/net/wireless/intel/iwlwifi/mld/nan.c
index 264ea7a9a896b997665748bc4353876786acd066..deb72e401e3c014a0b5a488078ca59fbda4f6fd8 100644 (file)
--- a/drivers/net/wireless/intel/iwlwifi/mld/nan.c
+++ b/drivers/net/wireless/intel/iwlwifi/mld/nan.c
@@ -305,6 +305,9 @@ void iwl_mld_handle_nan_dw_end_notif(struct iwl_mld *mld,
                return;
        }
 
+       if (WARN_ON_ONCE(!chan))
+               return;
+
        wdev = ieee80211_vif_to_wdev(mld->nan_device_vif);
        cfg80211_next_nan_dw_notif(wdev, chan, GFP_KERNEL);
 }