armbian_build/patch/kernel/archive/sunxi-5.18/patches.megous/rtw88-fix-null-vif-pointer-when-hw_scan-fails.patch
The-going 25e60a726b
Sunxi 5.18 (#3879)
* sunxi-5.18: rebase megous patches to v5.18.3

* sunxi-5.18: Add upstream patches - tag: orange-pi-5.18-20220609-1318

* Check applicability to version 5.18.3

* sunxi-5.18: switch to version 5.18.3
2022-06-10 21:50:37 +02:00

40 lines
1.5 KiB
Diff

From bafd3eecaabac850ed27da95409dcf1268db3ced Mon Sep 17 00:00:00 2001
From: Po-Hao Huang <phhuang@realtek.com>
Date: Fri, 20 May 2022 16:15:23 +0800
Subject: [PATCH 527/533] rtw88: fix null vif pointer when hw_scan fails
Add this check to avoid crash by dereferencing a null pointer. When hwscan
fails due to no memory or dma failure, the scan flag in ieee80211_local is
cleared. So mac80211 determines that it's not hw_scan then calls
sw_scan_complete() with null vif, which is also freed during the fail.
Signed-off-by: Po-Hao Huang <phhuang@realtek.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20220520081523.45987-1-pkshih@realtek.com
---
drivers/net/wireless/realtek/rtw88/main.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/realtek/rtw88/main.c b/drivers/net/wireless/realtek/rtw88/main.c
index 4e03441f2fe7..f0931fdc713f 100644
--- a/drivers/net/wireless/realtek/rtw88/main.c
+++ b/drivers/net/wireless/realtek/rtw88/main.c
@@ -1383,9 +1383,12 @@ void rtw_core_scan_start(struct rtw_dev *rtwdev, struct rtw_vif *rtwvif,
void rtw_core_scan_complete(struct rtw_dev *rtwdev, struct ieee80211_vif *vif,
bool hw_scan)
{
- struct rtw_vif *rtwvif = (struct rtw_vif *)vif->drv_priv;
+ struct rtw_vif *rtwvif = vif ? (struct rtw_vif *)vif->drv_priv : NULL;
u32 config = 0;
+ if (!rtwvif)
+ return;
+
clear_bit(RTW_FLAG_SCANNING, rtwdev->flags);
clear_bit(RTW_FLAG_DIG_DISABLE, rtwdev->flags);
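Review bot: The early return on `if (!rtwvif)` in rtw_core_scan_complete() sits above the two clear_bit() calls, so on the failed hw_scan path that the commit message describes, RTW_FLAG_SCANNING and RTW_FLAG_DIG_DISABLE are left set in rtwdev->flags by this function. If no other path clears them after a failed scan, move the NULL check below the clear_bit() lines; if another path does, add a comment saying where. The commit message also says the vif "is also freed during the fail", which a NULL test cannot detect for a stale non-NULL pointer, so it would help to state that the caller always passes NULL in that case. As a smaller style point, the ternary followed by a test on rtwvif could be a single test on vif before rtwvif is assigned.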
--
2.35.3