[PATCH iwlwifi-next] wifi: iwlwifi: mld: Fix iteration of uninitialized async handler list.

Rory Little <rory@xxxxxxxxxxxxxxx> · Wed, 30 Apr 2025 14:06:27 -0700

There were a few cases where iteration of the async_handlers_list would
be attempted before the list was initialized by async_handlers_wk. This
patch initializes that list during mld construction to guard against
that case.

This fixes a panic seen on boot:

BUG: kernel NULL pointer dereference, address: 0000000000000000
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP
CPU: 1 UID: 0 PID: 910 Comm: modprobe Not tainted 6.15.0-rc2+ #3 PREEMPT(full)
Hardware name: Default string Default string/SKYBAY, BIOS 5.12 02/21/2023
RIP: 0010:iwl_mld_cancel_async_notifications+0x4a/0xd0 [iwlmld]
Code: ...
RSP: 0018:ffffc9000097fbf0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000004000000
RDX: 0000000000000001 RSI: 0000000000000292 RDI: ffff888127d73d70
RBP: ffff888127d72028 R08: ffffffffa0fc9485 R09: ffffffffa0fc8b8a
R10: 0000000000000001 R11: 0000000000000000 R12: ffff888127d73d60
R13: 0000000000000003 R14: ffff888127d73150 R15: ffff888127d72020
FS:  00007f942ece3740(0000) GS:ffff8884da78e000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000135bd6004 CR4: 00000000003726f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 iwl_mld_stop_fw+0x35/0x40 [iwlmld]
 iwl_op_mode_mld_start+0x3b6/0x4c0 [iwlmld]
 ? inode_set_ctime_current+0x185/0x220
 _iwl_op_mode_start+0x58/0xd0 [iwlwifi]
 iwl_opmode_register+0x69/0xc0 [iwlwifi]
 ? mt7996_init+0x1000/0x1000 [mt7996e]
 iwl_mld_init+0x19/0x1000 [iwlmld]
 ? mt7996_init+0x1000/0x1000 [mt7996e]
 do_one_initcall+0x3e/0x2e0
 ? do_init_module+0x22/0x210
 do_init_module+0x60/0x210
 init_module_from_file+0x85/0xc0
 idempotent_init_module+0xfe/0x2f0
 __x64_sys_finit_module+0x61/0xc0
 do_syscall_64+0x4b/0xf50
 entry_SYSCALL_64_after_hwframe+0x4b/0x53

Fixes: d1e879ec600f ("wifi: iwlwifi: add iwlmld sub-driver")
Signed-off-by: Rory Little <rory@xxxxxxxxxxxxxxx>
---
 drivers/net/wireless/intel/iwlwifi/mld/mld.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/wireless/intel/iwlwifi/mld/mld.c b/drivers/net/wireless/intel/iwlwifi/mld/mld.c
index 87624730fb50..d78d1b4334de 100644
--- a/drivers/net/wireless/intel/iwlwifi/mld/mld.c
+++ b/drivers/net/wireless/intel/iwlwifi/mld/mld.c
@@ -77,6 +77,7 @@ void iwl_construct_mld(struct iwl_mld *mld, struct iwl_trans *trans,
 
 	/* Setup async RX handling */
 	spin_lock_init(&mld->async_handlers_lock);
+	INIT_LIST_HEAD(&mld->async_handlers_list);
 	wiphy_work_init(&mld->async_handlers_wk,
 			iwl_mld_async_handlers_wk);
 
-- 
2.45.2








