When iPhones query network information via the WiFi settings "i" button, the brcmfmac driver crashes with a NULL pointer dereference. This occurs because the P2P device vif is not initialized when handling certain action frames. Add NULL check for vif before dereferencing in brcmf_p2p_tx_action_frame() and return -ENODEV when vif is NULL. Also modify the retry loop in brcmf_p2p_send_action_frame() to stop immediately on permanent failures rather than retrying. Tested on Raspberry Pi Zero 2 W with kernel 6.1.21-v8+ Signed-off-by: Richard Reigh --- .../wireless/broadcom/brcm80211/brcmfmac/p2p.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c index 10d9d9c63..2c73156fa 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c @@ -1559,6 +1559,12 @@ static s32 brcmf_p2p_tx_action_frame(struct brcmf_p2p_info *p2p, else vif = p2p->bss_idx[P2PAPI_BSSCFG_DEVICE].vif; + /* add NULL check */ + if (!vif) { + brcmf_err("vif is NULL, cannot send action frame\n"); + return -ENODEV; + } + err = brcmf_fil_bsscfg_data_set(vif->ifp, "actframe", af_params, sizeof(*af_params)); if (err) { @@ -1857,7 +1863,15 @@ bool brcmf_p2p_send_action_frame(struct brcmf_cfg80211_info *cfg, if (af_params->channel) msleep(P2P_AF_RETRY_DELAY_TIME); - ack = !brcmf_p2p_tx_action_frame(p2p, af_params); + int result = brcmf_p2p_tx_action_frame(p2p, af_params); + + /* if it's a permanent failure (like NULL vif), stop retrying */ + if (result == -ENODEV) { + brcmf_err("Permanent failure, stop retries\n"); + break; + } + + ack = !result; tx_retry++; dwell_overflow = brcmf_p2p_check_dwell_overflow(requested_dwell, dwell_jiffies); -- 2.34.1
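Review bot: In the first hunk, the comment `/* add NULL check */` restates the code rather than the reason; since the commit message says the P2P device vif is not yet initialized when these action frames arrive, the comment should say that (for example `/* P2P device vif may not exist yet; do not send on it */`). The `brcmf_err()` on this path is also worth reconsidering: the trigger is a frame from a peer station, so a remote device can make the driver emit that error line on every attempt, and a `brcmf_dbg()` or a rate-limited message would avoid log flooding while still leaving `-ENODEV` for the caller to act on. A `Fixes:` tag pointing at the commit that introduced the unchecked dereference, and a note that the test was on a 6.1.21-v8+ vendor kernel rather than on current mainline, would help whoever backports this.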
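Review bot: In the second hunk, `int result` is declared in the middle of the loop body after statements; kernel style is to declare it with the function's other locals, and its type should match the `s32` that `brcmf_p2p_tx_action_frame()` returns. The added `brcmf_err("Permanent failure, stop retries\n")` duplicates the error already printed inside `brcmf_p2p_tx_action_frame()` for the same condition, so one of the two messages can go. Note also that only `-ENODEV` is treated as permanent; every other negative error still goes through the full retry loop with its `msleep(P2P_AF_RETRY_DELAY_TIME)` delay, which is the existing behaviour, but the comment "like NULL vif" suggests a broader intent, so either the comment should say only `-ENODEV` is handled or the check should be widened deliberately.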