wifi: rtw89: fix null pointer access when abort scan

[ Upstream commit 7e11a2966f51695c0af0b1f976a32d64dee243b2 ]

During cancel scan we might use vif that weren't scanning.
Fix this by using the actual scanning vif.

Signed-off-by: Po-Hao Huang <phhuang@realtek.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://msgid.link/20240119081501.25223-6-pkshih@realtek.com
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/drivers/net/wireless/realtek/rtw89/mac80211.c b/drivers/net/wireless/realtek/rtw89/mac80211.c
index 93889d2fface11d75512ca2c763273ffbf68ef55..956a06c8cdaab3a974987e8cf93219b94490f703 100644 (file)
--- a/drivers/net/wireless/realtek/rtw89/mac80211.c
+++ b/drivers/net/wireless/realtek/rtw89/mac80211.c
@@ -441,7 +441,7 @@ static void rtw89_ops_bss_info_changed(struct ieee80211_hw *hw,
                         * when disconnected by peer
                         */
                        if (rtwdev->scanning)
-                               rtw89_hw_scan_abort(rtwdev, vif);
+                               rtw89_hw_scan_abort(rtwdev, rtwdev->scan_info.scanning_vif);
                }
        }
 
@@ -990,7 +990,7 @@ static int rtw89_ops_remain_on_channel(struct ieee80211_hw *hw,
        }
 
        if (rtwdev->scanning)
-               rtw89_hw_scan_abort(rtwdev, vif);
+               rtw89_hw_scan_abort(rtwdev, rtwdev->scan_info.scanning_vif);
 
        if (type == IEEE80211_ROC_TYPE_MGMT_TX)
                roc->state = RTW89_ROC_MGMT;