From: Zac Bowling
To: linux-wireless@vger.kernel.org
Cc: linux-mediatek@lists.infradead.org, linux-kernel@vger.kernel.org, kvalo@kernel.org, lorenzo@kernel.org, nbd@nbd.name, sean.wang@mediatek.com, deren.wu@mediatek.com, ryder.lee@mediatek.com
Subject: [PATCH] wifi: mt76: mt792x: fix NULL pointer dereference in TX path
Date: Wed, 31 Dec 2025 22:20:23 -0800
Message-ID: <20260101062024.181697-1-zbowling@gmail.com>
From: Zac Bowling

Add NULL pointer checks in mt792x_tx() to prevent kernel crashes when transmitting packets during MLO link removal.

The function calls mt792x_sta_to_link(), which can return NULL if the link is being removed, but the return value was dereferenced without checking. Similarly, the RCU-protected link_conf and link_sta pointers were used without NULL validation.

This race can occur when:
1. A packet is queued for transmission
2. Concurrently, the link is being removed (mt7925_mac_link_sta_remove)
3. mt792x_sta_to_link() returns NULL for the removed link
4. Kernel crashes on wcid = &mlink->wcid dereference

Fix by:
- Check mlink return value before dereferencing wcid
- Check RCU-dereferenced conf and link_sta before use
- Free the SKB and return early if any pointer is NULL

This affects both MT7921 and MT7925 drivers as mt792x_core.c is shared.

Reported-by: Zac Bowling
Signed-off-by: Zac Bowling
---
 drivers/net/wireless/mediatek/mt76/mt792x_core.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/mediatek/mt76/mt792x_core.c b/drivers/net= /wireless/mediatek/mt76/mt792x_core.c index f2ed16feb6c1..9dc768aa8b9c 100644 --- a/drivers/net/wireless/mediatek/mt76/mt792x_core.c +++ b/drivers/net/wireless/mediatek/mt76/mt792x_core.c @@ -95,6 +95,8 @@ void mt792x_tx(struct ieee80211_hw *hw, struct ieee80211_= tx_control *control, IEEE80211_TX_CTRL_MLO_LINK); sta =3D (struct mt792x_sta *)control->sta->drv_priv; mlink =3D mt792x_sta_to_link(sta, link_id); + if (!mlink) + goto free_skb; wcid =3D &mlink->wcid; } =20 
@@ -113,9 +115,12 @@ void mt792x_tx(struct ieee80211_hw *hw, struct ieee802= 11_tx_control *control, link_id =3D wcid->link_id; rcu_read_lock(); conf =3D rcu_dereference(vif->link_conf[link_id]); - memcpy(hdr->addr2, conf->addr, ETH_ALEN); - link_sta =3D rcu_dereference(control->sta->link[link_id]); + if (!conf || !link_sta) { + rcu_read_unlock(); + goto free_skb; + } + memcpy(hdr->addr2, conf->addr, ETH_ALEN); memcpy(hdr->addr1, link_sta->addr, ETH_ALEN); =20 if (vif->type =3D=3D NL80211_IFTYPE_STATION) @@ -136,6 +141,10 @@ void mt792x_tx(struct ieee80211_hw *hw, struct ieee802= 11_tx_control *control, } =20 mt76_connac_pm_queue_skb(hw, &dev->pm, wcid, skb); + return; + +free_skb: + ieee80211_free_txskb(hw, skb); } EXPORT_SYMBOL_GPL(mt792x_tx); =20 --=20 2.51.0
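Review bot: the new `if (!mlink) goto free_skb;` guard in the first hunk (after `mlink = mt792x_sta_to_link(sta, link_id);`) drops the frame silently, so a TX stall caused by this race would leave no trace in the logs; consider a rate-limited debug message, or at least a comment at the goto saying the link is being torn down, so the drop is visible when diagnosing. The guard itself is correct, and the goto is balanced by the free_skb label added in the last hunk, which is reached here with no RCU read lock held since rcu_read_lock() only comes later in the function.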
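Review bot: the early exit in the second hunk is correctly balanced, since `rcu_read_unlock();` runs before `goto free_skb;`, but the reason `memcpy(hdr->addr2, conf->addr, ETH_ALEN);` moves below the `if (!conf || !link_sta)` check is only recoverable by reading the diff; a one-line comment above the check noting that either pointer can be NULL while the MLO link is being removed would help the next reader. It is also worth noting in the commit message that `link_id = wcid->link_id;` indexes both `vif->link_conf[link_id]` and `control->sta->link[link_id]`, which is why both pointers have to be validated together, and that the check placed here also protects the later `conf->bssid` use in the `NL80211_IFTYPE_STATION` branch that follows in the same RCU section.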
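Review bot: `ieee80211_free_txskb(hw, skb);` under the new free_skb label in the third hunk is the right call rather than a plain dev_kfree_skb(), because it hands the dropped frame back to mac80211 so TX status is reported, but the `return;` added after `mt76_connac_pm_queue_skb(hw, &dev->pm, wcid, skb);` leaves the label reachable only via the two gotos, and nothing documents the invariant that it must be entered with the RCU read lock already released; a brief comment at the label stating that would make the contract explicit for anyone adding a third error path later.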