From: Zac Bowling
To: linux-wireless@vger.kernel.org
Cc: linux-mediatek@lists.infradead.org, linux-kernel@vger.kernel.org, kvalo@kernel.org, lorenzo@kernel.org, nbd@nbd.name, sean.wang@mediatek.com, deren.wu@mediatek.com, ryder.lee@mediatek.com
Subject: [PATCH] wifi: mt76: mt7925: add NULL checks for link_conf and mlink in main.c
Date: Wed, 31 Dec 2025 22:25:13 -0800
Message-ID: <20260101062514.186040-2-zbowling@gmail.com>
In-Reply-To: <20260101062514.186040-1-zbowling@gmail.com>
References: <20260101062514.186040-1-zbowling@gmail.com>

From: Zac Bowling

Add NULL pointer checks throughout main.c for functions that call
mt792x_vif_to_bss_conf(), mt792x_vif_to_link(), and mt792x_sta_to_link()
without verifying the return value before dereferencing.

Functions fixed:
- mt7925_set_key(): Check link_conf, mconf, and mlink before use
- mt7925_mac_link_sta_add(): Check link_conf before BSS info update
- mt7925_mac_link_sta_assoc(): Check mlink and link_conf before use
- mt7925_mac_link_sta_remove(): Check mlink and link_conf, add goto label
  for proper cleanup path
- mt7925_change_vif_links(): Check link_conf before adding BSS

These functions can receive NULL when the link configuration in mac80211
is not yet synchronized with the driver's link tracking during MLO
operations or state transitions. Without these checks, the driver will
crash with NULL pointer dereferences during station add/remove/association
operations.

Reported-by: Zac Bowling
Signed-off-by: Zac Bowling
--- .../net/wireless/mediatek/mt76/mt7925/main.c | 27 ++++++++++++++++--- 1 file changed, 23 insertions(+), 4 deletions(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/main.c b/drivers/net= /wireless/mediatek/mt76/mt7925/main.c index 9f17b21aef1c..7d3322461bcf 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c @@ -604,6 +604,10 @@ static int mt7925_set_link_key(struct ieee80211_hw *hw= , enum set_key_cmd cmd, link_sta =3D sta ? mt792x_sta_to_link_sta(vif, sta, link_id) : NULL; mconf =3D mt792x_vif_to_link(mvif, link_id); mlink =3D mt792x_sta_to_link(msta, link_id); + + if (!link_conf || !mconf || !mlink) + return -EINVAL; + wcid =3D &mlink->wcid; wcid_keyidx =3D &wcid->hw_key_idx; =20 
@@ -889,6 +893,8 @@ static int mt7925_mac_link_sta_add(struct mt76_dev *mde= v, MT_WTBL_UPDATE_ADM_COUNT_CLEAR); =20 link_conf =3D mt792x_vif_to_bss_conf(vif, link_id); + if (!link_conf) + return -EINVAL; =20 /* should update bss info before STA add */ if (vif->type =3D=3D NL80211_IFTYPE_STATION && !link_sta->sta->tdls) { @@ -1034,6 +1040,8 @@ static void mt7925_mac_link_sta_assoc(struct mt76_dev= *mdev, =20 msta =3D (struct mt792x_sta *)link_sta->sta->drv_priv; mlink =3D mt792x_sta_to_link(msta, link_sta->link_id); + if (!mlink) + return; =20 mt792x_mutex_acquire(dev); =20 @@ -1043,12 +1051,13 @@ static void mt7925_mac_link_sta_assoc(struct mt76_d= ev *mdev, link_conf =3D mt792x_vif_to_bss_conf(vif, vif->bss_conf.link_id); } =20 - if (vif->type =3D=3D NL80211_IFTYPE_STATION && !link_sta->sta->tdls) { + if (link_conf && vif->type =3D=3D NL80211_IFTYPE_STATION && !link_sta->st= a->tdls) { struct mt792x_bss_conf *mconf; =20 mconf =3D mt792x_link_conf_to_mconf(link_conf); - mt7925_mcu_add_bss_info(&dev->phy, mconf->mt76.ctx, - link_conf, link_sta, true); + if (mconf) + mt7925_mcu_add_bss_info(&dev->phy, mconf->mt76.ctx, + link_conf, link_sta, true); } =20 ewma_avg_signal_init(&mlink->avg_ack_signal); @@ -1095,6 +1104,8 @@ static void mt7925_mac_link_sta_remove(struct mt76_de= v *mdev, =20 msta =3D (struct mt792x_sta *)link_sta->sta->drv_priv; mlink =3D mt792x_sta_to_link(msta, link_id); + if (!mlink) + return; =20 mt7925_roc_abort_sync(dev); =20 @@ -1108,10 +1119,12 @@ static void mt7925_mac_link_sta_remove(struct mt76_= dev *mdev, =20 link_conf =3D mt792x_vif_to_bss_conf(vif, link_id); =20 - if (vif->type =3D=3D NL80211_IFTYPE_STATION && !link_sta->sta->tdls) { + if (link_conf && vif->type =3D=3D NL80211_IFTYPE_STATION && !link_sta->st= a->tdls) { struct mt792x_bss_conf *mconf; =20 mconf =3D mt792x_link_conf_to_mconf(link_conf); + if (!mconf) + goto out; =20 if (ieee80211_vif_is_mld(vif)) mt792x_mac_link_bss_remove(dev, mconf, mlink); 
@@ -1119,6 +1132,7 @@ static void mt7925_mac_link_sta_remove(struct mt76_de= v *mdev, mt7925_mcu_add_bss_info(&dev->phy, mconf->mt76.ctx, link_conf, link_sta, false); } +out: =20 spin_lock_bh(&mdev->sta_poll_lock); if (!list_empty(&mlink->wcid.poll_list)) @@ -2031,6 +2045,11 @@ mt7925_change_vif_links(struct ieee80211_hw *hw, str= uct ieee80211_vif *vif, mlink =3D mlinks[link_id]; link_conf =3D mt792x_vif_to_bss_conf(vif, link_id); =20 + if (!link_conf) { + err =3D -EINVAL; + goto free; + } + rcu_assign_pointer(mvif->link_conf[link_id], mconf); rcu_assign_pointer(mvif->sta.link[link_id], mlink); =20 --=20 2.51.0
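
Review bot: in the mt7925_set_link_key() hunk (@@ -604), the new `if (!link_conf || !mconf || !mlink)` check returns -EINVAL for every `cmd`, so a key removal that arrives after the link has already gone away now reports failure to the caller. Consider returning 0 on the removal path, or explain in the changelog why an error is the right answer there. The changelog also lists this function as mt7925_set_key(), while the hunk header shows the change is in mt7925_set_link_key(); the commit message should name the function actually touched.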
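
Review bot: in the mt7925_mac_link_sta_add() hunk (@@ -889), the `if (!link_conf) return -EINVAL;` sits after the call whose last argument is MT_WTBL_UPDATE_ADM_COUNT_CLEAR, so the function bails out with earlier setup already done and nothing unwinding it. Either move the mt792x_vif_to_bss_conf() lookup and its check ahead of that setup, or route the failure through whatever cleanup the function otherwise needs.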
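
Review bot: in the first mt7925_mac_link_sta_assoc() hunk (@@ -1034), `if (!mlink) return;` drops the association silently in a void callback, so the mac80211/driver desync described in the changelog leaves no trace when it happens. A WARN_ON_ONCE() or a debug print on this path would make the condition diagnosable. The placement before mt792x_mutex_acquire() is right, since nothing needs releasing on the early return.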
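
Review bot: in the second mt7925_mac_link_sta_assoc() hunk (@@ -1043), a NULL link_conf or mconf now skips mt7925_mcu_add_bss_info() but the function carries on to ewma_avg_signal_init() and the rest of the association, so the station can proceed without the BSS info update. The sta_add path carries the comment "should update bss info before STA add"; if the same ordering matters here, bail out (after releasing the mutex) instead of continuing. The NULL handling is also styled differently from the sta_remove hunk, which uses `if (!mconf) goto out;`; pick one form.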
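
Review bot: in the first mt7925_mac_link_sta_remove() hunk (@@ -1095), the `if (!mlink) return;` is placed ahead of mt7925_roc_abort_sync(dev), which takes only `dev`, so a NULL mlink now skips the ROC abort as well as the mlink-specific teardown. If the abort is needed regardless of link state, move the check below it.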
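
Review bot: in the mt7925_mac_link_sta_remove() hunk at @@ -1108, `if (!mconf) goto out;` jumps to a label that the following hunk places immediately after the closing brace of the same block, so the goto only skips the two calls that follow it. Wrapping those calls in `if (mconf) { ... }`, as the sta_assoc hunk does, avoids the label altogether. If the label stays, the blank line should sit above `out:` rather than between the label and spin_lock_bh().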
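
Review bot: in the mt7925_change_vif_links() hunk (@@ -2031), the `goto free` on a NULL link_conf is taken before this link's rcu_assign_pointer() calls, but if this code runs once per link_id, a failure on a later link reaches `free` after earlier links were already published in mvif->link_conf[] and mvif->sta.link[]. Confirm that the `free` path clears those published pointers before releasing the memory; otherwise do the link_conf lookups for all links before publishing any of them.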