From: Zac Bowling
To: zbowling@gmail.com
Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org, lorenzo@kernel.org, nbd@nbd.name, ryder.lee@mediatek.com, sean.wang@mediatek.com
Subject: [PATCH] wifi: mt76: mt7925: add NULL checks for MLO link pointers in MCU functions
Date: Fri, 2 Jan 2026 12:03:12 -0800
Message-ID: <20260102200315.290015-4-zbowling@gmail.com>
X-Mailer: git-send-email 2.51.0
In-Reply-To: <20260102200315.290015-1-zbowling@gmail.com>
References: <20260101062543.186499-1-zbowling@gmail.com> <20260102200315.290015-1-zbowling@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Several MCU functions dereference pointers returned by mt792x_sta_to_link() and mt792x_vif_to_link() without checking for NULL. During MLO state transitions, these functions can return NULL when link state is being set up or torn down, causing kernel NULL pointer dereferences.

Add NULL checks in the following functions:

- mt7925_mcu_sta_hdr_trans_tlv(): Check mlink before dereferencing wcid
- mt7925_mcu_wtbl_update_hdr_trans(): Check mlink and mconf before use
- mt7925_mcu_sta_amsdu_tlv(): Check mlink before setting amsdu flag
- mt7925_mcu_sta_mld_tlv(): Check mconf and mlink in link iteration loop
- mt7925_mcu_sta_update(): Initialize mlink to NULL and check both link_sta and mlink in the ternary condition

These race conditions can occur during:

- MLO link setup/teardown
- Station add/remove operations
- Firmware command generation during state transitions

The fixes follow the pattern used in mt7996 and ath12k drivers for similar MLO link state handling.

Signed-off-by: Zac Bowling
---
 mt7925/mcu.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/mt7925/mcu.c b/mt7925/mcu.c index bd38807e..b9c4b99d 100644 --- a/mt7925/mcu.c +++ b/mt7925/mcu.c @@ -1087,6 +1087,8 @@ mt7925_mcu_sta_hdr_trans_tlv(struct sk_buff *skb, struct mt792x_link_sta *mlink; =20 mlink =3D mt792x_sta_to_link(msta, link_sta->link_id); + if (!mlink) + return; wcid =3D &mlink->wcid; } else { wcid =3D &mvif->sta.deflink.wcid; @@ -1120,6 +1122,9 @@ int mt7925_mcu_wtbl_update_hdr_trans(struct mt792x_de= v *dev, link_sta =3D mt792x_sta_to_link_sta(vif, sta, link_id); mconf =3D mt792x_vif_to_link(mvif, link_id); =20 + if (!mlink || !mconf) + return -EINVAL; + skb =3D __mt76_connac_mcu_alloc_sta_req(&dev->mt76, &mconf->mt76, &mlink->wcid, MT7925_STA_UPDATE_MAX_SIZE); @@ -1741,6 +1746,8 @@ mt7925_mcu_sta_amsdu_tlv(struct sk_buff *skb, amsdu->amsdu_en =3D true; =20 mlink =3D mt792x_sta_to_link(msta, link_sta->link_id); + if (!mlink) + return; mlink->wcid.amsdu =3D true; =20 switch (link_sta->agg.max_amsdu_len) { @@ -1935,6 +1942,9 @@ mt7925_mcu_sta_mld_tlv(struct sk_buff *skb, =20 mconf =3D mt792x_vif_to_link(mvif, i); mlink =3D mt792x_sta_to_link(msta, i); + if (!mconf || !mlink) + continue; + mld->link[cnt].wlan_id =3D cpu_to_le16(mlink->wcid.idx); mld->link[cnt++].bss_idx =3D mconf->mt76.idx; =20 @@ -2027,13 +2037,13 @@ int mt7925_mcu_sta_update(struct mt792x_dev *dev, .rcpi =3D to_rcpi(rssi), }; struct mt792x_sta *msta; - struct mt792x_link_sta *mlink; + struct mt792x_link_sta *mlink =3D NULL; =20 if (link_sta) { msta =3D (struct mt792x_sta *)link_sta->sta->drv_priv; mlink =3D mt792x_sta_to_link(msta, link_sta->link_id); } - info.wcid =3D link_sta ? &mlink->wcid : &mvif->sta.deflink.wcid; + info.wcid =3D (link_sta && mlink) ? &mlink->wcid : &mvif->sta.deflink.wci= d; info.newly =3D state !=3D MT76_STA_INFO_STATE_ASSOC; =20 return mt7925_mcu_sta_cmd(&dev->mphy, &info); --=20 2.51.0
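Review bot: in mt7925_mcu_sta_hdr_trans_tlv(), the bare `return` on a NULL mlink silently drops the header-translation TLV from a command the caller goes on to send, and because the function is void there is no way to tell the caller it happened. The existing else branch falls back to `&mvif->sta.deflink.wcid`; either make that fallback explicit for the NULL case as well, or give the caller a way to abort the whole update, but pick one and state it in the commit message. Since the commit message describes these as races with link teardown, a NULL test at the lookup only narrows the window unless whatever protects the link array is held for the rest of the TLV build, so please say which lock is held on this path. A Fixes: tag would also help stable pick this up.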
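Review bot: in mt7925_mcu_wtbl_update_hdr_trans(), the new `if (!mlink || !mconf) return -EINVAL;` guards two of the three per-link lookups but not `link_sta`, which is fetched on the line just above via mt792x_sta_to_link_sta() from the same link_id; if link_sta is dereferenced later in the function, or handed to mt7925_mcu_sta_hdr_trans_tlv(), which reads `link_sta->link_id`, it needs the same check. -EINVAL also tells the caller it passed a bad argument, when what happened is that the link is mid-setup or mid-teardown; -ENOLINK or -ENOENT would describe the condition the commit message is actually fixing.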
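Review bot: in mt7925_mcu_sta_amsdu_tlv(), the NULL check lands after `amsdu->amsdu_en = true;`, so on the early return the TLV already in the skb has amsdu_en set while the fields the following `switch (link_sta->agg.max_amsdu_len)` would fill are left at their zero-initialised values, which hands the firmware a half-built A-MSDU TLV that enables aggregation with no parameters. Move the mt792x_sta_to_link() lookup and the `if (!mlink) return;` above the `amsdu_en` assignment, or clear `amsdu_en` before returning.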
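Review bot: in mt7925_mcu_sta_mld_tlv(), `continue` on a missing mconf or mlink skips the slot without bumping cnt, which keeps `mld->link[]` compact, but the hunk does not show where the TLV's link-count field comes from; if it is computed from the vif's valid-links mask elsewhere rather than from cnt after this loop, the firmware will now read one more entry than was written. Please confirm the count is set from cnt, or set it after the loop so it cannot disagree with the entries actually filled.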
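Review bot: in mt7925_mcu_sta_update(), `(link_sta && mlink) ? &mlink->wcid : &mvif->sta.deflink.wcid` turns a missing link into a silent retarget: a state update meant for link_sta->link_id is instead issued against the vif's default-link wcid, so the firmware receives a station command for the wrong entry with `.newly` derived from the caller's state. When link_sta is set but mlink is NULL, returning an error (or skipping the command) is safer than falling back to deflink. Minor: with mlink initialised to NULL and only assigned inside `if (link_sta)`, the `link_sta &&` in the ternary is redundant.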