From: Zac Bowling
To: zbowling@gmail.com
Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org, lorenzo@kernel.org, nbd@nbd.name, ryder.lee@mediatek.com, sean.wang@mediatek.com
Subject: [PATCH 01/17] wifi: mt76: mt7925: fix NULL pointer dereference in vif iteration
Date: Sun, 4 Jan 2026 16:26:22 -0800
Message-ID: <20260105002638.668723-2-zbowling@gmail.com>
In-Reply-To: <20260105002638.668723-1-zbowling@gmail.com>
References: <20260102200524.290779-1-zbowling@gmail.com> <20260105002638.668723-1-zbowling@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

mt792x_vif_to_bss_conf() can return NULL when iterating over valid_links during HW reset or other state transitions, because the link configuration in mac80211 may not be set up yet even though the driver's valid_links bitmap has the link marked as valid.

This causes a NULL pointer dereference in mt76_connac_mcu_uni_add_dev() when it tries to access bss_conf->vif->type, and similar crashes in other functions that use bss_conf without checking.

This crash was observed on Framework Desktop (AMD Ryzen AI Max 300) with MT7925 (RZ717) running kernel 6.17. The panic occurs during BSSID roaming when the adapter attempts to switch to a better access point:

  BUG: kernel NULL pointer dereference, address: 0000000000000010
  CPU: 1 UID: 0 PID: 8362 Comm: kworker/u128:10 Tainted: G OE
  Workqueue: mt76 mt7925_mac_reset_work [mt7925_common]
  RIP: 0010:mt76_connac_mcu_uni_add_dev+0x9c/0x780 [mt76_connac_lib]
  Call Trace:
   mt7925_vif_connect_iter+0xcb/0x240 [mt7925_common]
   __iterate_interfaces+0x92/0x130 [mac80211]
   ieee80211_iterate_interfaces+0x3d/0x60 [mac80211]
   mt7925_mac_reset_work+0x105/0x190 [mt7925_common]
   process_one_work+0x18b/0x370
   worker_thread+0x317/0x450

The issue manifests approximately every 5 minutes when the adapter tries to hop to a better BSSID, causing system-wide hangs where network commands (ip, ifconfig, etc.) hang indefinitely.

Add NULL checks for bss_conf before using it in:
- mt7925_vif_connect_iter()
- mt7925_change_vif_links()
- mt7925_mac_sta_assoc()
- mt7925_mac_sta_remove_links()

Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips")
Link: https://community.frame.work/t/kernel-panic-from-wifi-mediatek-mt7925-nullptr-dereference/79301
Reported-by: Zac Bowling
Tested-by: Zac Bowling
Signed-off-by: Zac Bowling
--- drivers/net/wireless/mediatek/mt76/mt7925/mac.c | 6 ++++++ drivers/net/wireless/mediatek/mt76/mt7925/main.c | 8 ++++++++ 2 files changed, 14 insertions(+) diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mac.c b/drivers/net/= wireless/mediatek/mt76/mt7925/mac.c index 871b67101976..184efe8afa10 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/mac.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/mac.c 
@@ -1271,6 +1271,12 @@ mt7925_vif_connect_iter(void *priv, u8 *mac, bss_conf =3D mt792x_vif_to_bss_conf(vif, i); mconf =3D mt792x_vif_to_link(mvif, i); =20 + /* Skip links that don't have bss_conf set up yet in mac80211. + * This can happen during HW reset when link state is inconsistent. + */ + if (!bss_conf) + continue; + mt76_connac_mcu_uni_add_dev(&dev->mphy, bss_conf, &mconf->mt76, &mvif->sta.deflink.wcid, true); mt7925_mcu_set_tx(dev, bss_conf); diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/main.c b/drivers/net= /wireless/mediatek/mt76/mt7925/main.c index 2d358a96640c..3001a62a8b67 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c @@ -1304,6 +1304,8 @@ mt7925_mlo_pm_iter(void *priv, u8 *mac, struct ieee80= 211_vif *vif) mt792x_mutex_acquire(dev); for_each_set_bit(i, &valid, IEEE80211_MLD_MAX_NUM_LINKS) { bss_conf =3D mt792x_vif_to_bss_conf(vif, i); + if (!bss_conf) + continue; mt7925_mcu_uni_bss_ps(dev, bss_conf); } mt792x_mutex_release(dev); @@ -1630,6 +1632,8 @@ static void mt7925_ipv6_addr_change(struct ieee80211_= hw *hw, =20 for_each_set_bit(i, &valid, IEEE80211_MLD_MAX_NUM_LINKS) { bss_conf =3D mt792x_vif_to_bss_conf(vif, i); + if (!bss_conf) + continue; __mt7925_ipv6_addr_change(hw, bss_conf, idev); } } @@ -1861,6 +1865,8 @@ static void mt7925_vif_cfg_changed(struct ieee80211_h= w *hw, if (changed & BSS_CHANGED_ARP_FILTER) { for_each_set_bit(i, &valid, IEEE80211_MLD_MAX_NUM_LINKS) { bss_conf =3D mt792x_vif_to_bss_conf(vif, i); + if (!bss_conf) + continue; mt7925_mcu_update_arp_filter(&dev->mt76, bss_conf); } } 
@@ -1876,6 +1882,8 @@ static void mt7925_vif_cfg_changed(struct ieee80211_h= w *hw, } else if (mvif->mlo_pm_state =3D=3D MT792x_MLO_CHANGED_PS) { for_each_set_bit(i, &valid, IEEE80211_MLD_MAX_NUM_LINKS) { bss_conf =3D mt792x_vif_to_bss_conf(vif, i); + if (!bss_conf) + continue; mt7925_mcu_uni_bss_ps(dev, bss_conf); } } --=20 2.51.0
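
Review bot: In the mt7925_vif_connect_iter() hunk of [PATCH 01/17] the new check covers only bss_conf, while mconf from mt792x_vif_to_link(mvif, i) is assigned on the line just above and then passed on as &mconf->mt76 with no check. Patch 04 of this series states that mt792x_vif_to_link() can also return NULL during link state transitions, so this loop should test both, e.g. `if (!bss_conf || !mconf) continue;`, or the commit message should say why mconf cannot be NULL on the reset path.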
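
Review bot: The function list in the [PATCH 01/17] commit message does not match the main.c hunks: the message names mt7925_change_vif_links(), mt7925_mac_sta_assoc() and mt7925_mac_sta_remove_links(), but the diff adds checks in mt7925_mlo_pm_iter(), mt7925_ipv6_addr_change() and mt7925_vif_cfg_changed(). Please make the message describe what the patch changes, and give the main.c call sites the same short comment the mac.c hunk has, since a bare `continue` there skips the PS, IPv6 and ARP-filter update for that link without explanation.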
From: Zac Bowling
To: zbowling@gmail.com
Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org, lorenzo@kernel.org, nbd@nbd.name, ryder.lee@mediatek.com, sean.wang@mediatek.com
Subject: [PATCH 02/17] wifi: mt76: mt7925: fix missing mutex protection in reset and ROC abort
Date: Sun, 4 Jan 2026 16:26:23 -0800
Message-ID: <20260105002638.668723-3-zbowling@gmail.com>
In-Reply-To: <20260105002638.668723-1-zbowling@gmail.com>
References: <20260102200524.290779-1-zbowling@gmail.com> <20260105002638.668723-1-zbowling@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

During firmware recovery and ROC (Remain On Channel) abort operations, the driver iterates over active interfaces and calls MCU functions that require the device mutex to be held, but the mutex was not acquired.

This causes system-wide deadlocks where the system becomes completely unresponsive. From logs on affected systems:

  INFO: task kworker/u128:0:48737 blocked for more than 122 seconds.
  Workqueue: mt76 mt7925_mac_reset_work [mt7925_common]
  Call Trace:
   __schedule+0x426/0x12c0
   schedule+0x27/0xf0
   schedule_preempt_disabled+0x15/0x30
   __mutex_lock.constprop.0+0x3d0/0x6d0
   mt7925_mac_reset_work+0x85/0x170 [mt7925_common]

The deadlock manifests approximately every 5 minutes when the adapter tries to hop to a better BSSID, triggering firmware reset. Network commands (ip, ifconfig, etc.) hang indefinitely, processes get stuck in uninterruptible sleep (D state), and reboot hangs as well.

Add mutex protection around interface iteration in:
- mt7925_mac_reset_work(): Called during firmware recovery after MCU timeouts to reconnect all interfaces
- mt7925_roc_abort_sync() in suspend path: Called during suspend to clean up Remain On Channel operations

This matches the pattern used in mt7615 and other MediaTek drivers where interface iteration callbacks invoke MCU functions with mutex held:

  // mt7615/main.c - roc_work has mutex protection
  mt7615_mutex_acquire(phy->dev);
  ieee80211_iterate_active_interfaces(...);
  mt7615_mutex_release(phy->dev);

Note: Sean Wang from MediaTek has submitted an alternative fix for the ROC path using cancel_delayed_work() instead of cancel_delayed_work_sync(). Both approaches address the deadlock; this one adds explicit mutex protection which may be superseded by the upstream fix.

Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips")
Link: https://community.frame.work/t/kernel-panic-from-wifi-mediatek-mt7925-nullptr-dereference/79301
Reported-by: Zac Bowling
Tested-by: Zac Bowling
Signed-off-by: Zac Bowling
--- drivers/net/wireless/mediatek/mt76/mt7925/mac.c | 2 ++ drivers/net/wireless/mediatek/mt76/mt7925/pci.c | 2 ++ 2 files changed, 4 insertions(+) diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mac.c b/drivers/net/= wireless/mediatek/mt76/mt7925/mac.c index 184efe8afa10..06420ac6ed55 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/mac.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/mac.c @@ -1331,9 +1331,11 @@ void mt7925_mac_reset_work(struct work_struct *work) dev->hw_full_reset =3D false; pm->suspended =3D false; ieee80211_wake_queues(hw); + mt792x_mutex_acquire(dev); ieee80211_iterate_active_interfaces(hw, IEEE80211_IFACE_ITER_RESUME_ALL, mt7925_vif_connect_iter, NULL); + mt792x_mutex_release(dev); mt76_connac_power_save_sched(&dev->mt76.phy, pm); =20 mt7925_regd_change(&dev->phy, "00"); 
diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/pci.c b/drivers/net/= wireless/mediatek/mt76/mt7925/pci.c index c4161754c01d..e9d62c6aee91 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/pci.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/pci.c 
@@ -455,7 +455,9 @@ static int mt7925_pci_suspend(struct device *device) cancel_delayed_work_sync(&pm->ps_work); cancel_work_sync(&pm->wake_work); =20 + mt792x_mutex_acquire(dev); mt7925_roc_abort_sync(dev); + mt792x_mutex_release(dev); =20 err =3D mt792x_mcu_drv_pmctrl(dev); if (err < 0) --=20 2.51.0
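
Review bot: The rationale for the mt7925_mac_reset_work() hunk of [PATCH 02/17] does not follow from the quoted trace, which shows the worker blocked inside __mutex_lock, i.e. waiting on a mutex that some other context holds; a missing lock would produce a race, not that hang. Please name the lock the worker was waiting for and its holder, and confirm the device mutex is not already held where the new mt792x_mutex_acquire() is placed, since acquiring it a second time in the same function would self-deadlock.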
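
Review bot: In the mt7925_pci_suspend() hunk of [PATCH 02/17] the mutex is now held across mt7925_roc_abort_sync(), and the commit message itself refers to cancel_delayed_work_sync() in the ROC path. If the work being cancelled synchronously takes the same device mutex, this hunk creates a deadlock in suspend instead of removing one. Please show that the ROC work never acquires the mutex, or drop this hunk in favour of the alternative fix the message mentions.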
From: Zac Bowling
To: zbowling@gmail.com
Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org, lorenzo@kernel.org, nbd@nbd.name, ryder.lee@mediatek.com, sean.wang@mediatek.com
Subject: [PATCH 03/17] wifi: mt76: mt7925: fix missing mutex protection in runtime PM and MLO PM
Date: Sun, 4 Jan 2026 16:26:24 -0800
Message-ID: <20260105002638.668723-4-zbowling@gmail.com>
In-Reply-To: <20260105002638.668723-1-zbowling@gmail.com>
References: <20260102200524.290779-1-zbowling@gmail.com> <20260105002638.668723-1-zbowling@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Two additional code paths iterate over active interfaces and call MCU functions without proper mutex protection:

1. mt7925_set_runtime_pm(): Called when runtime PM settings change. The callback mt7925_pm_interface_iter() calls mt7925_mcu_set_beacon_filter() which in turn calls mt7925_mcu_set_rxfilter(). These MCU functions require the device mutex to be held.

2. mt7925_mlo_pm_work(): A workqueue function for MLO power management. The callback mt7925_mlo_pm_iter() was acquiring mutex internally, which is inconsistent with the rest of the driver where the caller holds the mutex during interface iteration.

These bugs can cause deadlocks when:
- Power management settings are changed while WiFi is active
- MLO power save state transitions occur during roaming

Move the mutex to the caller in mt7925_mlo_pm_work() for consistency with the rest of the driver, and add mutex protection in mt7925_set_runtime_pm().

Found through static analysis (clang-tidy) and comparison with the MT7615 driver which correctly acquires mutex before interface iteration.

Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips")
Reported-by: Zac Bowling
Tested-by: Zac Bowling
Signed-off-by: Zac Bowling
--- drivers/net/wireless/mediatek/mt76/mt7925/main.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/main.c b/drivers/net= /wireless/mediatek/mt76/mt7925/main.c index 3001a62a8b67..9f17b21aef1c 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c @@ -751,9 +751,11 @@ void mt7925_set_runtime_pm(struct mt792x_dev *dev) bool monitor =3D !!(hw->conf.flags & IEEE80211_CONF_MONITOR); =20 pm->enable =3D pm->enable_user && !monitor; + mt792x_mutex_acquire(dev); ieee80211_iterate_active_interfaces(hw, IEEE80211_IFACE_ITER_RESUME_ALL, mt7925_pm_interface_iter, dev); + mt792x_mutex_release(dev); pm->ds_enable =3D pm->ds_enable_user && !monitor; mt7925_mcu_set_deep_sleep(dev, pm->ds_enable); } @@ -1301,14 +1303,12 @@ mt7925_mlo_pm_iter(void *priv, u8 *mac, struct ieee= 80211_vif *vif) if (mvif->mlo_pm_state !=3D MT792x_MLO_CHANGED_PS) return; =20 - mt792x_mutex_acquire(dev); for_each_set_bit(i, &valid, IEEE80211_MLD_MAX_NUM_LINKS) { bss_conf =3D mt792x_vif_to_bss_conf(vif, i); if (!bss_conf) continue; mt7925_mcu_uni_bss_ps(dev, bss_conf); } - mt792x_mutex_release(dev); } =20 void mt7925_mlo_pm_work(struct work_struct *work) 
@@ -1317,9 +1317,11 @@ void mt7925_mlo_pm_work(struct work_struct *work) mlo_pm_work.work); struct ieee80211_hw *hw =3D mt76_hw(dev); =20 + mt792x_mutex_acquire(dev); ieee80211_iterate_active_interfaces(hw, IEEE80211_IFACE_ITER_RESUME_ALL, mt7925_mlo_pm_iter, dev); + mt792x_mutex_release(dev); } =20 void mt7925_scan_work(struct work_struct *work) --=20 2.51.0
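
Review bot: The mt7925_set_runtime_pm() hunk of [PATCH 03/17] takes the device mutex unconditionally, so any caller that already holds it will now deadlock on itself, and the commit message does not list the call sites that were checked. Please enumerate the callers in the message. The statement that the missing lock "can cause deadlocks" also needs an explanation, since an absent lock normally produces a race rather than a deadlock, and the change was found by static analysis rather than from a reported hang.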
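
Review bot: With the acquire/release pair removed from mt7925_mlo_pm_iter() in [PATCH 03/17], the iterator is only correct when every caller holds the device mutex, and nothing in the function enforces or documents that. Add a lockdep assertion on the device mutex at the top of mt7925_mlo_pm_iter() so a caller that forgets the lock is caught in testing, and confirm in the commit message that mt7925_mlo_pm_work() is its only user.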
From: Zac Bowling
To: zbowling@gmail.com
Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org, lorenzo@kernel.org, nbd@nbd.name, ryder.lee@mediatek.com, sean.wang@mediatek.com
Subject: [PATCH 04/17] wifi: mt76: mt7925: add NULL checks in MCU STA TLV functions
Date: Sun, 4 Jan 2026 16:26:25 -0800
Message-ID: <20260105002638.668723-5-zbowling@gmail.com>
In-Reply-To: <20260105002638.668723-1-zbowling@gmail.com>
References: <20260102200524.290779-1-zbowling@gmail.com> <20260105002638.668723-1-zbowling@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Add NULL pointer checks for link_conf and mconf in:
- mt7925_mcu_sta_phy_tlv(): builds PHY capability TLV for station record
- mt7925_mcu_sta_rate_ctrl_tlv(): builds rate control TLV for station record

Both functions call mt792x_vif_to_bss_conf() and mt792x_vif_to_link() which can return NULL during MLO link state transitions when the link configuration in mac80211 is not yet synchronized with the driver's link tracking.

Without these checks, the driver will crash with a NULL pointer dereference when accessing link_conf->chanreq.oper or link_conf->basic_rates.

Found through static analysis (clang-tidy pattern matching for unchecked return values from functions known to return NULL).

Reported-by: Zac Bowling
Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips")
Signed-off-by: Zac Bowling
--- drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c b/drivers/net/= wireless/mediatek/mt76/mt7925/mcu.c index cf0fdea45cf7..d61a7fbda745 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c 
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c @@ -1773,6 +1773,10 @@ mt7925_mcu_sta_phy_tlv(struct sk_buff *skb, =20 link_conf =3D mt792x_vif_to_bss_conf(vif, link_sta->link_id); mconf =3D mt792x_vif_to_link(mvif, link_sta->link_id); + + if (!link_conf || !mconf) + return; + chandef =3D mconf->mt76.ctx ? &mconf->mt76.ctx->def : &link_conf->chanreq.oper; =20 
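Review bot: The bare "return;" added to mt7925_mcu_sta_phy_tlv() fails silently, so the caller cannot tell that the PHY TLV was left out of the station record it is building. Add a rate-limited warning at the bail-out so the skipped TLV shows up in the log, or make the helper return int so the caller can abort the station update instead of sending a partial record.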
@@ -1851,6 +1855,10 @@ mt7925_mcu_sta_rate_ctrl_tlv(struct sk_buff *skb, =20 link_conf =3D mt792x_vif_to_bss_conf(vif, link_sta->link_id); mconf =3D mt792x_vif_to_link(mvif, link_sta->link_id); + + if (!link_conf || !mconf) + return; + chandef =3D mconf->mt76.ctx ? &mconf->mt76.ctx->def : &link_conf->chanreq.oper; band =3D chandef->chan->band; --=20 2.51.0 From nobody Wed Jan 7 23:01:13 2026 Received: from mail-pf1-f169.google.com (mail-pf1-f169.google.com [209.85.210.169]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 977401A08AF for ; Mon, 5 Jan 2026 00:26:56 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.169 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767572818; cv=none; b=C+CZf6gRbWXMk6BRNBQp1lDKpJtimxHdBlhW+XQqExzwD5zIupu9ti6FLYobOvZnJ8b41Qixww1EKfH3V8jLTuu1MddMKgQcwrXAmBiLv4VEWagRzLU+mVNGAWdRMwqvEPorp4km58hlQyrDVX0ubkj2F7mHoZdazoXEF3a2Tk8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767572818; c=relaxed/simple; bh=RSD9Leh3i2WeCr2It/CLzKSgKmadqV+MfdmnklJ6q6s=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=UTWHucGkm5Pj2JKZvQLLnlW6XWy9+aycB2LNKZlnNH2z+entTWN+/5LOQqIvosvUE+Jq8eRDA9bZ8uw8Vjkpm2BBDphauvbOn0qXS4FbQ84ISJLHe3H8cto8+/54kVSE19HitqGn4/Eh280OpsQlFDzVWbWdteuNisc53FeHsx4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=QLlPDz6G; arc=none smtp.client-ip=209.85.210.169 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) 
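Review bot: The guard in mt7925_mcu_sta_rate_ctrl_tlv() is a line-for-line copy of the one added to mt7925_mcu_sta_phy_tlv(), sitting on the same pair of lookups (mt792x_vif_to_bss_conf() and mt792x_vif_to_link() on link_sta->link_id). A small helper that performs both lookups and reports failure when either is NULL would keep the two TLV builders in step and give any later builder the check without another copy.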
From: Zac Bowling
To: zbowling@gmail.com
Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org,
 linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org,
 lorenzo@kernel.org, nbd@nbd.name, ryder.lee@mediatek.com,
 sean.wang@mediatek.com
Subject: [PATCH 05/17] wifi: mt76: mt7925: add NULL checks for link_conf and mlink in main.c
Date: Sun, 4 Jan 2026 16:26:26 -0800
Message-ID: <20260105002638.668723-6-zbowling@gmail.com>
X-Mailer: git-send-email 2.51.0
In-Reply-To: <20260105002638.668723-1-zbowling@gmail.com>
References: <20260102200524.290779-1-zbowling@gmail.com>
 <20260105002638.668723-1-zbowling@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Add NULL pointer checks throughout main.c for functions that call
mt792x_vif_to_bss_conf(), mt792x_vif_to_link(), and mt792x_sta_to_link()
without verifying the return value before dereferencing.

Functions fixed:
- mt7925_set_key(): Check link_conf, mconf, and mlink before use
- mt7925_mac_link_sta_add(): Check link_conf before BSS info update
- mt7925_mac_link_sta_assoc(): Check mlink and link_conf before use
- mt7925_mac_link_sta_remove(): Check mlink and link_conf, add goto label
  for proper cleanup path
- mt7925_change_vif_links(): Check link_conf before adding BSS

These functions can receive NULL when the link configuration in mac80211
is not yet synchronized with the driver's link tracking during MLO
operations or state transitions.

Without these checks, the driver crashes during station
add/remove/association operations with NULL pointer dereference:

  BUG: kernel NULL pointer dereference, address: 0000000000000010
  Call Trace:
   mt7925_mac_link_sta_add+0x...
   ...

Found through static analysis and triggered during BSSID roaming on
systems with multiple access points.

Reported-by: Zac Bowling Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt= 7925 chips") Signed-off-by: Zac Bowling --- .../net/wireless/mediatek/mt76/mt7925/main.c | 27 ++++++++++++++++--- 1 file changed, 23 insertions(+), 4 deletions(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/main.c b/drivers/net= /wireless/mediatek/mt76/mt7925/main.c index 9f17b21aef1c..7d3322461bcf 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c @@ -604,6 +604,10 @@ static int mt7925_set_link_key(struct ieee80211_hw *hw= , enum set_key_cmd cmd, link_sta =3D sta ? mt792x_sta_to_link_sta(vif, sta, link_id) : NULL; mconf =3D mt792x_vif_to_link(mvif, link_id); mlink =3D mt792x_sta_to_link(msta, link_id); + + if (!link_conf || !mconf || !mlink) + return -EINVAL; + wcid =3D &mlink->wcid; wcid_keyidx =3D &wcid->hw_key_idx; =20 @@ -889,6 +893,8 @@ static int mt7925_mac_link_sta_add(struct mt76_dev *mde= v, MT_WTBL_UPDATE_ADM_COUNT_CLEAR); =20 link_conf =3D mt792x_vif_to_bss_conf(vif, link_id); + if (!link_conf) + return -EINVAL; =20 /* should update bss info before STA add */ if (vif->type =3D=3D NL80211_IFTYPE_STATION && !link_sta->sta->tdls) { @@ -1034,6 +1040,8 @@ static void mt7925_mac_link_sta_assoc(struct mt76_dev= *mdev, =20 msta =3D (struct mt792x_sta *)link_sta->sta->drv_priv; mlink =3D mt792x_sta_to_link(msta, link_sta->link_id); + if (!mlink) + return; =20 mt792x_mutex_acquire(dev); =20 
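Review bot: The commit message lists mt7925_set_key() as fixed, but the hunk at -604 is in mt7925_set_link_key(); please correct the name in the message. In the same hunk the -EINVAL return applies to every value of cmd, so a key removal that arrives after the link has already gone away is now reported as a failure too; consider whether the disable case should return 0 instead.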
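Review bot: In mt7925_mac_link_sta_add() the new "return -EINVAL" comes after the call that ends in MT_WTBL_UPDATE_ADM_COUNT_CLEAR, so the function has already started station setup by the time it finds link_conf is NULL. Either do the mt792x_vif_to_bss_conf() lookup before that call, or confirm that nothing done up to this point needs undoing on the error path.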
@@ -1043,12 +1051,13 @@ static void mt7925_mac_link_sta_assoc(struct mt76_d= ev *mdev, link_conf =3D mt792x_vif_to_bss_conf(vif, vif->bss_conf.link_id); } =20 - if (vif->type =3D=3D NL80211_IFTYPE_STATION && !link_sta->sta->tdls) { + if (link_conf && vif->type =3D=3D NL80211_IFTYPE_STATION && !link_sta->st= a->tdls) { struct mt792x_bss_conf *mconf; =20 mconf =3D mt792x_link_conf_to_mconf(link_conf); - mt7925_mcu_add_bss_info(&dev->phy, mconf->mt76.ctx, - link_conf, link_sta, true); + if (mconf) + mt7925_mcu_add_bss_info(&dev->phy, mconf->mt76.ctx, + link_conf, link_sta, true); } =20 ewma_avg_signal_init(&mlink->avg_ack_signal); @@ -1095,6 +1104,8 @@ static void mt7925_mac_link_sta_remove(struct mt76_de= v *mdev, =20 msta =3D (struct mt792x_sta *)link_sta->sta->drv_priv; mlink =3D mt792x_sta_to_link(msta, link_id); + if (!mlink) + return; =20 mt7925_roc_abort_sync(dev); =20 @@ -1108,10 +1119,12 @@ static void mt7925_mac_link_sta_remove(struct mt76_= dev *mdev, =20 link_conf =3D mt792x_vif_to_bss_conf(vif, link_id); =20 - if (vif->type =3D=3D NL80211_IFTYPE_STATION && !link_sta->sta->tdls) { + if (link_conf && vif->type =3D=3D NL80211_IFTYPE_STATION && !link_sta->st= a->tdls) { struct mt792x_bss_conf *mconf; =20 mconf =3D mt792x_link_conf_to_mconf(link_conf); + if (!mconf) + goto out; =20 if (ieee80211_vif_is_mld(vif)) mt792x_mac_link_bss_remove(dev, mconf, mlink); @@ -1119,6 +1132,7 @@ static void mt7925_mac_link_sta_remove(struct mt76_de= v *mdev, mt7925_mcu_add_bss_info(&dev->phy, mconf->mt76.ctx, link_conf, link_sta, false); } +out: =20 spin_lock_bh(&mdev->sta_poll_lock); if (!list_empty(&mlink->wcid.poll_list)) 
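Review bot: In mt7925_mac_link_sta_remove() the early "if (!mlink) return;" sits above mt7925_roc_abort_sync(dev), which takes only dev, so a NULL mlink now skips the ROC abort as well. If that abort is wanted on every station removal, move the mlink check below it.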
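Review bot: A NULL mconf is handled two different ways in this patch: mt7925_mac_link_sta_assoc() wraps the call in "if (mconf)", while mt7925_mac_link_sta_remove() uses "goto out" with a label in the middle of the function. The jump only skips to the end of the enclosing if block, so wrapping the two calls in "if (mconf) { ... }" would do the same job without the label. If the label stays, place "out:" directly above spin_lock_bh() rather than before the blank line.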
@@ -2031,6 +2045,11 @@ mt7925_change_vif_links(struct ieee80211_hw *hw, str= uct ieee80211_vif *vif, mlink =3D mlinks[link_id]; link_conf =3D mt792x_vif_to_bss_conf(vif, link_id); =20 + if (!link_conf) { + err =3D -EINVAL; + goto free; + } + rcu_assign_pointer(mvif->link_conf[link_id], mconf); rcu_assign_pointer(mvif->sta.link[link_id], mlink); =20 --=20 2.51.0 From nobody Wed Jan 7 23:01:13 2026 Received: from mail-pl1-f169.google.com (mail-pl1-f169.google.com [209.85.214.169]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B5F2E1CDFD5 for ; Mon, 5 Jan 2026 00:26:57 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.169 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767572819; cv=none; b=oacAXwKdrkWIERTlwLaF/wdTW6rc4q4DW2pozuKo7XBLoToSTRNI3npOlnO6C5ng2AC/WutxMnZZBU9lp67S82MH/3sUbqY9g+sfsABxSk4v7lvCb2fIAgQuIpsWS+hYCiS4DplUT3uJHOKHK20wFijO8sNH+NfV5Ku02qx4qVI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767572819; c=relaxed/simple; bh=HZI8ymIlizZf5k6vodhsTUYOlmMNs3DVqGzzKTE1rMQ=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=VZRddDtxL/rgDovFDbjH5id1uJ0K0U/2plX2KQnlP4R5K0BQIurLgXBPquGvrK/ezR48XgerUWa8+fAZhOXUQlfm8iMWtrFShSwHLWitAjYdOPUTFOJRqisBCokiqF8+ILes9EXm574rznYNKHaqYd2AxfqyJLXPDc59EvzdNGg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=Hvotf3Vg; arc=none smtp.client-ip=209.85.214.169 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) 
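Review bot: In mt7925_change_vif_links() the new check jumps to "free" with err = -EINVAL from inside the per-link setup, just before the rcu_assign_pointer() calls for this link_id. Please confirm that the free path also covers links handled before this one, whose mvif->link_conf[] and mvif->sta.link[] entries were already published; if "free" releases the mconf and mlink allocations, those entries must be cleared first or readers can still reach them.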
From: Zac Bowling
To: zbowling@gmail.com
Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org,
 linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org,
 lorenzo@kernel.org, nbd@nbd.name, ryder.lee@mediatek.com,
 sean.wang@mediatek.com
Subject: [PATCH 06/17] wifi: mt76: mt7925: add error handling for AMPDU MCU commands
Date: Sun, 4 Jan 2026 16:26:27 -0800
Message-ID: <20260105002638.668723-7-zbowling@gmail.com>
X-Mailer: git-send-email 2.51.0
In-Reply-To: <20260105002638.668723-1-zbowling@gmail.com>
References: <20260102200524.290779-1-zbowling@gmail.com>
 <20260105002638.668723-1-zbowling@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Check return values of mt7925_mcu_uni_rx_ba() and mt7925_mcu_uni_tx_ba()
in mt7925_ampdu_action() and propagate errors to the caller.

Previously, failures in these MCU commands were silently ignored, which
could leave block aggregation in an inconsistent state between the
driver and firmware.

For IEEE80211_AMPDU_TX_STOP_CONT, only call the completion callback
ieee80211_stop_tx_ba_cb_irqsafe() if the MCU command succeeded, to avoid
signaling completion when the firmware operation failed.

Found through code review - pattern of ignored return values throughout
AMPDU handling.

Reported-by: Zac Bowling
Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips")
Signed-off-by: Zac Bowling
--- drivers/net/wireless/mediatek/mt76/mt7925/main.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/main.c b/drivers/net= /wireless/mediatek/mt76/mt7925/main.c index 7d3322461bcf..d966e5ab50ff 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c
@@ -1271,22 +1271,22 @@ mt7925_ampdu_action(struct ieee80211_hw *hw, struct= ieee80211_vif *vif, case IEEE80211_AMPDU_RX_START: mt76_rx_aggr_start(&dev->mt76, &msta->deflink.wcid, tid, ssn, params->buf_size); - mt7925_mcu_uni_rx_ba(dev, params, true); + ret =3D mt7925_mcu_uni_rx_ba(dev, params, true); break; case IEEE80211_AMPDU_RX_STOP: mt76_rx_aggr_stop(&dev->mt76, &msta->deflink.wcid, tid); - mt7925_mcu_uni_rx_ba(dev, params, false); + ret =3D mt7925_mcu_uni_rx_ba(dev, params, false); break; case IEEE80211_AMPDU_TX_OPERATIONAL: mtxq->aggr =3D true; mtxq->send_bar =3D false; - mt7925_mcu_uni_tx_ba(dev, params, true); + ret =3D mt7925_mcu_uni_tx_ba(dev, params, true); break; case IEEE80211_AMPDU_TX_STOP_FLUSH: case IEEE80211_AMPDU_TX_STOP_FLUSH_CONT: mtxq->aggr =3D false; clear_bit(tid, &msta->deflink.wcid.ampdu_state); - mt7925_mcu_uni_tx_ba(dev, params, false); + ret =3D mt7925_mcu_uni_tx_ba(dev, params, false); break; case IEEE80211_AMPDU_TX_START: set_bit(tid, &msta->deflink.wcid.ampdu_state); 
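Review bot: Returning the MCU error does not by itself keep driver and firmware in step, because these cases change driver state before the command is sent: IEEE80211_AMPDU_RX_START has already called mt76_rx_aggr_start(), and IEEE80211_AMPDU_TX_OPERATIONAL has already set mtxq->aggr = true. On a non-zero ret, undo that state (mt76_rx_aggr_stop() for the RX start case, mtxq->aggr = false for TX operational), or send the MCU command first and update local state only on success.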
@@ -1295,8 +1295,9 @@ mt7925_ampdu_action(struct ieee80211_hw *hw, struct i= eee80211_vif *vif, case IEEE80211_AMPDU_TX_STOP_CONT: mtxq->aggr =3D false; clear_bit(tid, &msta->deflink.wcid.ampdu_state); - mt7925_mcu_uni_tx_ba(dev, params, false); - ieee80211_stop_tx_ba_cb_irqsafe(vif, sta->addr, tid); + ret =3D mt7925_mcu_uni_tx_ba(dev, params, false); + if (!ret) + ieee80211_stop_tx_ba_cb_irqsafe(vif, sta->addr, tid); break; } mt792x_mutex_release(dev); --=20 2.51.0 From nobody Wed Jan 7 23:01:13 2026 Received: from mail-pl1-f182.google.com (mail-pl1-f182.google.com [209.85.214.182]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 17349136358 for ; Mon, 5 Jan 2026 00:26:58 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.182 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767572821; cv=none; b=XTgX3axTPaTvUknq0hq4nmemSSafeRWbtD1FpEpplYn+F6DnkprE9q6HvzXMs7TST++gaLuhkkGQiguDuJoGI0dAqvxE9JpGHxBh5jEjidlPkgyelsY8HBnAo0dba7PURZjpZ2QuseR2AnpGlblnbBsULGuF5Utv7YflXNOg1uA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767572821; c=relaxed/simple; bh=hY1b17MNfyuOvTeTzkddBgwbu8t+mTinNbwGGmZk7zU=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=FIru+ujlDS/gJgFSG1tCW/EJTEDo3biDm3Rxp3T7+h31jIrBNr+hxNe18MCGhKTI4rFsCwxe/Ln0FzNtnN5ztUVsnOJDTsfSqCzif8Mo/Wtmes0IexX8tNe0cFGDceVkTNejhSLaJ4n0elIlbCnFEOGkaT8cnz+t+EvAS0I6/oc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=XHLJ4wB+; arc=none smtp.client-ip=209.85.214.182 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass 
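Review bot: In the IEEE80211_AMPDU_TX_STOP_CONT case the driver has already cleared mtxq->aggr and the ampdu_state bit by the time the command fails, yet ieee80211_stop_tx_ba_cb_irqsafe() is now skipped, so mac80211 is never told that the stop finished. Please check how mac80211 treats a failing stop action; if it still waits for the callback, the session stays stuck in teardown, and calling the callback unconditionally while still returning ret may be the safer choice.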
From: Zac Bowling
To: zbowling@gmail.com
Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org,
 linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org,
 lorenzo@kernel.org, nbd@nbd.name, ryder.lee@mediatek.com,
 sean.wang@mediatek.com
Subject: [PATCH 07/17] wifi: mt76: mt7925: add error handling for BSS info MCU command in sta_add
Date: Sun, 4 Jan 2026 16:26:28 -0800
Message-ID: <20260105002638.668723-8-zbowling@gmail.com>
X-Mailer: git-send-email 2.51.0
In-Reply-To: <20260105002638.668723-1-zbowling@gmail.com>
References: <20260102200524.290779-1-zbowling@gmail.com>
 <20260105002638.668723-1-zbowling@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Check return value of mt7925_mcu_add_bss_info() in
mt7925_mac_link_sta_add() and propagate errors to the caller.

BSS info must be set up before adding a station record. If this MCU
command fails, continuing with station add would leave the firmware in
an inconsistent state with a station but no BSS configuration.

This can cause undefined behavior in the firmware, particularly during
MLO link setup where multiple BSS configurations are being programmed.

Reported-by: Zac Bowling
Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips")
Signed-off-by: Zac Bowling
--- drivers/net/wireless/mediatek/mt76/mt7925/main.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/main.c b/drivers/net= /wireless/mediatek/mt76/mt7925/main.c index d966e5ab50ff..a7e1e673c4bc 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c
@@ -899,11 +899,14 @@ static int mt7925_mac_link_sta_add(struct mt76_dev *m= dev, /* should update bss info before STA add */ if (vif->type =3D=3D NL80211_IFTYPE_STATION && !link_sta->sta->tdls) { if (ieee80211_vif_is_mld(vif)) - mt7925_mcu_add_bss_info(&dev->phy, mconf->mt76.ctx, - link_conf, link_sta, link_sta !=3D mlink->pri_link); + ret =3D mt7925_mcu_add_bss_info(&dev->phy, mconf->mt76.ctx, + link_conf, link_sta, + link_sta !=3D mlink->pri_link); else - mt7925_mcu_add_bss_info(&dev->phy, mconf->mt76.ctx, - link_conf, link_sta, false); + ret =3D mt7925_mcu_add_bss_info(&dev->phy, mconf->mt76.ctx, + link_conf, link_sta, false); + if (ret) + return ret; } =20 if (ieee80211_vif_is_mld(vif) && --=20 2.51.0 From nobody Wed Jan 7 23:01:13 2026 Received: from mail-pf1-f178.google.com (mail-pf1-f178.google.com [209.85.210.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0805F1DDC35 for ; Mon, 5 Jan 2026 00:26:59 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.178 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767572821; cv=none; b=MNvwQsJmpkGmAOs6j7T/zzCyKa2cpRbGQtNQEoiQvOHxab5JLhgCgWp0ya7VbqwT7zorhx/yvhBofuH2sv9PyWvvsUiY0LRBY35VH4Dfaf/dFJP/IJviEXxGMQ1mfL9X64v2FSZ1Mqt1RAeh6R3O7fNAc3r3rY3kYdvML6IyPfA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767572821; c=relaxed/simple; bh=9wMw4Xb04PSrFVmyO0HNqMXeSWHTRirn2UmUmWfZAjc=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=gEhuxtIT2GrMAoM3D1dmryhbdz1qL1gvRrRIYjTNhZFHFQIbNGmn+CDllvK93kURMD4Se1Vvp1R5jtNzjjxztCJB/c/30LCocld8gFM+ZYNAFPlWxizrJs/7E4+Knjz/6jIWQvZMUKdxVuv7VD4HjJisCTaqKTvG0UFt691/WP8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) 
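Review bot: Both branches dereference mconf->mt76.ctx, but the only NULL check this series shows for mt7925_mac_link_sta_add() is the one on link_conf added in patch 05; if mconf comes from the same kind of lookup it needs a check before this block as well. The two calls also differ only in their last argument, so a single call passing ieee80211_vif_is_mld(vif) && link_sta != mlink->pri_link would remove the if/else and leave one place to test ret.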
From: Zac Bowling
To: zbowling@gmail.com
Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org,
 linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org,
 lorenzo@kernel.org, nbd@nbd.name, ryder.lee@mediatek.com,
 sean.wang@mediatek.com
Subject: [PATCH 08/17] wifi: mt76: mt7925: add error handling for BSS info in key setup
Date: Sun, 4 Jan 2026 16:26:29 -0800
Message-ID: <20260105002638.668723-9-zbowling@gmail.com>
X-Mailer: git-send-email 2.51.0
In-Reply-To: <20260105002638.668723-1-zbowling@gmail.com>
References: <20260102200524.290779-1-zbowling@gmail.com>
 <20260105002638.668723-1-zbowling@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Check return value of mt7925_mcu_add_bss_info() in mt7925_set_link_key()
when setting up cipher for the first time and propagate errors.

The BSS info update with cipher information must succeed before key
programming can proceed. If this MCU command fails, continuing with key
setup would program keys into the firmware for a BSS that does not have
the correct cipher configuration.

SECURITY NOTE: Silent failure here is particularly dangerous because the
user would believe encryption is active when the firmware may not have
the cipher properly configured, potentially resulting in unencrypted or
incorrectly encrypted traffic.

This ensures the error is propagated up the stack rather than silently
ignored.

Reported-by: Zac Bowling
Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips")
Signed-off-by: Zac Bowling
--- drivers/net/wireless/mediatek/mt76/mt7925/main.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/main.c b/drivers/net= /wireless/mediatek/mt76/mt7925/main.c index a7e1e673c4bc..058394b2e067 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c 
@@ -637,8 +637,10 @@ static int mt7925_set_link_key(struct ieee80211_hw *hw= , enum set_key_cmd cmd, struct mt792x_phy *phy =3D mt792x_hw_phy(hw); =20 mconf->mt76.cipher =3D mt7925_mcu_get_cipher(key->cipher); - mt7925_mcu_add_bss_info(phy, mconf->mt76.ctx, link_conf, - link_sta, true); + err =3D mt7925_mcu_add_bss_info(phy, mconf->mt76.ctx, link_conf, + link_sta, true); + if (err) + goto out; } =20 if (cmd =3D=3D SET_KEY) --=20 2.51.0 From nobody Wed Jan 7 23:01:13 2026 Received: from mail-pl1-f174.google.com (mail-pl1-f174.google.com [209.85.214.174]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3506B1EA7CB for ; Mon, 5 Jan 2026 00:27:00 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.174 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767572823; cv=none; b=K0l6TeNSN5gTUSob484pHqbjxtruM4XaA5V6JZF3OyZDr7D7MzZJrK5aPM695Hrwwds9Wd+mBKZWdhK0U4v/PFT6f7tOi2gPgn6+Z7N7uhJ0PXjx91Dv+/NfkKfZ0rvoS2PFkzaDfjZxiUgxrAwYaI6vCqhws+htytE+CWDETWA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767572823; c=relaxed/simple; bh=okEPcwgetydhi6CjB9gPnDTD93VrrmmPij1wmDYyiRo=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=t3xj9bcVWmWcTZldcoIRAgboMebDXtP/6s7QDbNs2XEKo8FUuccd5eEtvAU9ntsLcsyG0wzZOwipsgveArbSBeO/6eZFloB4UtWMsPMdfuaQ+8fba/WD9zXKLKUQK9nVODe/1dtZ9v/IMjAi8V2YRhU7P8goEH3pnZwDA83Q2xc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=f6/A8X0Q; arc=none smtp.client-ip=209.85.214.174 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com 
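Review bot: In mt7925_set_link_key(), mconf->mt76.cipher is assigned before mt7925_mcu_add_bss_info() is called and is left set when the new `if (err) goto out;` path is taken. The commit message says this block runs when the cipher is set up for the first time; if the enclosing condition (not visible in this hunk) tests that field, a retried SET_KEY would skip the BSS info update and program the key anyway, which is the state the SECURITY NOTE warns about. Consider saving the previous value and restoring it before `goto out`. Also confirm that `out` releases whatever this function holds at this point, since the label is outside the hunk.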
From: Zac Bowling
To: zbowling@gmail.com
Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org, lorenzo@kernel.org, nbd@nbd.name, ryder.lee@mediatek.com, sean.wang@mediatek.com
Subject: [PATCH 09/17] wifi: mt76: mt7925: add NULL checks in MLO link and chanctx functions
Date: Sun, 4 Jan 2026 16:26:30 -0800
Message-ID: <20260105002638.668723-10-zbowling@gmail.com>
X-Mailer: git-send-email 2.51.0
In-Reply-To: <20260105002638.668723-1-zbowling@gmail.com>
References: <20260102200524.290779-1-zbowling@gmail.com> <20260105002638.668723-1-zbowling@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Add NULL pointer checks for mconf and link_conf in several functions
that were missing validation after calling mt792x_vif_to_link() and
mt792x_vif_to_bss_conf().

Functions fixed:
- mt7925_mac_set_links(): Check both primary and secondary link_conf
  before dereferencing chanreq.oper for band selection
- mt7925_link_info_changed(): Check mconf before using it to get
  link_conf, prevents NULL dereference chain
- mt7925_assign_vif_chanctx(): Check mconf before use, return -EINVAL
  if NULL; check pri_link_conf before passing to MCU function
- mt7925_unassign_vif_chanctx(): Check mconf before dereferencing,
  return early if NULL during MLO cleanup

These functions handle MLO (Multi-Link Operation) scenarios where link
configurations may not be fully set up when called, particularly during
rapid link state transitions or error recovery paths.

Prevents panics during WiFi 7 MLO link setup and teardown sequences.

Reported-by: Zac Bowling
Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips")
Signed-off-by: Zac Bowling --- .../net/wireless/mediatek/mt76/mt7925/main.c | 39 +++++++++++++++---- 1 file changed, 32 insertions(+), 7 deletions(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/main.c b/drivers/net= /wireless/mediatek/mt76/mt7925/main.c index 058394b2e067..852cf8ff842f 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c @@ -1006,18 +1006,29 @@ mt7925_mac_set_links(struct mt76_dev *mdev, struct = ieee80211_vif *vif) { struct mt792x_dev *dev =3D container_of(mdev, struct mt792x_dev, mt76); struct mt792x_vif *mvif =3D (struct mt792x_vif *)vif->drv_priv; - struct ieee80211_bss_conf *link_conf =3D - mt792x_vif_to_bss_conf(vif, mvif->deflink_id); - struct cfg80211_chan_def *chandef =3D &link_conf->chanreq.oper; - enum nl80211_band band =3D chandef->chan->band, secondary_band; + struct ieee80211_bss_conf *link_conf; + struct cfg80211_chan_def *chandef; + enum nl80211_band band, secondary_band; + u16 sel_links; + u8 secondary_link_id; + + link_conf =3D mt792x_vif_to_bss_conf(vif, mvif->deflink_id); + if (!link_conf) + return; =20 - u16 sel_links =3D mt76_select_links(vif, 2); - u8 secondary_link_id =3D __ffs(~BIT(mvif->deflink_id) & sel_links); + chandef =3D &link_conf->chanreq.oper; + band =3D chandef->chan->band; + + sel_links =3D mt76_select_links(vif, 2); + secondary_link_id =3D __ffs(~BIT(mvif->deflink_id) & sel_links); =20 if (!ieee80211_vif_is_mld(vif) || hweight16(sel_links) < 2) return; =20 link_conf =3D mt792x_vif_to_bss_conf(vif, secondary_link_id); + if (!link_conf) + return; + secondary_band =3D link_conf->chanreq.oper.chan->band; =20 if (band =3D=3D NL80211_BAND_2GHZ || 
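Review bot: In mt7925_mac_set_links(), the reordered code still evaluates `secondary_link_id = __ffs(~BIT(mvif->deflink_id) & sel_links);` before the `hweight16(sel_links) < 2` test, and __ffs() is undefined for a zero argument, which is what it gets when sel_links holds only the default link. Since the declarations are being split from their initialisers anyway, move that assignment below the is_mld/hweight16 early return. The new link_conf checks also leave `chandef->chan->band` and `link_conf->chanreq.oper.chan->band` dereferencing `chan` unchecked; if a link can be seen here before it is fully set up, as the commit message says, explain why `chan` cannot be NULL or test it as well.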
@@ -1927,7 +1938,12 @@ static void mt7925_link_info_changed(struct ieee8021= 1_hw *hw, struct ieee80211_bss_conf *link_conf; =20 mconf =3D mt792x_vif_to_link(mvif, info->link_id); + if (!mconf) + return; + link_conf =3D mt792x_vif_to_bss_conf(vif, mconf->link_id); + if (!link_conf) + return; =20 mt792x_mutex_acquire(dev); =20 @@ -2136,9 +2152,14 @@ static int mt7925_assign_vif_chanctx(struct ieee8021= 1_hw *hw, =20 if (ieee80211_vif_is_mld(vif)) { mconf =3D mt792x_vif_to_link(mvif, link_conf->link_id); + if (!mconf) { + mutex_unlock(&dev->mt76.mutex); + return -EINVAL; + } + pri_link_conf =3D mt792x_vif_to_bss_conf(vif, mvif->deflink_id); =20 - if (vif->type =3D=3D NL80211_IFTYPE_STATION && + if (pri_link_conf && vif->type =3D=3D NL80211_IFTYPE_STATION && mconf =3D=3D &mvif->bss_conf) mt7925_mcu_add_bss_info(&dev->phy, NULL, pri_link_conf, NULL, true); 
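Review bot: In the mt7925_assign_vif_chanctx() hunk, the added `pri_link_conf &&` test makes a NULL primary link skip mt7925_mcu_add_bss_info() silently, and the call's return value is still discarded when it does run. Patch 08/17 of this series argues that a failed BSS info update must not be ignored, so the same treatment belongs here: capture the result, unlock, and return it, and decide whether a missing pri_link_conf should be an error (-EINVAL, like the mconf case just above) rather than a quiet skip. The open-coded `mutex_unlock(&dev->mt76.mutex); return -EINVAL;` would also read better as a jump to a single unlock label.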
@@ -2167,6 +2188,10 @@ static void mt7925_unassign_vif_chanctx(struct ieee8= 0211_hw *hw, =20 if (ieee80211_vif_is_mld(vif)) { mconf =3D mt792x_vif_to_link(mvif, link_conf->link_id); + if (!mconf) { + mutex_unlock(&dev->mt76.mutex); + return; + } =20 if (vif->type =3D=3D NL80211_IFTYPE_STATION && mconf =3D=3D &mvif->bss_conf) --=20 2.51.0 From nobody Wed Jan 7 23:01:13 2026 Received: from mail-pf1-f176.google.com (mail-pf1-f176.google.com [209.85.210.176]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5F0B814F9FB for ; Mon, 5 Jan 2026 00:27:02 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.176 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767572824; cv=none; b=WH/szKJVS/m+XKs2f6LCSRvn7D/igkBkruo6YEmJh82uO8/MGH0XT4PD0Gwt3U4qWwmHIcnTkzjw3PfJHJ7XXK7If7Tz7brajHSkHxaPA/TGM99rSDIG0nlpPl9VFbLN9NjX7KzrkFE4/2Xn9SYfbFD9qAr5AejVj90NpqY1xvs= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767572824; c=relaxed/simple; bh=UI9JtUEuEslTaP4rLaUkTohz7iGmINe7yYsfOHt6CR0=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=k8d9iQX/3Pk636Ckc3fm7HbJR/HPwsBw4uPzjElpL72jUFrfvTSoqo2cZJ7tpvmuY/nWXw9uOaND//BS7yYcSgN6i2sEfnRSEvTPTZS1zNCXr2nSsbVHi+IXvU3NRVa7Q+HYoB9k5uaEdwMt5O7dJFhLNuFhwaoON+RCAzU7L74= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=kB1Rx9pG; arc=none smtp.client-ip=209.85.210.176 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com 
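Review bot: In mt7925_unassign_vif_chanctx(), the new `if (!mconf)` branch unlocks and returns from the middle of the function, so anything the function does after the MLD block is skipped for this link. That remainder is outside the hunk; if it clears per-link state, the early return leaves it stale on exactly the teardown path the commit message targets. Prefer skipping only the code that needs mconf and falling through to the common exit, which also avoids a second mutex_unlock() site.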
From: Zac Bowling
To: zbowling@gmail.com
Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org, lorenzo@kernel.org, nbd@nbd.name, ryder.lee@mediatek.com, sean.wang@mediatek.com
Subject: [PATCH 10/17] wifi: mt76: mt792x: fix NULL pointer dereference in TX path
Date: Sun, 4 Jan 2026 16:26:31 -0800
Message-ID: <20260105002638.668723-11-zbowling@gmail.com>
X-Mailer: git-send-email 2.51.0
In-Reply-To: <20260105002638.668723-1-zbowling@gmail.com>
References: <20260102200524.290779-1-zbowling@gmail.com> <20260105002638.668723-1-zbowling@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Add NULL pointer checks in mt792x_tx() to prevent kernel crashes when
transmitting packets during MLO link removal.

The function calls mt792x_sta_to_link() which can return NULL if the
link is being removed, but the return value was dereferenced without
checking. Similarly, the RCU-protected link_conf and link_sta pointers
were used without NULL validation.

This race can occur when:
1. A packet is queued for transmission
2. Concurrently, the link is being removed (mt7925_mac_link_sta_remove)
3. mt792x_sta_to_link() returns NULL for the removed link
4. Kernel crashes on wcid = &mlink->wcid dereference

Example crash trace:
  BUG: kernel NULL pointer dereference
  RIP: mt792x_tx+0x...
  Call Trace:
   ieee80211_tx+0x...
   __ieee80211_subif_start_xmit+0x...

Fix by:
- Check mlink return value before dereferencing wcid
- Check RCU-dereferenced conf and link_sta before use
- Free the SKB and return early if any pointer is NULL

This affects both MT7921 and MT7925 drivers as mt792x_core.c is shared.

Fixes: c74df1c067f2 ("wifi: mt76: mt792x: introduce mt792x-lib module")
Reported-by: Zac Bowling
Signed-off-by: Zac Bowling --- drivers/net/wireless/mediatek/mt76/mt792x_core.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt792x_core.c b/drivers/net= /wireless/mediatek/mt76/mt792x_core.c index f2ed16feb6c1..9dc768aa8b9c 100644 --- a/drivers/net/wireless/mediatek/mt76/mt792x_core.c +++ b/drivers/net/wireless/mediatek/mt76/mt792x_core.c @@ -95,6 +95,8 @@ void mt792x_tx(struct ieee80211_hw *hw, struct ieee80211_= tx_control *control, IEEE80211_TX_CTRL_MLO_LINK); sta =3D (struct mt792x_sta *)control->sta->drv_priv; mlink =3D mt792x_sta_to_link(sta, link_id); + if (!mlink) + goto free_skb; wcid =3D &mlink->wcid; } =20 @@ -113,9 +115,12 @@ void mt792x_tx(struct ieee80211_hw *hw, struct ieee802= 11_tx_control *control, link_id =3D wcid->link_id; rcu_read_lock(); conf =3D rcu_dereference(vif->link_conf[link_id]); - memcpy(hdr->addr2, conf->addr, ETH_ALEN); - link_sta =3D rcu_dereference(control->sta->link[link_id]); + if (!conf || !link_sta) { + rcu_read_unlock(); + goto free_skb; + } + memcpy(hdr->addr2, conf->addr, ETH_ALEN); memcpy(hdr->addr1, link_sta->addr, ETH_ALEN); =20 if (vif->type =3D=3D NL80211_IFTYPE_STATION) 
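Review bot: The `if (!mlink) goto free_skb;` test in the first mt792x_tx() hunk handles a link that is already gone, but the commit message describes removal running concurrently with transmit, and a NULL test alone does not cover removal that completes just after the test. In these hunks wcid is taken from mlink and `wcid->link_id` is read before the rcu_read_lock() shown in the second hunk, so what keeps mlink valid across that window is not visible. Please state in the commit message which lock or RCU section protects mlink here, or extend the protection so it covers the lookup.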
@@ -136,6 +141,10 @@ void mt792x_tx(struct ieee80211_hw *hw, struct ieee802= 11_tx_control *control, } =20 mt76_connac_pm_queue_skb(hw, &dev->pm, wcid, skb); + return; + +free_skb: + ieee80211_free_txskb(hw, skb); } EXPORT_SYMBOL_GPL(mt792x_tx); =20 --=20 2.51.0 From nobody Wed Jan 7 23:01:13 2026 Received: from mail-pl1-f195.google.com (mail-pl1-f195.google.com [209.85.214.195]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 42C8121D3F8 for ; Mon, 5 Jan 2026 00:27:03 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.195 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767572824; cv=none; b=BI26KmsEvJMsm6rSNyYVlbc7vw4Hr2hka5/c1Byjsn66bci386Q6OQlspZhdVof8Q67w1KQW6RSXi7QhpEr9RvbMrq3RQCAbLvz9WHAteBqIL98vWqLzgdXFCAkaVu5GjF2ivcPMUfNZcAN/H4IDIM5c41F71Lij4GHkFeTbrfw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767572824; c=relaxed/simple; bh=qQiL7A5UoXk1yN80eddElOmaXjRK+jDnvWEcU4/4Qzs=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=a1jxChu1vU3nQ4YJBJDMNVwyLwjBkKv71ZZkhW2Xbinl9mXMvJhqlkG+M6GQNq+ZUgkAH90Zj1D6LSS/Ifliks36Ex8MfrV86Vg/H5emondlfuutPova6QnAZdJv9LGB9as3tny45w4Xc0dWLAXl2Gyog8LJureTwoVYHxk4Z7c= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=SPvVzD4U; arc=none smtp.client-ip=209.85.214.195 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="SPvVzD4U" Received: by mail-pl1-f195.google.com with SMTP id 
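Review bot: The new free_skb path drops the frame with no trace, so the race this patch works around becomes invisible once the crash is gone. A rate-limited debug message or a drop counter at `free_skb:` would let testers confirm how often the NULL link is actually hit during MLO link removal.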
From: Zac Bowling
To: zbowling@gmail.com
Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org, lorenzo@kernel.org, nbd@nbd.name, ryder.lee@mediatek.com, sean.wang@mediatek.com
Subject: [PATCH 11/17] wifi: mt76: mt7925: add lockdep assertions for mutex verification
Date: Sun, 4 Jan 2026 16:26:32 -0800
Message-ID: <20260105002638.668723-12-zbowling@gmail.com>
X-Mailer: git-send-email 2.51.0
In-Reply-To: <20260105002638.668723-1-zbowling@gmail.com>
References: <20260102200524.290779-1-zbowling@gmail.com> <20260105002638.668723-1-zbowling@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Add lockdep_assert_held() calls to critical MCU functions to help catch
mutex violations during development and debugging. This follows the
pattern used in other mt76 drivers (mt7996, mt7915, mt7615).

Functions with new assertions:
- mt7925_mcu_add_bss_info(): Core BSS configuration MCU command
- mt7925_mcu_sta_update(): Station record update MCU command
- mt7925_mcu_uni_bss_ps(): Power save state MCU command

These functions modify firmware state and must be called with the
device mutex held to prevent race conditions. The lockdep assertions
will trigger warnings at runtime if code paths exist that call these
functions without proper mutex protection.

This aids in detecting the class of bugs fixed by patches in this series.

Signed-off-by: Zac Bowling
--- drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c b/drivers/net/= wireless/mediatek/mt76/mt7925/mcu.c index d61a7fbda745..958ff9da9f01 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
@@ -1527,6 +1527,8 @@ int mt7925_mcu_uni_bss_ps(struct mt792x_dev *dev, }, }; =20 + lockdep_assert_held(&dev->mt76.mutex); + if (link_conf->vif->type !=3D NL80211_IFTYPE_STATION) return -EOPNOTSUPP; =20 @@ -2037,6 +2039,8 @@ int mt7925_mcu_sta_update(struct mt792x_dev *dev, struct mt792x_sta *msta; struct mt792x_link_sta *mlink; =20 + lockdep_assert_held(&dev->mt76.mutex); + if (link_sta) { msta =3D (struct mt792x_sta *)link_sta->sta->drv_priv; mlink =3D mt792x_sta_to_link(msta, link_sta->link_id); 
@@ -2843,6 +2847,8 @@ int mt7925_mcu_add_bss_info(struct mt792x_phy *phy, struct mt792x_link_sta *mlink_bc; struct sk_buff *skb; =20 + lockdep_assert_held(&dev->mt76.mutex); + skb =3D __mt7925_mcu_alloc_bss_req(&dev->mt76, &mconf->mt76, MT7925_BSS_UPDATE_MAX_SIZE); if (IS_ERR(skb)) --=20 2.51.0 From nobody Wed Jan 7 23:01:13 2026 Received: from mail-pf1-f170.google.com (mail-pf1-f170.google.com [209.85.210.170]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B766A19D08F for ; Mon, 5 Jan 2026 00:27:04 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.170 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767572826; cv=none; b=ZMvg+LrjMIc1yDLVGNWNKtyIFOl0S04g9GzZRj0K41sNyXfOx01/UlpjtcjL1al1QTVRlhQ2zympVso7JeFTgql7u8t22yO6ywaOMko3hy9OGVL6ouSX9b+wggl8iARiXxiujFuG/gP8nJgMaTU64AWMHEwJekAEMkt6O3bmbyQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767572826; c=relaxed/simple; bh=vz3x+77kdQ8P9steLlJ4yD4DGKBh00DAeJdBPKKnDns=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=kvucFxGXPytNOARyi3o0t0QIC+aYr8rb4s683iMG2FlnZAAgVVHRGGOinE/M5ONZful02mBoamsixSb50ETNgs4Ug1qkWM+SgUfN4QpLDvqO9XDHQZgU1jtQYfVOv0yZ1VPkWiwfRr49FbSiLUSpeK63yM9xRB1Zh0PN9j8OaDc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=VV3N9+zX; arc=none smtp.client-ip=209.85.210.170 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="VV3N9+zX" Received: by 
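Review bot: The assertion added to mt7925_mcu_add_bss_info() will warn on every caller that does not hold dev->mt76.mutex, and the commit message does not say that the callers were audited. The mt7925_assign_vif_chanctx() call site appears to hold the mutex in 09/17 (its new error path unlocks it), but the mt7925_set_link_key() call touched by 08/17 shows no locking in its hunk. List the audited callers in the commit message, and place this patch after any locking fixes in the series so a bisect does not stop on lockdep warnings.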
From: Zac Bowling
To: zbowling@gmail.com
Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org, lorenzo@kernel.org, nbd@nbd.name, ryder.lee@mediatek.com, sean.wang@mediatek.com
Subject: [PATCH 12/17] wifi: mt76: mt7925: fix key removal failure during MLO roaming
Date: Sun, 4 Jan 2026 16:26:33 -0800
Message-ID: <20260105002638.668723-13-zbowling@gmail.com>
X-Mailer: git-send-email 2.51.0
In-Reply-To: <20260105002638.668723-1-zbowling@gmail.com>
References: <20260102200524.290779-1-zbowling@gmail.com> <20260105002638.668723-1-zbowling@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

During MLO roaming, mac80211 may request key removal after the link
state has already been torn down. The current code returns -EINVAL when
link_conf, mconf, or mlink is NULL, causing 'failed to remove key from
hardware (-22)' errors in the kernel log.

This is a race condition where:
1. MLO link teardown begins, cleaning up driver state
2. mac80211 requests group key removal for the old link
3. mt792x_vif_to_bss_conf() or related functions return NULL
4. Driver returns -EINVAL, confusing upper layers

Observed kernel log errors during roaming:
  wlp192s0: failed to remove key (1, ff:ff:ff:ff:ff:ff) from hardware (-22)
  wlp192s0: failed to remove key (4, ff:ff:ff:ff:ff:ff) from hardware (-22)

And associated wpa_supplicant warnings:
  nl80211: kernel reports: link ID must for MLO group key

The fix: When removing a key (cmd != SET_KEY), if the link state is
already gone, return success (0) instead of error. The key is
effectively removed when the link was torn down.

Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips")
Reported-by: Zac Bowling
Tested-by: Zac Bowling
Signed-off-by: Zac Bowling --- drivers/net/wireless/mediatek/mt76/mt7925/main.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/main.c b/drivers/net= /wireless/mediatek/mt76/mt7925/main.c index 852cf8ff842f..7cf6faa1f6f4 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c 
@@ -605,8 +605,15 @@ static int mt7925_set_link_key(struct ieee80211_hw *hw= , enum set_key_cmd cmd, mconf =3D mt792x_vif_to_link(mvif, link_id); mlink =3D mt792x_sta_to_link(msta, link_id); =20 - if (!link_conf || !mconf || !mlink) + if (!link_conf || !mconf || !mlink) { + /* During MLO roaming, link state may be torn down before + * mac80211 requests key removal. If removing a key and + * the link is already gone, consider it successfully removed. + */ + if (cmd !=3D SET_KEY) + return 0; return -EINVAL; + } =20 wcid =3D &mlink->wcid; wcid_keyidx =3D &wcid->hw_key_idx; --=20 2.51.0 From nobody Wed Jan 7 23:01:13 2026 Received: from mail-pg1-f172.google.com (mail-pg1-f172.google.com [209.85.215.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9BFC31A2C04 for ; Mon, 5 Jan 2026 00:27:05 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.215.172 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767572828; cv=none; b=YSLLf4cxRF5kD+4wa4XyLOTOjluWgKcCTjUkpRlXhWTjGA18vAbBCbNTqHGUEEQTAI3aSQOjtvBO3RDxoCPDFZHzDCy3Mwylv2RcxvkO8YX/As+wFoTDa9MAhPYn3zqMeJ833MmELOYTtvUddKVMwvUw8//5L0ZXKY42Cwypsec= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767572828; c=relaxed/simple; bh=Mn6R5G7/0GZb7sQn1kV9FKhJoDRPHViL8xHRuPLA7ic=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=MSqQQasNJU1yxFzrfmD3/Bem7sI5iOC1AcrVTF/tmr2fBnj1yn2QEfzbyICRFnEYnD0qree8loicg+JmDQUZ7lUvJmJhS/zFCFRSmYXeMaJLwNu04LVsdWyRbZYL/w1Gfg5UQL04eu2ZLOe2U55zwz0flWGFRM8jD950Uf76TUE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=KohLd1BW; arc=none smtp.client-ip=209.85.215.172 Authentication-Results: 
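Review bot: The new early `return 0` in mt7925_set_link_key() fires for any non-SET_KEY command when any one of link_conf, mconf or mlink is NULL, which is broader than the teardown case the commit message describes. If only one of the three is missing, the link is not fully gone, and reporting success skips the key bookkeeping below (wcid->hw_key_idx and what follows) while telling mac80211 the key was removed from hardware. Consider returning 0 only when the link state that owns the key is absent, keeping -EINVAL for the partial cases, and add a debug print so the skipped removal can be seen in logs. The comment could also name DISABLE_KEY, since `cmd != SET_KEY` is what it documents.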
smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="KohLd1BW" Received: by mail-pg1-f172.google.com with SMTP id 41be03b00d2f7-c2af7d09533so6144678a12.1 for ; Sun, 04 Jan 2026 16:27:05 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1767572825; x=1768177625; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=j8HRHCajxeLrhtL1S291ZrvpdmCzir8N7qq8yDbrsMI=; b=KohLd1BWq8iHBoGztlipypYMP2gMmh+KRL4m61bDLPm5MFHRGPZ7CJmbTN/g8LfcAA fyzJFotxBmSy7jcfp04pAI1DxlKtW1uykoDjlKUgq/YZThHdkV1eWEVF2Ne+w7OA4w4E QmC3n9VG/vgELNC36p086pzNi2g4ZRFcqpMLdkGnM/fNk7qhs0wK06LyneqmG0G0vERV 4fjevZvEarfdKHBQjd17Bkq6tI+L6Hzowa1h1YzFRL/c21Dn0752ApeiKN7dDOmqStmg EhRrseM4WTT4cADF7BFKGLVriy2mtuxNDppO36sf9KC+TvT06L1jvA8mHiSdlVWtlX3i bXxg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1767572825; x=1768177625; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=j8HRHCajxeLrhtL1S291ZrvpdmCzir8N7qq8yDbrsMI=; b=HrrTyCsROlita4Rixw0gFKpw8vopAlama4LKSdz3EVczOoTveYPyUM+azyEN+JR56L lBKU/HHDc7NYQcqgasCIoWDP5JeC/5aLO+M+vRYTQncEhZuVzarDonE1AnpsXmDBn1lm B/WR4xeSp1w/8LFXB+xuma5ZUpJ0ajx9w/syJhm9wFYG/wH2WCwbADDngYZULyS80zzq /Pr/0fFZt+CH7qCgPGCZWo//VXDHkauttQidY/v20Ck5TugcD1HmKzjtqGfq18ct0o2/ RVvyvG/JY5nsTFHcuYGBExjxUELuIorrVt4JxZsHiteikQDj84L2aG4K3X2VyazHDAS9 0kRg== X-Forwarded-Encrypted: i=1; AJvYcCWKnbpWWyyIQTXXSYXNgz0rS69XA6+999EFqh/VhuM6WIbqx5lweYDd5701Mh7vx13+blZCTbCYSIgPCHE=@vger.kernel.org X-Gm-Message-State: 
AOJu0YwpiRnKEkcs9aC/MM1fq92Wgle8b3AIxmF9BpbK/7eSoNcWwryf s6iZ+hJyoSMp9//qfh7WXXJzmEqhllAuIyHhsWbFJH/WHBq4V7EUmbRc9TNm79Uo X-Gm-Gg: AY/fxX77n0vsn/hsn5N7wCJgy2kj370/y4JQazl+xYPBuis5/1QRnaU1VyWlXgoi7tS Ab8OQe9POPCwfFuq12NFourSOrkqwbWGM5omLEDg+Ebn75Wo+To4WVTu0aVedHKWi6Js/Q/5o31 KhyO6prIfC0N0OaIsOIbcp40bD28RtCRkvQzSdcKJsxX/uSj165jWGP7+cJuL8qH9j872k4P4ev zfLggdgD1M6sw4lQllqNgScEvVxS2CzqXfb5Ar/+0wPTNWkmZU+SP8OFgwnnnB6qixWrJJirRPW ipjZB5OL6Euvf7wIXDn8IoaE8+cS1kkyYZBKEGBms9H+xCDdnNAHNwVZnndm3bPr0jpT7HfAYQ4 jz9r4TTqyWkfipUZdaAMYX6N+J1AFjfmdqh+j02CS6deS6TMRCQymLDpsnC/fOdqVfFPTX7pxUc FHSwSVz6dtecHou8I6NfxbyiwuAHBcetBMyDcujXMKtRpJj73ilT1Br1ultn6qNI4= X-Google-Smtp-Source: AGHT+IEY0zZXsw28HdBCqO5suui0ZQArzOaey4A7hNOTjMt9GTJKdAkyGN3WU76yNJIYmYwh3R5SvA== X-Received: by 2002:a05:7022:f00b:b0:11a:126f:ee78 with SMTP id a92af1059eb24-121722fd228mr49567544c88.34.1767572824695; Sun, 04 Jan 2026 16:27:04 -0800 (PST) Received: from zubuntu.bengal-mercat.ts.net ([2001:5a8:60d:bc9:9ebf:dff:fe00:f8f2]) by smtp.gmail.com with ESMTPSA id a92af1059eb24-121724de268sm133378109c88.8.2026.01.04.16.27.03 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 04 Jan 2026 16:27:04 -0800 (PST) 
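Review bot: in mt7925_set_link_key(), the new "return 0" for cmd != SET_KEY is taken whenever any one of link_conf, mconf or mlink is NULL, so a removal where mlink still exists but link_conf or mconf is already gone reports success without ever reaching "wcid_keyidx = &wcid->hw_key_idx", and whatever key index is cached there stays in place. Consider returning 0 only when mlink itself is NULL, or resetting the cached index while mlink is still valid, so that the "removed" result handed back to mac80211 matches the driver's own key state. The block comment should also name the caller that depends on 0 here.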
From: Zac Bowling
To: zbowling@gmail.com
Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org, lorenzo@kernel.org, nbd@nbd.name, ryder.lee@mediatek.com, sean.wang@mediatek.com
Subject: [PATCH 13/17] wifi: mt76: mt7925: fix kernel warning in MLO ROC setup
Date: Sun, 4 Jan 2026 16:26:34 -0800
Message-ID: <20260105002638.668723-14-zbowling@gmail.com>
In-Reply-To: <20260105002638.668723-1-zbowling@gmail.com>
References: <20260102200524.290779-1-zbowling@gmail.com> <20260105002638.668723-1-zbowling@gmail.com>

mt7925_mcu_set_mlo_roc() uses WARN_ON_ONCE() to check if link_conf or
channel is NULL. However, during MLO AP setup, it's normal for the
channel to not be configured yet when this function is called.

The WARN_ON_ONCE triggers a kernel warning/oops that makes the system
appear to have crashed, even though it's just a timing issue.

Example kernel oops during AP setup:

  WARNING: CPU: 0 PID: 12345 at drivers/net/wireless/mediatek/mt76/mt7925/mcu.c:1345
  Call Trace:
   mt7925_mcu_set_mlo_roc+0x...
   mt7925_remain_on_channel+0x...

Replace WARN_ON_ONCE with regular NULL checks and return -ENOLINK to
indicate the link is not fully configured yet. This allows the upper
layers to retry when the link is ready, without spamming the kernel log
with warnings.

Also add a check for mconf in the first loop to match the pattern used
in the second loop, preventing potential NULL dereference.

This fixes kernel oops reported during MLO AP setup on OpenWrt with
MT7925E hardware and similar issues on standard Linux distributions.

Fixes: c5d11e4a9fa8 ("wifi: mt76: mt7925: add mt7925_change_vif_links")
Link: https://github.com/openwrt/mt76/issues/1014
Signed-off-by: Zac Bowling --- .../net/wireless/mediatek/mt76/mt7925/mcu.c | 20 +++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c b/drivers/net/= wireless/mediatek/mt76/mt7925/mcu.c index 958ff9da9f01..8080fea30d23 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c @@ -1337,15 +1337,23 @@ int mt7925_mcu_set_mlo_roc(struct mt792x_bss_conf *= mconf, u16 sel_links, for (i =3D 0; i < ARRAY_SIZE(links); i++) { links[i].id =3D i ? __ffs(~BIT(mconf->link_id) & sel_links) : mconf->link_id; + link_conf =3D mt792x_vif_to_bss_conf(vif, links[i].id); - if (WARN_ON_ONCE(!link_conf)) - return -EPERM; + if (!link_conf) + return -ENOLINK; =20 links[i].chan =3D link_conf->chanreq.oper.chan; - if (WARN_ON_ONCE(!links[i].chan)) - return -EPERM; + if (!links[i].chan) + /* Channel not configured yet - this can happen during + * MLO AP setup when links are being added sequentially. + * Return -ENOLINK to indicate link not ready. + */ + return -ENOLINK; =20 links[i].mconf =3D mt792x_vif_to_link(mvif, links[i].id); + if (!links[i].mconf) + return -ENOLINK; + links[i].tag =3D links[i].id =3D=3D mconf->link_id ? UNI_ROC_ACQUIRE : UNI_ROC_SUB_LINK; =20 
@@ -1359,8 +1367,8 @@ int mt7925_mcu_set_mlo_roc(struct mt792x_bss_conf *mc= onf, u16 sel_links, type =3D MT7925_ROC_REQ_JOIN; =20 for (i =3D 0; i < ARRAY_SIZE(links) && i < hweight16(vif->active_links); = i++) { - if (WARN_ON_ONCE(!links[i].mconf || !links[i].chan)) - continue; + if (!links[i].mconf || !links[i].chan) + return -ENOLINK; =20 chan =3D links[i].chan; center_ch =3D ieee80211_frequency_to_channel(chan->center_freq); --=20 2.51.0
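Review bot: in the first loop of mt7925_mcu_set_mlo_roc() (hunk at -1337), the new "if (!links[i].chan)" has a four-line comment between the condition and its "return -ENOLINK;" with no braces; kernel coding style wants braces once the body spans more than one line, and the unbraced form is easy to break when a second statement is added later. The commit message says upper layers can retry on -ENOLINK, but nothing in the hunk shows a caller doing so; please name the caller that retries, since every path that used to return -EPERM now returns a different errno.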
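Review bot: in the second loop of mt7925_mcu_set_mlo_roc() (hunk at -1359), replacing "continue" with "return -ENOLINK" changes the behaviour from skipping an incomplete link to aborting the whole request, which the commit message does not mention. With the first hunk applied, the first loop already returns -ENOLINK for every index whose chan or mconf is NULL, and the second loop walks a subset of the same indices, so unless links[] is modified between the loops this check looks unreachable; either drop it or say in a comment why it is kept.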
From: Zac Bowling
To: zbowling@gmail.com
Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org, lorenzo@kernel.org, nbd@nbd.name, ryder.lee@mediatek.com, sean.wang@mediatek.com
Subject: [PATCH 14/17] wifi: mt76: mt7925: add NULL checks for MLO link pointers in MCU functions
Date: Sun, 4 Jan 2026 16:26:35 -0800
Message-ID: <20260105002638.668723-15-zbowling@gmail.com>
In-Reply-To: <20260105002638.668723-1-zbowling@gmail.com>
References: <20260102200524.290779-1-zbowling@gmail.com> <20260105002638.668723-1-zbowling@gmail.com>

Several MCU functions dereference pointers returned by
mt792x_sta_to_link() and mt792x_vif_to_link() without checking for NULL.
During MLO state transitions, these functions can return NULL when link
state is being set up or torn down, causing kernel NULL pointer
dereferences.

Add NULL checks in the following functions:
- mt7925_mcu_sta_hdr_trans_tlv(): Check mlink before dereferencing wcid
- mt7925_mcu_wtbl_update_hdr_trans(): Check mlink and mconf before use
- mt7925_mcu_sta_amsdu_tlv(): Check mlink before setting amsdu flag
- mt7925_mcu_sta_mld_tlv(): Check mconf and mlink in link iteration loop
- mt7925_mcu_sta_update(): Initialize mlink to NULL and check both
  link_sta and mlink in the ternary condition

These race conditions can occur during:
- MLO link setup/teardown
- Station add/remove operations
- Firmware command generation during state transitions

Found through static analysis (clang-tidy) and pattern matching similar
to fixes in mt7996 and ath12k drivers for MLO link state handling.

Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips")
Signed-off-by: Zac Bowling --- drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c b/drivers/net/= wireless/mediatek/mt76/mt7925/mcu.c index 8080fea30d23..6f7fc1b9a440 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c @@ -1087,6 +1087,8 @@ mt7925_mcu_sta_hdr_trans_tlv(struct sk_buff *skb, struct mt792x_link_sta *mlink; =20 mlink =3D mt792x_sta_to_link(msta, link_sta->link_id); + if (!mlink) + return; wcid =3D &mlink->wcid; } else { wcid =3D &mvif->sta.deflink.wcid; @@ -1120,6 +1122,9 @@ int mt7925_mcu_wtbl_update_hdr_trans(struct mt792x_de= v *dev, link_sta =3D mt792x_sta_to_link_sta(vif, sta, link_id); mconf =3D mt792x_vif_to_link(mvif, link_id); =20 + if (!mlink || !mconf) + return -EINVAL; + skb =3D __mt76_connac_mcu_alloc_sta_req(&dev->mt76, &mconf->mt76, &mlink->wcid, MT7925_STA_UPDATE_MAX_SIZE); @@ -1751,6 +1756,8 @@ mt7925_mcu_sta_amsdu_tlv(struct sk_buff *skb, amsdu->amsdu_en =3D true; =20 mlink =3D mt792x_sta_to_link(msta, link_sta->link_id); + if (!mlink) + return; mlink->wcid.amsdu =3D true; =20 switch (link_sta->agg.max_amsdu_len) { @@ -1953,6 +1960,9 @@ mt7925_mcu_sta_mld_tlv(struct sk_buff *skb, =20 mconf =3D mt792x_vif_to_link(mvif, i); mlink =3D mt792x_sta_to_link(msta, i); + if (!mconf || !mlink) + continue; + mld->link[cnt].wlan_id =3D cpu_to_le16(mlink->wcid.idx); mld->link[cnt++].bss_idx =3D mconf->mt76.idx; =20 @@ -2045,7 +2055,7 @@ int mt7925_mcu_sta_update(struct mt792x_dev *dev, .rcpi =3D to_rcpi(rssi), }; struct mt792x_sta *msta; - struct mt792x_link_sta *mlink; + struct mt792x_link_sta *mlink =3D NULL; =20 lockdep_assert_held(&dev->mt76.mutex); =20 
@@ -2053,7 +2063,7 @@ int mt7925_mcu_sta_update(struct mt792x_dev *dev, msta =3D (struct mt792x_sta *)link_sta->sta->drv_priv; mlink =3D mt792x_sta_to_link(msta, link_sta->link_id); } - info.wcid =3D link_sta ? &mlink->wcid : &mvif->sta.deflink.wcid; + info.wcid =3D (link_sta && mlink) ? &mlink->wcid : &mvif->sta.deflink.wci= d; info.newly =3D state !=3D MT76_STA_INFO_STATE_ASSOC; =20 return mt7925_mcu_sta_cmd(&dev->mphy, &info); --=20 2.51.0
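Review bot: in mt7925_mcu_wtbl_update_hdr_trans() (hunk at -1120), the added check covers mlink and mconf but not link_sta, which is looked up two lines above by mt792x_sta_to_link_sta() for the same link_id. If link_sta is used later in the function it needs the same check; if it cannot be NULL at this point, a one-line comment saying why would close the question.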
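Review bot: in mt7925_mcu_sta_amsdu_tlv() (hunk at -1751), the early return on !mlink comes after "amsdu->amsdu_en = true" has already been written, so if amsdu points into the TLV attached to skb, the command sent to firmware enables A-MSDU while mlink->wcid.amsdu is never set on the driver side. Move the mt792x_sta_to_link() lookup and its NULL check ahead of the amsdu_en assignment so firmware and driver state stay consistent.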
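Review bot: in mt7925_mcu_sta_update() (hunk at -2053), when link_sta is set but mt792x_sta_to_link() returns NULL, the new ternary silently falls back to &mvif->sta.deflink.wcid and still calls mt7925_mcu_sta_cmd(), so the station update is issued for the default link's WCID rather than for the link that was requested. Returning an error in that case (for example -EINVAL, as the mt7925_mcu_wtbl_update_hdr_trans() hunk in this patch does) avoids programming firmware state for the wrong entry.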
From: Zac Bowling
To: zbowling@gmail.com
Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org, lorenzo@kernel.org, nbd@nbd.name, ryder.lee@mediatek.com, sean.wang@mediatek.com
Subject: [PATCH 15/17] wifi: mt76: mt792x: fix firmware reload failure after previous load crash
Date: Sun, 4 Jan 2026 16:26:36 -0800
Message-ID: <20260105002638.668723-16-zbowling@gmail.com>
In-Reply-To: <20260105002638.668723-1-zbowling@gmail.com>
References: <20260102200524.290779-1-zbowling@gmail.com> <20260105002638.668723-1-zbowling@gmail.com>

If the firmware loading process crashes or is interrupted after
acquiring the patch semaphore but before releasing it, subsequent
firmware load attempts will fail with 'Failed to get patch semaphore'
because the semaphore is still held.

This issue manifests as devices becoming unusable after suspend/resume
failures or firmware crashes, requiring a full hardware reboot to
recover. This has been widely reported on MT7921 and MT7925 devices.

Example error log:

  mt7921e 0000:c2:00.0: Failed to get patch semaphore
  mt7921e 0000:c2:00.0: probe with driver mt7921e failed with error -5

Apply the same fix that was applied to MT7915 in commit 79dd14f:
1. Release the patch semaphore before starting firmware load (in case
   it was held by a previous failed attempt)
2. Restart MCU firmware to ensure clean state
3. Wait briefly for MCU to be ready

This fix applies to both MT7921 and MT7925 drivers which share the
mt792x_load_firmware() function.

Fixes: 583204ae70f9 ("wifi: mt76: mt792x: move mt7921_load_firmware in mt792x-lib module")
Link: https://github.com/openwrt/mt76/commit/79dd14f2e8161b656341b6653261779199aedbe4
Signed-off-by: Zac Bowling --- drivers/net/wireless/mediatek/mt76/mt792x_core.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/drivers/net/wireless/mediatek/mt76/mt792x_core.c b/drivers/net= /wireless/mediatek/mt76/mt792x_core.c index 9dc768aa8b9c..05598202b488 100644 --- a/drivers/net/wireless/mediatek/mt76/mt792x_core.c +++ b/drivers/net/wireless/mediatek/mt76/mt792x_core.c 
@@ -936,6 +936,20 @@ int mt792x_load_firmware(struct mt792x_dev *dev) { int ret; =20 + /* Release semaphore if taken by previous failed load attempt. + * This prevents "Failed to get patch semaphore" errors when + * recovering from firmware crashes or suspend/resume failures. + */ + ret =3D mt76_connac_mcu_patch_sem_ctrl(&dev->mt76, false); + if (ret < 0) + dev_dbg(dev->mt76.dev, "Semaphore release returned %d (may be expected)\= n", ret); + + /* Always restart MCU to ensure clean state before loading firmware */ + mt76_connac_mcu_restart(&dev->mt76); + + /* Wait for MCU to be ready after restart */ + msleep(100); + ret =3D mt76_connac2_load_patch(&dev->mt76, mt792x_patch_name(dev)); if (ret) return ret; --=20 2.51.0
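Review bot: in mt792x_load_firmware(), the return value of mt76_connac_mcu_restart() is discarded and the fixed msleep(100) that follows is the only readiness check, so a restart that failed or needed longer than 100 ms goes straight into mt76_connac2_load_patch(). Check the restart result and wait on an actual ready indication with a timeout instead of a bare delay. The semaphore release and restart also run on every load, including a first clean probe; the commit message should say why that is safe when the semaphore was never taken, and why a negative result from the release is only logged at dev_dbg level.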
From: Zac Bowling
To: zbowling@gmail.com
Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org, lorenzo@kernel.org, nbd@nbd.name, ryder.lee@mediatek.com, sean.wang@mediatek.com
Subject: [PATCH 16/17] wifi: mt76: mt7925: add mutex protection in resume path
Date: Sun, 4 Jan 2026 16:26:37 -0800
Message-ID: <20260105002638.668723-17-zbowling@gmail.com>
In-Reply-To: <20260105002638.668723-1-zbowling@gmail.com>
References: <20260102200524.290779-1-zbowling@gmail.com> <20260105002638.668723-1-zbowling@gmail.com>

Add mutex protection around mt7925_mcu_set_deep_sleep() and
mt7925_mcu_regd_update() calls in the resume path to prevent potential
race conditions during resume operations.

These MCU operations require serialization, and the resume path was the
only call site missing mutex protection. Without this, concurrent access
during resume could corrupt firmware state or cause race conditions with
other MCU commands.

Found by static analysis (sparse/coccinelle) pattern matching for
unprotected MCU function calls.

Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips")
Signed-off-by: Zac Bowling --- drivers/net/wireless/mediatek/mt76/mt7925/pci.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/pci.c b/drivers/net/= wireless/mediatek/mt76/mt7925/pci.c index e9d62c6aee91..3a9e32a1759d 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/pci.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/pci.c
@@ -584,10 +584,12 @@ static int _mt7925_pci_resume(struct device *device, = bool restore) } =20 /* restore previous ds setting */ + mt792x_mutex_acquire(dev); if (!pm->ds_enable) mt7925_mcu_set_deep_sleep(dev, false); =20 mt7925_mcu_regd_update(dev, mdev->alpha2, dev->country_ie_env); + mt792x_mutex_release(dev); failed: pm->suspended =3D false; =20 --=20 2.51.0
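Review bot: in the _mt7925_pci_resume() hunk the new mt792x_mutex_acquire(dev) is inserted between the "/* restore previous ds setting */" comment and the `if (!pm->ds_enable)` it describes; put the acquire above the comment so the comment stays attached to its statement. The acquire/release pair is balanced only because nothing between them jumps to `failed:`, and the results of mt7925_mcu_set_deep_sleep() and mt7925_mcu_regd_update() are not checked; if an error check is ever added there it would skip the release, so a separate unlock label ahead of `failed:` would be more robust. The locked region also runs before `pm->suspended = false` is set, which deserves a sentence in the commit message stating which state the mutex protects on this path.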
From: Zac Bowling
To: zbowling@gmail.com
Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org, lorenzo@kernel.org, nbd@nbd.name, ryder.lee@mediatek.com, sean.wang@mediatek.com
Subject: [PATCH 17/17] wifi: mt76: mt7925: add NULL checks in link station and TX queue setup
Date: Sun, 4 Jan 2026 16:26:38 -0800
Message-ID: <20260105002638.668723-18-zbowling@gmail.com>
X-Mailer: git-send-email 2.51.0
In-Reply-To: <20260105002638.668723-1-zbowling@gmail.com>
References: <20260102200524.290779-1-zbowling@gmail.com> <20260105002638.668723-1-zbowling@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Add NULL pointer checks for mt792x_sta_to_link() and mt792x_vif_to_link() results in critical paths to prevent kernel crashes during MLO operations.

Functions fixed:
- mt7925_mac_link_sta_add(): Check mlink and mconf before dereferencing
- mt7925_conf_tx(): Check mconf before accessing queue_params

These can be NULL during MLO link setup/teardown when mac80211 state may not be fully synchronized with driver state.

Found through static analysis and pattern matching.

Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips")
Signed-off-by: Zac Bowling
--- drivers/net/wireless/mediatek/mt76/mt7925/main.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/main.c b/drivers/net= /wireless/mediatek/mt76/mt7925/main.c index 7cf6faa1f6f4..81373e479abd 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c
@@ -871,12 +871,17 @@ static int mt7925_mac_link_sta_add(struct mt76_dev *m= dev, =20 msta =3D (struct mt792x_sta *)link_sta->sta->drv_priv; mlink =3D mt792x_sta_to_link(msta, link_id); + if (!mlink) + return -EINVAL; =20 idx =3D mt76_wcid_alloc(dev->mt76.wcid_mask, MT792x_WTBL_STA - 1); if (idx < 0) return -ENOSPC; =20 mconf =3D mt792x_vif_to_link(mvif, link_id); + if (!mconf) + return -EINVAL; + mt76_wcid_init(&mlink->wcid, 0); mlink->wcid.sta =3D 1; mlink->wcid.idx =3D idx; @@ -1735,6 +1740,9 @@ mt7925_conf_tx(struct ieee80211_hw *hw, struct ieee80= 211_vif *vif, [IEEE80211_AC_BK] =3D 1, }; =20 + if (!mconf) + return -EINVAL; + /* firmware uses access class index */ mconf->queue_params[mq_to_aci[queue]] =3D *params; =20 --=20 2.51.0
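Review bot: in the mt7925_mac_link_sta_add() hunk the new `if (!mconf) return -EINVAL;` comes after `idx = mt76_wcid_alloc(dev->mt76.wcid_mask, MT792x_WTBL_STA - 1);` has succeeded, so that early return leaves the function without giving the allocated index back to wcid_mask. Move the mt792x_vif_to_link() lookup and its check up beside the mlink check, ahead of the allocation, so both NULL cases bail out with nothing to undo.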
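Review bot: in the mt7925_conf_tx() hunk the `if (!mconf)` check sits after the mq_to_aci table, but the assignment of mconf is outside the visible context and nothing in the hunk shows what keeps the link valid between the check and the write to `mconf->queue_params[mq_to_aci[queue]]`. If teardown can run concurrently, as the commit message suggests, the check narrows the window without closing it; state in the commit message which lock or mac80211 guarantee covers this path. Since the issue was found by static analysis, also say whether a NULL mconf has been observed here, because -EINVAL is now returned to the caller for a condition the message describes as expected during link setup and teardown.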