From: Zac Bowling
To: zbowling@gmail.com
Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org, lorenzo@kernel.org, nbd@nbd.name, ryder.lee@mediatek.com, sean.wang@mediatek.com
Subject: [PATCH 10/17] wifi: mt76: mt792x: fix NULL pointer dereference in TX path
Date: Sun, 4 Jan 2026 16:26:31 -0800
Message-ID: <20260105002638.668723-11-zbowling@gmail.com>
X-Mailer: git-send-email 2.51.0
In-Reply-To: <20260105002638.668723-1-zbowling@gmail.com>
References: <20260102200524.290779-1-zbowling@gmail.com> <20260105002638.668723-1-zbowling@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Add NULL pointer checks in mt792x_tx() to prevent kernel crashes when
transmitting packets during MLO link removal.

The function calls mt792x_sta_to_link() which can return NULL if the
link is being removed, but the return value was dereferenced without
checking. Similarly, the RCU-protected link_conf and link_sta pointers
were used without NULL validation.

This race can occur when:
1. A packet is queued for transmission
2. Concurrently, the link is being removed (mt7925_mac_link_sta_remove)
3. mt792x_sta_to_link() returns NULL for the removed link
4. Kernel crashes on wcid = &mlink->wcid dereference

Example crash trace:
  BUG: kernel NULL pointer dereference
  RIP: mt792x_tx+0x...
  Call Trace:
   ieee80211_tx+0x...
   __ieee80211_subif_start_xmit+0x...

Fix by:
- Check mlink return value before dereferencing wcid
- Check RCU-dereferenced conf and link_sta before use
- Free the SKB and return early if any pointer is NULL

This affects both MT7921 and MT7925 drivers as mt792x_core.c is shared.

Fixes: c74df1c067f2 ("wifi: mt76: mt792x: introduce mt792x-lib module")
Reported-by: Zac Bowling
Signed-off-by: Zac Bowling --- drivers/net/wireless/mediatek/mt76/mt792x_core.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt792x_core.c b/drivers/net= /wireless/mediatek/mt76/mt792x_core.c index f2ed16feb6c1..9dc768aa8b9c 100644 --- a/drivers/net/wireless/mediatek/mt76/mt792x_core.c +++ b/drivers/net/wireless/mediatek/mt76/mt792x_core.c @@ -95,6 +95,8 @@ void mt792x_tx(struct ieee80211_hw *hw, struct ieee80211_= tx_control *control, IEEE80211_TX_CTRL_MLO_LINK); sta =3D (struct mt792x_sta *)control->sta->drv_priv; mlink =3D mt792x_sta_to_link(sta, link_id); + if (!mlink) + goto free_skb; wcid =3D &mlink->wcid; } =20 @@ -113,9 +115,12 @@ void mt792x_tx(struct ieee80211_hw *hw, struct ieee802= 11_tx_control *control, link_id =3D wcid->link_id; rcu_read_lock(); conf =3D rcu_dereference(vif->link_conf[link_id]); - memcpy(hdr->addr2, conf->addr, ETH_ALEN); - link_sta =3D rcu_dereference(control->sta->link[link_id]); + if (!conf || !link_sta) { + rcu_read_unlock(); + goto free_skb; + } + memcpy(hdr->addr2, conf->addr, ETH_ALEN); memcpy(hdr->addr1, link_sta->addr, ETH_ALEN); =20 if (vif->type =3D=3D NL80211_IFTYPE_STATION) @@ -136,6 +141,10 @@ void mt792x_tx(struct ieee80211_hw *hw, struct ieee802= 11_tx_control *control, } =20 mt76_connac_pm_queue_skb(hw, &dev->pm, wcid, skb); + return; + +free_skb: + ieee80211_free_txskb(hw, skb); } EXPORT_SYMBOL_GPL(mt792x_tx); =20 --=20 2.51.0
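Review bot: in the first hunk (@@ -95,6 +95,8 @@) the new `if (!mlink) goto free_skb;` discards the frame silently; since the commit message describes this as a legitimate race with MLO link removal rather than a programming error, consider making the drop observable (a ratelimited debug message or a per-device drop counter) so that a burst of frames lost during link teardown can be told apart from other TX failures when someone is chasing packet loss. The placement itself is right: the check sits directly after mt792x_sta_to_link() and before `wcid = &mlink->wcid;`, and this early exit happens before the rcu_read_lock() in the second hunk is taken, so no unlock is needed on this path.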
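Review bot: in the second hunk (@@ -113,9 +115,12 @@) the new `if (!conf || !link_sta)` branch has to call rcu_read_unlock() itself before jumping to free_skb, which introduces a second unlock site whose matching success-path rcu_read_unlock() is not visible in the hunk context; a dedicated label placed after the existing unlock (for example `unlock_free:` falling through to `free_skb:`) would keep the RCU critical section balanced in one place and make the lock invariant easier to audit. Moving `memcpy(hdr->addr2, conf->addr, ETH_ALEN);` below the check is the correct ordering, since conf->addr must not be touched before conf is validated. A one-line comment above the check stating that a NULL here means the link is mid-removal would also stop a later cleanup from removing the check as apparently redundant.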
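Review bot: in the third hunk (@@ -136,6 +141,10 @@) ieee80211_free_txskb() is the right way to drop the frame, rather than a plain dev_kfree_skb(), because it hands the skb back to mac80211 so the TX status path accounts for the drop, and the `return;` inserted before the new `free_skb:` label correctly keeps the success path from falling into the free. One nit: since the two goto sites arrive at this label in different lock states (the first with no lock held, the second only after unlocking RCU itself), a short comment at the label stating that callers must arrive with no locks held would document the contract for the next person who adds an error path to this function.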