From: Zac Bowling
To: zbowling@gmail.com
Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org, lorenzo@kernel.org, nbd@nbd.name, ryder.lee@mediatek.com, sean.wang@mediatek.com
Subject: [PATCH 14/17] wifi: mt76: mt7925: add NULL checks for MLO link pointers in MCU functions
Date: Sun, 4 Jan 2026 16:26:35 -0800
Message-ID: <20260105002638.668723-15-zbowling@gmail.com>
In-Reply-To: <20260105002638.668723-1-zbowling@gmail.com>
References: <20260102200524.290779-1-zbowling@gmail.com> <20260105002638.668723-1-zbowling@gmail.com>

Several MCU functions dereference pointers returned by mt792x_sta_to_link() and mt792x_vif_to_link() without checking for NULL. During MLO state transitions, these functions can return NULL when link state is being set up or torn down, causing kernel NULL pointer dereferences.

Add NULL checks in the following functions:
- mt7925_mcu_sta_hdr_trans_tlv(): Check mlink before dereferencing wcid
- mt7925_mcu_wtbl_update_hdr_trans(): Check mlink and mconf before use
- mt7925_mcu_sta_amsdu_tlv(): Check mlink before setting amsdu flag
- mt7925_mcu_sta_mld_tlv(): Check mconf and mlink in link iteration loop
- mt7925_mcu_sta_update(): Initialize mlink to NULL and check both link_sta and mlink in the ternary condition

These race conditions can occur during:
- MLO link setup/teardown
- Station add/remove operations
- Firmware command generation during state transitions

Found through static analysis (clang-tidy) and pattern matching similar to fixes in mt7996 and ath12k drivers for MLO link state handling.

Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips")
Signed-off-by: Zac Bowling --- drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c b/drivers/net/= wireless/mediatek/mt76/mt7925/mcu.c index 8080fea30d23..6f7fc1b9a440 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c @@ -1087,6 +1087,8 @@ mt7925_mcu_sta_hdr_trans_tlv(struct sk_buff *skb, struct mt792x_link_sta *mlink; =20 mlink =3D mt792x_sta_to_link(msta, link_sta->link_id); + if (!mlink) + return; wcid =3D &mlink->wcid; } else { wcid =3D &mvif->sta.deflink.wcid; @@ -1120,6 +1122,9 @@ int mt7925_mcu_wtbl_update_hdr_trans(struct mt792x_de= v *dev, link_sta =3D mt792x_sta_to_link_sta(vif, sta, link_id); mconf =3D mt792x_vif_to_link(mvif, link_id); =20 + if (!mlink || !mconf) + return -EINVAL; + skb =3D __mt76_connac_mcu_alloc_sta_req(&dev->mt76, &mconf->mt76, &mlink->wcid, MT7925_STA_UPDATE_MAX_SIZE); @@ -1751,6 +1756,8 @@ mt7925_mcu_sta_amsdu_tlv(struct sk_buff *skb, amsdu->amsdu_en =3D true; =20 mlink =3D mt792x_sta_to_link(msta, link_sta->link_id); + if (!mlink) + return; mlink->wcid.amsdu =3D true; =20 switch (link_sta->agg.max_amsdu_len) { @@ -1953,6 +1960,9 @@ mt7925_mcu_sta_mld_tlv(struct sk_buff *skb, =20 mconf =3D mt792x_vif_to_link(mvif, i); mlink =3D mt792x_sta_to_link(msta, i); + if (!mconf || !mlink) + continue; + mld->link[cnt].wlan_id =3D cpu_to_le16(mlink->wcid.idx); mld->link[cnt++].bss_idx =3D mconf->mt76.idx; =20 @@ -2045,7 +2055,7 @@ int mt7925_mcu_sta_update(struct mt792x_dev *dev, .rcpi =3D to_rcpi(rssi), }; struct mt792x_sta *msta; - struct mt792x_link_sta *mlink; + struct mt792x_link_sta *mlink =3D NULL; =20 lockdep_assert_held(&dev->mt76.mutex); =20 
@@ -2053,7 +2063,7 @@ int mt7925_mcu_sta_update(struct mt792x_dev *dev, msta =3D (struct mt792x_sta *)link_sta->sta->drv_priv; mlink =3D mt792x_sta_to_link(msta, link_sta->link_id); } - info.wcid =3D link_sta ? &mlink->wcid : &mvif->sta.deflink.wcid; + info.wcid =3D (link_sta && mlink) ? &mlink->wcid : &mvif->sta.deflink.wci= d; info.newly =3D state !=3D MT76_STA_INFO_STATE_ASSOC; =20 return mt7925_mcu_sta_cmd(&dev->mphy, &info); --=20 2.51.0
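Review bot: in the mt7925_mcu_sta_hdr_trans_tlv() hunk (@@ -1087) the bare `return;` silently drops the header-translation TLV from the STA record command when mt792x_sta_to_link() returns NULL, and since the function returns nothing the caller cannot tell that the command it is about to send is incomplete. If this state is truly a transient race, the whole command is better abandoned than sent with a TLV missing; consider surfacing the failure to the caller, or at minimum a WARN_ON_ONCE() so the race shows up in logs instead of vanishing. A reviewer will also want to see the concrete call path in which the station's link slot for link_sta->link_id is empty while link_sta itself is valid for that same link, since the commit message cites only clang-tidy and pattern matching rather than an observed oops.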
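Review bot: in the mt7925_mcu_wtbl_update_hdr_trans() hunk (@@ -1120) the new check covers mlink and mconf but not link_sta, which the context line directly above fetches via mt792x_sta_to_link_sta(vif, sta, link_id) for the same link_id. Whether a NULL link_sta is a legitimate input further down is not visible in this hunk; if it is not, it belongs in the same test (`if (!mlink || !mconf || !link_sta)`), and if it is, a short comment saying link_sta is deliberately left unchecked will save the next reader the question. The check is correctly placed before __mt76_connac_mcu_alloc_sta_req(), so the early -EINVAL leaks nothing.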
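Review bot: in the mt7925_mcu_sta_amsdu_tlv() hunk (@@ -1751) the NULL check sits after `amsdu->amsdu_en = true;`, so by the time it returns the A-MSDU TLV has already been appended to the command with amsdu_en set, while `mlink->wcid.amsdu = true;` and the `switch (link_sta->agg.max_amsdu_len)` that fills in the size fields are skipped. Firmware then receives a TLV that says A-MSDU is enabled with the remaining fields at their defaults, and the driver-side wcid flag disagrees with what was sent. Move the mt792x_sta_to_link() lookup and the `if (!mlink) return;` to the top of the function, before the TLV is added to the skb, so a failed lookup leaves the command untouched.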
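Review bot: in the mt7925_mcu_sta_mld_tlv() hunk (@@ -1953) the `continue` is internally consistent, because cnt only advances for links that were actually written and no half-filled entry is left behind. What the hunk does not show is where the link count written into the TLV comes from: if it is cnt after the loop, this is fine; if it is taken from the loop bound or a valid-links bitmap, firmware will read one more entry than was filled. A one-line comment at the `continue` stating which it is would help, and if a link can be marked valid yet have no mconf or mlink, that inconsistency is the real bug the commit message is describing and probably deserves a WARN_ON_ONCE() rather than a silent skip.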
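Review bot: the new ternary in the mt7925_mcu_sta_update() hunk (@@ -2053) changes behaviour for the case where link_sta is valid but mt792x_sta_to_link() returns NULL: instead of an oops, the update is now sent against `mvif->sta.deflink.wcid`, i.e. the VIF's own default link rather than the station link the caller asked for. A STA_REC update applied to the wrong WCID is a silent misconfiguration that is harder to diagnose than the crash it replaces. Since the function already returns int and asserts the mutex is held, fail instead of falling back, and keep the deflink path only for the `!link_sta` case:

	if (link_sta && !mlink)
		return -EINVAL;
	info.wcid = link_sta ? &mlink->wcid : &mvif->sta.deflink.wcid;

The `= NULL` initializer added in the preceding hunk (@@ -2045) is not strictly required once the short-circuit condition is in place, but it is harmless and keeps -Wmaybe-uninitialized quiet, so it can stay.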
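The two properties a reviewer checks in a patch like this are easier to see in isolation: a per-link slot table in which a lookup can legitimately return NULL while a link is being set up or torn down, a record builder whose count comes from the entries it actually wrote, and a TLV writer that performs the lookup before it appends anything, so a failed lookup leaves the command buffer untouched. The following is an added example written for this page; it is not mt76/mt7925 code. The struct names, MAX_LINKS, the command buffer, the TLV layout and the sample station/vif contents are all assumptions made for illustration.

```c
/* Added example, not mt76/mt7925 code: a toy model of per-link lookups in an
 * MLO station record. Struct names, MAX_LINKS, the command buffer and the
 * TLV layout are assumptions made for illustration. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_LINKS 3	/* assumed: MLO link slots per station and per vif */
#define CMD_MAX   64	/* assumed: command buffer capacity in bytes */

struct link_sta { uint16_t wcid_idx; int amsdu; };
struct link_bss { uint8_t bss_idx; };

/* One slot per link; NULL means the link is not set up (or already torn down). */
struct sta { struct link_sta *link[MAX_LINKS]; };
struct vif { struct link_bss *link[MAX_LINKS]; };

struct mld_link { uint16_t wlan_id; uint8_t bss_idx; };
struct mld_record { uint8_t link_num; struct mld_link link[MAX_LINKS]; };

struct amsdu_tlv { uint16_t tag; uint16_t len; uint8_t amsdu_en; uint8_t amsdu_num; };
struct cmd { uint8_t buf[CMD_MAX]; size_t len; };

static struct link_sta *sta_to_link(struct sta *s, int link_id)
{
	return (link_id < 0 || link_id >= MAX_LINKS) ? NULL : s->link[link_id];
}

static struct link_bss *vif_to_link(struct vif *v, int link_id)
{
	return (link_id < 0 || link_id >= MAX_LINKS) ? NULL : v->link[link_id];
}

/* Record every link populated on both sides. link_num is derived from the
 * entries actually written, never from the slot count, so a skipped link
 * leaves no hole for the consumer to read. */
static int build_mld_record(struct sta *s, struct vif *v, struct mld_record *mld)
{
	int cnt = 0, i;

	memset(mld, 0, sizeof(*mld));
	for (i = 0; i < MAX_LINKS; i++) {
		struct link_bss *mconf = vif_to_link(v, i);
		struct link_sta *mlink = sta_to_link(s, i);

		if (!mconf || !mlink)
			continue;
		mld->link[cnt].wlan_id = mlink->wcid_idx;
		mld->link[cnt++].bss_idx = mconf->bss_idx;
	}
	mld->link_num = (uint8_t)cnt;
	return cnt ? cnt : -ENOLINK;
}

/* Append an A-MSDU TLV for one link. The lookup comes first, so on failure
 * nothing has been written and the driver-side flag (mlink->amsdu) and the
 * firmware-side flag (tlv.amsdu_en) cannot disagree. */
static int add_amsdu_tlv(struct cmd *cmd, struct sta *s, int link_id)
{
	struct link_sta *mlink = sta_to_link(s, link_id);
	struct amsdu_tlv tlv = { .tag = 0x1b, .len = sizeof(tlv), .amsdu_en = 1, .amsdu_num = 8 };

	if (!mlink)
		return -ENOLINK;
	if (cmd->len + sizeof(tlv) > CMD_MAX)
		return -ENOSPC;
	memcpy(cmd->buf + cmd->len, &tlv, sizeof(tlv));
	cmd->len += sizeof(tlv);
	mlink->amsdu = 1;
	return 0;
}

/* Constructed sample: the station has links 0 and 2, the vif has all three.
 * Link 1 plays the "being set up / torn down" slot. */
static struct link_sta demo_l0 = { .wcid_idx = 5 }, demo_l2 = { .wcid_idx = 9 };
static struct link_bss demo_b0 = { 0 }, demo_b1 = { 1 }, demo_b2 = { 2 };
static struct sta demo_sta = { .link = { &demo_l0, NULL, &demo_l2 } };
static struct vif demo_vif = { .link = { &demo_b0, &demo_b1, &demo_b2 } };

static int demo_mld_link_num(void)
{
	struct mld_record mld;
	return build_mld_record(&demo_sta, &demo_vif, &mld) < 0 ? -1 : mld.link_num;
}

/* Entry n of the built record: wlan_id, or bss_idx when want_bss is set. */
static int demo_mld_entry(int n, int want_bss)
{
	struct mld_record mld;
	build_mld_record(&demo_sta, &demo_vif, &mld);
	return want_bss ? mld.link[n].bss_idx : mld.link[n].wlan_id;
}

static int demo_amsdu_rc(int link_id)
{
	struct cmd cmd = { .len = 0 };
	return add_amsdu_tlv(&cmd, &demo_sta, link_id);
}

static int demo_amsdu_len(int link_id)
{
	struct cmd cmd = { .len = 0 };
	add_amsdu_tlv(&cmd, &demo_sta, link_id);
	return (int)cmd.len;
}

int main(void)
{
	printf("mld link_num=%d\n", demo_mld_link_num());
	printf("amsdu link 1: rc=%d len=%d\n", demo_amsdu_rc(1), demo_amsdu_len(1));
	printf("amsdu link 0: rc=%d len=%d\n", demo_amsdu_rc(0), demo_amsdu_len(0));
	return 0;
}
```

With link 1 absent on the station side, the MLD record carries two entries and link_num 2, and the A-MSDU writer refuses link 1 with -ENOLINK while leaving the command buffer empty; only for a populated link does the buffer grow by one TLV and the driver-side flag get set.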