From: Zac Bowling
To: zbowling@gmail.com
Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org, lorenzo@kernel.org, nbd@nbd.name, ryder.lee@mediatek.com, sean.wang@mediatek.com
Subject: [PATCH 01/17] wifi: mt76: mt7925: fix NULL pointer dereference in vif iteration
Date: Sun, 4 Jan 2026 16:26:22 -0800
Message-ID: <20260105002638.668723-2-zbowling@gmail.com>
In-Reply-To: <20260105002638.668723-1-zbowling@gmail.com>
References: <20260102200524.290779-1-zbowling@gmail.com> <20260105002638.668723-1-zbowling@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

mt792x_vif_to_bss_conf() can return NULL when iterating over valid_links
during HW reset or other state transitions, because the link configuration
in mac80211 may not be set up yet even though the driver's valid_links
bitmap has the link marked as valid. This causes a NULL pointer dereference
in mt76_connac_mcu_uni_add_dev() when it tries to access bss_conf->vif->type,
and similar crashes in other functions that use bss_conf without checking.

This crash was observed on Framework Desktop (AMD Ryzen AI Max 300) with
MT7925 (RZ717) running kernel 6.17.
The panic occurs during BSSID roaming when the adapter attempts to switch
to a better access point:

  BUG: kernel NULL pointer dereference, address: 0000000000000010
  CPU: 1 UID: 0 PID: 8362 Comm: kworker/u128:10 Tainted: G OE
  Workqueue: mt76 mt7925_mac_reset_work [mt7925_common]
  RIP: 0010:mt76_connac_mcu_uni_add_dev+0x9c/0x780 [mt76_connac_lib]
  Call Trace:
   mt7925_vif_connect_iter+0xcb/0x240 [mt7925_common]
   __iterate_interfaces+0x92/0x130 [mac80211]
   ieee80211_iterate_interfaces+0x3d/0x60 [mac80211]
   mt7925_mac_reset_work+0x105/0x190 [mt7925_common]
   process_one_work+0x18b/0x370
   worker_thread+0x317/0x450

The issue manifests approximately every 5 minutes when the adapter tries
to hop to a better BSSID, causing system-wide hangs where network commands
(ip, ifconfig, etc.) hang indefinitely.

Add NULL checks for bss_conf before using it in:
- mt7925_vif_connect_iter()
- mt7925_change_vif_links()
- mt7925_mac_sta_assoc()
- mt7925_mac_sta_remove_links()

Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips")
Link: https://community.frame.work/t/kernel-panic-from-wifi-mediatek-mt7925-nullptr-dereference/79301
Reported-by: Zac Bowling
Tested-by: Zac Bowling
Signed-off-by: Zac Bowling
---
 drivers/net/wireless/mediatek/mt76/mt7925/mac.c  | 6 ++++++
 drivers/net/wireless/mediatek/mt76/mt7925/main.c | 8 ++++++++
 2 files changed, 14 insertions(+)

diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mac.c b/drivers/net/wireless/mediatek/mt76/mt7925/mac.c
index 871b67101976..184efe8afa10 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7925/mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/mac.c
@@ -1271,6 +1271,12 @@ mt7925_vif_connect_iter(void *priv, u8 *mac, bss_conf =3D mt792x_vif_to_bss_conf(vif, i); mconf =3D mt792x_vif_to_link(mvif, i); =20 + /* Skip links that don't have bss_conf set up yet in mac80211. + * This can happen during HW reset when link state is inconsistent. + */ + if (!bss_conf) + continue; + mt76_connac_mcu_uni_add_dev(&dev->mphy, bss_conf, &mconf->mt76, &mvif->sta.deflink.wcid, true); mt7925_mcu_set_tx(dev, bss_conf); diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/main.c b/drivers/net= /wireless/mediatek/mt76/mt7925/main.c index 2d358a96640c..3001a62a8b67 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c @@ -1304,6 +1304,8 @@ mt7925_mlo_pm_iter(void *priv, u8 *mac, struct ieee80= 211_vif *vif) mt792x_mutex_acquire(dev); for_each_set_bit(i, &valid, IEEE80211_MLD_MAX_NUM_LINKS) { bss_conf =3D mt792x_vif_to_bss_conf(vif, i); + if (!bss_conf) + continue; mt7925_mcu_uni_bss_ps(dev, bss_conf); } mt792x_mutex_release(dev); @@ -1630,6 +1632,8 @@ static void mt7925_ipv6_addr_change(struct ieee80211_= hw *hw, =20 for_each_set_bit(i, &valid, IEEE80211_MLD_MAX_NUM_LINKS) { bss_conf =3D mt792x_vif_to_bss_conf(vif, i); + if (!bss_conf) + continue; __mt7925_ipv6_addr_change(hw, bss_conf, idev); } } @@ -1861,6 +1865,8 @@ static void mt7925_vif_cfg_changed(struct ieee80211_h= w *hw, if (changed & BSS_CHANGED_ARP_FILTER) { for_each_set_bit(i, &valid, IEEE80211_MLD_MAX_NUM_LINKS) { bss_conf =3D mt792x_vif_to_bss_conf(vif, i); + if (!bss_conf) + continue; mt7925_mcu_update_arp_filter(&dev->mt76, bss_conf); } } @@ -1876,6 +1882,8 @@ static void mt7925_vif_cfg_changed(struct ieee80211_h= w *hw, } else if (mvif->mlo_pm_state =3D=3D MT792x_MLO_CHANGED_PS) { for_each_set_bit(i, &valid, IEEE80211_MLD_MAX_NUM_LINKS) { bss_conf =3D mt792x_vif_to_bss_conf(vif, i); + if (!bss_conf) + continue; mt7925_mcu_uni_bss_ps(dev, bss_conf); } } --=20 2.51.0
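Review bot: in the mac.c hunk (mt7925_vif_connect_iter()), the `continue` silently drops a link from the post-reset reconnect: a link the driver's valid_links bitmap still marks valid is never re-added to firmware via mt76_connac_mcu_uni_add_dev() and nothing records that it was skipped. Since the commit message identifies the driver bitmap disagreeing with mac80211 as the root cause, consider logging the skipped link id at debug level, and consider whether the stale bit should be cleared from the driver's bitmap rather than only skipped, so later iterations over the same bitmap do not keep hitting the same inconsistency. The placement itself is fine: the check sits after `mconf = mt792x_vif_to_link(mvif, i);` but before mconf or bss_conf is used.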
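Review bot: the functions guarded in main.c (mt7925_mlo_pm_iter(), mt7925_ipv6_addr_change() and two loops in mt7925_vif_cfg_changed()) do not match the list in the commit message, which names mt7925_change_vif_links(), mt7925_mac_sta_assoc() and mt7925_mac_sta_remove_links(); none of those three appear in the diff. Either the message should name the functions actually touched, or those three callers still need the same `if (!bss_conf) continue;` guard and the series is missing a hunk. The diffstat (6 lines in mac.c, 8 in main.c) agrees with the hunks shown, so it is the message that is out of date.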
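Review bot: the four main.c hunks each add the same two lines directly after `bss_conf = mt792x_vif_to_bss_conf(vif, i);` with no comment, while the mac.c hunk explains why NULL is possible there. A reader of mt7925_ipv6_addr_change() or the BSS_CHANGED_ARP_FILTER / MT792x_MLO_CHANGED_PS loops in mt7925_vif_cfg_changed() will not see that explanation; either repeat a one-line comment at each site or factor the lookup-and-skip into a small helper used by all five loops, which would also keep any future callers of mt792x_vif_to_bss_conf() inside a for_each_set_bit() loop from reintroducing the dereference.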
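The failure the commit message describes, a driver-side "valid links" bitmap that has drifted from the stack's per-link configuration so that a set bit maps to a NULL pointer, is modelled below as an added, self-contained example. It is not mt76 or mac80211 code: the types and functions (vif_model, link_conf, vif_to_link_conf, connect_links, stale_link_bits) are hypothetical stand-ins, and the sample state in main() is constructed. Beyond the bare NULL check the patch adds, it shows the two things a reviewer would want next to such a guard: counting how many links were skipped, and computing which bitmap bits are stale, so the divergence can be logged and corrected rather than silently tolerated.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model (not mt76/mac80211): the driver keeps its own bitmap
 * of links it believes are valid, while the per-link configuration objects
 * live in an array owned by the stack. During a reset the two views can
 * disagree, so a set bit may map to a NULL configuration. */
#define MAX_LINKS 4

struct link_conf {
	int link_id;
	int configured;
};

struct vif_model {
	unsigned long driver_valid_links;       /* driver's view of valid links */
	unsigned long stack_valid_links;        /* stack's view of valid links */
	struct link_conf *link_conf[MAX_LINKS]; /* entries may be NULL */
};

/* Hypothetical lookup standing in for mt792x_vif_to_bss_conf(): returns
 * NULL when the stack has no configuration for the requested link. */
static struct link_conf *vif_to_link_conf(const struct vif_model *vif,
					  unsigned int id)
{
	if (id >= MAX_LINKS)
		return NULL;
	return vif->link_conf[id];
}

/* Program every link the driver marks valid, skipping links whose
 * configuration is absent instead of dereferencing NULL. Returns the
 * number of links programmed and reports the number skipped through
 * *skipped so the caller can log the divergence. */
static int connect_links(const struct vif_model *vif, int *skipped)
{
	int programmed = 0;
	unsigned int id;

	*skipped = 0;
	for (id = 0; id < MAX_LINKS; id++) {
		struct link_conf *conf;

		if (!(vif->driver_valid_links & (1UL << id)))
			continue;

		conf = vif_to_link_conf(vif, id);
		if (!conf) {
			/* Bitmap and stack disagree: the case the patch guards. */
			(*skipped)++;
			continue;
		}
		programmed++;
	}
	return programmed;
}

/* Bits set in the driver's bitmap that the stack no longer considers
 * valid, i.e. the stale entries that would otherwise map to NULL. */
static unsigned long stale_link_bits(const struct vif_model *vif)
{
	return vif->driver_valid_links & ~vif->stack_valid_links;
}

int main(void)
{
	/* Constructed sample: driver thinks links 0..2 are valid, the stack
	 * only has configuration for links 0 and 1. */
	struct link_conf l0 = { 0, 1 }, l1 = { 1, 1 };
	struct vif_model vif = {
		.driver_valid_links = 0x7,
		.stack_valid_links = 0x3,
		.link_conf = { &l0, &l1, NULL, NULL },
	};
	int skipped;
	int n = connect_links(&vif, &skipped);

	printf("programmed=%d skipped=%d stale=0x%lx\n",
	       n, skipped, stale_link_bits(&vif));
	return 0;
}
```

With the constructed state above the unchecked loop would dereference link 2; the guarded loop programs two links, reports one skipped, and stale_link_bits() identifies bit 2 as the entry the driver should drop from its bitmap.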