From: Zac Bowling
To: zbowling@gmail.com
Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org, lorenzo@kernel.org, nbd@nbd.name, ryder.lee@mediatek.com, sean.wang@mediatek.com
Subject: [PATCH 04/17] wifi: mt76: mt7925: add NULL checks in MCU STA TLV functions
Date: Sun, 4 Jan 2026 16:26:25 -0800
Message-ID: <20260105002638.668723-5-zbowling@gmail.com>
X-Mailer: git-send-email 2.51.0
In-Reply-To: <20260105002638.668723-1-zbowling@gmail.com>
References: <20260102200524.290779-1-zbowling@gmail.com> <20260105002638.668723-1-zbowling@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Add NULL pointer checks for link_conf and mconf in:
- mt7925_mcu_sta_phy_tlv(): builds PHY capability TLV for station record
- mt7925_mcu_sta_rate_ctrl_tlv(): builds rate control TLV for station record

Both functions call mt792x_vif_to_bss_conf() and mt792x_vif_to_link() which
can return NULL during MLO link state transitions when the link configuration
in mac80211 is not yet synchronized with the driver's link tracking.

Without these checks, the driver will crash with a NULL pointer dereference
when accessing link_conf->chanreq.oper or link_conf->basic_rates.

Found through static analysis (clang-tidy pattern matching for unchecked
return values from functions known to return NULL).

Reported-by: Zac Bowling
Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips")
Signed-off-by: Zac Bowling
--- drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c b/drivers/net/= wireless/mediatek/mt76/mt7925/mcu.c index cf0fdea45cf7..d61a7fbda745 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c 
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c @@ -1773,6 +1773,10 @@ mt7925_mcu_sta_phy_tlv(struct sk_buff *skb, =20 link_conf =3D mt792x_vif_to_bss_conf(vif, link_sta->link_id); mconf =3D mt792x_vif_to_link(mvif, link_sta->link_id); + + if (!link_conf || !mconf) + return; + chandef =3D mconf->mt76.ctx ? &mconf->mt76.ctx->def : &link_conf->chanreq.oper; =20 @@ -1851,6 +1855,10 @@ mt7925_mcu_sta_rate_ctrl_tlv(struct sk_buff *skb, =20 link_conf =3D mt792x_vif_to_bss_conf(vif, link_sta->link_id); mconf =3D mt792x_vif_to_link(mvif, link_sta->link_id); + + if (!link_conf || !mconf) + return; + chandef =3D mconf->mt76.ctx ? &mconf->mt76.ctx->def : &link_conf->chanreq.oper; band =3D chandef->chan->band; --=20 2.51.0
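Review bot: In the first hunk (mt7925_mcu_sta_phy_tlv(), @@ -1773), the bare "return;" on "if (!link_conf || !mconf)" drops the PHY TLV silently, so the station record in skb goes on without it and the caller has no way to tell. If skipping the TLV during an MLO link transition is the intended behaviour, say so in a one-line comment above the check, since the reason currently lives only in the commit message. If it is not expected in normal operation, make the condition visible, for example with a once-only warning or debug message, or have the function return an error the caller can act on. Style: the added blank line between the two lookups and the check separates the assignment from its validation; placing the check directly under the mconf assignment reads better.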
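Review bot: In the second hunk (mt7925_mcu_sta_rate_ctrl_tlv(), @@ -1851), the new check covers link_conf and mconf, but the line right after it, "band = chandef->chan->band;", still dereferences chandef->chan unchecked. When mconf->mt76.ctx is NULL the code falls back to &link_conf->chanreq.oper, and nothing in the hunk shows that its chan pointer is set in the same transition window the commit message describes. Please either confirm that chan is guaranteed non-NULL on this path or extend the guard to cover it. The lookup-plus-check sequence is now duplicated verbatim in both functions; a small shared helper that resolves the chandef, or fails, would keep the two call sites from drifting apart.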