From: Zac Bowling
To: zbowling@gmail.com
Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org, lorenzo@kernel.org, nbd@nbd.name, ryder.lee@mediatek.com, sean.wang@mediatek.com
Subject: [PATCH 05/17] wifi: mt76: mt7925: add NULL checks for link_conf and mlink in main.c
Date: Sun, 4 Jan 2026 16:26:26 -0800
Message-ID: <20260105002638.668723-6-zbowling@gmail.com>
In-Reply-To: <20260105002638.668723-1-zbowling@gmail.com>
References: <20260102200524.290779-1-zbowling@gmail.com> <20260105002638.668723-1-zbowling@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Add NULL pointer checks throughout main.c for functions that call
mt792x_vif_to_bss_conf(), mt792x_vif_to_link(), and mt792x_sta_to_link()
without verifying the return value before dereferencing.

Functions fixed:
- mt7925_set_key(): Check link_conf, mconf, and mlink before use
- mt7925_mac_link_sta_add(): Check link_conf before BSS info update
- mt7925_mac_link_sta_assoc(): Check mlink and link_conf before use
- mt7925_mac_link_sta_remove(): Check mlink and link_conf, add goto label
  for proper cleanup path
- mt7925_change_vif_links(): Check link_conf before adding BSS

These functions can receive NULL when the link configuration in mac80211
is not yet synchronized with the driver's link tracking during MLO
operations or state transitions.

Without these checks, the driver crashes during station add/remove/association
operations with NULL pointer dereference:

BUG: kernel NULL pointer dereference, address: 0000000000000010
Call Trace:
 mt7925_mac_link_sta_add+0x...
 ...

Found through static analysis and triggered during BSSID roaming on
systems with multiple access points.
Reported-by: Zac Bowling Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt= 7925 chips") Signed-off-by: Zac Bowling --- .../net/wireless/mediatek/mt76/mt7925/main.c | 27 ++++++++++++++++--- 1 file changed, 23 insertions(+), 4 deletions(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/main.c b/drivers/net= /wireless/mediatek/mt76/mt7925/main.c index 9f17b21aef1c..7d3322461bcf 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c @@ -604,6 +604,10 @@ static int mt7925_set_link_key(struct ieee80211_hw *hw= , enum set_key_cmd cmd, link_sta =3D sta ? mt792x_sta_to_link_sta(vif, sta, link_id) : NULL; mconf =3D mt792x_vif_to_link(mvif, link_id); mlink =3D mt792x_sta_to_link(msta, link_id); + + if (!link_conf || !mconf || !mlink) + return -EINVAL; + wcid =3D &mlink->wcid; wcid_keyidx =3D &wcid->hw_key_idx; =20 @@ -889,6 +893,8 @@ static int mt7925_mac_link_sta_add(struct mt76_dev *mde= v, MT_WTBL_UPDATE_ADM_COUNT_CLEAR); =20 link_conf =3D mt792x_vif_to_bss_conf(vif, link_id); + if (!link_conf) + return -EINVAL; =20 /* should update bss info before STA add */ if (vif->type =3D=3D NL80211_IFTYPE_STATION && !link_sta->sta->tdls) { @@ -1034,6 +1040,8 @@ static void mt7925_mac_link_sta_assoc(struct mt76_dev= *mdev, =20 msta =3D (struct mt792x_sta *)link_sta->sta->drv_priv; mlink =3D mt792x_sta_to_link(msta, link_sta->link_id); + if (!mlink) + return; =20 mt792x_mutex_acquire(dev); =20 
@@ -1043,12 +1051,13 @@ static void mt7925_mac_link_sta_assoc(struct mt76_d= ev *mdev, link_conf =3D mt792x_vif_to_bss_conf(vif, vif->bss_conf.link_id); } =20 - if (vif->type =3D=3D NL80211_IFTYPE_STATION && !link_sta->sta->tdls) { + if (link_conf && vif->type =3D=3D NL80211_IFTYPE_STATION && !link_sta->st= a->tdls) { struct mt792x_bss_conf *mconf; =20 mconf =3D mt792x_link_conf_to_mconf(link_conf); - mt7925_mcu_add_bss_info(&dev->phy, mconf->mt76.ctx, - link_conf, link_sta, true); + if (mconf) + mt7925_mcu_add_bss_info(&dev->phy, mconf->mt76.ctx, + link_conf, link_sta, true); } =20 ewma_avg_signal_init(&mlink->avg_ack_signal); @@ -1095,6 +1104,8 @@ static void mt7925_mac_link_sta_remove(struct mt76_de= v *mdev, =20 msta =3D (struct mt792x_sta *)link_sta->sta->drv_priv; mlink =3D mt792x_sta_to_link(msta, link_id); + if (!mlink) + return; =20 mt7925_roc_abort_sync(dev); =20 @@ -1108,10 +1119,12 @@ static void mt7925_mac_link_sta_remove(struct mt76_= dev *mdev, =20 link_conf =3D mt792x_vif_to_bss_conf(vif, link_id); =20 - if (vif->type =3D=3D NL80211_IFTYPE_STATION && !link_sta->sta->tdls) { + if (link_conf && vif->type =3D=3D NL80211_IFTYPE_STATION && !link_sta->st= a->tdls) { struct mt792x_bss_conf *mconf; =20 mconf =3D mt792x_link_conf_to_mconf(link_conf); + if (!mconf) + goto out; =20 if (ieee80211_vif_is_mld(vif)) mt792x_mac_link_bss_remove(dev, mconf, mlink); @@ -1119,6 +1132,7 @@ static void mt7925_mac_link_sta_remove(struct mt76_de= v *mdev, mt7925_mcu_add_bss_info(&dev->phy, mconf->mt76.ctx, link_conf, link_sta, false); } +out: =20 spin_lock_bh(&mdev->sta_poll_lock); if (!list_empty(&mlink->wcid.poll_list)) 
@@ -2031,6 +2045,11 @@ mt7925_change_vif_links(struct ieee80211_hw *hw, str= uct ieee80211_vif *vif, mlink =3D mlinks[link_id]; link_conf =3D mt792x_vif_to_bss_conf(vif, link_id); =20 + if (!link_conf) { + err =3D -EINVAL; + goto free; + } + rcu_assign_pointer(mvif->link_conf[link_id], mconf); rcu_assign_pointer(mvif->sta.link[link_id], mlink); =20 --=20 2.51.0
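Review bot: the trailer block has "Reported-by: Zac Bowling" with the same name as the author and the Signed-off-by line; a Reported-by tag that duplicates the author carries no information, so drop it, or replace it with the static-analysis tool the commit message says found the problem (e.g. a Reported-by for the tool, as is done for smatch/Coverity reports) so the provenance is recorded.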
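Review bot: the commit message lists the first fix under mt7925_set_key(), but the hunk header reads `static int mt7925_set_link_key(struct ieee80211_hw *hw, enum set_key_cmd cmd`, so the check is in mt7925_set_link_key(); please make the bullet match the function actually changed. In the hunk itself, `link_conf` is not assigned in the visible context (only `link_sta`, `mconf` and `mlink` are), so confirm it is populated from mt792x_vif_to_bss_conf() earlier in the function rather than being an uninitialised or stale local at the point of `if (!link_conf || !mconf || !mlink)`. Returning -EINVAL also reads as "mac80211 passed a bad argument", whereas the commit message describes a transient state where the link is not yet tracked; a one-line comment above the check saying why the link can legitimately be missing would help the next reader.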
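Review bot: in mt7925_mac_link_sta_add() the new `if (!link_conf) return -EINVAL;` sits immediately after the WTBL update whose argument list ends with `MT_WTBL_UPDATE_ADM_COUNT_CLEAR);` in the context above, so on this error path a firmware-side WTBL operation has already been issued for a station whose add is then abandoned. Check whether anything done earlier in the function (wcid setup, list insertion, that WTBL update) needs unwinding on this return, or move the mt792x_vif_to_bss_conf() lookup and NULL check to the top of the function so the bail-out happens before any MCU command is sent.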
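Review bot: in the second mt7925_mac_link_sta_assoc() hunk the added `if (mconf)` guard only matters if mt792x_link_conf_to_mconf() can return NULL for a non-NULL link_conf; if it is a plain drv_priv cast the guard is dead code and should be dropped, and if it can return NULL the commit message should say when. Separately, when link_conf is NULL the `mt7925_mcu_add_bss_info(&dev->phy, mconf->mt76.ctx, link_conf, link_sta, true)` call is now skipped silently and the function carries on to ewma_avg_signal_init(), which means the firmware never receives the BSS info for this association; a dev_dbg()/dev_warn() (or at least a comment) at that branch would make the skipped update visible when debugging the roaming case the commit message describes. The first hunk's `if (!mlink) return;` is fine as placed, since it runs before mt792x_mutex_acquire(dev).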
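Review bot: in mt7925_mac_link_sta_remove() the `goto out;` covers only the mconf == NULL case; when link_conf itself is NULL the whole `if (link_conf && vif->type == NL80211_IFTYPE_STATION && !link_sta->sta->tdls)` block is skipped, which on an MLD vif also skips `mt792x_mac_link_bss_remove(dev, mconf, mlink)`, so the driver-side link BSS state for that link is not torn down on this path even though the commit message says "add goto label for proper cleanup path". Either confirm that state is released elsewhere or say so in the commit message. The earlier `if (!mlink) return;` also returns before `mt7925_roc_abort_sync(dev);`, leaving any pending ROC running during station removal; state why that is acceptable. Minor: the `out:` label is followed by a blank line before `spin_lock_bh(&mdev->sta_poll_lock);`; put the label directly above the lock, and as with the assoc hunk the `if (!mconf)` check is dead if mt792x_link_conf_to_mconf() is a cast.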
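Review bot: in mt7925_change_vif_links() the `err = -EINVAL; goto free;` fires after `mlink = mlinks[link_id];` but before the two rcu_assign_pointer() calls, so whatever the `free` label tears down must locate this link's mconf and mlink through the local arrays rather than through mvif->link_conf[] / mvif->sta.link[], or the objects allocated for this link_id leak; the label is outside the hunk, so please confirm that, and consider a comment at the check. Also reconsider whether failing the whole change_vif_links() call with -EINVAL is the intended reaction to a single link whose bss_conf is not yet visible, versus logging and skipping that link, since mac80211 has just asked the driver to add it.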