From: Zac
Sender: Zac Bowling
To: sean.wang@kernel.org
Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org, lorenzo@kernel.org, nbd@nbd.name, linux@frame.work, ryder.lee@mediatek.com, sean.wang@mediatek.com, Zac Bowling, Zac Bowling
Subject: [PATCH v4 14/21] wifi: mt76: mt7925: add NULL checks for MLO link pointers in MCU functions
Date: Thu, 15 Jan 2026 17:05:12 -0800
Message-ID: <20260116010519.37001-15-zac@zacbowling.com>
In-Reply-To: <20260116010519.37001-1-zac@zacbowling.com>
References: <20260116010519.37001-1-zac@zacbowling.com>
X-Mailer: git-send-email 2.52.0
X-Mailing-List: linux-kernel@vger.kernel.org
From: Zac Bowling

Several MCU functions dereference pointers returned by mt792x_sta_to_link() and mt792x_vif_to_link() without checking for NULL. During MLO state transitions, these functions can return NULL when link state is being set up or torn down, causing kernel NULL pointer dereferences.

Add NULL checks in the following functions:
- mt7925_mcu_sta_hdr_trans_tlv(): Check mlink before dereferencing wcid
- mt7925_mcu_wtbl_update_hdr_trans(): Check mlink and mconf before use
- mt7925_mcu_sta_amsdu_tlv(): Check mlink before setting amsdu flag
- mt7925_mcu_sta_mld_tlv(): Check mconf and mlink in link iteration loop
- mt7925_mcu_sta_update(): Initialize mlink to NULL and check both link_sta and mlink in the ternary condition

These race conditions can occur during:
- MLO link setup/teardown
- Station add/remove operations
- Firmware command generation during state transitions

Found through static analysis (clang-tidy) and pattern matching similar to fixes in mt7996 and ath12k drivers for MLO link state handling.

Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips")
Signed-off-by: Zac Bowling
---
 drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c b/drivers/net/= wireless/mediatek/mt76/mt7925/mcu.c index 8080fea30d..6f7fc1b9a4 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c @@ -1087,6 +1087,8 @@ mt7925_mcu_sta_hdr_trans_tlv(struct sk_buff *skb, struct mt792x_link_sta *mlink; =20 mlink =3D mt792x_sta_to_link(msta, link_sta->link_id); + if (!mlink) + return; wcid =3D &mlink->wcid; } else { wcid =3D &mvif->sta.deflink.wcid; 
@@ -1120,6 +1122,9 @@ int mt7925_mcu_wtbl_update_hdr_trans(struct mt792x_de= v *dev, link_sta =3D mt792x_sta_to_link_sta(vif, sta, link_id); mconf =3D mt792x_vif_to_link(mvif, link_id); =20 + if (!mlink || !mconf) + return -EINVAL; + skb =3D __mt76_connac_mcu_alloc_sta_req(&dev->mt76, &mconf->mt76, &mlink->wcid, MT7925_STA_UPDATE_MAX_SIZE); @@ -1751,6 +1756,8 @@ mt7925_mcu_sta_amsdu_tlv(struct sk_buff *skb, amsdu->amsdu_en =3D true; =20 mlink =3D mt792x_sta_to_link(msta, link_sta->link_id); + if (!mlink) + return; mlink->wcid.amsdu =3D true; =20 switch (link_sta->agg.max_amsdu_len) { @@ -1953,6 +1960,9 @@ mt7925_mcu_sta_mld_tlv(struct sk_buff *skb, =20 mconf =3D mt792x_vif_to_link(mvif, i); mlink =3D mt792x_sta_to_link(msta, i); + if (!mconf || !mlink) + continue; + mld->link[cnt].wlan_id =3D cpu_to_le16(mlink->wcid.idx); mld->link[cnt++].bss_idx =3D mconf->mt76.idx; =20 @@ -2045,7 +2055,7 @@ int mt7925_mcu_sta_update(struct mt792x_dev *dev, .rcpi =3D to_rcpi(rssi), }; struct mt792x_sta *msta; - struct mt792x_link_sta *mlink; + struct mt792x_link_sta *mlink =3D NULL; =20 lockdep_assert_held(&dev->mt76.mutex); =20 @@ -2053,7 +2063,7 @@ int mt7925_mcu_sta_update(struct mt792x_dev *dev, msta =3D (struct mt792x_sta *)link_sta->sta->drv_priv; mlink =3D mt792x_sta_to_link(msta, link_sta->link_id); } - info.wcid =3D link_sta ? &mlink->wcid : &mvif->sta.deflink.wcid; + info.wcid =3D (link_sta && mlink) ? &mlink->wcid : &mvif->sta.deflink.wci= d; info.newly =3D state !=3D MT76_STA_INFO_STATE_ASSOC; =20 return mt7925_mcu_sta_cmd(&dev->mphy, &info); --=20 2.52.0
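Review bot: In the mt7925_mcu_sta_hdr_trans_tlv() hunk, the new `if (!mlink) return;` bails out of a void TLV builder from inside the `if (link_sta)` branch, so the caller has no way to know the header-translation TLV was abandoned part-way, while the `else` branch directly below already carries a fallback (`wcid = &mvif->sta.deflink.wcid;`). Either take that same fallback when the per-link lookup fails, or state in the commit message why a station whose link entry is missing should get no header-translation TLV at all; a silent return here is hard to diagnose later from firmware behaviour alone.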
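Review bot: In the mt7925_mcu_wtbl_update_hdr_trans() hunk, `if (!mlink || !mconf) return -EINVAL;` is placed right after `link_sta = mt792x_sta_to_link_sta(vif, sta, link_id);`, yet link_sta itself is not checked even though the hunk's own reasoning (the link may be mid-setup or mid-teardown) applies to it just as much as to mlink and mconf. Either add `!link_sta` to the condition or say in the commit message why a NULL link_sta is acceptable on this path. Separately, -EINVAL tells the caller "bad argument" for what the commit message describes as a transient state; -ENOLINK or -ENOENT would be a more honest return value.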
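Review bot: In the mt7925_mcu_sta_amsdu_tlv() hunk, the early `return` lands after `amsdu->amsdu_en = true;` has already been written into the TLV but before the `switch (link_sta->agg.max_amsdu_len)` that fills in the A-MSDU sizing, so on the NULL path the firmware receives an A-MSDU record that says "enabled" with the sizing fields never set. Only the single line `mlink->wcid.amsdu = true;` depends on mlink; guard just that assignment (`if (mlink) mlink->wcid.amsdu = true;`) and let the switch run, or move the NULL check ahead of `amsdu_en = true` so the record is never half-written.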
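Review bot: In the mt7925_mcu_sta_mld_tlv() hunk, `if (!mconf || !mlink) continue;` silently drops a link from the MLD record, so `cnt`, and with it the link list the firmware is given, can disagree with the set of link indices the loop was asked to visit, and nothing is logged. If a missing mconf/mlink for an index the loop reaches is genuinely expected during setup/teardown, a one-line comment at the `continue` saying so would help the next reader; if it is not expected, the TLV should probably not be sent at all rather than sent short. Either way, the commit message's summary ("Check mconf and mlink in link iteration loop") should state which behaviour was chosen.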
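Review bot: In the mt7925_mcu_sta_update() hunk, `info.wcid = (link_sta && mlink) ? &mlink->wcid : &mvif->sta.deflink.wcid;` turns a missing link into an update addressed to the default link's wcid, so a station command meant for link_sta->link_id is now sent to firmware under a different wcid index instead of failing; returning an error when link_sta is set but mlink is NULL would be safer than redirecting the command. Also, the visible `lockdep_assert_held(&dev->mt76.mutex);` shows this path runs under the driver mutex, so a NULL here means the link entry was never created or was already removed under that same lock rather than a concurrent race; the commit message's "race conditions" framing is worth tightening to say that.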