From: Zac Bowling
To: sean.wang@kernel.org
Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org, lorenzo@kernel.org, nbd@nbd.name, linux@frame.work, ryder.lee@mediatek.com, sean.wang@mediatek.com, Zac Bowling, Zac Bowling
Subject: [PATCH v4 01/21] wifi: mt76: mt7925: fix NULL pointer dereference in vif iteration
Date: Thu, 15 Jan 2026 17:04:59 -0800
Message-ID: <20260116010519.37001-2-zac@zacbowling.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20260116010519.37001-1-zac@zacbowling.com>
References: <20260116010519.37001-1-zac@zacbowling.com>
X-Mailing-List: linux-kernel@vger.kernel.org
From: Zac Bowling

mt792x_vif_to_bss_conf() can return NULL when iterating over valid_links during HW reset or other state transitions, because the link configuration in mac80211 may not be set up yet even though the driver's valid_links bitmap has the link marked as valid. This causes a NULL pointer dereference in mt76_connac_mcu_uni_add_dev() when it tries to access bss_conf->vif->type, and similar crashes in other functions that use bss_conf without checking.

This crash was observed on Framework Desktop (AMD Ryzen AI Max 300) with MT7925 (RZ717) running kernel 6.17. The panic occurs during BSSID roaming when the adapter attempts to switch to a better access point:

BUG: kernel NULL pointer dereference, address: 0000000000000010
CPU: 1 UID: 0 PID: 8362 Comm: kworker/u128:10 Tainted: G OE
Workqueue: mt76 mt7925_mac_reset_work [mt7925_common]
RIP: 0010:mt76_connac_mcu_uni_add_dev+0x9c/0x780 [mt76_connac_lib]
Call Trace:
 mt7925_vif_connect_iter+0xcb/0x240 [mt7925_common]
 __iterate_interfaces+0x92/0x130 [mac80211]
 ieee80211_iterate_interfaces+0x3d/0x60 [mac80211]
 mt7925_mac_reset_work+0x105/0x190 [mt7925_common]
 process_one_work+0x18b/0x370
 worker_thread+0x317/0x450

The issue manifests approximately every 5 minutes when the adapter tries to hop to a better BSSID, causing system-wide hangs where network commands (ip, ifconfig, etc.) hang indefinitely.

Add NULL checks for bss_conf before using it in:
- mt7925_vif_connect_iter()
- mt7925_change_vif_links()
- mt7925_mac_sta_assoc()
- mt7925_mac_sta_remove_links()

Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips")
Link: https://community.frame.work/t/kernel-panic-from-wifi-mediatek-mt7925-nullptr-dereference/79301
Reported-by: Zac Bowling
Tested-by: Zac Bowling
Signed-off-by: Zac Bowling
---
 drivers/net/wireless/mediatek/mt76/mt7925/mac.c  | 6 ++++++
 drivers/net/wireless/mediatek/mt76/mt7925/main.c | 8 ++++++++
 2 files changed, 14 insertions(+)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mac.c b/drivers/net/= wireless/mediatek/mt76/mt7925/mac.c index 871b671019..184efe8afa 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/mac.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/mac.c @@ -1271,6 +1271,12 @@ mt7925_vif_connect_iter(void *priv, u8 *mac, bss_conf =3D mt792x_vif_to_bss_conf(vif, i); mconf =3D mt792x_vif_to_link(mvif, i); =20 + /* Skip links that don't have bss_conf set up yet in mac80211. + * This can happen during HW reset when link state is inconsistent. + */ + if (!bss_conf) + continue; + mt76_connac_mcu_uni_add_dev(&dev->mphy, bss_conf, &mconf->mt76, &mvif->sta.deflink.wcid, true); mt7925_mcu_set_tx(dev, bss_conf); diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/main.c b/drivers/net= /wireless/mediatek/mt76/mt7925/main.c index 2d358a9664..3001a62a8b 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c @@ -1304,6 +1304,8 @@ mt7925_mlo_pm_iter(void *priv, u8 *mac, struct ieee80= 211_vif *vif) mt792x_mutex_acquire(dev); for_each_set_bit(i, &valid, IEEE80211_MLD_MAX_NUM_LINKS) { bss_conf =3D mt792x_vif_to_bss_conf(vif, i); + if (!bss_conf) + continue; mt7925_mcu_uni_bss_ps(dev, bss_conf); } mt792x_mutex_release(dev); @@ -1630,6 +1632,8 @@ static void mt7925_ipv6_addr_change(struct ieee80211_= hw *hw, =20 for_each_set_bit(i, &valid, IEEE80211_MLD_MAX_NUM_LINKS) { bss_conf =3D mt792x_vif_to_bss_conf(vif, i); + if (!bss_conf) + continue; __mt7925_ipv6_addr_change(hw, bss_conf, idev); } } @@ -1861,6 +1865,8 @@ static void mt7925_vif_cfg_changed(struct ieee80211_h= w *hw, if (changed & BSS_CHANGED_ARP_FILTER) { for_each_set_bit(i, &valid, IEEE80211_MLD_MAX_NUM_LINKS) { bss_conf =3D mt792x_vif_to_bss_conf(vif, i); + if (!bss_conf) + continue; mt7925_mcu_update_arp_filter(&dev->mt76, bss_conf); } } 
@@ -1876,6 +1882,8 @@ static void mt7925_vif_cfg_changed(struct ieee80211_h= w *hw, } else if (mvif->mlo_pm_state =3D=3D MT792x_MLO_CHANGED_PS) { for_each_set_bit(i, &valid, IEEE80211_MLD_MAX_NUM_LINKS) { bss_conf =3D mt792x_vif_to_bss_conf(vif, i); + if (!bss_conf) + continue; mt7925_mcu_uni_bss_ps(dev, bss_conf); } } --=20 2.52.0
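Review bot: the commit message and the diff disagree about where the checks go: the message lists mt7925_change_vif_links(), mt7925_mac_sta_assoc() and mt7925_mac_sta_remove_links(), none of which appear in the diff, while the main.c hunks add guards to mt7925_mlo_pm_iter(), mt7925_ipv6_addr_change() and mt7925_vif_cfg_changed() that the message does not mention; please make the list match the change. In the mac.c hunk, mconf from mt792x_vif_to_link(mvif, i) is still passed as &mconf->mt76 without a check; if that lookup can miss for the same out-of-sync link the bitmap marks valid, guard it the same way or say in the message why it cannot. Since the message itself says the driver's valid_links bitmap is ahead of mac80211, a sentence on why skipping links is preferred over keeping the bitmap in sync would help the reviewer judge whether this is the fix or a mitigation.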
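Review bot: in the mt7925_mlo_pm_iter() hunk the skipped link silently keeps whatever power-save state firmware had for it, unlike the mac.c hunk which at least explains the skip in a comment; either add the same comment here or emit a dev_dbg() on the skip so a link that never gets mt7925_mcu_uni_bss_ps() is visible when debugging MLO PS issues.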
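Review bot: the mt7925_ipv6_addr_change() hunk is the third copy of the same two lines, "if (!bss_conf)" / "continue;", placed after mt792x_vif_to_bss_conf(vif, i) inside for_each_set_bit(i, &valid, IEEE80211_MLD_MAX_NUM_LINKS); folding the lookup and the NULL check into one iteration helper (a hypothetical for_each_valid_bss_conf(), say) would remove the copy-paste and make it harder for a future iteration site, including the functions the commit message names but this diff does not touch, to miss the check.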
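Review bot: with the guard in the BSS_CHANGED_ARP_FILTER branch, a link whose bss_conf is not yet set up never receives mt7925_mcu_update_arp_filter() for this change; please confirm in the commit message that the filter is pushed again once the link is configured, otherwise the firmware ARP filter for that link stays stale until the next BSS_CHANGED_ARP_FILTER event.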
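Review bot: the MT792x_MLO_CHANGED_PS branch of mt7925_vif_cfg_changed() is now line-for-line the loop body of mt7925_mlo_pm_iter() from the earlier main.c hunk (same for_each_set_bit over valid, same lookup, same NULL check, same mt7925_mcu_uni_bss_ps(dev, bss_conf) call); having this branch call a shared helper would keep the two copies from drifting apart, which is exactly how a check like this one ends up missing in one of them.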