Sender: Zac Bowling
From: Zac
To: sean.wang@kernel.org
Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org, lorenzo@kernel.org, nbd@nbd.name, linux@frame.work, ryder.lee@mediatek.com, sean.wang@mediatek.com, Zac Bowling, Zac Bowling
Subject: [PATCH v4 05/21] wifi: mt76: mt7925: add NULL checks for link_conf and mlink in main.c
Date: Thu, 15 Jan 2026 17:05:03 -0800
Message-ID: <20260116010519.37001-6-zac@zacbowling.com>
In-Reply-To: <20260116010519.37001-1-zac@zacbowling.com>
References: <20260116010519.37001-1-zac@zacbowling.com>
X-Mailing-List: linux-kernel@vger.kernel.org
From: Zac Bowling

Add NULL pointer checks throughout main.c for functions that call
mt792x_vif_to_bss_conf(), mt792x_vif_to_link(), and mt792x_sta_to_link()
without verifying the return value before dereferencing.

Functions fixed:
- mt7925_set_key(): Check link_conf, mconf, and mlink before use
- mt7925_mac_link_sta_add(): Check link_conf before BSS info update
- mt7925_mac_link_sta_assoc(): Check mlink and link_conf before use
- mt7925_mac_link_sta_remove(): Check mlink and link_conf, add goto label
  for proper cleanup path
- mt7925_change_vif_links(): Check link_conf before adding BSS

These functions can receive NULL when the link configuration in mac80211
is not yet synchronized with the driver's link tracking during MLO
operations or state transitions. Without these checks, the driver crashes
during station add/remove/association operations with NULL pointer
dereference:

BUG: kernel NULL pointer dereference, address: 0000000000000010
Call Trace:
 mt7925_mac_link_sta_add+0x...
 ...

Found through static analysis and triggered during BSSID roaming on
systems with multiple access points.

Reported-by: Zac Bowling
Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips")
Signed-off-by: Zac Bowling
---
 .../net/wireless/mediatek/mt76/mt7925/main.c | 27 ++++++++++++++++---
 1 file changed, 23 insertions(+), 4 deletions(-)

diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/main.c b/drivers/net/wireless/mediatek/mt76/mt7925/main.c
index 9f17b21aef..7d3322461b 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c
@@ -604,6 +604,10 @@ static int mt7925_set_link_key(struct ieee80211_hw *hw= , enum set_key_cmd cmd, link_sta =3D sta ? mt792x_sta_to_link_sta(vif, sta, link_id) : NULL; mconf =3D mt792x_vif_to_link(mvif, link_id); mlink =3D mt792x_sta_to_link(msta, link_id); + + if (!link_conf || !mconf || !mlink) + return -EINVAL; + wcid =3D &mlink->wcid; wcid_keyidx =3D &wcid->hw_key_idx; =20 @@ -889,6 +893,8 @@ static int mt7925_mac_link_sta_add(struct mt76_dev *mde= v, MT_WTBL_UPDATE_ADM_COUNT_CLEAR); =20 link_conf =3D mt792x_vif_to_bss_conf(vif, link_id); + if (!link_conf) + return -EINVAL; =20 /* should update bss info before STA add */ if (vif->type =3D=3D NL80211_IFTYPE_STATION && !link_sta->sta->tdls) { @@ -1034,6 +1040,8 @@ static void mt7925_mac_link_sta_assoc(struct mt76_dev= *mdev, =20 msta =3D (struct mt792x_sta *)link_sta->sta->drv_priv; mlink =3D mt792x_sta_to_link(msta, link_sta->link_id); + if (!mlink) + return; =20 mt792x_mutex_acquire(dev); =20 @@ -1043,12 +1051,13 @@ static void mt7925_mac_link_sta_assoc(struct mt76_d= ev *mdev, link_conf =3D mt792x_vif_to_bss_conf(vif, vif->bss_conf.link_id); } =20 - if (vif->type =3D=3D NL80211_IFTYPE_STATION && !link_sta->sta->tdls) { + if (link_conf && vif->type =3D=3D NL80211_IFTYPE_STATION && !link_sta->st= a->tdls) { struct mt792x_bss_conf *mconf; =20 mconf =3D mt792x_link_conf_to_mconf(link_conf); - mt7925_mcu_add_bss_info(&dev->phy, mconf->mt76.ctx, - link_conf, link_sta, true); + if (mconf) + mt7925_mcu_add_bss_info(&dev->phy, mconf->mt76.ctx, + link_conf, link_sta, true); } =20 ewma_avg_signal_init(&mlink->avg_ack_signal); @@ -1095,6 +1104,8 @@ static void mt7925_mac_link_sta_remove(struct mt76_de= v *mdev, =20 msta =3D (struct mt792x_sta *)link_sta->sta->drv_priv; mlink =3D mt792x_sta_to_link(msta, link_id); + if (!mlink) + return; =20 mt7925_roc_abort_sync(dev); =20 
@@ -1108,10 +1119,12 @@ static void mt7925_mac_link_sta_remove(struct mt76_= dev *mdev, =20 link_conf =3D mt792x_vif_to_bss_conf(vif, link_id); =20 - if (vif->type =3D=3D NL80211_IFTYPE_STATION && !link_sta->sta->tdls) { + if (link_conf && vif->type =3D=3D NL80211_IFTYPE_STATION && !link_sta->st= a->tdls) { struct mt792x_bss_conf *mconf; =20 mconf =3D mt792x_link_conf_to_mconf(link_conf); + if (!mconf) + goto out; =20 if (ieee80211_vif_is_mld(vif)) mt792x_mac_link_bss_remove(dev, mconf, mlink); @@ -1119,6 +1132,7 @@ static void mt7925_mac_link_sta_remove(struct mt76_de= v *mdev, mt7925_mcu_add_bss_info(&dev->phy, mconf->mt76.ctx, link_conf, link_sta, false); } +out: =20 spin_lock_bh(&mdev->sta_poll_lock); if (!list_empty(&mlink->wcid.poll_list)) @@ -2031,6 +2045,11 @@ mt7925_change_vif_links(struct ieee80211_hw *hw, str= uct ieee80211_vif *vif, mlink =3D mlinks[link_id]; link_conf =3D mt792x_vif_to_bss_conf(vif, link_id); =20 + if (!link_conf) { + err =3D -EINVAL; + goto free; + } + rcu_assign_pointer(mvif->link_conf[link_id], mconf); rcu_assign_pointer(mvif->sta.link[link_id], mlink); =20 --=20 2.52.0
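Review bot: the @@ -604 hunk is in mt7925_set_link_key(), but the commit message lists this change under mt7925_set_key(); the message should name the function actually touched. On the check itself, `return -EINVAL` reports a caller error, while the message says these NULLs come from mac80211's link configuration not yet being synchronized with the driver's link tracking; if that is the case, a code such as -ENOLINK plus a dev_dbg() naming link_id would let a failed key install be told apart from a genuinely bad argument.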
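Review bot: in the @@ -889 hunk the new `return -EINVAL` sits after the WTBL update call that ends in `MT_WTBL_UPDATE_ADM_COUNT_CLEAR);`, so whatever that call and the earlier part of mt7925_mac_link_sta_add() already set up for this station stays in place on the error path; either move the link_conf check ahead of that call or confirm that the caller unwinds it. This hunk also fails the operation where the assoc and remove hunks skip the BSS update, and if failing is the right choice for add, a one-line dev_dbg() would make the -EINVAL attributable when station add starts failing during roaming.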
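Review bot: the @@ -1034 hunk returns from the void mt7925_mac_link_sta_assoc() with no diagnostic when mlink is NULL, so the only trace of a skipped association will be whatever fails later; a dev_dbg() or dev_warn_once() naming link_sta->link_id at the return would make the mismatch visible.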
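Review bot: in the @@ -1043 hunk the inner `if (mconf)` silently skips mt7925_mcu_add_bss_info() for a link that does have a link_conf but no mconf, so that station's BSS info is never pushed to firmware and nothing records why; that case is the driver's own link tracking being out of step with mac80211 and deserves at least a dev_dbg(), or the same error handling chosen for the add path, rather than a bare skip.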
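Review bot: in the @@ -1095 hunk the new `return` on a NULL mlink also skips mt7925_roc_abort_sync(dev), the line directly after it, which takes the device rather than the link; verify that an in-progress remain-on-channel should still be aborted when the per-link lookup fails, or place the check below that call.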
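Review bot: in the @@ -1108 and @@ -1119 hunks the `goto out` exists only to skip the remainder of the `if` body, and `out:` lands on the normal continuation (the spin_lock_bh(&mdev->sta_poll_lock) poll-list removal), not on a cleanup path as the commit message's "add goto label for proper cleanup path" suggests. The assoc hunk handles the identical case with `if (mconf)`; wrapping the MLD and non-MLD bss-remove calls in `if (mconf) { ... }` here drops the label and the goto and keeps the two functions consistent. If the goto stays, the commit message wording should be corrected.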
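Review bot: in the @@ -2031 hunk the new `goto free` fires after `mlink = mlinks[link_id]` but before the two rcu_assign_pointer() calls for this link, inside what the `mlinks[link_id]` indexing shows is a per-link loop; confirm that the `free` label also unpublishes the mvif->link_conf[] and mvif->sta.link[] entries assigned in earlier iterations, otherwise an -EINVAL midway leaves the vif with a partially installed link set.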