From nobody Mon Feb 9 16:51:07 2026 Received: from mail-dl1-f54.google.com (mail-dl1-f54.google.com [74.125.82.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6178E3A9615 for ; Tue, 20 Jan 2026 20:11:02 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=74.125.82.54 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768939865; cv=none; b=R4pW/U5G360AmI3iU1fkSklYmp8WhigDHR+HucohYuD2ZJ4SPkEp/6fbOikeUc9WAJUQ+9QONs+/MPe2BGh3cMwvdwjhivGx74tabtkVUW7Cu85e4EouvpGlBMcQEUP8wQDxDWnDv3EC05mS6nkw0SJGtfH6s+HE11xierA4AHM= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768939865; c=relaxed/simple; bh=/IefA+8JdDclRON4a/9CGbkJdy6uMN9aANZxEW2BTdo=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=D9fse7MQH30ZCcW2ABfC4flF7o3nWbhYczd19/smlrB3ck2Z8OdrfDxeRuqorgro1vZMUkUKproNv08lgzBtJbbGUxyNilgmY2fOBqi1sYLQVPYbBVLGlzY5lQ73Zkk/KcwxSIiw5Da8gPwlBVer/IneqV3o/ArBno2XRerGi0M= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=zacbowling.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=dD+hpThh; arc=none smtp.client-ip=74.125.82.54 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=zacbowling.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="dD+hpThh" Received: by mail-dl1-f54.google.com with SMTP id a92af1059eb24-1233702afd3so7451036c88.0 for ; Tue, 20 Jan 2026 12:11:02 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1768939861; x=1769544661; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:sender:from:to:cc:subject:date :message-id:reply-to; bh=BT0PDrEpagMr6lAPteYD4f8kUJ9U66WD57A1dqEsIkg=; b=dD+hpThh5RR7Y7+sPlJ9ZqunZpyWUcAdH6zJcrkAATKoMhcbQV4yZXcz2ALuOWdDMG IW66PUo8MqXmJia/w6M7wUn3Ck72oP1rjevhj80rcluhO9NubWjpKdCmfXAPSLys9Ad+ s+z8LyAsfiaSjJdPCzM/vKfACAuZXqFNZsJ8Y/Xi6HeVuUBMxGbWG8mBPuD6hAtK4SAL TyzBZaOa4Y1A9eZPqFOgk1paDmgbvicDItQPTWsvcgrER5denAqvawjduArfWI0Qm+hF 6Z3wV9VztaMP/4WWptmzkJmk+0UxiQPdTgDa81ntSbssvSwhu7oor8+sY0yb+8zM4x0T 2GWg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1768939861; x=1769544661; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:sender:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=BT0PDrEpagMr6lAPteYD4f8kUJ9U66WD57A1dqEsIkg=; b=W2z98D9uw8i1a+/BbOkyWPq2DdWz4Ehd1bNjCwNKBjB7DPraajSpTQGRzffdLYSKRw sVfEWeBi7CtmwQt9cYGPJU1E9kmPIdAXieuo6jN79Qr0Om//GFbzvoZjf5ngTMgqGq5E NnakE+mT5EvjknfFJRnCgtIUQpcVIsmceouI0pgiLBWZjfAv8Dixg1jlMDYYgsupDvnc SIpBR+B4Wxfdrl7LI+YoaCbB2UDO2kKIArFd/gXFYpNMBVylkuNB104qR+V1fhwnXXyO 6d3EiAd/MmbZKIJoaoAmcrtAWJIljABzvFClHKr0Be7KqQCEliip9aHNdIA/zFVrleKQ Edqw== X-Forwarded-Encrypted: i=1; AJvYcCVQrXp6IGgEgkefEU5MK75VaqksjTc4kIipHdMBhEaQaGRf825fsNHn9Iiury4F523HvNvZWWoJazUbVrU=@vger.kernel.org X-Gm-Message-State: AOJu0YxOWwXGA1k+4UXPejIAv0pmhN8ygSaiP33b5t63aV1SYeCQpCBs tfsPnUnad5yu8/u+siYwHOxv1Wy6FtNrqJhlmVrjhIUDQCrnURf0cZrl X-Gm-Gg: AY/fxX5vrF+HBjZad5WyD5WoCxipgctm+OIWxI4LKm29c/3XIM+sndcmFVNczsR9Nea CZq1XP1q2/XdX7FAkSpJvLVb+hQyB/4LXB2s91y0l8+hyIiF6xveWbqMONWAJ6NFp/JxBBqk2Dv /1H/5BUlcuWc6TpmPCxPbA9kC/Go0E/OtkrNsWpdt69JD0Dd6Qp+E14EvoYs3nlIYLqc8iqPiXW EryTBx2j9Fncm3grxIWWvikCOWvFxcMxQgJgAHBqFA96+K3MK3TNz7b+aojxCrqkM9cTV0N3ccq CuMK0c4c6uWUYkQcf3iNVIyP+NENEU8G90h3H3cnfCN51yZH4r/1FePAZrev9Ru3AWTCEad481s eTgYF5GiH1aWzrmQoQ8DVtl+cEodGwmnYQ/djBnjetqYm4PyxwZqmmVpPsUD8guGES2tXhuQXe0 yoRlmGZ2gzKxgpQkIUBTwMJQhnAiPUcxAv3EKlCeGvGYyxfJR71LUPhNAGqOAt6Za54jfPL2PW X-Received: by 2002:a05:7022:1e03:b0:11b:9386:a387 with SMTP id a92af1059eb24-1246aacae80mr2182611c88.42.1768939860981; Tue, 20 Jan 2026 12:11:00 -0800 (PST) Received: from zcache.home.zacbowling.com ([2001:5a8:60d:bc9:4a3c:9f7c:8037:90c1]) by smtp.gmail.com with ESMTPSA id a92af1059eb24-1244ad7201fsm21982990c88.7.2026.01.20.12.10.59 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 20 Jan 2026 12:10:59 -0800 (PST) Sender: Zac Bowling From: Zac To: sean.wang@kernel.org Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org, linux@frame.work, lorenzo@kernel.org, nbd@nbd.name, ryder.lee@mediatek.com, sean.wang@mediatek.com, zac@zacbowling.com, zbowling@gmail.com Subject: [PATCH 06/13] wifi: mt76: mt7925: add comprehensive NULL pointer protection for MLO Date: Tue, 20 Jan 2026 12:10:36 -0800 Message-ID: <20260120201043.38225-7-zac@zacbowling.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260120201043.38225-1-zac@zacbowling.com> References: <20260120201043.38225-1-zac@zacbowling.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Zac Bowling Add NULL pointer checks for functions that return pointers to link-related structures throughout the mt7925 driver. During MLO state transitions, these functions can return NULL when link configuration is not synchronized. Functions protected: - mt792x_vif_to_bss_conf(): Returns link BSS configuration - mt792x_vif_to_link(): Returns driver link state - mt792x_sta_to_link(): Returns station link state Files updated: 1. mac.c: - mt7925_vif_connect_iter(): Check bss_conf before use - mt7925_mac_sta_assoc(): Check bss_conf before use 2. main.c: - mt7925_set_key(): Check link_conf and mlink - mt7925_mac_link_sta_add(): Check link_conf and mlink - mt7925_mac_link_sta_assoc(): Check bss_conf and mlink - mt7925_mac_link_sta_remove(): Check bss_conf and mlink - mt7925_change_vif_links(): Check conf before use - mt7925_assign_vif_chanctx(): Check mconf and mlink - mt7925_unassign_vif_chanctx(): Check mconf and mlink - mt7925_mgd_prepare_tx(): Check link_conf 3. mcu.c: - mt7925_mcu_sta_phy_tlv(): Check link_sta - mt7925_mcu_sta_amsdu_tlv(): Check link_sta - mt7925_mcu_sta_mld_tlv(): Check link_sta - mt7925_mcu_sta_cmd(): Check mlink - mt7925_mcu_add_bss_info(): Check link_conf - mt7925_mcu_set_chctx(): Check link_conf and mlink Prevents crashes during: - BSSID roaming transitions - MLO setup and teardown - Hardware reset operations - Runtime power management Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt= 7925 device") Signed-off-by: Zac Bowling --- .../net/wireless/mediatek/mt76/mt7925/mac.c | 6 ++ .../net/wireless/mediatek/mt76/mt7925/main.c | 82 ++++++++++++++++--- .../net/wireless/mediatek/mt76/mt7925/mcu.c | 22 ++++- 3 files changed, 97 insertions(+), 13 deletions(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mac.c b/drivers/net/= wireless/mediatek/mt76/mt7925/mac.c index 871b67101976..184efe8afa10 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/mac.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/mac.c @@ -1271,6 +1271,12 @@ mt7925_vif_connect_iter(void *priv, u8 *mac, bss_conf =3D mt792x_vif_to_bss_conf(vif, i); mconf =3D mt792x_vif_to_link(mvif, i); =20 + /* Skip links that don't have bss_conf set up yet in mac80211. + * This can happen during HW reset when link state is inconsistent. + */ + if (!bss_conf) + continue; + mt76_connac_mcu_uni_add_dev(&dev->mphy, bss_conf, &mconf->mt76, &mvif->sta.deflink.wcid, true); mt7925_mcu_set_tx(dev, bss_conf); diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/main.c b/drivers/net= /wireless/mediatek/mt76/mt7925/main.c index 05990455ee7d..74a48742e234 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c @@ -608,6 +608,10 @@ static int mt7925_set_link_key(struct ieee80211_hw *hw= , enum set_key_cmd cmd, link_sta =3D sta ? mt792x_sta_to_link_sta(vif, sta, link_id) : NULL; mconf =3D mt792x_vif_to_link(mvif, link_id); mlink =3D mt792x_sta_to_link(msta, link_id); + + if (!link_conf || !mconf || !mlink) + return -EINVAL; + wcid =3D &mlink->wcid; wcid_keyidx =3D &wcid->hw_key_idx; =20 @@ -860,12 +864,17 @@ static int mt7925_mac_link_sta_add(struct mt76_dev *m= dev, =20 msta =3D (struct mt792x_sta *)link_sta->sta->drv_priv; mlink =3D mt792x_sta_to_link(msta, link_id); + if (!mlink) + return -EINVAL; =20 idx =3D mt76_wcid_alloc(dev->mt76.wcid_mask, MT792x_WTBL_STA - 1); if (idx < 0) return -ENOSPC; =20 mconf =3D mt792x_vif_to_link(mvif, link_id); + if (!mconf) + return -EINVAL; + mt76_wcid_init(&mlink->wcid, 0); mlink->wcid.sta =3D 1; mlink->wcid.idx =3D idx; @@ -891,6 +900,8 @@ static int mt7925_mac_link_sta_add(struct mt76_dev *mde= v, MT_WTBL_UPDATE_ADM_COUNT_CLEAR); =20 link_conf =3D mt792x_vif_to_bss_conf(vif, link_id); + if (!link_conf) + return -EINVAL; =20 /* should update bss info before STA add */ if (vif->type =3D=3D NL80211_IFTYPE_STATION && !link_sta->sta->tdls) { @@ -997,18 +1008,29 @@ mt7925_mac_set_links(struct mt76_dev *mdev, struct i= eee80211_vif *vif) { struct mt792x_dev *dev =3D container_of(mdev, struct mt792x_dev, mt76); struct mt792x_vif *mvif =3D (struct mt792x_vif *)vif->drv_priv; - struct ieee80211_bss_conf *link_conf =3D - mt792x_vif_to_bss_conf(vif, mvif->deflink_id); - struct cfg80211_chan_def *chandef =3D &link_conf->chanreq.oper; - enum nl80211_band band =3D chandef->chan->band, secondary_band; + struct ieee80211_bss_conf *link_conf; + struct cfg80211_chan_def *chandef; + enum nl80211_band band, secondary_band; + u16 sel_links; + u8 secondary_link_id; =20 - u16 sel_links =3D mt76_select_links(vif, 2); - u8 secondary_link_id =3D __ffs(~BIT(mvif->deflink_id) & sel_links); + link_conf =3D mt792x_vif_to_bss_conf(vif, mvif->deflink_id); + if (!link_conf) + return; + + chandef =3D &link_conf->chanreq.oper; + band =3D chandef->chan->band; + + sel_links =3D mt76_select_links(vif, 2); + secondary_link_id =3D __ffs(~BIT(mvif->deflink_id) & sel_links); =20 if (!ieee80211_vif_is_mld(vif) || hweight16(sel_links) < 2) return; =20 link_conf =3D mt792x_vif_to_bss_conf(vif, secondary_link_id); + if (!link_conf) + return; + secondary_band =3D link_conf->chanreq.oper.chan->band; =20 if (band =3D=3D NL80211_BAND_2GHZ || @@ -1036,6 +1058,8 @@ static void mt7925_mac_link_sta_assoc(struct mt76_dev= *mdev, =20 msta =3D (struct mt792x_sta *)link_sta->sta->drv_priv; mlink =3D mt792x_sta_to_link(msta, link_sta->link_id); + if (!mlink) + return; =20 mt792x_mutex_acquire(dev); =20 @@ -1045,12 +1069,13 @@ static void mt7925_mac_link_sta_assoc(struct mt76_d= ev *mdev, link_conf =3D mt792x_vif_to_bss_conf(vif, vif->bss_conf.link_id); } =20 - if (vif->type =3D=3D NL80211_IFTYPE_STATION && !link_sta->sta->tdls) { + if (link_conf && vif->type =3D=3D NL80211_IFTYPE_STATION && !link_sta->st= a->tdls) { struct mt792x_bss_conf *mconf; =20 mconf =3D mt792x_link_conf_to_mconf(link_conf); - mt7925_mcu_add_bss_info(&dev->phy, mconf->mt76.ctx, - link_conf, link_sta, true); + if (mconf) + mt7925_mcu_add_bss_info(&dev->phy, mconf->mt76.ctx, + link_conf, link_sta, true); } =20 ewma_avg_signal_init(&mlink->avg_ack_signal); @@ -1097,6 +1122,8 @@ static void mt7925_mac_link_sta_remove(struct mt76_de= v *mdev, =20 msta =3D (struct mt792x_sta *)link_sta->sta->drv_priv; mlink =3D mt792x_sta_to_link(msta, link_id); + if (!mlink) + return; =20 mt7925_roc_abort_sync(dev); =20 @@ -1110,10 +1137,12 @@ static void mt7925_mac_link_sta_remove(struct mt76_= dev *mdev, =20 link_conf =3D mt792x_vif_to_bss_conf(vif, link_id); =20 - if (vif->type =3D=3D NL80211_IFTYPE_STATION && !link_sta->sta->tdls) { + if (link_conf && vif->type =3D=3D NL80211_IFTYPE_STATION && !link_sta->st= a->tdls) { struct mt792x_bss_conf *mconf; =20 mconf =3D mt792x_link_conf_to_mconf(link_conf); + if (!mconf) + goto out; =20 if (ieee80211_vif_is_mld(vif)) mt792x_mac_link_bss_remove(dev, mconf, mlink); @@ -1121,6 +1150,7 @@ static void mt7925_mac_link_sta_remove(struct mt76_de= v *mdev, mt7925_mcu_add_bss_info(&dev->phy, mconf->mt76.ctx, link_conf, link_sta, false); } +out: =20 spin_lock_bh(&mdev->sta_poll_lock); if (!list_empty(&mlink->wcid.poll_list)) @@ -1308,6 +1338,8 @@ mt7925_mlo_pm_iter(void *priv, u8 *mac, struct ieee80= 211_vif *vif) mt792x_mutex_acquire(dev); for_each_set_bit(i, &valid, IEEE80211_MLD_MAX_NUM_LINKS) { bss_conf =3D mt792x_vif_to_bss_conf(vif, i); + if (!bss_conf) + continue; mt7925_mcu_uni_bss_ps(dev, bss_conf); } mt792x_mutex_release(dev); @@ -1634,6 +1666,8 @@ static void mt7925_ipv6_addr_change(struct ieee80211_= hw *hw, =20 for_each_set_bit(i, &valid, IEEE80211_MLD_MAX_NUM_LINKS) { bss_conf =3D mt792x_vif_to_bss_conf(vif, i); + if (!bss_conf) + continue; __mt7925_ipv6_addr_change(hw, bss_conf, idev); } } @@ -1695,6 +1729,9 @@ mt7925_conf_tx(struct ieee80211_hw *hw, struct ieee80= 211_vif *vif, [IEEE80211_AC_BK] =3D 1, }; =20 + if (!mconf) + return -EINVAL; + /* firmware uses access class index */ mconf->queue_params[mq_to_aci[queue]] =3D *params; =20 @@ -1865,6 +1902,8 @@ static void mt7925_vif_cfg_changed(struct ieee80211_h= w *hw, if (changed & BSS_CHANGED_ARP_FILTER) { for_each_set_bit(i, &valid, IEEE80211_MLD_MAX_NUM_LINKS) { bss_conf =3D mt792x_vif_to_bss_conf(vif, i); + if (!bss_conf) + continue; mt7925_mcu_update_arp_filter(&dev->mt76, bss_conf); } } @@ -1880,6 +1919,8 @@ static void mt7925_vif_cfg_changed(struct ieee80211_h= w *hw, } else if (mvif->mlo_pm_state =3D=3D MT792x_MLO_CHANGED_PS) { for_each_set_bit(i, &valid, IEEE80211_MLD_MAX_NUM_LINKS) { bss_conf =3D mt792x_vif_to_bss_conf(vif, i); + if (!bss_conf) + continue; mt7925_mcu_uni_bss_ps(dev, bss_conf); } } @@ -1901,7 +1942,12 @@ static void mt7925_link_info_changed(struct ieee8021= 1_hw *hw, struct ieee80211_bss_conf *link_conf; =20 mconf =3D mt792x_vif_to_link(mvif, info->link_id); + if (!mconf) + return; + link_conf =3D mt792x_vif_to_bss_conf(vif, mconf->link_id); + if (!link_conf) + return; =20 mt792x_mutex_acquire(dev); =20 @@ -2025,6 +2071,11 @@ mt7925_change_vif_links(struct ieee80211_hw *hw, str= uct ieee80211_vif *vif, mlink =3D mlinks[link_id]; link_conf =3D mt792x_vif_to_bss_conf(vif, link_id); =20 + if (!link_conf) { + err =3D -EINVAL; + goto free; + } + rcu_assign_pointer(mvif->link_conf[link_id], mconf); rcu_assign_pointer(mvif->sta.link[link_id], mlink); =20 @@ -2105,9 +2156,14 @@ static int mt7925_assign_vif_chanctx(struct ieee8021= 1_hw *hw, =20 if (ieee80211_vif_is_mld(vif)) { mconf =3D mt792x_vif_to_link(mvif, link_conf->link_id); + if (!mconf) { + mutex_unlock(&dev->mt76.mutex); + return -EINVAL; + } + pri_link_conf =3D mt792x_vif_to_bss_conf(vif, mvif->deflink_id); =20 - if (vif->type =3D=3D NL80211_IFTYPE_STATION && + if (pri_link_conf && vif->type =3D=3D NL80211_IFTYPE_STATION && mconf =3D=3D &mvif->bss_conf) mt7925_mcu_add_bss_info(&dev->phy, NULL, pri_link_conf, NULL, true); @@ -2136,6 +2192,10 @@ static void mt7925_unassign_vif_chanctx(struct ieee8= 0211_hw *hw, =20 if (ieee80211_vif_is_mld(vif)) { mconf =3D mt792x_vif_to_link(mvif, link_conf->link_id); + if (!mconf) { + mutex_unlock(&dev->mt76.mutex); + return; + } =20 if (vif->type =3D=3D NL80211_IFTYPE_STATION && mconf =3D=3D &mvif->bss_conf) diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c b/drivers/net/= wireless/mediatek/mt76/mt7925/mcu.c index cf0fdea45cf7..94ec62a4538a 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c @@ -1087,6 +1087,8 @@ mt7925_mcu_sta_hdr_trans_tlv(struct sk_buff *skb, struct mt792x_link_sta *mlink; =20 mlink =3D mt792x_sta_to_link(msta, link_sta->link_id); + if (!mlink) + return; wcid =3D &mlink->wcid; } else { wcid =3D &mvif->sta.deflink.wcid; @@ -1120,6 +1122,9 @@ int mt7925_mcu_wtbl_update_hdr_trans(struct mt792x_de= v *dev, link_sta =3D mt792x_sta_to_link_sta(vif, sta, link_id); mconf =3D mt792x_vif_to_link(mvif, link_id); =20 + if (!mlink || !mconf) + return -EINVAL; + skb =3D __mt76_connac_mcu_alloc_sta_req(&dev->mt76, &mconf->mt76, &mlink->wcid, MT7925_STA_UPDATE_MAX_SIZE); @@ -1741,6 +1746,8 @@ mt7925_mcu_sta_amsdu_tlv(struct sk_buff *skb, amsdu->amsdu_en =3D true; =20 mlink =3D mt792x_sta_to_link(msta, link_sta->link_id); + if (!mlink) + return; mlink->wcid.amsdu =3D true; =20 switch (link_sta->agg.max_amsdu_len) { @@ -1773,6 +1780,10 @@ mt7925_mcu_sta_phy_tlv(struct sk_buff *skb, =20 link_conf =3D mt792x_vif_to_bss_conf(vif, link_sta->link_id); mconf =3D mt792x_vif_to_link(mvif, link_sta->link_id); + + if (!link_conf || !mconf) + return; + chandef =3D mconf->mt76.ctx ? &mconf->mt76.ctx->def : &link_conf->chanreq.oper; =20 @@ -1851,6 +1862,10 @@ mt7925_mcu_sta_rate_ctrl_tlv(struct sk_buff *skb, =20 link_conf =3D mt792x_vif_to_bss_conf(vif, link_sta->link_id); mconf =3D mt792x_vif_to_link(mvif, link_sta->link_id); + + if (!link_conf || !mconf) + return; + chandef =3D mconf->mt76.ctx ? &mconf->mt76.ctx->def : &link_conf->chanreq.oper; band =3D chandef->chan->band; @@ -1935,6 +1950,9 @@ mt7925_mcu_sta_mld_tlv(struct sk_buff *skb, =20 mconf =3D mt792x_vif_to_link(mvif, i); mlink =3D mt792x_sta_to_link(msta, i); + if (!mconf || !mlink) + continue; + mld->link[cnt].wlan_id =3D cpu_to_le16(mlink->wcid.idx); mld->link[cnt++].bss_idx =3D mconf->mt76.idx; =20 @@ -2027,13 +2045,13 @@ int mt7925_mcu_sta_update(struct mt792x_dev *dev, .rcpi =3D to_rcpi(rssi), }; struct mt792x_sta *msta; - struct mt792x_link_sta *mlink; + struct mt792x_link_sta *mlink =3D NULL; =20 if (link_sta) { msta =3D (struct mt792x_sta *)link_sta->sta->drv_priv; mlink =3D mt792x_sta_to_link(msta, link_sta->link_id); } - info.wcid =3D link_sta ? &mlink->wcid : &mvif->sta.deflink.wcid; + info.wcid =3D (link_sta && mlink) ? &mlink->wcid : &mvif->sta.deflink.wci= d; info.newly =3D state !=3D MT76_STA_INFO_STATE_ASSOC; =20 return mt7925_mcu_sta_cmd(&dev->mphy, &info); --=20 2.52.0