From: Lorenzo Bianconi <lorenzo@kernel.org>
To: Felix Fietkau <nbd@nbd.name>
Cc: linux-wireless@vger.kernel.org
Subject: Re: [PATCH 1/6] wifi: mt76: mt7996: fix crash on some tx status reports
Date: Wed, 27 Aug 2025 14:58:41 +0200 [thread overview]
Message-ID: <aK8BAS3aYZSl_NJL@lore-rh-laptop> (raw)
In-Reply-To: <20250827085352.51636-1-nbd@nbd.name>
[-- Attachment #1: Type: text/plain, Size: 1254 bytes --]
> When a wcid can't be found, link_sta can be stale from a previous batch.
> The code currently assumes that if link_sta is set, wcid is also non-zero.
> Fix wcid NULL pointer dereference by resetting link_sta when a wcid entry
> can't be found.
>
> Fixes: 62da647a2b20 ("wifi: mt76: mt7996: Add MLO support to mt7996_tx_check_aggr()")
Acked-by: Lorenzo Bianconi <lorenzo@kernel.org>
> Signed-off-by: Felix Fietkau <nbd@nbd.name>
> ---
> drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
> index d6531b74be1f..837deb41ae13 100644
> --- a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
> +++ b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
> @@ -1247,8 +1247,10 @@ mt7996_mac_tx_free(struct mt7996_dev *dev, void *data, int len)
> idx = FIELD_GET(MT_TXFREE_INFO_WLAN_ID, info);
> wcid = mt76_wcid_ptr(dev, idx);
> sta = wcid_to_sta(wcid);
> - if (!sta)
> + if (!sta) {
> + link_sta = NULL;
> goto next;
> + }
>
> link_sta = rcu_dereference(sta->link[wcid->link_id]);
> if (!link_sta)
> --
> 2.51.0
>
>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]
prev parent reply other threads:[~2025-08-27 12:58 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-27 8:53 [PATCH 1/6] wifi: mt76: mt7996: fix crash on some tx status reports Felix Fietkau
2025-08-27 8:53 ` [PATCH 2/6] wifi: mt76: do not add non-sta wcid entries to the poll list Felix Fietkau
2025-08-27 8:53 ` [PATCH 3/6] wifi: mt76: mt7996: add missing check for rx wcid entries Felix Fietkau
2025-08-27 8:53 ` [PATCH 4/6] wifi: mt76: mt7915: fix list corruption after hardware restart Felix Fietkau
2025-08-27 8:53 ` [PATCH 5/6] wifi: mt76: free pending offchannel tx frames on wcid cleanup Felix Fietkau
2025-08-27 8:53 ` [PATCH 6/6] wifi: mt76: fix linked list corruption Felix Fietkau
2025-08-27 12:58 ` Lorenzo Bianconi [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aK8BAS3aYZSl_NJL@lore-rh-laptop \
--to=lorenzo@kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=nbd@nbd.name \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.