linux-wireless.vger.kernel.org archive mirror
From: Zac Bowling <zbowling@gmail.com>
To: zbowling@gmail.com
Cc: deren.wu@mediatek.com, kvalo@kernel.org,
	linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org,
	linux-wireless@vger.kernel.org, lorenzo@kernel.org, nbd@nbd.name,
	ryder.lee@mediatek.com, sean.wang@mediatek.com
Subject: [PATCH] wifi: mt76: mt7925: add NULL checks for MLO link pointers in MCU functions
Date: Fri,  2 Jan 2026 12:03:12 -0800
Message-ID: <20260102200315.290015-4-zbowling@gmail.com>
In-Reply-To: <20260102200315.290015-1-zbowling@gmail.com>

Several MCU functions dereference pointers returned by mt792x_sta_to_link()
and mt792x_vif_to_link() without checking for NULL. During MLO state
transitions, these functions can return NULL when link state is being
set up or torn down, causing kernel NULL pointer dereferences.

Add NULL checks in the following functions:

- mt7925_mcu_sta_hdr_trans_tlv(): Check mlink before dereferencing wcid
- mt7925_mcu_wtbl_update_hdr_trans(): Check mlink and mconf before use
- mt7925_mcu_sta_amsdu_tlv(): Check mlink before setting amsdu flag
- mt7925_mcu_sta_mld_tlv(): Check mconf and mlink in link iteration loop
- mt7925_mcu_sta_update(): Initialize mlink to NULL and check both
  link_sta and mlink in the ternary condition

These race conditions can occur during:
- MLO link setup/teardown
- Station add/remove operations
- Firmware command generation during state transitions

The fixes follow the pattern used in mt7996 and ath12k drivers for
similar MLO link state handling.

Signed-off-by: Zac Bowling <zac@zacbowling.com>
---
 mt7925/mcu.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/mt7925/mcu.c b/mt7925/mcu.c
index bd38807e..b9c4b99d 100644
--- a/mt7925/mcu.c
+++ b/mt7925/mcu.c
@@ -1087,6 +1087,8 @@ mt7925_mcu_sta_hdr_trans_tlv(struct sk_buff *skb,
 		struct mt792x_link_sta *mlink;
 
 		mlink = mt792x_sta_to_link(msta, link_sta->link_id);
+		if (!mlink)
+			return;
 		wcid = &mlink->wcid;
 	} else {
 		wcid = &mvif->sta.deflink.wcid;
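Review bot: the bare `return` on NULL mlink drops the hdr-trans TLV from the station record without telling anyone: the function is void, so a caller that keeps building and sending the message has no way to learn the TLV was skipped, and nothing reaches the log. At minimum add a `dev_dbg()` or `WARN_ON_ONCE()` at the return so a missing link during setup/teardown is visible; better, since mt7925_mcu_wtbl_update_hdr_trans() in the next hunk already resolves mlink for the same link_id, have the caller pass the resolved mlink in and report the failure as an error instead of doing the lookup twice.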
@@ -1120,6 +1122,9 @@ int mt7925_mcu_wtbl_update_hdr_trans(struct mt792x_dev *dev,
 	link_sta = mt792x_sta_to_link_sta(vif, sta, link_id);
 	mconf = mt792x_vif_to_link(mvif, link_id);
 
+	if (!mlink || !mconf)
+		return -EINVAL;
+
 	skb = __mt76_connac_mcu_alloc_sta_req(&dev->mt76, &mconf->mt76,
 					      &mlink->wcid,
 					      MT7925_STA_UPDATE_MAX_SIZE);
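Review bot: `link_sta` from mt792x_sta_to_link_sta() is assigned in the same block but left unchecked, and the hunk gives no evidence it is unused afterwards; if it is passed on (the function name suggests it feeds the hdr_trans TLV, which dereferences link_sta->link_id in the previous hunk), it needs the same NULL check as mlink and mconf. Also, -EINVAL signals a caller bug, while the commit message describes a transient state during link setup/teardown; returning -ENOLINK (or -ENOENT) would let callers tell "link not there yet" from "bad argument". Minor: mlink is checked here but its assignment sits above the hunk's context, so move the `if (!mlink ...)` check directly after the mt792x_sta_to_link() call to keep lookup and check adjacent.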
@@ -1741,6 +1746,8 @@ mt7925_mcu_sta_amsdu_tlv(struct sk_buff *skb,
 	amsdu->amsdu_en = true;
 
 	mlink = mt792x_sta_to_link(msta, link_sta->link_id);
+	if (!mlink)
+		return;
 	mlink->wcid.amsdu = true;
 
 	switch (link_sta->agg.max_amsdu_len) {
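Review bot: the check lands after `amsdu->amsdu_en = true`, i.e. after the A-MSDU TLV has already been appended to the skb, so on the NULL path firmware receives a TLV with amsdu_en set but with the fields the following `switch (link_sta->agg.max_amsdu_len)` would fill left at their initial values, and the driver-side `mlink->wcid.amsdu` flag is never set to match. Move the mt792x_sta_to_link() lookup and the NULL check to the top of the function, before the TLV is added, so the message carries either a complete A-MSDU TLV or none.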
@@ -1935,6 +1942,9 @@ mt7925_mcu_sta_mld_tlv(struct sk_buff *skb,
 
 		mconf = mt792x_vif_to_link(mvif, i);
 		mlink = mt792x_sta_to_link(msta, i);
+		if (!mconf || !mlink)
+			continue;
+
 		mld->link[cnt].wlan_id = cpu_to_le16(mlink->wcid.idx);
 		mld->link[cnt++].bss_idx = mconf->mt76.idx;
 
@@ -2027,13 +2037,13 @@ int mt7925_mcu_sta_update(struct mt792x_dev *dev,
 		.rcpi = to_rcpi(rssi),
 	};
 	struct mt792x_sta *msta;
-	struct mt792x_link_sta *mlink;
+	struct mt792x_link_sta *mlink = NULL;
 
 	if (link_sta) {
 		msta = (struct mt792x_sta *)link_sta->sta->drv_priv;
 		mlink = mt792x_sta_to_link(msta, link_sta->link_id);
 	}
-	info.wcid = link_sta ? &mlink->wcid : &mvif->sta.deflink.wcid;
+	info.wcid = (link_sta && mlink) ? &mlink->wcid : &mvif->sta.deflink.wcid;
 	info.newly = state != MT76_STA_INFO_STATE_ASSOC;
 
 	return mt7925_mcu_sta_cmd(&dev->mphy, &info);
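Review bot: when link_sta is non-NULL but mlink is NULL, the new condition silently substitutes `&mvif->sta.deflink.wcid`, the vif's own default-link wcid, so a station update intended for the peer's link is sent against the wrong WCID instead of failing; the NULL dereference is traded for a misdirected firmware command. For a real link_sta whose mlink is missing, return an error (e.g. -ENOLINK) before mt7925_mcu_sta_cmd() rather than falling through to the vif wcid. Also, `(link_sta && mlink)` reduces to `mlink` now that mlink is initialised to NULL and only assigned inside `if (link_sta)`.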
-- 
2.51.0


Thread overview: 43+ messages
2025-12-31  5:29 [PATCH] wifi: mt76: mt7925: fix NULL pointer dereference in vif iteration loops Zac Bowling
2025-12-31 22:37 ` [PATCH] wifi: mt76: mt7925: fix missing mutex protection in reset and ROC abort paths Zac Bowling
2026-01-01  0:22   ` [PATCH 2/3] wifi: mt76: mt7925: fix missing mutex protection in reset and ROC abort Zac Bowling
2026-01-01  0:23   ` [PATCH 3/3] wifi: mt76: mt7925: fix missing mutex protection in runtime PM and MLO PM Zac Bowling
2026-01-01  0:41     ` Zac Bowling
2026-01-01  6:25       ` [PATCH] wifi: mt76: mt7925: add NULL checks in MCU STA TLV functions Zac Bowling
2026-01-01  6:25         ` [PATCH] wifi: mt76: mt7925: add NULL checks for link_conf and mlink in main.c Zac Bowling
2026-01-01  6:25         ` [PATCH] wifi: mt76: mt7925: add NULL checks in MLO link and chanctx functions Zac Bowling
2026-01-01  6:25       ` [PATCH] wifi: mt76: mt7925: add error handling for AMPDU MCU commands Zac Bowling
2026-01-01  6:25         ` [PATCH] wifi: mt76: mt7925: add error handling for BSS info MCU command in sta_add Zac Bowling
2026-01-01  6:25         ` [PATCH] wifi: mt76: mt7925: add error handling for BSS info in key setup Zac Bowling
2026-01-01  6:25       ` [PATCH] wifi: mt76: mt7921: fix missing mutex protection in multiple paths Zac Bowling
2026-01-01  6:25       ` [PATCH] wifi: mt76: mt7925: add lockdep assertions for mutex verification Zac Bowling
2026-01-02 20:03         ` [PATCH v2 0/6] wifi: mt76: mt7925/mt792x: additional stability fixes Zac Bowling
2026-01-02 20:03           ` [PATCH] wifi: mt76: mt7925: fix key removal failure during MLO roaming Zac Bowling
2026-01-02 20:03           ` [PATCH] wifi: mt76: mt7925: fix kernel warning in MLO ROC setup when channel not configured Zac Bowling
2026-01-02 20:03           ` Zac Bowling [this message]
2026-01-02 20:03           ` [PATCH] wifi: mt76: mt792x: fix firmware reload failure after previous load crash Zac Bowling
2026-01-03  6:46             ` Sean Wang
2026-01-03 18:42               ` Zac Bowling
2026-01-02 20:03           ` [PATCH] wifi: mt76: mt7925: add mutex protection in resume path Zac Bowling
2026-01-02 20:03           ` [PATCH] wifi: mt76: mt7925: add NULL checks and error handling for MCU calls Zac Bowling
2026-01-02 20:05           ` [PATCH] wifi: mt76: mt7925: comprehensive stability fixes Zac Bowling
2026-01-03  6:25             ` Sean Wang
2026-01-03 19:11               ` Zac Bowling
2026-01-05  0:26             ` [PATCH v3 00/17] wifi: mt76: mt7925/mt792x: " Zac Bowling
2026-01-05  0:26               ` [PATCH 01/17] wifi: mt76: mt7925: fix NULL pointer dereference in vif iteration Zac Bowling
2026-01-05  0:26               ` [PATCH 02/17] wifi: mt76: mt7925: fix missing mutex protection in reset and ROC abort Zac Bowling
2026-01-05  0:26               ` [PATCH 03/17] wifi: mt76: mt7925: fix missing mutex protection in runtime PM and MLO PM Zac Bowling
2026-01-05  0:26               ` [PATCH 04/17] wifi: mt76: mt7925: add NULL checks in MCU STA TLV functions Zac Bowling
2026-01-05  0:26               ` [PATCH 05/17] wifi: mt76: mt7925: add NULL checks for link_conf and mlink in main.c Zac Bowling
2026-01-05  0:26               ` [PATCH 06/17] wifi: mt76: mt7925: add error handling for AMPDU MCU commands Zac Bowling
2026-01-05  0:26               ` [PATCH 07/17] wifi: mt76: mt7925: add error handling for BSS info MCU command in sta_add Zac Bowling
2026-01-05  0:26               ` [PATCH 08/17] wifi: mt76: mt7925: add error handling for BSS info in key setup Zac Bowling
2026-01-05  0:26               ` [PATCH 09/17] wifi: mt76: mt7925: add NULL checks in MLO link and chanctx functions Zac Bowling
2026-01-05  0:26               ` [PATCH 10/17] wifi: mt76: mt792x: fix NULL pointer dereference in TX path Zac Bowling
2026-01-05  0:26               ` [PATCH 11/17] wifi: mt76: mt7925: add lockdep assertions for mutex verification Zac Bowling
2026-01-05  0:26               ` [PATCH 12/17] wifi: mt76: mt7925: fix key removal failure during MLO roaming Zac Bowling
2026-01-05  0:26               ` [PATCH 13/17] wifi: mt76: mt7925: fix kernel warning in MLO ROC setup Zac Bowling
2026-01-05  0:26               ` [PATCH 14/17] wifi: mt76: mt7925: add NULL checks for MLO link pointers in MCU functions Zac Bowling
2026-01-05  0:26               ` [PATCH 15/17] wifi: mt76: mt792x: fix firmware reload failure after previous load crash Zac Bowling
2026-01-05  0:26               ` [PATCH 16/17] wifi: mt76: mt7925: add mutex protection in resume path Zac Bowling
2026-01-05  0:26               ` [PATCH 17/17] wifi: mt76: mt7925: add NULL checks in link station and TX queue setup Zac Bowling
