* [BUG] wifi: mt7902: NULL pointer dereference
From: Bongani Hlope @ 2026-05-02 10:58 UTC
To: linux-wireless
Hello
I'm not sure if this has been reported yet, first ran into this on
linux-next and it is still present on linux 7.1.0-rc1+. I get the
following kernel Oops:
wpa_supplicant[918]: wlp3s0: CTRL-EVENT-STARTED-CHANNEL-SWITCH freq=5240 ht_enabled=1 ch_offset=-1 ch_width=80 MHz cf1=5210 cf2=0
kernel: BUG: kernel NULL pointer dereference, address: 0000000000000000
kernel: #PF: supervisor read access in kernel mode
kernel: #PF: error_code(0x0000) - not-present page
kernel: PGD 0 P4D 0
kernel: Oops: Oops: 0000 [#1] SMP NOPTI
kernel: CPU: 7 UID: 0 PID: 6710 Comm: kworker/u64:1 Not tainted 7.1.0-rc1+ #4 PREEMPT(full)
kernel: Hardware name: Micro Computer (HK) Tech Limited EliteMini Series/F7BSI, BIOS 1.08 11/05/2024
kernel: Workqueue: events_unbound cfg80211_wiphy_work [cfg80211]
kernel: RIP: 0010:mt7921_channel_switch_rx_beacon+0x1f/0x100 [mt7921_common]
kernel: Code: 12 3d 00 eb 9a 66 0f 1f 44 00 00 f3 0f 1e fa 0f 1f 44 00 00 48 8b 47 58 48 ff 05 ec 15 3d 00 48 8b 40 08 48 8b 80 80 9c 00 00 <48> 8b 08 48 39 4a 10 74 0c 48 ff 05 81 02 3d 00 e9 f7 f4 74 ea 53
kernel: RSP: 0018:ffffb75fa1993af0 EFLAGS: 00010202
kernel: RAX: 0000000000000000 RBX: ffff91cae1eb09e0 RCX: 0000000000000000
kernel: RDX: ffffb75fa1993b20 RSI: ffff91ca84badfe8 RDI: ffff91cae1eb09e0
kernel: RBP: ffff91ca84bacac0 R08: 0000000000000001 R09: 0000000000000001
kernel: R10: ffff91ca8ba56128 R11: ffff91cae1eb0518 R12: 0000000000000000
kernel: R13: 0000000000000000 R14: ffffb75fa1993b60 R15: ffff91cae1eb09e0
kernel: FS: 0000000000000000(0000) GS:ffff91d18ebde000(0000) knlGS:0000000000000000
kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
kernel: CR2: 0000000000000000 CR3: 0000000562a38000 CR4: 0000000000f50ef0
kernel: PKRU: 55555554
kernel: Call Trace:
kernel: <TASK>
kernel: ieee80211_sta_process_chanswitch+0x67c/0xee0 [mac80211]
kernel: ieee80211_rx_mgmt_beacon+0x842/0x22a0 [mac80211]
kernel: ? __entry_text_end+0x1020b6/0x1020b9
kernel: ? internal_add_timer+0x4d/0x80
kernel: ? __mod_timer+0x25e/0x500
kernel: ? srso_alias_return_thunk+0x5/0xfbef5
kernel: ieee80211_sta_rx_queued_mgmt+0xa7/0xbb0 [mac80211]
kernel: ? srso_alias_return_thunk+0x5/0xfbef5
kernel: ? psi_task_switch+0x31e/0x410
kernel: ? srso_alias_return_thunk+0x5/0xfbef5
kernel: ieee80211_iface_work+0x62e/0x890 [mac80211]
kernel: ? srso_alias_return_thunk+0x5/0xfbef5
kernel: ? __schedule+0x5c8/0x20d0
kernel: cfg80211_wiphy_work+0x1ee/0x280 [cfg80211]
kernel: process_scheduled_works+0x180/0x680
kernel: ? rescuer_thread+0x7f0/0x7f0
kernel: worker_thread+0x1aa/0x450
kernel: ? rescuer_thread+0x7f0/0x7f0
kernel: kthread+0x181/0x1e0
kernel: ? kthread_affine_node+0x1e0/0x1e0
kernel: ret_from_fork+0x405/0x600
kernel: ? kthread_affine_node+0x1e0/0x1e0
kernel: ret_from_fork_asm+0x11/0x20
kernel: </TASK>
kernel: Modules linked in: joydev uinput mptcp_diag xsk_diag tcp_diag udp_diag raw_diag inet_diag unix_diag af_packet_diag netlink_diag sd_mod scsi_mod scsi_common ccm snd_seq_dummy snd_hrtimer snd_seq snd_>
kernel: snd snd_pci_acp5x snd_rn_pci_acp3x irqbypass aesni_intel snd_acp_config gf128mul snd_soc_acpi rapl ecdh_generic pcspkr k10temp amd_pmc snd_pci_acp3x soundcore button evdev rfkill libarc4 aead msr e>
kernel: CR2: 0000000000000000
kernel: ---[ end trace 0000000000000000 ]---
kernel: note: kworker/u64:1[6710] exited with irqs disabled
Regards,
Bongani Hlope
[-- Attachment #2: lspci.txt --]
[-- Type: text/plain, Size: 3580 bytes --]
00:00.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Phoenix Root Complex
00:00.2 IOMMU: Advanced Micro Devices, Inc. [AMD] Phoenix IOMMU
00:01.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Phoenix Dummy Host Bridge
00:01.2 PCI bridge: Advanced Micro Devices, Inc. [AMD] Phoenix GPP Bridge
00:02.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Phoenix Dummy Host Bridge
00:02.1 PCI bridge: Advanced Micro Devices, Inc. [AMD] Phoenix GPP Bridge
00:02.3 PCI bridge: Advanced Micro Devices, Inc. [AMD] Phoenix GPP Bridge
00:03.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Phoenix Dummy Host Bridge
00:03.1 PCI bridge: Advanced Micro Devices, Inc. [AMD] Family 19h USB4/Thunderbolt PCIe tunnel
00:04.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Phoenix Dummy Host Bridge
00:04.1 PCI bridge: Advanced Micro Devices, Inc. [AMD] Family 19h USB4/Thunderbolt PCIe tunnel
00:08.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Phoenix Dummy Host Bridge
00:08.1 PCI bridge: Advanced Micro Devices, Inc. [AMD] Phoenix Internal GPP Bridge to Bus [C:A]
00:08.2 PCI bridge: Advanced Micro Devices, Inc. [AMD] Phoenix Internal GPP Bridge to Bus [C:A]
00:08.3 PCI bridge: Advanced Micro Devices, Inc. [AMD] Phoenix Internal GPP Bridge to Bus [C:A]
00:14.0 SMBus: Advanced Micro Devices, Inc. [AMD] FCH SMBus Controller (rev 71)
00:14.3 ISA bridge: Advanced Micro Devices, Inc. [AMD] FCH LPC Bridge (rev 51)
00:18.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Phoenix Data Fabric; Function 0
00:18.1 Host bridge: Advanced Micro Devices, Inc. [AMD] Phoenix Data Fabric; Function 1
00:18.2 Host bridge: Advanced Micro Devices, Inc. [AMD] Phoenix Data Fabric; Function 2
00:18.3 Host bridge: Advanced Micro Devices, Inc. [AMD] Phoenix Data Fabric; Function 3
00:18.4 Host bridge: Advanced Micro Devices, Inc. [AMD] Phoenix Data Fabric; Function 4
00:18.5 Host bridge: Advanced Micro Devices, Inc. [AMD] Phoenix Data Fabric; Function 5
00:18.6 Host bridge: Advanced Micro Devices, Inc. [AMD] Phoenix Data Fabric; Function 6
00:18.7 Host bridge: Advanced Micro Devices, Inc. [AMD] Phoenix Data Fabric; Function 7
01:00.0 Non-Volatile memory controller: Kingston Technology Company, Inc. OM8TAP4 PCIe 4 NVMe SSD (QLC) (DRAM-less)
02:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8125 2.5GbE Controller (rev 05)
03:00.0 Network controller: MEDIATEK Corp. Device 7902
c4:00.0 VGA compatible controller: Advanced Micro Devices, Inc. [AMD/ATI] Phoenix3 (rev b3)
c4:00.1 Audio device: Advanced Micro Devices, Inc. [AMD/ATI] Radeon High Definition Audio Controller [Rembrandt/Strix]
c4:00.2 Encryption controller: Advanced Micro Devices, Inc. [AMD] Phoenix CCP/PSP 3.0 Device
c4:00.3 USB controller: Advanced Micro Devices, Inc. [AMD] Device 15b9
c4:00.4 USB controller: Advanced Micro Devices, Inc. [AMD] Device 15ba
c4:00.5 Multimedia controller: Advanced Micro Devices, Inc. [AMD] Audio Coprocessor (rev 63)
c4:00.6 Audio device: Advanced Micro Devices, Inc. [AMD] Family 17h/19h/1ah HD Audio Controller
c5:00.0 Non-Essential Instrumentation [1300]: Advanced Micro Devices, Inc. [AMD] Phoenix Dummy Function
c6:00.0 Non-Essential Instrumentation [1300]: Advanced Micro Devices, Inc. [AMD] Phoenix Dummy Function
c6:00.3 USB controller: Advanced Micro Devices, Inc. [AMD] Device 15c0
c6:00.4 USB controller: Advanced Micro Devices, Inc. [AMD] Device 15c1
c6:00.5 USB controller: Advanced Micro Devices, Inc. [AMD] Pink Sardine USB4/Thunderbolt NHI controller #1
c6:00.6 USB controller: Advanced Micro Devices, Inc. [AMD] Pink Sardine USB4/Thunderbolt NHI controller #2
* Re: [BUG] wifi: mt7902: NULL pointer dereference
From: Bongani Hlope @ 2026-05-02 12:06 UTC
To: linux-wireless
On Sat, 2 May 2026 12:58:24 +0200
Bongani Hlope <developer@hlope.org.za> wrote:
> Hello
>
> I'm not sure if this has been reported yet, first ran into this on
> linux-next and it is still present on linux 7.1.0-rc1+. I get the
> following kernel Oops:
addr2line -e drivers/net/wireless/mediatek/mt76/mt7921/mt7921-common.ko mt7921_channel_switch_rx_beacon+0x1f
Gives:
include/net/cfg80211.h:1016
Which is here:
1007 static inline bool
1008 cfg80211_chandef_identical(const struct cfg80211_chan_def *chandef1,
1009 const struct cfg80211_chan_def *chandef2)
1010 {
1011 return (chandef1->chan == chandef2->chan &&
1012 chandef1->width == chandef2->width &&
1013 chandef1->center_freq1 == chandef2->center_freq1 &&
1014 chandef1->freq1_offset == chandef2->freq1_offset &&
1015 chandef1->center_freq2 == chandef2->center_freq2 &&
--> 1016 chandef1->punctured == chandef2->punctured &&
1017 chandef1->s1g_primary_2mhz == chandef2->s1g_primary_2mhz);
1018 }
8<
> Regards,
> Bongani Hlope
>
>
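Resolving the faulting address the way the reply above does (symbol+offset from the Oops `RIP:` line, fed to addr2line against the module's .ko) is easy to get wrong by hand once a mail client has wrapped the line. The following is an added example and not part of the thread: a small C parser for the `RIP:` line that extracts the symbol, offset, symbol size and module name and assembles the addr2line invocation. The struct and function names are this example's own; the sample line is the one from the report, re-joined onto a single line.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parsed form of a kernel "RIP: <cs>:<symbol>+0x<off>/0x<size> [<module>]" line. */
struct oops_rip {
	char symbol[64];
	unsigned long offset;	/* byte offset of the faulting instruction inside symbol */
	unsigned long size;	/* symbol size as printed by the kernel */
	char module[32];	/* empty string for a built-in (vmlinux) symbol */
};

/* Parse one RIP line. Returns 0 on success, -1 if the line does not have that shape. */
int parse_oops_rip(const char *line, struct oops_rip *out)
{
	const char *p = strstr(line, "RIP: ");
	if (!p)
		return -1;
	p += 5;

	/* skip the code segment selector, e.g. "0010:" */
	const char *colon = strchr(p, ':');
	if (!colon)
		return -1;
	p = colon + 1;

	memset(out, 0, sizeof(*out));

	/* symbol name runs up to the '+' that introduces the offset */
	const char *plus = strchr(p, '+');
	if (!plus || (size_t)(plus - p) >= sizeof(out->symbol))
		return -1;
	memcpy(out->symbol, p, (size_t)(plus - p));
	out->symbol[plus - p] = '\0';

	/* "0x1f/0x100": strtoul with base 16 accepts the 0x prefix */
	char *end;
	out->offset = strtoul(plus + 1, &end, 16);
	if (end == plus + 1 || *end != '/')
		return -1;
	const char *sz = end + 1;
	out->size = strtoul(sz, &end, 16);
	if (end == sz)
		return -1;

	/* optional " [module]" suffix names the object to hand to addr2line */
	const char *lb = strchr(end, '[');
	if (lb) {
		const char *rb = strchr(lb, ']');
		if (!rb || (size_t)(rb - lb - 1) >= sizeof(out->module))
			return -1;
		memcpy(out->module, lb + 1, (size_t)(rb - lb - 1));
		out->module[rb - lb - 1] = '\0';
	}
	return 0;
}

/* Write "addr2line -e <objpath> <symbol>+0x<offset>" into buf; returns length or -1. */
int format_addr2line_cmd(const struct oops_rip *r, const char *objpath,
			 char *buf, size_t len)
{
	int n = snprintf(buf, len, "addr2line -e %s %s+0x%lx", objpath, r->symbol, r->offset);
	return (n < 0 || (size_t)n >= len) ? -1 : n;
}

int main(void)
{
	/* constructed from the report above, with the mail wrapping undone */
	const char *line = "kernel: RIP: 0010:mt7921_channel_switch_rx_beacon+0x1f/0x100 [mt7921_common]";
	struct oops_rip r;
	char cmd[256];

	if (parse_oops_rip(line, &r) != 0) {
		fprintf(stderr, "not a RIP line\n");
		return 1;
	}
	/* objpath is an assumption: the .ko path used in the reply above */
	format_addr2line_cmd(&r, "drivers/net/wireless/mediatek/mt76/mt7921/mt7921-common.ko",
			     cmd, sizeof(cmd));
	printf("%s  (module %s, size 0x%lx)\n", cmd, r.module[0] ? r.module : "vmlinux", r.size);
	return 0;
}
```

The offset is what addr2line needs; the size is only a sanity check (an offset at or beyond the size means the symbolizer picked the wrong symbol). For a built-in symbol the module field is empty and the object to pass is vmlinux.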
* [PATCH] wifi: mt76: mt7921/mt7925: fix NULL dereference in CSA beacon
From: Arjan van de Ven @ 2026-05-04 14:51 UTC
To: linux-wireless
Cc: Arjan van de Ven, Bongani Hlope, linux-mediatek, Felix Fietkau,
Lorenzo Bianconi, Ryder Lee
This patch is based on a BUG as reported by Bongani Hlope at
https://lore.kernel.org/all/20260502125824.425d7159@bongani-mini.home.org.za/
When a channel-switch announcement (CSA) beacon is received,
cfg80211 queues a wiphy work item that eventually calls
mt7921_channel_switch_rx_beacon(). If the station disconnects
(or the channel context is otherwise torn down) between the
time the work is queued and the time it runs, the driver's
dev->new_ctx pointer can already have been cleared to NULL.
mt7921_channel_switch_rx_beacon() then dereferences new_ctx
unconditionally, triggering a NULL pointer dereference at
address 0x0:
BUG: kernel NULL pointer dereference, address: 0000000000000000
RIP: 0010:mt7921_channel_switch_rx_beacon+0x1f/0x100 [mt7921_common]
The same missing guard exists in mt7925_channel_switch_rx_beacon(),
which shares the same code pattern introduced by the same commit.
Add an early-return NULL check for dev->new_ctx in both
mt7921_channel_switch_rx_beacon() and
mt7925_channel_switch_rx_beacon(). When new_ctx is NULL there is
no pending channel switch to process, so returning immediately is
the correct and safe action.
Fixes: 8aa2f59260eb ("wifi: mt76: mt7921: introduce CSA support")
Reported-by: Bongani Hlope <developer@hlope.org.za>
Oops-Analysis: http://oops.fenrus.org/reports/lkml/20260502125824.425d7159@bongani-mini.home.org.za/report.html
Link: https://lore.kernel.org/all/20260502125824.425d7159@bongani-mini.home.org.za/
Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
Cc: linux-wireless@vger.kernel.org
Cc: linux-mediatek@lists.infradead.org
Cc: Felix Fietkau <nbd@nbd.name>
Cc: Lorenzo Bianconi <lorenzo@kernel.org>
Cc: Ryder Lee <ryder.lee@mediatek.com>
---
drivers/net/wireless/mediatek/mt76/mt7921/main.c | 3 +++
drivers/net/wireless/mediatek/mt76/mt7925/main.c | 3 +++
2 files changed, 6 insertions(+)
--- a/drivers/net/wireless/mediatek/mt76/mt7921/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7921/main.c
@@ -1503,6 +1503,9 @@ static void mt7921_channel_switch_rx_beacon(struct ieee80211_hw *hw,
struct mt792x_dev *dev = mt792x_hw_dev(hw);
struct mt792x_vif *mvif = (struct mt792x_vif *)vif->drv_priv;
u16 beacon_interval = vif->bss_conf.beacon_int;
+
+ if (!dev->new_ctx)
+ return;
if (cfg80211_chandef_identical(&chsw->chandef,
&dev->new_ctx->def) &&
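Review bot: The new `if (!dev->new_ctx)` check reads the pointer without any stated serialisation against the path that clears it, and two lines later `&dev->new_ctx->def` is dereferenced again, so the commit message should say what keeps a disconnect from clearing new_ctx between the check and the use (for example that both the teardown and this handler, reached from cfg80211_wiphy_work per the reported call trace, run under the wiphy lock). As written the guard clearly removes the reported crash, but a reader cannot tell from the patch whether it also closes the race or only narrows it. A one-line comment above the check explaining why new_ctx can be NULL here (station disconnected before the queued CSA work ran) would help the next person who reads this function.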
--- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c
@@ -2392,6 +2392,9 @@ static void mt7925_channel_switch_rx_beacon(struct ieee80211_hw *hw,
u16 beacon_interval;
if (ieee80211_vif_is_mld(vif))
return;
+
+ if (!dev->new_ctx)
+ return;
beacon_interval = vif->bss_conf.beacon_int;
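Review bot: The Fixes: tag names only the mt7921 CSA commit 8aa2f59260eb, while the message says mt7925_channel_switch_rx_beacon() "shares the same code pattern introduced by the same commit"; if mt7925's CSA handling actually landed in a separate commit, this hunk needs its own Fixes: tag so stable backports pick up both files. Placing the check after the existing `if (ieee80211_vif_is_mld(vif)) return;` is the right order, since MLD vifs bail out before dev->new_ctx is touched at all, but the message should also say whether the mt7925 change was tested on hardware or follows by inspection from the mt7921 report only.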
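To make the defect class concrete, here is an added example that is not part of the patch or of the mt76 driver: a userspace model of the handler's entry before and after the fix, with the teardown that races against the queued work. `struct chan_def`, `struct chan_ctx`, `struct dev`, the `csa_rx_*` functions and the result enum are stand-ins invented for this example; the field list in `chandef_identical()` follows the cfg80211_chandef_identical() listing quoted earlier in the thread, and the sample values (frequency 5240, 80 MHz, cf1 5210) are taken from the wpa_supplicant line in the report.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Userspace stand-ins for the kernel objects involved (constructed for
 * this example). The driver itself works with struct cfg80211_chan_def,
 * a channel context and struct mt792x_dev.
 */
struct chan_def {
	int chan;		/* stands in for the struct ieee80211_channel pointer */
	int width;
	int center_freq1;
	int freq1_offset;
	int center_freq2;
	unsigned int punctured;
	bool s1g_primary_2mhz;
};

struct chan_ctx {
	struct chan_def def;
};

struct dev {
	struct chan_ctx *new_ctx;	/* pending CSA target; NULL when no switch is pending */
};

/* Field-by-field comparison over the same fields as cfg80211_chandef_identical(). */
static bool chandef_identical(const struct chan_def *a, const struct chan_def *b)
{
	return a->chan == b->chan &&
	       a->width == b->width &&
	       a->center_freq1 == b->center_freq1 &&
	       a->freq1_offset == b->freq1_offset &&
	       a->center_freq2 == b->center_freq2 &&
	       a->punctured == b->punctured &&
	       a->s1g_primary_2mhz == b->s1g_primary_2mhz;
}

enum csa_rx_result {
	CSA_NO_PENDING = 0,	/* nothing to do: no switch was in flight */
	CSA_MATCH = 1,		/* beacon already advertises the pending target */
	CSA_MISMATCH = 2,	/* beacon chandef differs from the pending target */
};

/* Pre-patch shape: dereferences dev->new_ctx unconditionally (a NULL fault when cleared). */
enum csa_rx_result csa_rx_beacon_unguarded(const struct dev *dev,
					   const struct chan_def *beacon_def)
{
	return chandef_identical(beacon_def, &dev->new_ctx->def) ? CSA_MATCH : CSA_MISMATCH;
}

/* Patched shape: the early return the hunks add before new_ctx is used. */
enum csa_rx_result csa_rx_beacon_guarded(const struct dev *dev,
					 const struct chan_def *beacon_def)
{
	if (!dev->new_ctx)
		return CSA_NO_PENDING;
	return chandef_identical(beacon_def, &dev->new_ctx->def) ? CSA_MATCH : CSA_MISMATCH;
}

/* Models the disconnect/teardown that can run after the work was queued but before it ran. */
void teardown_pending_switch(struct dev *dev)
{
	dev->new_ctx = NULL;
}

int main(void)
{
	/* constructed from the CTRL-EVENT line in the report: freq 5240, 80 MHz, cf1 5210 */
	struct chan_ctx target = { .def = { .chan = 5240, .width = 80, .center_freq1 = 5210 } };
	struct chan_def beacon = target.def;
	struct dev dev = { .new_ctx = &target };

	printf("switch pending, beacon matches: result %d\n", csa_rx_beacon_guarded(&dev, &beacon));
	teardown_pending_switch(&dev);
	/* csa_rx_beacon_unguarded(&dev, &beacon) would fault here, as in the Oops above. */
	printf("after teardown: result %d\n", csa_rx_beacon_guarded(&dev, &beacon));
	return 0;
}
```

The model covers only the NULL case. It deliberately does not model locking, which is what decides whether the check is race-free in the real driver: a check-then-use on a pointer that another path clears is only safe when both sides hold the same lock.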