Skip to content

wifi: mt76: mt7925: add NULL pointer checks in MLO paths#1030

Open
zbowling wants to merge 2 commits intoopenwrt:masterfrom
zbowling:mt7925-null-checks
Open

wifi: mt76: mt7925: add NULL pointer checks in MLO paths#1030
zbowling wants to merge 2 commits intoopenwrt:masterfrom
zbowling:mt7925-null-checks

Conversation

@zbowling
Copy link
Contributor

@zbowling zbowling commented Jan 1, 2026
edited
Loading

This PR adds defensive NULL pointer checks throughout the MT7925 driver to prevent
kernel panics during MLO (Multi-Link Operation) state transitions.

Problem

The MT7925 driver can crash with NULL pointer dereferences when:

  • mt792x_vif_to_bss_conf() returns NULL during link state transitions
  • mt792x_vif_to_link() returns NULL when link configuration is not yet set up
  • mt792x_sta_to_link() returns NULL during station operations

These conditions occur when the link configuration in mac80211 is not yet
synchronized with the driver's internal link tracking.

Changes

Patch 1: MCU STA TLV NULL checks (mcu.c)

  • mt7925_mcu_sta_phy_tlv(): Check link_conf and mconf before use
  • mt7925_mcu_sta_rate_ctrl_tlv(): Check link_conf and mconf before use

Patch 2: Main.c NULL checks

  • mt7925_set_key(): Check link_conf, mconf, and mlink before use
  • mt7925_mac_link_sta_add(): Check link_conf before BSS info update
  • mt7925_mac_link_sta_assoc(): Check mlink and link_conf before use
  • mt7925_mac_link_sta_remove(): Check mlink and link_conf with proper cleanup
  • mt7925_change_vif_links(): Check link_conf before adding BSS

Testing

Tested on Framework Desktop (AMD Ryzen AI Max 300 Series) with MT7925 WiFi.
These checks complement the mutex fixes in PR #1029.

Related

@zbowling
wifi: mt76: mt7925: add NULL checks in MCU STA TLV functions
2c9a4ff 
Add NULL pointer checks for link_conf and mconf in:
- mt7925_mcu_sta_phy_tlv(): builds PHY capability TLV for station record
- mt7925_mcu_sta_rate_ctrl_tlv(): builds rate control TLV for station record

Both functions call mt792x_vif_to_bss_conf() and mt792x_vif_to_link()
which can return NULL during MLO link state transitions when the link
configuration in mac80211 is not yet synchronized with the driver's
link tracking.

Without these checks, the driver will crash with a NULL pointer
dereference when accessing link_conf->chanreq.oper or link_conf->basic_rates.

Reported-by: Zac Bowling <zac@zacbowling.com>
Signed-off-by: Zac Bowling <zac@zacbowling.com>
@zbowling
wifi: mt76: mt7925: add NULL checks for link_conf and mlink in main.c
ba0f55d 
Add NULL pointer checks throughout main.c for functions that call
mt792x_vif_to_bss_conf(), mt792x_vif_to_link(), and mt792x_sta_to_link()
without verifying the return value before dereferencing.

Functions fixed:
- mt7925_set_key(): Check link_conf, mconf, and mlink before use
- mt7925_mac_link_sta_add(): Check link_conf before BSS info update
- mt7925_mac_link_sta_assoc(): Check mlink and link_conf before use
- mt7925_mac_link_sta_remove(): Check mlink and link_conf, add goto
  label for proper cleanup path
- mt7925_change_vif_links(): Check link_conf before adding BSS

These functions can receive NULL when the link configuration in mac80211
is not yet synchronized with the driver's link tracking during MLO
operations or state transitions.

Without these checks, the driver will crash with NULL pointer
dereferences during station add/remove/association operations.

Reported-by: Zac Bowling <zac@zacbowling.com>
Signed-off-by: Zac Bowling <zac@zacbowling.com>
This was referenced Jan 1, 2026
Open
Open
Open
Open
Open
Open
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@zbowling