wifi: mt76: mt792x: fix NULL pointer dereference in TX path

[zbowling]

CRITICAL FIX

This patch fixes a NULL pointer dereference bug in mt792x_tx() that can cause
kernel crashes when transmitting packets during MLO link removal.

Affects both MT7921 and MT7925 drivers since mt792x_core.c is shared.

The Bug

mlink = mt792x_sta_to_link(sta, link_id);
wcid = &mlink->wcid;  // <-- NULL dereference if mlink is NULL!

mt792x_sta_to_link() can return NULL during link removal, but there was no
check before dereferencing.

Also, RCU-dereferenced conf and link_sta pointers were used without
NULL validation.

Race Condition

1. A packet is queued for transmission
2. Concurrently, the link is being removed (mt7925_mac_link_sta_remove)
3. mt792x_sta_to_link() returns NULL for the removed link
4. Kernel crashes on wcid = &mlink->wcid dereference

Fix

• Check mlink return value before dereferencing wcid
• Check RCU-dereferenced conf and link_sta before use
• Free the SKB and return early if any pointer is NULL

Testing

Tested on Framework Desktop (AMD Ryzen AI Max 300 Series) with MT7925 WiFi.

Related PRs

• PR wifi: mt76: mt7925: fix mutex protection and NULL pointer bugs #1029: Critical mutex fixes
• PR wifi: mt76: mt7925: add NULL pointer checks in MLO paths #1030: NULL checks (MCU TLV, main.c)
• PR wifi: mt76: mt7925: add MCU command error handling #1031: MCU error handling
• PR wifi: mt76: mt7925: add NULL checks in MLO link and chanctx functions #1032: MLO link/chanctx NULL checks