wifi: mt76: mt7925: add NULL pointer checks in MLO paths #1030
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add NULL pointer checks for link_conf and mconf in: - mt7925_mcu_sta_phy_tlv(): builds PHY capability TLV for station record - mt7925_mcu_sta_rate_ctrl_tlv(): builds rate control TLV for station record Both functions call mt792x_vif_to_bss_conf() and mt792x_vif_to_link() which can return NULL during MLO link state transitions when the link configuration in mac80211 is not yet synchronized with the driver's link tracking. Without these checks, the driver will crash with a NULL pointer dereference when accessing link_conf->chanreq.oper or link_conf->basic_rates. Reported-by: Zac Bowling <zac@zacbowling.com> Signed-off-by: Zac Bowling <zac@zacbowling.com>
Add NULL pointer checks throughout main.c for functions that call mt792x_vif_to_bss_conf(), mt792x_vif_to_link(), and mt792x_sta_to_link() without verifying the return value before dereferencing. Functions fixed: - mt7925_set_key(): Check link_conf, mconf, and mlink before use - mt7925_mac_link_sta_add(): Check link_conf before BSS info update - mt7925_mac_link_sta_assoc(): Check mlink and link_conf before use - mt7925_mac_link_sta_remove(): Check mlink and link_conf, add goto label for proper cleanup path - mt7925_change_vif_links(): Check link_conf before adding BSS These functions can receive NULL when the link configuration in mac80211 is not yet synchronized with the driver's link tracking during MLO operations or state transitions. Without these checks, the driver will crash with NULL pointer dereferences during station add/remove/association operations. Reported-by: Zac Bowling <zac@zacbowling.com> Signed-off-by: Zac Bowling <zac@zacbowling.com>
This was referenced Jan 1, 2026
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR adds defensive NULL pointer checks throughout the MT7925 driver to prevent
kernel panics during MLO (Multi-Link Operation) state transitions.
Problem
The MT7925 driver can crash with NULL pointer dereferences when:
mt792x_vif_to_bss_conf()returns NULL during link state transitionsmt792x_vif_to_link()returns NULL when link configuration is not yet set upmt792x_sta_to_link()returns NULL during station operationsThese conditions occur when the link configuration in mac80211 is not yet
synchronized with the driver's internal link tracking.
Changes
Patch 1: MCU STA TLV NULL checks (mcu.c)
mt7925_mcu_sta_phy_tlv(): Check link_conf and mconf before usemt7925_mcu_sta_rate_ctrl_tlv(): Check link_conf and mconf before usePatch 2: Main.c NULL checks
mt7925_set_key(): Check link_conf, mconf, and mlink before usemt7925_mac_link_sta_add(): Check link_conf before BSS info updatemt7925_mac_link_sta_assoc(): Check mlink and link_conf before usemt7925_mac_link_sta_remove(): Check mlink and link_conf with proper cleanupmt7925_change_vif_links(): Check link_conf before adding BSSTesting
Tested on Framework Desktop (AMD Ryzen AI Max 300 Series) with MT7925 WiFi.
These checks complement the mutex fixes in PR #1029.
Related
mt7925_vif_connect_iter()