Skip to content

wifi: mt76: mt792x: fix NULL pointer dereference in TX path #1033

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
zbowling wants to merge 1 commit into
base: master
Choose a base branch
from
Open

wifi: mt76: mt792x: fix NULL pointer dereference in TX path #1033

zbowling wants to merge 1 commit into from

Conversation

@zbowling
Copy link

@zbowling zbowling commented Jan 1, 2026

CRITICAL FIX

This patch fixes a NULL pointer dereference bug in mt792x_tx() that can cause
kernel crashes when transmitting packets during MLO link removal.

Affects both MT7921 and MT7925 drivers since mt792x_core.c is shared.

The Bug

mlink = mt792x_sta_to_link(sta, link_id);
wcid = &mlink->wcid;  // <-- NULL dereference if mlink is NULL!

mt792x_sta_to_link() can return NULL during link removal, but there was no
check before dereferencing.

Also, RCU-dereferenced conf and link_sta pointers were used without
NULL validation.

Race Condition

  1. A packet is queued for transmission
  2. Concurrently, the link is being removed (mt7925_mac_link_sta_remove)
  3. mt792x_sta_to_link() returns NULL for the removed link
  4. Kernel crashes on wcid = &mlink->wcid dereference

Fix

  • Check mlink return value before dereferencing wcid
  • Check RCU-dereferenced conf and link_sta before use
  • Free the SKB and return early if any pointer is NULL

Testing

Tested on Framework Desktop (AMD Ryzen AI Max 300 Series) with MT7925 WiFi.

Related PRs

@zbowling
wifi: mt76: mt792x: fix NULL pointer dereference in TX path
6958b98 
Add NULL pointer checks in mt792x_tx() to prevent kernel crashes when
transmitting packets during MLO link removal.

The function calls mt792x_sta_to_link() which can return NULL if the
link is being removed, but the return value was dereferenced without
checking. Similarly, the RCU-protected link_conf and link_sta pointers
were used without NULL validation.

This race can occur when:
1. A packet is queued for transmission
2. Concurrently, the link is being removed (mt7925_mac_link_sta_remove)
3. mt792x_sta_to_link() returns NULL for the removed link
4. Kernel crashes on wcid = &mlink->wcid dereference

Fix by:
- Check mlink return value before dereferencing wcid
- Check RCU-dereferenced conf and link_sta before use
- Free the SKB and return early if any pointer is NULL

This affects both MT7921 and MT7925 drivers as mt792x_core.c is shared.

Reported-by: Zac Bowling <zac@zacbowling.com>
Signed-off-by: Zac Bowling <zac@zacbowling.com>
This was referenced Jan 1, 2026
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@zbowling