wifi: mt76: mt7925: add NULL checks for MLO link pointers in MCU functions #1039
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…tions Several MCU functions dereference pointers returned by mt792x_sta_to_link() and mt792x_vif_to_link() without checking for NULL. During MLO state transitions, these functions can return NULL when link state is being set up or torn down, causing kernel NULL pointer dereferences. Add NULL checks in the following functions: - mt7925_mcu_sta_hdr_trans_tlv(): Check mlink before dereferencing wcid - mt7925_mcu_wtbl_update_hdr_trans(): Check mlink and mconf before use - mt7925_mcu_sta_amsdu_tlv(): Check mlink before setting amsdu flag - mt7925_mcu_sta_mld_tlv(): Check mconf and mlink in link iteration loop - mt7925_mcu_sta_update(): Initialize mlink to NULL and check both link_sta and mlink in the ternary condition These race conditions can occur during: - MLO link setup/teardown - Station add/remove operations - Firmware command generation during state transitions The fixes follow the pattern used in mt7996 and ath12k drivers for similar MLO link state handling. Signed-off-by: Zac Bowling <zac@zacbowling.com>
zbowling
added a commit
to zbowling/mt7925
that referenced
this pull request
Jan 1, 2026
Adds comprehensive NULL checks in 5 MCU functions that were dereferencing mt792x_sta_to_link() and mt792x_vif_to_link() return values without checking: - mt7925_mcu_sta_hdr_trans_tlv() - mt7925_mcu_wtbl_update_hdr_trans() - mt7925_mcu_sta_amsdu_tlv() - mt7925_mcu_sta_mld_tlv() - mt7925_mcu_sta_update() Found via code audit comparing against mt7996 and ath12k patterns. OpenWrt PR: openwrt/mt76#1039
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Several MCU functions dereference pointers returned by
mt792x_sta_to_link()and
mt792x_vif_to_link()without checking for NULL. During MLO statetransitions, these functions can return NULL when link state is being
set up or torn down, causing kernel NULL pointer dereferences.
Add NULL checks in the following functions:
mt7925_mcu_sta_hdr_trans_tlv(): Check mlink before dereferencing wcidmt7925_mcu_wtbl_update_hdr_trans(): Check mlink and mconf before usemt7925_mcu_sta_amsdu_tlv(): Check mlink before setting amsdu flagmt7925_mcu_sta_mld_tlv(): Check mconf and mlink in link iteration loopmt7925_mcu_sta_update(): Initialize mlink to NULL and check bothlink_sta and mlink in the ternary condition
These race conditions can occur during:
The fixes follow the pattern used in mt7996 and ath12k drivers for
similar MLO link state handling.
Related PRs:
Testing: Found via code audit comparing against mt7996 and ath12k patterns.