[PATCH] wifi: mt76: mt7925: fix NULL pointer dereference in vif iteration loops

From: Zac Bowling

Date: Wed Dec 31 2025 - 00:29:58 EST


I was getting a kernel panic on my new Framework Desktop running
Ubuntu 25.10 with this specific Wi-Fi chipset.

mt792x_vif_to_bss_conf() can return NULL when iterating over valid_links
during HW reset or other state transitions, because the link configuration
in mac80211 may not be set up yet even though the driver's valid_links
bitmap has the link marked as valid.

This causes a NULL pointer dereference in mt76_connac_mcu_uni_add_dev()
when it tries to access bss_conf->vif->type, and similar crashes in other
functions that use bss_conf without checking.

The crash manifests as:
  BUG: kernel NULL pointer dereference, address: 0000000000000000
  RIP: 0010:mt76_connac_mcu_uni_add_dev+0xba/0x1f0 [mt76_connac_lib]
  Call Trace:
   mt7925_vif_connect_iter+0xcb/0x240 [mt7925_common]
   __iterate_interfaces+0x92/0x130 [mac80211]
   ieee80211_iterate_interfaces+0x3d/0x60 [mac80211]
   mt7925_mac_reset_work+0x105/0x190 [mt7925_common]

Add NULL checks for bss_conf in all loops that iterate over valid_links
and call mt792x_vif_to_bss_conf(), skipping links where the mac80211
link configuration is not yet available.

Reported-by: Zac Bowling <zac@xxxxxxxxxxxxxx>
Signed-off-by: Zac Bowling <zac@xxxxxxxxxxxxxx>

Attachment: 0001-wifi-mt76-mt7925-fix-NULL-pointer-dereference-in-vif.patch
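
The failure mode described in the commit message, as a small user-space C model added here (not code from the attached patch or the mt76 driver): a valid_links bit can be set while the per-link configuration pointer is still NULL, so the loop checks the lookup result before using it. All model_* names, the struct layouts and the sample values are assumptions made for illustration.

```c
#include <stdio.h>

#define MODEL_MAX_LINKS 15 /* assumed size for this model */

/* Simplified stand-ins, not the real mac80211/mt76 structures. */
struct model_vif { int type; };
struct model_bss_conf { struct model_vif *vif; };
struct model_mvif {
    unsigned long valid_links;                         /* driver-side bitmap */
    struct model_bss_conf *link_conf[MODEL_MAX_LINKS]; /* may lag behind it */
};

/* Models a lookup that returns NULL while the link config is not set up. */
static struct model_bss_conf *model_vif_to_bss_conf(struct model_mvif *m, unsigned int id)
{
    return id < MODEL_MAX_LINKS ? m->link_conf[id] : NULL;
}

/* Walks valid_links; skips links with no config instead of dereferencing NULL. */
static int model_connect_links(struct model_mvif *m, int *skipped)
{
    int handled = 0;
    *skipped = 0;
    for (unsigned int id = 0; id < MODEL_MAX_LINKS; id++) {
        if (!(m->valid_links & (1UL << id)))
            continue;
        struct model_bss_conf *conf = model_vif_to_bss_conf(m, id);
        if (!conf) {            /* bit set, config missing: mid-reset state */
            (*skipped)++;
            continue;
        }
        printf("link %u: vif type %d\n", id, conf->vif->type);
        handled++;
    }
    return handled;
}

/* Constructed sample: links 0-2 marked valid, link 1 not yet configured. */
static int model_demo(int *skipped)
{
    struct model_vif vif = { .type = 2 };
    struct model_bss_conf c0 = { &vif }, c2 = { &vif };
    struct model_mvif m = { .valid_links = 0x7, .link_conf = { &c0, NULL, &c2 } };
    return model_connect_links(&m, skipped);
}

int main(void)
{
    int skipped, handled = model_demo(&skipped);
    return printf("handled=%d skipped=%d\n", handled, skipped) < 0;
}
```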