> When a wcid can't be found, link_sta can be stale from a previous batch. > The code currently assumes that if link_sta is set, wcid is also non-zero. > Fix wcid NULL pointer dereference by resetting link_sta when a wcid entry > can't be found. > > Fixes: 62da647a2b20 ("wifi: mt76: mt7996: Add MLO support to mt7996_tx_check_aggr()") Acked-by: Lorenzo Bianconi <lorenzo@xxxxxxxxxx> > Signed-off-by: Felix Fietkau <nbd@xxxxxxxx> > --- > drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c > index d6531b74be1f..837deb41ae13 100644 > --- a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c > +++ b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c > @@ -1247,8 +1247,10 @@ mt7996_mac_tx_free(struct mt7996_dev *dev, void *data, int len) > idx = FIELD_GET(MT_TXFREE_INFO_WLAN_ID, info); > wcid = mt76_wcid_ptr(dev, idx); > sta = wcid_to_sta(wcid); > - if (!sta) > + if (!sta) { > + link_sta = NULL; > goto next; > + } > > link_sta = rcu_dereference(sta->link[wcid->link_id]); > if (!link_sta) > -- > 2.51.0 > >
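Review bot: in the `if (!sta)` branch of the mt7996_mac_tx_free() hunk, the new `link_sta = NULL;` has no comment explaining why it is needed. The invariant it restores is only stated in the commit message: a non-NULL link_sta implies a valid wcid. A one-line comment at that assignment, noting that link_sta otherwise carries over from the previous batch, would keep a later cleanup from dropping it as a redundant store. It may also be worth having the code that later consumes link_sta check wcid directly, so the dereference stays guarded even if another path leaves link_sta set.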