wifi: mt76: mt7996: Fix possible OOB access in mt7996_tx()

Fis possible Out-Of-Boundary access in mt7996_tx routine if link_id is
set to IEEE80211_LINK_UNSPECIFIED

Fixes: 3ce8acb86b661 ("wifi: mt76: mt7996: Update mt7996_tx to MLO support")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20250704-mt7996-mlo-fixes-v1-6-356456c73f43@kernel.org
Signed-off-by: Felix Fietkau <nbd@nbd.name>

diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/main.c b/drivers/net/wireless/mediatek/mt76/mt7996/main.c
index d1f90dea512bade652743611b7d062863a63ccfe..6404514556419f75b69a783d96b0920157263e04 100644 (file)
--- a/drivers/net/wireless/mediatek/mt76/mt7996/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/main.c
@@ -1216,10 +1216,17 @@ static void mt7996_tx(struct ieee80211_hw *hw,
 
        if (vif) {
                struct mt7996_vif *mvif = (void *)vif->drv_priv;
-               struct mt76_vif_link *mlink;
+               struct mt76_vif_link *mlink = &mvif->deflink.mt76;
 
-               mlink = rcu_dereference(mvif->mt76.link[link_id]);
-               if (mlink && mlink->wcid)
+               if (link_id < IEEE80211_LINK_UNSPECIFIED)
+                       mlink = rcu_dereference(mvif->mt76.link[link_id]);
+
+               if (!mlink) {
+                       ieee80211_free_txskb(hw, skb);
+                       goto unlock;
+               }
+
+               if (mlink->wcid)
                        wcid = mlink->wcid;
 
                if (mvif->mt76.roc_phy &&
@@ -1228,7 +1235,7 @@ static void mt7996_tx(struct ieee80211_hw *hw,
                        if (mphy->roc_link)
                                wcid = mphy->roc_link->wcid;
                } else {
-                       mphy = mt76_vif_link_phy(&mvif->deflink.mt76);
+                       mphy = mt76_vif_link_phy(mlink);
                }
        }
 
@@ -1237,7 +1244,7 @@ static void mt7996_tx(struct ieee80211_hw *hw,
                goto unlock;
        }
 
-       if (control->sta) {
+       if (control->sta && link_id < IEEE80211_LINK_UNSPECIFIED) {
                struct mt7996_sta *msta = (void *)control->sta->drv_priv;
                struct mt7996_sta_link *msta_link;