wifi: mt76: mt7996: fix null pointer deref in mt7996_conf_tx()

If a link does not have an assigned channel yet, mt7996_vif_link returns
NULL. We still need to store the updated queue settings in that case, and
apply them later.
Move the location of the queue params to within struct mt7996_vif_link.

Fixes: c0df2f0caa8d ("wifi: mt76: mt7996: prepare mt7996_mcu_set_tx for MLO support")
Acked-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20250929111723.52486-1-nbd@nbd.name
Signed-off-by: Felix Fietkau <nbd@nbd.name>

diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/main.c b/drivers/net/wireless/mediatek/mt76/mt7996/main.c
index 581314368c5ba566f6050bee86696c4654619176..b53ca702591c62873dbdcf0835dda6289aeac3bd 100644 (file)
--- a/drivers/net/wireless/mediatek/mt76/mt7996/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/main.c
@@ -665,8 +665,8 @@ mt7996_conf_tx(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
               unsigned int link_id, u16 queue,
               const struct ieee80211_tx_queue_params *params)
 {
-       struct mt7996_dev *dev = mt7996_hw_dev(hw);
-       struct mt7996_vif_link *mlink = mt7996_vif_link(dev, vif, link_id);
+       struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
+       struct mt7996_vif_link_info *link_info = &mvif->link_info[link_id];
        static const u8 mq_to_aci[] = {
                [IEEE80211_AC_VO] = 3,
                [IEEE80211_AC_VI] = 2,
@@ -675,7 +675,7 @@ mt7996_conf_tx(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
        };
 
        /* firmware uses access class index */
-       mlink->queue_params[mq_to_aci[queue]] = *params;
+       link_info->queue_params[mq_to_aci[queue]] = *params;
        /* no need to update right away, we'll get BSS_CHANGED_QOS */
 
        return 0;

diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
index 0347ee0c2dd75dd524660d00e12e4df72ddadef6..afa6a43bd51e55bae9b12d49093d0b7091df790a 100644 (file)
--- a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
@@ -3414,6 +3414,9 @@ int mt7996_mcu_set_tx(struct mt7996_dev *dev, struct ieee80211_vif *vif,
 #define WMM_PARAM_SET          (WMM_AIFS_SET | WMM_CW_MIN_SET | \
                                 WMM_CW_MAX_SET | WMM_TXOP_SET)
        struct mt7996_vif_link *link = mt7996_vif_conf_link(dev, vif, link_conf);
+       struct mt7996_vif *mvif = (struct mt7996_vif *)vif->drv_priv;
+       unsigned int link_id = link_conf->link_id;
+       struct mt7996_vif_link_info *link_info = &mvif->link_info[link_id];
        struct {
                u8 bss_idx;
                u8 __rsv[3];
@@ -3431,7 +3434,7 @@ int mt7996_mcu_set_tx(struct mt7996_dev *dev, struct ieee80211_vif *vif,
        skb_put_data(skb, &hdr, sizeof(hdr));
 
        for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
-               struct ieee80211_tx_queue_params *q = &link->queue_params[ac];
+               struct ieee80211_tx_queue_params *q = &link_info->queue_params[ac];
                struct edca *e;
                struct tlv *tlv;
 

diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h b/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h
index 8ec2acdb33193752a51ecbb28014545015724b5c..718e4d4ad85f2736b17804ad021a98c857c807ab 100644 (file)
--- a/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h
@@ -253,16 +253,21 @@ struct mt7996_vif_link {
        struct mt7996_sta_link msta_link;
        struct mt7996_phy *phy;
 
-       struct ieee80211_tx_queue_params queue_params[IEEE80211_NUM_ACS];
        struct cfg80211_bitrate_mask bitrate_mask;
 
        u8 mld_idx;
 };
 
+struct mt7996_vif_link_info {
+       struct ieee80211_tx_queue_params queue_params[IEEE80211_NUM_ACS];
+};
+
 struct mt7996_vif {
        struct mt7996_vif_link deflink; /* must be first */
        struct mt76_vif_data mt76;
 
+       struct mt7996_vif_link_info link_info[IEEE80211_MLD_MAX_NUM_LINKS];
+
        u8 mld_group_idx;
        u8 mld_remap_idx;
 };