wifi: mt76: mt7996: fix crash on some tx status reports

When a wcid can't be found, link_sta can be stale from a previous batch.
The code currently assumes that if link_sta is set, wcid is also non-zero.
Fix wcid NULL pointer dereference by resetting link_sta when a wcid entry
can't be found.

Fixes: 62da647 ("wifi: mt76: mt7996: Add MLO support to mt7996_tx_check_aggr()")
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Felix Fietkau <[email protected]>

Author: nbd168

drivers/net/wireless/mediatek/mt76/mt7996/mac.c

@@ -1247,8 +1247,10 @@ mt7996_mac_tx_free(struct mt7996_dev *dev, void *data, int len)
 			idx = FIELD_GET(MT_TXFREE_INFO_WLAN_ID, info);
 			wcid = mt76_wcid_ptr(dev, idx);
 			sta = wcid_to_sta(wcid);
-			if (!sta)
+			if (!sta) {
+				link_sta = NULL;
 				goto next;
+			}
 
 			link_sta = rcu_dereference(sta->link[wcid->link_id]);
 			if (!link_sta)