From: Zac Bowling
To: zac@zacbowling.com
Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org, lorenzo@kernel.org, nbd@nbd.name, ryder.lee@mediatek.com, sean.wang@mediatek.com
Subject: [PATCH] wifi: mt76: mt7925: fix missing mutex protection in reset and ROC abort paths
Date: Wed, 31 Dec 2025 14:37:02 -0800
Message-ID: <20251231223702.30957-1-zbowling@gmail.com>

From: Zac Bowling

This patch is a follow-up to the NULL pointer dereference fix (commit 6790e656030fb23527aa5c0d6eaa28ce029335b1). While that patch prevented kernel panics from NULL pointer dereferences, it did not address the underlying system hangs and deadlocks that occur during firmware recovery.

The issue manifests on Framework Desktop systems with MT7925 WiFi cards when:

1. Switching between WiFi networks
2. Disconnecting/reconnecting ethernet while WiFi is active
3. Firmware message timeouts trigger hardware reset recovery

During these operations, MCU message timeouts can occur, triggering mt792x_reset() which queues reset_work. The reset work and ROC abort functions iterate over active interfaces and call MCU functions that require the device mutex to be held, but the mutex was not acquired before the iteration.

This causes system-wide hangs where:

- Network commands (ip, etc.) hang indefinitely
- Processes get stuck in uninterruptible sleep (D state)
- Tailscale and other network services timeout
- System becomes completely unresponsive requiring force reboot

The hang occurs because:

1. Firmware timeouts trigger hardware reset via mt792x_reset()
2. Reset work (mt7925_mac_reset_work) or ROC abort (mt7925_roc_abort_sync) tries to iterate interfaces and call MCU functions
3. MCU operations block indefinitely waiting for mutex that's held elsewhere, or deadlock occurs
4. Network stack becomes unresponsive

Add mutex protection around interface iteration in both:

- mt7925_mac_reset_work(): Called during firmware recovery after MCU timeouts to reconnect all interfaces
- mt7925_roc_abort_sync(): Called during suspend/resume and when aborting Remain On Channel operations

This matches the pattern used elsewhere in the driver (e.g., in mt7925_roc_iter, mt7925_mcu_set_suspend_iter, etc.) where interface iteration callbacks invoke MCU functions.

Note: The author does not have deep familiarity with this codebase, but this fix has been tested and appears to resolve the panic and deadlock issues observed on Framework Desktop hardware with MT7925 WiFi cards. Reported-by: Zac Bowling Tested-by: Zac Bowling Signed-off-by: Zac Bowling --- drivers/net/wireless/mediatek/mt76/mt7925/mac.c | 2 ++ drivers/net/wireless/mediatek/mt76/mt7925/main.c | 5 ++++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mac.c b/drivers/net/= wireless/mediatek/mt76/mt7925/mac.c index 184efe8afa10..06420ac6ed55 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/mac.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/mac.c @@ -1331,9 +1331,11 @@ void mt7925_mac_reset_work(struct work_struct *work) dev->hw_full_reset =3D false; pm->suspended =3D false; ieee80211_wake_queues(hw); + mt792x_mutex_acquire(dev); ieee80211_iterate_active_interfaces(hw, IEEE80211_IFACE_ITER_RESUME_ALL, mt7925_vif_connect_iter, NULL); + mt792x_mutex_release(dev); mt76_connac_power_save_sched(&dev->mt76.phy, pm); =20 mt7925_regd_change(&dev->phy, "00"); diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/main.c b/drivers/net= /wireless/mediatek/mt76/mt7925/main.c index 3001a62a8b67..1f7661175623 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c @@ -459,10 +459,13 @@ void mt7925_roc_abort_sync(struct mt792x_dev *dev) =20 timer_delete_sync(&phy->roc_timer); cancel_work_sync(&phy->roc_work); - if (test_and_clear_bit(MT76_STATE_ROC, &phy->mt76->state)) + if (test_and_clear_bit(MT76_STATE_ROC, &phy->mt76->state)) { + mt792x_mutex_acquire(dev); ieee80211_iterate_interfaces(mt76_hw(dev), IEEE80211_IFACE_ITER_RESUME_ALL, mt7925_roc_iter, (void *)phy); + mt792x_mutex_release(dev); + } } EXPORT_SYMBOL_GPL(mt7925_roc_abort_sync); =20 --=20 2.51.0
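
Review bot: In the mt7925_mac_reset_work() hunk, the new mt792x_mutex_acquire(dev) / mt792x_mutex_release(dev) pair around ieee80211_iterate_active_interfaces() is only safe if mt7925_vif_connect_iter and the MCU helpers it calls never take the same mutex themselves, because kernel mutexes are not recursive and a nested acquire would hang the reset worker. Please confirm that in the commit message, or add a lockdep_assert_held() on the device mutex inside the callback so the locking contract is checked at runtime rather than implied. The message also attributes the hang to MCU operations waiting on a mutex "held elsewhere", which an extra acquire at this point would not resolve by itself; a hung-task or lockdep trace naming the actual holder would show which failure this hunk addresses.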
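
Review bot: In the mt7925_roc_abort_sync() hunk, the mt792x_mutex_acquire(dev) added inside the test_and_clear_bit(MT76_STATE_ROC, ...) branch will self-deadlock if any caller already holds the device mutex, and none of the callers are visible here. The function is exported with EXPORT_SYMBOL_GPL and the commit message lists suspend/resume and ROC abort as call paths, so each call site needs to be audited and the result stated in the message. If some callers do hold the lock, split this into a variant that expects the mutex held and a wrapper that takes it. Keeping timer_delete_sync() and cancel_work_sync(&phy->roc_work) ahead of the acquire, as the hunk does, is the right order in case roc_work takes the same mutex; a short comment saying so would stop a later cleanup from moving the lock above them.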