From nobody Sun Feb 8 02:22:41 2026
Sender: Zac Bowling
From: Zac
To: sean.wang@kernel.org
Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org, lorenzo@kernel.org, nbd@nbd.name, linux@frame.work, ryder.lee@mediatek.com, sean.wang@mediatek.com, Zac Bowling, Zac Bowling
Subject: [PATCH v4 01/21] wifi: mt76: mt7925: fix NULL pointer dereference in vif iteration
Date: Thu, 15 Jan 2026 17:04:59 -0800
Message-ID: <20260116010519.37001-2-zac@zacbowling.com>
In-Reply-To: <20260116010519.37001-1-zac@zacbowling.com>
From: Zac Bowling

mt792x_vif_to_bss_conf() can return NULL when iterating over valid_links during HW reset or other state transitions, because the link configuration in mac80211 may not be set up yet even though the driver's valid_links bitmap has the link marked as valid.

This causes a NULL pointer dereference in mt76_connac_mcu_uni_add_dev() when it tries to access bss_conf->vif->type, and similar crashes in other functions that use bss_conf without checking.

This crash was observed on Framework Desktop (AMD Ryzen AI Max 300) with MT7925 (RZ717) running kernel 6.17. The panic occurs during BSSID roaming when the adapter attempts to switch to a better access point:

  BUG: kernel NULL pointer dereference, address: 0000000000000010
  CPU: 1 UID: 0 PID: 8362 Comm: kworker/u128:10 Tainted: G OE
  Workqueue: mt76 mt7925_mac_reset_work [mt7925_common]
  RIP: 0010:mt76_connac_mcu_uni_add_dev+0x9c/0x780 [mt76_connac_lib]
  Call Trace:
   mt7925_vif_connect_iter+0xcb/0x240 [mt7925_common]
   __iterate_interfaces+0x92/0x130 [mac80211]
   ieee80211_iterate_interfaces+0x3d/0x60 [mac80211]
   mt7925_mac_reset_work+0x105/0x190 [mt7925_common]
   process_one_work+0x18b/0x370
   worker_thread+0x317/0x450

The issue manifests approximately every 5 minutes when the adapter tries to hop to a better BSSID, causing system-wide hangs where network commands (ip, ifconfig, etc.) hang indefinitely.

Add NULL checks for bss_conf before using it in:
- mt7925_vif_connect_iter()
- mt7925_change_vif_links()
- mt7925_mac_sta_assoc()
- mt7925_mac_sta_remove_links()

Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips")
Link: https://community.frame.work/t/kernel-panic-from-wifi-mediatek-mt7925-nullptr-dereference/79301
Reported-by: Zac Bowling
Tested-by: Zac Bowling
Signed-off-by: Zac Bowling
---
 drivers/net/wireless/mediatek/mt76/mt7925/mac.c | 6 ++++++
 drivers/net/wireless/mediatek/mt76/mt7925/main.c | 8 ++++++++
 2 files changed, 14 insertions(+)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mac.c b/drivers/net/= wireless/mediatek/mt76/mt7925/mac.c index 871b671019..184efe8afa 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/mac.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/mac.c @@ -1271,6 +1271,12 @@ mt7925_vif_connect_iter(void *priv, u8 *mac, bss_conf =3D mt792x_vif_to_bss_conf(vif, i); mconf =3D mt792x_vif_to_link(mvif, i); =20 + /* Skip links that don't have bss_conf set up yet in mac80211. + * This can happen during HW reset when link state is inconsistent. + */ + if (!bss_conf) + continue; + mt76_connac_mcu_uni_add_dev(&dev->mphy, bss_conf, &mconf->mt76, &mvif->sta.deflink.wcid, true); mt7925_mcu_set_tx(dev, bss_conf); diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/main.c b/drivers/net= /wireless/mediatek/mt76/mt7925/main.c index 2d358a9664..3001a62a8b 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c @@ -1304,6 +1304,8 @@ mt7925_mlo_pm_iter(void *priv, u8 *mac, struct ieee80= 211_vif *vif) mt792x_mutex_acquire(dev); for_each_set_bit(i, &valid, IEEE80211_MLD_MAX_NUM_LINKS) { bss_conf =3D mt792x_vif_to_bss_conf(vif, i); + if (!bss_conf) + continue; mt7925_mcu_uni_bss_ps(dev, bss_conf); } mt792x_mutex_release(dev); @@ -1630,6 +1632,8 @@ static void mt7925_ipv6_addr_change(struct ieee80211_= hw *hw, =20 for_each_set_bit(i, &valid, IEEE80211_MLD_MAX_NUM_LINKS) { bss_conf =3D mt792x_vif_to_bss_conf(vif, i); + if (!bss_conf) + continue; __mt7925_ipv6_addr_change(hw, bss_conf, idev); } } @@ -1861,6 +1865,8 @@ static void mt7925_vif_cfg_changed(struct ieee80211_h= w *hw, if (changed & BSS_CHANGED_ARP_FILTER) { for_each_set_bit(i, &valid, IEEE80211_MLD_MAX_NUM_LINKS) { bss_conf =3D mt792x_vif_to_bss_conf(vif, i); + if (!bss_conf) + continue; mt7925_mcu_update_arp_filter(&dev->mt76, bss_conf); } } 
@@ -1876,6 +1882,8 @@ static void mt7925_vif_cfg_changed(struct ieee80211_h= w *hw, } else if (mvif->mlo_pm_state =3D=3D MT792x_MLO_CHANGED_PS) { for_each_set_bit(i, &valid, IEEE80211_MLD_MAX_NUM_LINKS) { bss_conf =3D mt792x_vif_to_bss_conf(vif, i); + if (!bss_conf) + continue; mt7925_mcu_uni_bss_ps(dev, bss_conf); } } --=20 2.52.0
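Review bot: The guard added in the mt7925_vif_connect_iter() hunk (mac.c) tests only bss_conf, but the statement right after it also uses mconf: `&mconf->mt76` is passed to mt76_connac_mcu_uni_add_dev(). Patch 04/21 of this series states that mt792x_vif_to_link() can return NULL in the same link-state transitions, so a NULL mconf would still hand a bogus pointer to the MCU path. Consider `if (!bss_conf || !mconf) continue;` here, matching the combined check patch 04 uses in the MCU TLV builders.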
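Review bot: The function list in the commit message does not match the main.c hunks. The log says the checks go into mt7925_change_vif_links(), mt7925_mac_sta_assoc() and mt7925_mac_sta_remove_links(), but the hunks touch mt7925_mlo_pm_iter(), mt7925_ipv6_addr_change() and mt7925_vif_cfg_changed(), and none of the three listed functions appears anywhere in the diff. Either the list is stale from an earlier revision or hunks are missing; please make the two agree so a backporter can see exactly which call sites are covered.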
Sender: Zac Bowling
From: Zac
To: sean.wang@kernel.org
Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org, lorenzo@kernel.org, nbd@nbd.name, linux@frame.work, ryder.lee@mediatek.com, sean.wang@mediatek.com, Zac Bowling, Zac Bowling
Subject: [PATCH v4 02/21] wifi: mt76: mt7925: fix missing mutex protection in reset and ROC abort
Date: Thu, 15 Jan 2026 17:05:00 -0800
Message-ID: <20260116010519.37001-3-zac@zacbowling.com>
In-Reply-To: <20260116010519.37001-1-zac@zacbowling.com>
From: Zac Bowling

During firmware recovery and ROC (Remain On Channel) abort operations, the driver iterates over active interfaces and calls MCU functions that require the device mutex to be held, but the mutex was not acquired.

This causes system-wide deadlocks where the system becomes completely unresponsive. From logs on affected systems:

  INFO: task kworker/u128:0:48737 blocked for more than 122 seconds.
  Workqueue: mt76 mt7925_mac_reset_work [mt7925_common]
  Call Trace:
   __schedule+0x426/0x12c0
   schedule+0x27/0xf0
   schedule_preempt_disabled+0x15/0x30
   __mutex_lock.constprop.0+0x3d0/0x6d0
   mt7925_mac_reset_work+0x85/0x170 [mt7925_common]

The deadlock manifests approximately every 5 minutes when the adapter tries to hop to a better BSSID, triggering firmware reset. Network commands (ip, ifconfig, etc.) hang indefinitely, processes get stuck in uninterruptible sleep (D state), and reboot hangs as well.

Add mutex protection around interface iteration in:
- mt7925_mac_reset_work(): Called during firmware recovery after MCU timeouts to reconnect all interfaces
- mt7925_roc_abort_sync() in suspend path: Called during suspend to clean up Remain On Channel operations

This matches the pattern used in mt7615 and other MediaTek drivers where interface iteration callbacks invoke MCU functions with mutex held:

  // mt7615/main.c - roc_work has mutex protection
  mt7615_mutex_acquire(phy->dev);
  ieee80211_iterate_active_interfaces(...);
  mt7615_mutex_release(phy->dev);

Note: Sean Wang from MediaTek has submitted an alternative fix for the ROC path using cancel_delayed_work() instead of cancel_delayed_work_sync(). Both approaches address the deadlock; this one adds explicit mutex protection which may be superseded by the upstream fix.

Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips")
Link: https://community.frame.work/t/kernel-panic-from-wifi-mediatek-mt7925-nullptr-dereference/79301
Reported-by: Zac Bowling
Tested-by: Zac Bowling
Signed-off-by: Zac Bowling --- drivers/net/wireless/mediatek/mt76/mt7925/mac.c | 2 ++ drivers/net/wireless/mediatek/mt76/mt7925/pci.c | 2 ++ 2 files changed, 4 insertions(+) diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mac.c b/drivers/net/= wireless/mediatek/mt76/mt7925/mac.c index 184efe8afa..06420ac6ed 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/mac.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/mac.c @@ -1331,9 +1331,11 @@ void mt7925_mac_reset_work(struct work_struct *work) dev->hw_full_reset =3D false; pm->suspended =3D false; ieee80211_wake_queues(hw); + mt792x_mutex_acquire(dev); ieee80211_iterate_active_interfaces(hw, IEEE80211_IFACE_ITER_RESUME_ALL, mt7925_vif_connect_iter, NULL); + mt792x_mutex_release(dev); mt76_connac_power_save_sched(&dev->mt76.phy, pm); =20 mt7925_regd_change(&dev->phy, "00"); diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/pci.c b/drivers/net/= wireless/mediatek/mt76/mt7925/pci.c index c4161754c0..e9d62c6aee 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/pci.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/pci.c 
@@ -455,7 +455,9 @@ static int mt7925_pci_suspend(struct device *device) cancel_delayed_work_sync(&pm->ps_work); cancel_work_sync(&pm->wake_work); =20 + mt792x_mutex_acquire(dev); mt7925_roc_abort_sync(dev); + mt792x_mutex_release(dev); =20 err =3D mt792x_mcu_drv_pmctrl(dev); if (err < 0) --=20 2.52.0
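Review bot: For the mt7925_mac_reset_work() hunk (mac.c), the log and its evidence point in different directions. The commit message says the mutex was not acquired, yet the quoted hung-task trace shows mt7925_mac_reset_work+0x85 already sleeping in __mutex_lock, which means the worker was waiting on a lock that some other context held. The patch does not say who that holder was or why taking the mutex again around ieee80211_iterate_active_interfaces() removes the wait. Please name the lock holder and the ordering in the log so the fix can be checked against the trace.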
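Review bot: In the mt7925_pci_suspend() hunk (pci.c), holding the device mutex across mt7925_roc_abort_sync() needs a justification. The commit message implies the ROC path currently uses cancel_delayed_work_sync(); if the work being cancelled takes the same mutex, suspend would wait on a worker that is itself waiting for the mutex suspend holds. State in the log why that ordering cannot occur, or drop this hunk in favour of the cancel_delayed_work() alternative the message mentions.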
Sender: Zac Bowling
From: Zac
To: sean.wang@kernel.org
Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org, lorenzo@kernel.org, nbd@nbd.name, linux@frame.work, ryder.lee@mediatek.com, sean.wang@mediatek.com, Zac Bowling, Zac Bowling
Subject: [PATCH v4 03/21] wifi: mt76: mt7925: fix missing mutex protection in runtime PM and MLO PM
Date: Thu, 15 Jan 2026 17:05:01 -0800
Message-ID: <20260116010519.37001-4-zac@zacbowling.com>
In-Reply-To: <20260116010519.37001-1-zac@zacbowling.com>
From: Zac Bowling

Two additional code paths iterate over active interfaces and call MCU functions without proper mutex protection:

1. mt7925_set_runtime_pm(): Called when runtime PM settings change. The callback mt7925_pm_interface_iter() calls mt7925_mcu_set_beacon_filter() which in turn calls mt7925_mcu_set_rxfilter(). These MCU functions require the device mutex to be held.

2. mt7925_mlo_pm_work(): A workqueue function for MLO power management. The callback mt7925_mlo_pm_iter() was acquiring mutex internally, which is inconsistent with the rest of the driver where the caller holds the mutex during interface iteration.

These bugs can cause deadlocks when:
- Power management settings are changed while WiFi is active
- MLO power save state transitions occur during roaming

Move the mutex to the caller in mt7925_mlo_pm_work() for consistency with the rest of the driver, and add mutex protection in mt7925_set_runtime_pm().

Found through static analysis (clang-tidy) and comparison with the MT7615 driver which correctly acquires mutex before interface iteration.

Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips")
Reported-by: Zac Bowling
Tested-by: Zac Bowling
Signed-off-by: Zac Bowling
---
 drivers/net/wireless/mediatek/mt76/mt7925/main.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/main.c b/drivers/net= /wireless/mediatek/mt76/mt7925/main.c index 3001a62a8b..9f17b21aef 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c
@@ -751,9 +751,11 @@ void mt7925_set_runtime_pm(struct mt792x_dev *dev) bool monitor =3D !!(hw->conf.flags & IEEE80211_CONF_MONITOR); =20 pm->enable =3D pm->enable_user && !monitor; + mt792x_mutex_acquire(dev); ieee80211_iterate_active_interfaces(hw, IEEE80211_IFACE_ITER_RESUME_ALL, mt7925_pm_interface_iter, dev); + mt792x_mutex_release(dev); pm->ds_enable =3D pm->ds_enable_user && !monitor; mt7925_mcu_set_deep_sleep(dev, pm->ds_enable); } @@ -1301,14 +1303,12 @@ mt7925_mlo_pm_iter(void *priv, u8 *mac, struct ieee= 80211_vif *vif) if (mvif->mlo_pm_state !=3D MT792x_MLO_CHANGED_PS) return; =20 - mt792x_mutex_acquire(dev); for_each_set_bit(i, &valid, IEEE80211_MLD_MAX_NUM_LINKS) { bss_conf =3D mt792x_vif_to_bss_conf(vif, i); if (!bss_conf) continue; mt7925_mcu_uni_bss_ps(dev, bss_conf); } - mt792x_mutex_release(dev); } =20 void mt7925_mlo_pm_work(struct work_struct *work) 
@@ -1317,9 +1317,11 @@ void mt7925_mlo_pm_work(struct work_struct *work) mlo_pm_work.work); struct ieee80211_hw *hw =3D mt76_hw(dev); =20 + mt792x_mutex_acquire(dev); ieee80211_iterate_active_interfaces(hw, IEEE80211_IFACE_ITER_RESUME_ALL, mt7925_mlo_pm_iter, dev); + mt792x_mutex_release(dev); } =20 void mt7925_scan_work(struct work_struct *work) --=20 2.52.0
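Review bot: In the mt7925_set_runtime_pm() hunk the mutex is released before `mt7925_mcu_set_deep_sleep(dev, pm->ds_enable);`, which by its name is also an MCU call, while the log's rationale is that MCU functions need the device mutex held. Either extend the locked region to cover that call or say why it is exempt. Please also confirm that no caller of mt7925_set_runtime_pm() already holds the mutex, since the new acquire would then block on itself.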
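Review bot: After the mt7925_mlo_pm_iter() hunk the iterator no longer locks for itself and silently relies on every caller holding the device mutex around mt7925_mcu_uni_bss_ps(). Add a lockdep_assert_held() on that mutex at the top of the iterator so the new contract is documented in code and a future caller that forgets the lock is caught in testing instead of as a hang in the field.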
Sender: Zac Bowling
From: Zac
To: sean.wang@kernel.org
Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org, lorenzo@kernel.org, nbd@nbd.name, linux@frame.work, ryder.lee@mediatek.com, sean.wang@mediatek.com, Zac Bowling, Zac Bowling
Subject: [PATCH v4 04/21] wifi: mt76: mt7925: add NULL checks in MCU STA TLV functions
Date: Thu, 15 Jan 2026 17:05:02 -0800
Message-ID: <20260116010519.37001-5-zac@zacbowling.com>
In-Reply-To: <20260116010519.37001-1-zac@zacbowling.com>
From: Zac Bowling

Add NULL pointer checks for link_conf and mconf in:
- mt7925_mcu_sta_phy_tlv(): builds PHY capability TLV for station record
- mt7925_mcu_sta_rate_ctrl_tlv(): builds rate control TLV for station record

Both functions call mt792x_vif_to_bss_conf() and mt792x_vif_to_link() which can return NULL during MLO link state transitions when the link configuration in mac80211 is not yet synchronized with the driver's link tracking.

Without these checks, the driver will crash with a NULL pointer dereference when accessing link_conf->chanreq.oper or link_conf->basic_rates.

Found through static analysis (clang-tidy pattern matching for unchecked return values from functions known to return NULL).

Reported-by: Zac Bowling
Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips")
Signed-off-by: Zac Bowling
---
 drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c b/drivers/net/= wireless/mediatek/mt76/mt7925/mcu.c index cf0fdea45c..d61a7fbda7 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c @@ -1773,6 +1773,10 @@ mt7925_mcu_sta_phy_tlv(struct sk_buff *skb, =20 link_conf =3D mt792x_vif_to_bss_conf(vif, link_sta->link_id); mconf =3D mt792x_vif_to_link(mvif, link_sta->link_id); + + if (!link_conf || !mconf) + return; + chandef =3D mconf->mt76.ctx ? &mconf->mt76.ctx->def : &link_conf->chanreq.oper; =20
@@ -1851,6 +1855,10 @@ mt7925_mcu_sta_rate_ctrl_tlv(struct sk_buff *skb, =20 link_conf =3D mt792x_vif_to_bss_conf(vif, link_sta->link_id); mconf =3D mt792x_vif_to_link(mvif, link_sta->link_id); + + if (!link_conf || !mconf) + return; + chandef =3D mconf->mt76.ctx ? &mconf->mt76.ctx->def : &link_conf->chanreq.oper; band =3D chandef->chan->band; --=20 2.52.0
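
Review bot: the bare "return;" added after the mt792x_vif_to_link() lookup in mt7925_mcu_sta_phy_tlv() (hunk at -1773) drops the PHY TLV without any trace, so the caller cannot tell that the station record is being built without it. Since the commit message ties the NULL case to an MLO transition window, a ratelimited warning here, or an int return the caller can act on, would make the skipped TLV visible instead of trading a crash for a quietly incomplete STA record.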
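
Review bot: in mt7925_mcu_sta_rate_ctrl_tlv() (hunk at -1851) the line right after the new check still dereferences chandef->chan->band with no check on chan. If link_conf can be missing during the transition the commit message describes, please confirm that chandef->chan is guaranteed valid in the same window or extend the check. The lookup-plus-check block is now identical in both functions of this patch, so a small helper that returns the chandef or NULL would keep the two in step.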

Sender: Zac Bowling
From: Zac
To: sean.wang@kernel.org
Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org,
    linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org,
    lorenzo@kernel.org, nbd@nbd.name, linux@frame.work,
    ryder.lee@mediatek.com, sean.wang@mediatek.com, Zac Bowling, Zac Bowling
Subject: [PATCH v4 05/21] wifi: mt76: mt7925: add NULL checks for link_conf and mlink in main.c
Date: Thu, 15 Jan 2026 17:05:03 -0800
Message-ID: <20260116010519.37001-6-zac@zacbowling.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20260116010519.37001-1-zac@zacbowling.com>
References: <20260116010519.37001-1-zac@zacbowling.com>
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Zac Bowling

Add NULL pointer checks throughout main.c for functions that call
mt792x_vif_to_bss_conf(), mt792x_vif_to_link(), and mt792x_sta_to_link()
without verifying the return value before dereferencing.

Functions fixed:
- mt7925_set_key(): Check link_conf, mconf, and mlink before use
- mt7925_mac_link_sta_add(): Check link_conf before BSS info update
- mt7925_mac_link_sta_assoc(): Check mlink and link_conf before use
- mt7925_mac_link_sta_remove(): Check mlink and link_conf, add goto
  label for proper cleanup path
- mt7925_change_vif_links(): Check link_conf before adding BSS

These functions can receive NULL when the link configuration in
mac80211 is not yet synchronized with the driver's link tracking during
MLO operations or state transitions.

Without these checks, the driver crashes during station
add/remove/association operations with NULL pointer dereference:

  BUG: kernel NULL pointer dereference, address: 0000000000000010
  Call Trace:
   mt7925_mac_link_sta_add+0x...
   ...

Found through static analysis and triggered during BSSID roaming on
systems with multiple access points.

Reported-by: Zac Bowling
Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips")
Signed-off-by: Zac Bowling
---
 .../net/wireless/mediatek/mt76/mt7925/main.c | 27 ++++++++++++++++---
 1 file changed, 23 insertions(+), 4 deletions(-)

diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/main.c b/drivers/net= /wireless/mediatek/mt76/mt7925/main.c index 9f17b21aef..7d3322461b 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c
@@ -604,6 +604,10 @@ static int mt7925_set_link_key(struct ieee80211_hw *hw= , enum set_key_cmd cmd, link_sta =3D sta ? mt792x_sta_to_link_sta(vif, sta, link_id) : NULL; mconf =3D mt792x_vif_to_link(mvif, link_id); mlink =3D mt792x_sta_to_link(msta, link_id); + + if (!link_conf || !mconf || !mlink) + return -EINVAL; + wcid =3D &mlink->wcid; wcid_keyidx =3D &wcid->hw_key_idx; =20 @@ -889,6 +893,8 @@ static int mt7925_mac_link_sta_add(struct mt76_dev *mde= v, MT_WTBL_UPDATE_ADM_COUNT_CLEAR); =20 link_conf =3D mt792x_vif_to_bss_conf(vif, link_id); + if (!link_conf) + return -EINVAL; =20 /* should update bss info before STA add */ if (vif->type =3D=3D NL80211_IFTYPE_STATION && !link_sta->sta->tdls) { @@ -1034,6 +1040,8 @@ static void mt7925_mac_link_sta_assoc(struct mt76_dev= *mdev, =20 msta =3D (struct mt792x_sta *)link_sta->sta->drv_priv; mlink =3D mt792x_sta_to_link(msta, link_sta->link_id); + if (!mlink) + return; =20 mt792x_mutex_acquire(dev); =20 @@ -1043,12 +1051,13 @@ static void mt7925_mac_link_sta_assoc(struct mt76_d= ev *mdev, link_conf =3D mt792x_vif_to_bss_conf(vif, vif->bss_conf.link_id); } =20 - if (vif->type =3D=3D NL80211_IFTYPE_STATION && !link_sta->sta->tdls) { + if (link_conf && vif->type =3D=3D NL80211_IFTYPE_STATION && !link_sta->st= a->tdls) { struct mt792x_bss_conf *mconf; =20 mconf =3D mt792x_link_conf_to_mconf(link_conf); - mt7925_mcu_add_bss_info(&dev->phy, mconf->mt76.ctx, - link_conf, link_sta, true); + if (mconf) + mt7925_mcu_add_bss_info(&dev->phy, mconf->mt76.ctx, + link_conf, link_sta, true); } =20 ewma_avg_signal_init(&mlink->avg_ack_signal); @@ -1095,6 +1104,8 @@ static void mt7925_mac_link_sta_remove(struct mt76_de= v *mdev, =20 msta =3D (struct mt792x_sta *)link_sta->sta->drv_priv; mlink =3D mt792x_sta_to_link(msta, link_id); + if (!mlink) + return; =20 mt7925_roc_abort_sync(dev); =20 
@@ -1108,10 +1119,12 @@ static void mt7925_mac_link_sta_remove(struct mt76_= dev *mdev, =20 link_conf =3D mt792x_vif_to_bss_conf(vif, link_id); =20 - if (vif->type =3D=3D NL80211_IFTYPE_STATION && !link_sta->sta->tdls) { + if (link_conf && vif->type =3D=3D NL80211_IFTYPE_STATION && !link_sta->st= a->tdls) { struct mt792x_bss_conf *mconf; =20 mconf =3D mt792x_link_conf_to_mconf(link_conf); + if (!mconf) + goto out; =20 if (ieee80211_vif_is_mld(vif)) mt792x_mac_link_bss_remove(dev, mconf, mlink); @@ -1119,6 +1132,7 @@ static void mt7925_mac_link_sta_remove(struct mt76_de= v *mdev, mt7925_mcu_add_bss_info(&dev->phy, mconf->mt76.ctx, link_conf, link_sta, false); } +out: =20 spin_lock_bh(&mdev->sta_poll_lock); if (!list_empty(&mlink->wcid.poll_list)) 
@@ -2031,6 +2045,11 @@ mt7925_change_vif_links(struct ieee80211_hw *hw, str= uct ieee80211_vif *vif, mlink =3D mlinks[link_id]; link_conf =3D mt792x_vif_to_bss_conf(vif, link_id); =20 + if (!link_conf) { + err =3D -EINVAL; + goto free; + } + rcu_assign_pointer(mvif->link_conf[link_id], mconf); rcu_assign_pointer(mvif->sta.link[link_id], mlink); =20 --=20 2.52.0
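
Review bot: the hunk at -604 lands in mt7925_set_link_key(), but the commit message lists mt7925_set_key() as the function fixed; please make the changelog match the code. The new -EINVAL return also sits ahead of any cmd handling shown in the hunk, so it applies to key removal as well as SET_KEY. If a link can already be gone when a key is being disabled, returning an error there deserves a sentence in the changelog or a cmd-specific return value.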
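
Review bot: in mt7925_mac_link_sta_add() (hunk at -889) the new "return -EINVAL" comes after the call that ends with MT_WTBL_UPDATE_ADM_COUNT_CLEAR, so the function has already done work by the time it bails out. Either look up link_conf before that work starts or unwind what was set up, otherwise the error path can leave a partially added station behind.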
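
Review bot: the "out:" label added in mt7925_mac_link_sta_remove() (hunk at -1119) is followed by a blank line before spin_lock_bh() and only exists to skip the two BSS calls inside the if block. Wrapping those calls in "if (mconf)", as this same patch does in mt7925_mac_link_sta_assoc(), avoids the goto and keeps the two functions consistent. When link_conf or mconf is NULL the BSS teardown calls are skipped entirely, which is worth a log line so the skipped firmware update is not invisible.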
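
Review bot: in mt7925_change_vif_links() (hunk at -2031) the "goto free" on a NULL link_conf is taken from code that publishes mconf and mlink with rcu_assign_pointer() right after the check. If this body runs once per link_id, as the mlinks[link_id] indexing suggests, an earlier iteration may already have published pointers that the free label then releases. Please confirm the free path clears mvif->link_conf[] and mvif->sta.link[] for links already assigned, or do all the link_conf lookups before the first rcu_assign_pointer().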

Sender: Zac Bowling
From: Zac
To: sean.wang@kernel.org
Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org,
    linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org,
    lorenzo@kernel.org, nbd@nbd.name, linux@frame.work,
    ryder.lee@mediatek.com, sean.wang@mediatek.com, Zac Bowling, Zac Bowling
Subject: [PATCH v4 06/21] wifi: mt76: mt7925: add error handling for AMPDU MCU commands
Date: Thu, 15 Jan 2026 17:05:04 -0800
Message-ID: <20260116010519.37001-7-zac@zacbowling.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20260116010519.37001-1-zac@zacbowling.com>
References: <20260116010519.37001-1-zac@zacbowling.com>
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Zac Bowling

Check return values of mt7925_mcu_uni_rx_ba() and mt7925_mcu_uni_tx_ba()
in mt7925_ampdu_action() and propagate errors to the caller.

Previously, failures in these MCU commands were silently ignored, which
could leave block aggregation in an inconsistent state between the
driver and firmware.

For IEEE80211_AMPDU_TX_STOP_CONT, only call the completion callback
ieee80211_stop_tx_ba_cb_irqsafe() if the MCU command succeeded, to avoid
signaling completion when the firmware operation failed.

Found through code review - pattern of ignored return values throughout
AMPDU handling.

Reported-by: Zac Bowling
Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips")
Signed-off-by: Zac Bowling
---
 drivers/net/wireless/mediatek/mt76/mt7925/main.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/main.c b/drivers/net= /wireless/mediatek/mt76/mt7925/main.c index 7d3322461b..d966e5ab50 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c
@@ -1271,22 +1271,22 @@ mt7925_ampdu_action(struct ieee80211_hw *hw, struct= ieee80211_vif *vif, case IEEE80211_AMPDU_RX_START: mt76_rx_aggr_start(&dev->mt76, &msta->deflink.wcid, tid, ssn, params->buf_size); - mt7925_mcu_uni_rx_ba(dev, params, true); + ret =3D mt7925_mcu_uni_rx_ba(dev, params, true); break; case IEEE80211_AMPDU_RX_STOP: mt76_rx_aggr_stop(&dev->mt76, &msta->deflink.wcid, tid); - mt7925_mcu_uni_rx_ba(dev, params, false); + ret =3D mt7925_mcu_uni_rx_ba(dev, params, false); break; case IEEE80211_AMPDU_TX_OPERATIONAL: mtxq->aggr =3D true; mtxq->send_bar =3D false; - mt7925_mcu_uni_tx_ba(dev, params, true); + ret =3D mt7925_mcu_uni_tx_ba(dev, params, true); break; case IEEE80211_AMPDU_TX_STOP_FLUSH: case IEEE80211_AMPDU_TX_STOP_FLUSH_CONT: mtxq->aggr =3D false; clear_bit(tid, &msta->deflink.wcid.ampdu_state); - mt7925_mcu_uni_tx_ba(dev, params, false); + ret =3D mt7925_mcu_uni_tx_ba(dev, params, false); break; case IEEE80211_AMPDU_TX_START: set_bit(tid, &msta->deflink.wcid.ampdu_state); 
@@ -1295,8 +1295,9 @@ mt7925_ampdu_action(struct ieee80211_hw *hw, struct i= eee80211_vif *vif, case IEEE80211_AMPDU_TX_STOP_CONT: mtxq->aggr =3D false; clear_bit(tid, &msta->deflink.wcid.ampdu_state); - mt7925_mcu_uni_tx_ba(dev, params, false); - ieee80211_stop_tx_ba_cb_irqsafe(vif, sta->addr, tid); + ret =3D mt7925_mcu_uni_tx_ba(dev, params, false); + if (!ret) + ieee80211_stop_tx_ba_cb_irqsafe(vif, sta->addr, tid); break; } mt792x_mutex_release(dev); --=20 2.52.0
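
Review bot: in the IEEE80211_AMPDU_RX_START and IEEE80211_AMPDU_TX_OPERATIONAL cases (hunk at -1271) the driver-side state is changed first, via mt76_rx_aggr_start() and mtxq->aggr = true, and nothing undoes it when the MCU call stored in ret fails. Returning the error without rolling back keeps the driver/firmware mismatch the commit message sets out to fix; consider calling mt76_rx_aggr_stop() on RX_START failure and resetting mtxq->aggr on TX_OPERATIONAL failure.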
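
Review bot: in the IEEE80211_AMPDU_TX_STOP_CONT case (hunk at -1295) mtxq->aggr and the ampdu_state bit are already cleared when mt7925_mcu_uni_tx_ba() fails, and with the new "if (!ret)" the stop callback is then never delivered. Please say in the changelog, or in a comment here, what completes the session teardown after an error return; otherwise the TID could be left with aggregation disabled in the driver and no completion signaled.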

Sender: Zac Bowling
From: Zac
To: sean.wang@kernel.org
Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org,
    linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org,
    lorenzo@kernel.org, nbd@nbd.name, linux@frame.work,
    ryder.lee@mediatek.com, sean.wang@mediatek.com, Zac Bowling, Zac Bowling
Subject: [PATCH v4 07/21] wifi: mt76: mt7925: add error handling for BSS info MCU command in sta_add
Date: Thu, 15 Jan 2026 17:05:05 -0800
Message-ID: <20260116010519.37001-8-zac@zacbowling.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20260116010519.37001-1-zac@zacbowling.com>
References: <20260116010519.37001-1-zac@zacbowling.com>
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Zac Bowling

Check return value of mt7925_mcu_add_bss_info() in
mt7925_mac_link_sta_add() and propagate errors to the caller.

BSS info must be set up before adding a station record. If this MCU
command fails, continuing with station add would leave the firmware in
an inconsistent state with a station but no BSS configuration.

This can cause undefined behavior in the firmware, particularly during
MLO link setup where multiple BSS configurations are being programmed.

Reported-by: Zac Bowling
Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips")
Signed-off-by: Zac Bowling
---
 drivers/net/wireless/mediatek/mt76/mt7925/main.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/main.c b/drivers/net= /wireless/mediatek/mt76/mt7925/main.c index d966e5ab50..a7e1e673c4 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c
@@ -899,11 +899,14 @@ static int mt7925_mac_link_sta_add(struct mt76_dev *m= dev, /* should update bss info before STA add */ if (vif->type =3D=3D NL80211_IFTYPE_STATION && !link_sta->sta->tdls) { if (ieee80211_vif_is_mld(vif)) - mt7925_mcu_add_bss_info(&dev->phy, mconf->mt76.ctx, - link_conf, link_sta, link_sta !=3D mlink->pri_link); + ret =3D mt7925_mcu_add_bss_info(&dev->phy, mconf->mt76.ctx, + link_conf, link_sta, + link_sta !=3D mlink->pri_link); else - mt7925_mcu_add_bss_info(&dev->phy, mconf->mt76.ctx, - link_conf, link_sta, false); + ret =3D mt7925_mcu_add_bss_info(&dev->phy, mconf->mt76.ctx, + link_conf, link_sta, false); + if (ret) + return ret; } =20 if (ieee80211_vif_is_mld(vif) && --=20 2.52.0
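
Review bot: both mt7925_mcu_add_bss_info() calls in this hunk dereference mconf->mt76.ctx, and the MLD branch also reads mlink->pri_link, while the check that 05/21 adds to mt7925_mac_link_sta_add() covers only link_conf. If mconf and mlink come from the same kind of link lookup, they need a NULL check before this block too. The new "return ret" also leaves the function without undoing anything done earlier in it, so the error path should be reviewed for state that needs unwinding before the error is propagated.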

Sender: Zac Bowling
From: Zac
To: sean.wang@kernel.org
Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org,
    linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org,
    lorenzo@kernel.org, nbd@nbd.name, linux@frame.work,
    ryder.lee@mediatek.com, sean.wang@mediatek.com, Zac Bowling, Zac Bowling
Subject: [PATCH v4 08/21] wifi: mt76: mt7925: add error handling for BSS info in key setup
Date: Thu, 15 Jan 2026 17:05:06 -0800
Message-ID: <20260116010519.37001-9-zac@zacbowling.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20260116010519.37001-1-zac@zacbowling.com>
References: <20260116010519.37001-1-zac@zacbowling.com>
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Zac Bowling

Check return value of mt7925_mcu_add_bss_info() in mt7925_set_link_key()
when setting up cipher for the first time and propagate errors.

The BSS info update with cipher information must succeed before key
programming can proceed. If this MCU command fails, continuing with key
setup would program keys into the firmware for a BSS that does not have
the correct cipher configuration.

SECURITY NOTE: Silent failure here is particularly dangerous because the
user would believe encryption is active when the firmware may not have
the cipher properly configured, potentially resulting in unencrypted or
incorrectly encrypted traffic.

This ensures the error is propagated up the stack rather than silently
ignored.

Reported-by: Zac Bowling
Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips")
Signed-off-by: Zac Bowling
---
 drivers/net/wireless/mediatek/mt76/mt7925/main.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/main.c b/drivers/net= /wireless/mediatek/mt76/mt7925/main.c index a7e1e673c4..058394b2e0 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c 
@@ -637,8 +637,10 @@ static int mt7925_set_link_key(struct ieee80211_hw *hw= , enum set_key_cmd cmd, struct mt792x_phy *phy =3D mt792x_hw_phy(hw); =20 mconf->mt76.cipher =3D mt7925_mcu_get_cipher(key->cipher); - mt7925_mcu_add_bss_info(phy, mconf->mt76.ctx, link_conf, - link_sta, true); + err =3D mt7925_mcu_add_bss_info(phy, mconf->mt76.ctx, link_conf, + link_sta, true); + if (err) + goto out; } =20 if (cmd =3D=3D SET_KEY) --=20 2.52.0
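
Review bot: mconf->mt76.cipher is assigned before mt7925_mcu_add_bss_info() and keeps the new value when err is non-zero and the code jumps to out. The commit message says this block runs when the cipher is set up for the first time, so if that test is based on mconf->mt76.cipher, a retried set_key would skip the BSS info update that just failed and go straight to key programming, which is the state the SECURITY NOTE warns about. Assign the cipher only after the MCU command succeeds, or restore the previous value on the error path.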
From: Zac
To: sean.wang@kernel.org
Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org, lorenzo@kernel.org, nbd@nbd.name, linux@frame.work, ryder.lee@mediatek.com, sean.wang@mediatek.com, Zac Bowling, Zac Bowling
Subject: [PATCH v4 09/21] wifi: mt76: mt7925: add NULL checks in MLO link and chanctx functions
Date: Thu, 15 Jan 2026 17:05:07 -0800
Message-ID: <20260116010519.37001-10-zac@zacbowling.com>
In-Reply-To: <20260116010519.37001-1-zac@zacbowling.com>
References: <20260116010519.37001-1-zac@zacbowling.com>
From: Zac Bowling

Add NULL pointer checks for mconf and link_conf in several functions
that were missing validation after calling mt792x_vif_to_link() and
mt792x_vif_to_bss_conf().

Functions fixed:
- mt7925_mac_set_links(): Check both primary and secondary link_conf
  before dereferencing chanreq.oper for band selection
- mt7925_link_info_changed(): Check mconf before using it to get
  link_conf, prevents NULL dereference chain
- mt7925_assign_vif_chanctx(): Check mconf before use, return -EINVAL
  if NULL; check pri_link_conf before passing to MCU function
- mt7925_unassign_vif_chanctx(): Check mconf before dereferencing,
  return early if NULL during MLO cleanup

These functions handle MLO (Multi-Link Operation) scenarios where link
configurations may not be fully set up when called, particularly during
rapid link state transitions or error recovery paths.

Prevents panics during WiFi 7 MLO link setup and teardown sequences.

Reported-by: Zac Bowling
Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips")
Signed-off-by: Zac Bowling
--- .../net/wireless/mediatek/mt76/mt7925/main.c | 39 +++++++++++++++---- 1 file changed, 32 insertions(+), 7 deletions(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/main.c b/drivers/net= /wireless/mediatek/mt76/mt7925/main.c index 058394b2e0..852cf8ff84 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c
@@ -1006,18 +1006,29 @@ mt7925_mac_set_links(struct mt76_dev *mdev, struct = ieee80211_vif *vif) { struct mt792x_dev *dev =3D container_of(mdev, struct mt792x_dev, mt76); struct mt792x_vif *mvif =3D (struct mt792x_vif *)vif->drv_priv; - struct ieee80211_bss_conf *link_conf =3D - mt792x_vif_to_bss_conf(vif, mvif->deflink_id); - struct cfg80211_chan_def *chandef =3D &link_conf->chanreq.oper; - enum nl80211_band band =3D chandef->chan->band, secondary_band; + struct ieee80211_bss_conf *link_conf; + struct cfg80211_chan_def *chandef; + enum nl80211_band band, secondary_band; + u16 sel_links; + u8 secondary_link_id; =20 - u16 sel_links =3D mt76_select_links(vif, 2); - u8 secondary_link_id =3D __ffs(~BIT(mvif->deflink_id) & sel_links); + link_conf =3D mt792x_vif_to_bss_conf(vif, mvif->deflink_id); + if (!link_conf) + return; + + chandef =3D &link_conf->chanreq.oper; + band =3D chandef->chan->band; + + sel_links =3D mt76_select_links(vif, 2); + secondary_link_id =3D __ffs(~BIT(mvif->deflink_id) & sel_links); =20 if (!ieee80211_vif_is_mld(vif) || hweight16(sel_links) < 2) return; =20 link_conf =3D mt792x_vif_to_bss_conf(vif, secondary_link_id); + if (!link_conf) + return; + secondary_band =3D link_conf->chanreq.oper.chan->band; =20 if (band =3D=3D NL80211_BAND_2GHZ || @@ -1927,7 +1938,12 @@ static void mt7925_link_info_changed(struct ieee8021= 1_hw *hw, struct ieee80211_bss_conf *link_conf; =20 mconf =3D mt792x_vif_to_link(mvif, info->link_id); + if (!mconf) + return; + link_conf =3D mt792x_vif_to_bss_conf(vif, mconf->link_id); + if (!link_conf) + return; =20 mt792x_mutex_acquire(dev); =20 
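Review bot: In mt7925_mac_set_links(), the new `!link_conf` checks guard only the first step of the dereference chain: `band = chandef->chan->band` and `link_conf->chanreq.oper.chan->band` still read `chanreq.oper.chan` unchecked. Patch 13 of this series states that a channel may not be configured yet during MLO setup, so the same transition window can fault one step later. Check `chan` for both the primary and the secondary link before reading `band`.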
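Review bot: In mt7925_link_info_changed(), both lookups and their NULL checks run before mt792x_mutex_acquire(dev), so nothing visible here prevents the link from being torn down between the check and the later uses of mconf and link_conf under the mutex. If teardown is serialized by the device mutex, move the lookups and checks after the acquire and release it on the early-return path; otherwise state in a comment what protects these pointers. The early returns also drop the notification silently, so a debug message naming info->link_id would make that observable.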
@@ -2136,9 +2152,14 @@ static int mt7925_assign_vif_chanctx(struct ieee8021= 1_hw *hw, =20 if (ieee80211_vif_is_mld(vif)) { mconf =3D mt792x_vif_to_link(mvif, link_conf->link_id); + if (!mconf) { + mutex_unlock(&dev->mt76.mutex); + return -EINVAL; + } + pri_link_conf =3D mt792x_vif_to_bss_conf(vif, mvif->deflink_id); =20 - if (vif->type =3D=3D NL80211_IFTYPE_STATION && + if (pri_link_conf && vif->type =3D=3D NL80211_IFTYPE_STATION && mconf =3D=3D &mvif->bss_conf) mt7925_mcu_add_bss_info(&dev->phy, NULL, pri_link_conf, NULL, true); 
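Review bot: In mt7925_assign_vif_chanctx(), the return value of mt7925_mcu_add_bss_info() is still ignored in the context lines right after the new `pri_link_conf &&` condition, while the mt7925_set_link_key() change earlier in this series starts propagating the same call's error. Capture it here too and unwind on failure. The added `!mconf` branch also open-codes `mutex_unlock(&dev->mt76.mutex); return -EINVAL;`; a single unlock label would keep the lock handling in one place as more early exits are added.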
@@ -2167,6 +2188,10 @@ static void mt7925_unassign_vif_chanctx(struct ieee8= 0211_hw *hw, =20 if (ieee80211_vif_is_mld(vif)) { mconf =3D mt792x_vif_to_link(mvif, link_conf->link_id); + if (!mconf) { + mutex_unlock(&dev->mt76.mutex); + return; + } =20 if (vif->type =3D=3D NL80211_IFTYPE_STATION && mconf =3D=3D &mvif->bss_conf) --=20 2.52.0
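Review bot: In mt7925_unassign_vif_chanctx(), the new `!mconf` branch unlocks and returns before the rest of the function, which is not visible in this hunk. This is a teardown path, so please confirm that nothing after this block has to run even when the link lookup fails; if something does, skip only the mconf-dependent part instead of returning. A shared unlock label would also avoid repeating mutex_unlock() here.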
From: Zac
To: sean.wang@kernel.org
Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org, lorenzo@kernel.org, nbd@nbd.name, linux@frame.work, ryder.lee@mediatek.com, sean.wang@mediatek.com, Zac Bowling, Zac Bowling
Subject: [PATCH v4 10/21] wifi: mt76: mt792x: fix NULL pointer dereference in TX path
Date: Thu, 15 Jan 2026 17:05:08 -0800
Message-ID: <20260116010519.37001-11-zac@zacbowling.com>
In-Reply-To: <20260116010519.37001-1-zac@zacbowling.com>
References: <20260116010519.37001-1-zac@zacbowling.com>
From: Zac Bowling

Add NULL pointer checks in mt792x_tx() to prevent kernel crashes when
transmitting packets during MLO link removal.

The function calls mt792x_sta_to_link() which can return NULL if the
link is being removed, but the return value was dereferenced without
checking. Similarly, the RCU-protected link_conf and link_sta pointers
were used without NULL validation.

This race can occur when:
1. A packet is queued for transmission
2. Concurrently, the link is being removed (mt7925_mac_link_sta_remove)
3. mt792x_sta_to_link() returns NULL for the removed link
4. Kernel crashes on wcid = &mlink->wcid dereference

Example crash trace:
  BUG: kernel NULL pointer dereference
  RIP: mt792x_tx+0x...
  Call Trace:
   ieee80211_tx+0x...
   __ieee80211_subif_start_xmit+0x...

Fix by:
- Check mlink return value before dereferencing wcid
- Check RCU-dereferenced conf and link_sta before use
- Free the SKB and return early if any pointer is NULL

This affects both MT7921 and MT7925 drivers as mt792x_core.c is shared.

Fixes: c74df1c067f2 ("wifi: mt76: mt792x: introduce mt792x-lib module")
Reported-by: Zac Bowling
Signed-off-by: Zac Bowling
--- drivers/net/wireless/mediatek/mt76/mt792x_core.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt792x_core.c b/drivers/net= /wireless/mediatek/mt76/mt792x_core.c index f2ed16feb6..9dc768aa8b 100644 --- a/drivers/net/wireless/mediatek/mt76/mt792x_core.c +++ b/drivers/net/wireless/mediatek/mt76/mt792x_core.c @@ -95,6 +95,8 @@ void mt792x_tx(struct ieee80211_hw *hw, struct ieee80211_= tx_control *control, IEEE80211_TX_CTRL_MLO_LINK); sta =3D (struct mt792x_sta *)control->sta->drv_priv; mlink =3D mt792x_sta_to_link(sta, link_id); + if (!mlink) + goto free_skb; wcid =3D &mlink->wcid; } =20
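Review bot: In mt792x_tx(), the `!mlink` check sits outside any lock or RCU read section visible in this patch (rcu_read_lock() is only taken in the next hunk), and `wcid = &mlink->wcid` is kept for use further down. The commit message describes a concurrent mt7925_mac_link_sta_remove(), so a non-NULL result at check time does not by itself show that the object is still valid when wcid is used. Please state what keeps mlink alive across this function, or do the lookup inside the RCU read section.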
@@ -113,9 +115,12 @@ void mt792x_tx(struct ieee80211_hw *hw, struct ieee802= 11_tx_control *control, link_id =3D wcid->link_id; rcu_read_lock(); conf =3D rcu_dereference(vif->link_conf[link_id]); - memcpy(hdr->addr2, conf->addr, ETH_ALEN); - link_sta =3D rcu_dereference(control->sta->link[link_id]); + if (!conf || !link_sta) { + rcu_read_unlock(); + goto free_skb; + } + memcpy(hdr->addr2, conf->addr, ETH_ALEN); memcpy(hdr->addr1, link_sta->addr, ETH_ALEN); =20 if (vif->type =3D=3D NL80211_IFTYPE_STATION) 
@@ -136,6 +141,10 @@ void mt792x_tx(struct ieee80211_hw *hw, struct ieee802= 11_tx_control *control, } =20 mt76_connac_pm_queue_skb(hw, &dev->pm, wcid, skb); + return; + +free_skb: + ieee80211_free_txskb(hw, skb); } EXPORT_SYMBOL_GPL(mt792x_tx); =20 --=20 2.52.0
From: Zac
To: sean.wang@kernel.org
Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org, lorenzo@kernel.org, nbd@nbd.name, linux@frame.work, ryder.lee@mediatek.com, sean.wang@mediatek.com, Zac Bowling, Zac Bowling
Subject: [PATCH v4 11/21] wifi: mt76: mt7925: add lockdep assertions for mutex verification
Date: Thu, 15 Jan 2026 17:05:09 -0800
Message-ID: <20260116010519.37001-12-zac@zacbowling.com>
In-Reply-To: <20260116010519.37001-1-zac@zacbowling.com>
References: <20260116010519.37001-1-zac@zacbowling.com>
From: Zac Bowling

Add lockdep_assert_held() calls to critical MCU functions to help catch
mutex violations during development and debugging. This follows the
pattern used in other mt76 drivers (mt7996, mt7915, mt7615).

Functions with new assertions:
- mt7925_mcu_add_bss_info(): Core BSS configuration MCU command
- mt7925_mcu_sta_update(): Station record update MCU command
- mt7925_mcu_uni_bss_ps(): Power save state MCU command

These functions modify firmware state and must be called with the
device mutex held to prevent race conditions. The lockdep assertions
will trigger warnings at runtime if code paths exist that call these
functions without proper mutex protection.

This aids in detecting the class of bugs fixed by patches in this
series.

Signed-off-by: Zac Bowling
--- drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c b/drivers/net/= wireless/mediatek/mt76/mt7925/mcu.c index d61a7fbda7..958ff9da9f 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c @@ -1527,6 +1527,8 @@ int mt7925_mcu_uni_bss_ps(struct mt792x_dev *dev, }, }; =20 + lockdep_assert_held(&dev->mt76.mutex); + if (link_conf->vif->type !=3D NL80211_IFTYPE_STATION) return -EOPNOTSUPP; =20 @@ -2037,6 +2039,8 @@ int mt7925_mcu_sta_update(struct mt792x_dev *dev, struct mt792x_sta *msta; struct mt792x_link_sta *mlink; =20 + lockdep_assert_held(&dev->mt76.mutex); + if (link_sta) { msta =3D (struct mt792x_sta *)link_sta->sta->drv_priv; mlink =3D mt792x_sta_to_link(msta, link_sta->link_id);
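Review bot: In mt7925_mcu_sta_update(), the context right after the new assertion assigns `mlink = mt792x_sta_to_link(msta, link_sta->link_id)`, and patch 10 of this series says that helper can return NULL while a link is being removed. The lines that use mlink are outside this hunk; if they dereference it unchecked, this function needs the same guard that mt792x_tx() received. Separately, lockdep_assert_held() only checks on kernels built with CONFIG_LOCKDEP, so the commit message's "will trigger warnings at runtime" should say it applies to lockdep-enabled builds.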
@@ -2843,6 +2847,8 @@ int mt7925_mcu_add_bss_info(struct mt792x_phy *phy, struct mt792x_link_sta *mlink_bc; struct sk_buff *skb; =20 + lockdep_assert_held(&dev->mt76.mutex); + skb =3D __mt7925_mcu_alloc_bss_req(&dev->mt76, &mconf->mt76, MT7925_BSS_UPDATE_MAX_SIZE); if (IS_ERR(skb)) --=20 2.52.0
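Review bot: For mt7925_mcu_add_bss_info(), the assertion turns every caller's locking into a checked requirement on lockdep builds, but the commit message does not say which call sites were audited. mt7925_assign_vif_chanctx() visibly holds dev->mt76.mutex in patch 09 (it unlocks it on the new error path), while the mt7925_set_link_key() call site shown earlier in the series has no locking in its hunk. List the audited callers in the commit message so a reviewer can tell an expected warning from a newly introduced one.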
From: Zac
To: sean.wang@kernel.org
Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org, lorenzo@kernel.org, nbd@nbd.name, linux@frame.work, ryder.lee@mediatek.com, sean.wang@mediatek.com, Zac Bowling, Zac Bowling
Subject: [PATCH v4 12/21] wifi: mt76: mt7925: fix key removal failure during MLO roaming
Date: Thu, 15 Jan 2026 17:05:10 -0800
Message-ID: <20260116010519.37001-13-zac@zacbowling.com>
In-Reply-To: <20260116010519.37001-1-zac@zacbowling.com>
References: <20260116010519.37001-1-zac@zacbowling.com>
From: Zac Bowling

During MLO roaming, mac80211 may request key removal after the link
state has already been torn down. The current code returns -EINVAL when
link_conf, mconf, or mlink is NULL, causing 'failed to remove key from
hardware (-22)' errors in the kernel log.

This is a race condition where:
1. MLO link teardown begins, cleaning up driver state
2. mac80211 requests group key removal for the old link
3. mt792x_vif_to_bss_conf() or related functions return NULL
4. Driver returns -EINVAL, confusing upper layers

Observed kernel log errors during roaming:
  wlp192s0: failed to remove key (1, ff:ff:ff:ff:ff:ff) from hardware (-22)
  wlp192s0: failed to remove key (4, ff:ff:ff:ff:ff:ff) from hardware (-22)

And associated wpa_supplicant warnings:
  nl80211: kernel reports: link ID must for MLO group key

The fix: When removing a key (cmd != SET_KEY), if the link state is
already gone, return success (0) instead of error. The key is
effectively removed when the link was torn down.

Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips")
Reported-by: Zac Bowling
Tested-by: Zac Bowling
Signed-off-by: Zac Bowling
--- drivers/net/wireless/mediatek/mt76/mt7925/main.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/main.c b/drivers/net= /wireless/mediatek/mt76/mt7925/main.c index 852cf8ff84..7cf6faa1f6 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c
@@ -605,8 +605,15 @@ static int mt7925_set_link_key(struct ieee80211_hw *hw= , enum set_key_cmd cmd, mconf =3D mt792x_vif_to_link(mvif, link_id); mlink =3D mt792x_sta_to_link(msta, link_id); =20 - if (!link_conf || !mconf || !mlink) + if (!link_conf || !mconf || !mlink) { + /* During MLO roaming, link state may be torn down before + * mac80211 requests key removal. If removing a key and + * the link is already gone, consider it successfully removed. + */ + if (cmd !=3D SET_KEY) + return 0; return -EINVAL; + } =20 wcid =3D &mlink->wcid; wcid_keyidx =3D &wcid->hw_key_idx; --=20 2.52.0
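Review bot: In mt7925_set_link_key(), `if (cmd != SET_KEY) return 0;` reports success for every removal that arrives with missing link state, including one caused by a wrong link_id rather than by teardown, and it leaves no trace that the hardware key entry was never explicitly cleared by this call. Write the condition as `cmd == DISABLE_KEY` so the intent is explicit, add a debug message naming the link_id, and extend the comment to say what guarantees the key was released in firmware when the link went away.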
From: Zac
To: sean.wang@kernel.org
Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org, lorenzo@kernel.org, nbd@nbd.name, linux@frame.work, ryder.lee@mediatek.com, sean.wang@mediatek.com, Zac Bowling, Zac Bowling
Subject: [PATCH v4 13/21] wifi: mt76: mt7925: fix kernel warning in MLO ROC setup
Date: Thu, 15 Jan 2026 17:05:11 -0800
Message-ID: <20260116010519.37001-14-zac@zacbowling.com>
In-Reply-To: <20260116010519.37001-1-zac@zacbowling.com>
References: <20260116010519.37001-1-zac@zacbowling.com>
From: Zac Bowling

mt7925_mcu_set_mlo_roc() uses WARN_ON_ONCE() to check if link_conf or
channel is NULL. However, during MLO AP setup, it's normal for the
channel to not be configured yet when this function is called. The
WARN_ON_ONCE triggers a kernel warning/oops that makes the system appear
to have crashed, even though it's just a timing issue.

Example kernel oops during AP setup:

  WARNING: CPU: 0 PID: 12345 at drivers/net/wireless/mediatek/mt76/mt7925/mcu.c:1345
  Call Trace:
   mt7925_mcu_set_mlo_roc+0x...
   mt7925_remain_on_channel+0x...

Replace WARN_ON_ONCE with regular NULL checks and return -ENOLINK to
indicate the link is not fully configured yet. This allows the upper
layers to retry when the link is ready, without spamming the kernel log
with warnings.

Also add a check for mconf in the first loop to match the pattern used
in the second loop, preventing potential NULL dereference.

This fixes kernel oops reported during MLO AP setup on OpenWrt with
MT7925E hardware and similar issues on standard Linux distributions.

Fixes: c5d11e4a9fa8 ("wifi: mt76: mt7925: add mt7925_change_vif_links")
Link: https://github.com/openwrt/mt76/issues/1014
Signed-off-by: Zac Bowling
--- .../net/wireless/mediatek/mt76/mt7925/mcu.c | 20 +++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c b/drivers/net/= wireless/mediatek/mt76/mt7925/mcu.c index 958ff9da9f..8080fea30d 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
@@ -1337,15 +1337,23 @@ int mt7925_mcu_set_mlo_roc(struct mt792x_bss_conf *= mconf, u16 sel_links, for (i =3D 0; i < ARRAY_SIZE(links); i++) { links[i].id =3D i ? __ffs(~BIT(mconf->link_id) & sel_links) : mconf->link_id; + link_conf =3D mt792x_vif_to_bss_conf(vif, links[i].id); - if (WARN_ON_ONCE(!link_conf)) - return -EPERM; + if (!link_conf) + return -ENOLINK; =20 links[i].chan =3D link_conf->chanreq.oper.chan; - if (WARN_ON_ONCE(!links[i].chan)) - return -EPERM; + if (!links[i].chan) + /* Channel not configured yet - this can happen during + * MLO AP setup when links are being added sequentially. + * Return -ENOLINK to indicate link not ready. + */ + return -ENOLINK; =20 links[i].mconf =3D mt792x_vif_to_link(mvif, links[i].id); + if (!links[i].mconf) + return -ENOLINK; + links[i].tag =3D links[i].id =3D=3D mconf->link_id ? UNI_ROC_ACQUIRE : UNI_ROC_SUB_LINK; =20 
@@ -1359,8 +1367,8 @@ int mt7925_mcu_set_mlo_roc(struct mt792x_bss_conf *mc= onf, u16 sel_links, type =3D MT7925_ROC_REQ_JOIN; =20 for (i =3D 0; i < ARRAY_SIZE(links) && i < hweight16(vif->active_links); = i++) { - if (WARN_ON_ONCE(!links[i].mconf || !links[i].chan)) - continue; + if (!links[i].mconf || !links[i].chan) + return -ENOLINK; =20 chan =3D links[i].chan; center_ch =3D ieee80211_frequency_to_channel(chan->center_freq); --=20 2.52.0 From nobody Sun Feb 8 02:22:41 2026 Received: from mail-dy1-f178.google.com (mail-dy1-f178.google.com [74.125.82.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2FCE731D372 for ; Fri, 16 Jan 2026 01:05:44 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=74.125.82.178 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768525552; cv=none; b=Zgup89d59cYzBJxW8mCwwCW9C0Y3wTf0Q4WaJwvDGfn2jrdyVlCQp4zYVqwjH9rfFW4AQY9+8up/Z+pxn+XvWdp9mIMc51BORtvCnRImdYcUQqJKizIPgaTWJXaHrIEiLJ4ZFIMCQgxfbD64WrpJ4fAW1vMfBzwstTcH4peF32Y= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768525552; c=relaxed/simple; bh=93CxdtjSiYHRsD65xDT9SzpnY1y8alstttWaEJIdBpo=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=VGsdRwdAPFk7XKyNkfzzTlYOL1orEbwecO3SLE8Afh4dThEjURSzdTInm8WKmwg9rh/iz/zjwM/aJEsHzUlZitfDmD5dkPcAFUr2BDSDiGKdGs/e/FCHPZb8E+TDgI/TVPM+gtS2OjdgpLRKhTBSjv8WXS1os4cV13eabEOUcAA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=zacbowling.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=YzacuJVg; arc=none smtp.client-ip=74.125.82.178 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=zacbowling.com Authentication-Results: smtp.subspace.kernel.org; spf=pass 
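Review bot: In the first loop of mt7925_mcu_set_mlo_roc(), `if (!links[i].chan)` now has a four-line comment between the condition and an unbraced `return -ENOLINK;`; move the comment above the `if` or add braces, since an unbraced body that spans several lines is easy to break in a later edit. The change also drops the diagnostics entirely and switches the error from -EPERM to -ENOLINK without touching any caller, so the commit message's statement that upper layers retry needs a pointer to the code that does so.

Review bot: In the second loop, `if (!links[i].mconf || !links[i].chan) return -ENOLINK;` can no longer fire as far as the visible lines show, because the first loop now returns for every index whose `chan` or `mconf` is NULL. Either drop the check or say why it is kept; if it stays, call out in the commit message that it changed from `continue` to an early return partway through building the request.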
Sender: Zac Bowling
From: Zac
To: sean.wang@kernel.org
Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org, lorenzo@kernel.org, nbd@nbd.name, linux@frame.work, ryder.lee@mediatek.com, sean.wang@mediatek.com, Zac Bowling, Zac Bowling
Subject: [PATCH v4 14/21] wifi: mt76: mt7925: add NULL checks for MLO link pointers in MCU functions
Date: Thu, 15 Jan 2026 17:05:12 -0800
Message-ID: <20260116010519.37001-15-zac@zacbowling.com>
In-Reply-To: <20260116010519.37001-1-zac@zacbowling.com>
References: <20260116010519.37001-1-zac@zacbowling.com>
From: Zac Bowling

Several MCU functions dereference pointers returned by
mt792x_sta_to_link() and mt792x_vif_to_link() without checking for NULL.
During MLO state transitions, these functions can return NULL when link
state is being set up or torn down, causing kernel NULL pointer
dereferences.

Add NULL checks in the following functions:
- mt7925_mcu_sta_hdr_trans_tlv(): Check mlink before dereferencing wcid
- mt7925_mcu_wtbl_update_hdr_trans(): Check mlink and mconf before use
- mt7925_mcu_sta_amsdu_tlv(): Check mlink before setting amsdu flag
- mt7925_mcu_sta_mld_tlv(): Check mconf and mlink in link iteration loop
- mt7925_mcu_sta_update(): Initialize mlink to NULL and check both
  link_sta and mlink in the ternary condition

These race conditions can occur during:
- MLO link setup/teardown
- Station add/remove operations
- Firmware command generation during state transitions

Found through static analysis (clang-tidy) and pattern matching similar
to fixes in mt7996 and ath12k drivers for MLO link state handling.

Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips")
Signed-off-by: Zac Bowling
--- drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c b/drivers/net/= wireless/mediatek/mt76/mt7925/mcu.c index 8080fea30d..6f7fc1b9a4 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c @@ -1087,6 +1087,8 @@ mt7925_mcu_sta_hdr_trans_tlv(struct sk_buff *skb, struct mt792x_link_sta *mlink; =20 mlink =3D mt792x_sta_to_link(msta, link_sta->link_id); + if (!mlink) + return; wcid =3D &mlink->wcid; } else { wcid =3D &mvif->sta.deflink.wcid; 
@@ -1120,6 +1122,9 @@ int mt7925_mcu_wtbl_update_hdr_trans(struct mt792x_de= v *dev, link_sta =3D mt792x_sta_to_link_sta(vif, sta, link_id); mconf =3D mt792x_vif_to_link(mvif, link_id); =20 + if (!mlink || !mconf) + return -EINVAL; + skb =3D __mt76_connac_mcu_alloc_sta_req(&dev->mt76, &mconf->mt76, &mlink->wcid, MT7925_STA_UPDATE_MAX_SIZE); @@ -1751,6 +1756,8 @@ mt7925_mcu_sta_amsdu_tlv(struct sk_buff *skb, amsdu->amsdu_en =3D true; =20 mlink =3D mt792x_sta_to_link(msta, link_sta->link_id); + if (!mlink) + return; mlink->wcid.amsdu =3D true; =20 switch (link_sta->agg.max_amsdu_len) { @@ -1953,6 +1960,9 @@ mt7925_mcu_sta_mld_tlv(struct sk_buff *skb, =20 mconf =3D mt792x_vif_to_link(mvif, i); mlink =3D mt792x_sta_to_link(msta, i); + if (!mconf || !mlink) + continue; + mld->link[cnt].wlan_id =3D cpu_to_le16(mlink->wcid.idx); mld->link[cnt++].bss_idx =3D mconf->mt76.idx; =20 @@ -2045,7 +2055,7 @@ int mt7925_mcu_sta_update(struct mt792x_dev *dev, .rcpi =3D to_rcpi(rssi), }; struct mt792x_sta *msta; - struct mt792x_link_sta *mlink; + struct mt792x_link_sta *mlink =3D NULL; =20 lockdep_assert_held(&dev->mt76.mutex); =20 
@@ -2053,7 +2063,7 @@ int mt7925_mcu_sta_update(struct mt792x_dev *dev, msta =3D (struct mt792x_sta *)link_sta->sta->drv_priv; mlink =3D mt792x_sta_to_link(msta, link_sta->link_id); } - info.wcid =3D link_sta ? &mlink->wcid : &mvif->sta.deflink.wcid; + info.wcid =3D (link_sta && mlink) ? &mlink->wcid : &mvif->sta.deflink.wci= d; info.newly =3D state !=3D MT76_STA_INFO_STATE_ASSOC; =20 return mt7925_mcu_sta_cmd(&dev->mphy, &info); --=20 2.52.0 From nobody Sun Feb 8 02:22:41 2026 Received: from mail-dy1-f178.google.com (mail-dy1-f178.google.com [74.125.82.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id DFD2531E0F7 for ; Fri, 16 Jan 2026 01:05:46 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=74.125.82.178 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768525551; cv=none; b=WD5Z8N2C/hY6OPVLHcqhwvISsDEVsc61l398XxZgOPmHCKwBspT0aCZrTSRWG0oWIxjyMQqafVOOspnqoQSERCBoCoKMDuOLLSyEjcwDYz/XKD9NQsCt2WEw5Xf2ESPIuH/Nq5S9NUOizP/pyRFeX/+j5sNkPlfm1VR3quBtPEk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768525551; c=relaxed/simple; bh=yGyc3K+9APMkKCyvio1xpxkU1KL5Q828KBPgc4VkbUk=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=kV+tqsbBrLg3Lz7o3HI6JE+pLeXBCFxi4hGnskOBcgoKXCPulIIwZBMMIcEBpCf4Na/0H6czH41O8oXI2i04m4Cvzi0xpSHaXcwiZzPZOu96jt9pUpYMODstd2yhR3cq4IbHWeFLi/prs7RNV1a3Vp40kJ5XP0KIYY15tWBh6QU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=zacbowling.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=NZkU1bdU; arc=none smtp.client-ip=74.125.82.178 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=zacbowling.com Authentication-Results: smtp.subspace.kernel.org; spf=pass 
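Review bot: In mt7925_mcu_sta_update(), `(link_sta && mlink) ? &mlink->wcid : &mvif->sta.deflink.wcid` makes a request for a specific link fall back to the default link's WCID when `mlink` is NULL, so the firmware command is issued for a different station entry than the caller asked for. Returning an error when `link_sta` is set and `mlink` is NULL would match the `-EINVAL` this same patch uses in mt7925_mcu_wtbl_update_hdr_trans().

Review bot: In mt7925_mcu_sta_amsdu_tlv(), the new `if (!mlink) return;` sits after `amsdu->amsdu_en = true;`, so the TLV already tells the firmware that A-MSDU is enabled while `mlink->wcid.amsdu` is never set; do the lookup and the check before filling the TLV. More generally, the commit message describes race conditions but the patch adds only NULL tests; please state which lock or RCU section keeps `mlink` and `mconf` valid between the test and the dereference, since only mt7925_mcu_sta_update() shows a `lockdep_assert_held()` in these hunks.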
Sender: Zac Bowling
From: Zac
To: sean.wang@kernel.org
Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org, lorenzo@kernel.org, nbd@nbd.name, linux@frame.work, ryder.lee@mediatek.com, sean.wang@mediatek.com, Zac Bowling, Zac Bowling
Subject: [PATCH v4 15/21] wifi: mt76: mt792x: fix firmware reload failure after previous load crash
Date: Thu, 15 Jan 2026 17:05:13 -0800
Message-ID: <20260116010519.37001-16-zac@zacbowling.com>
In-Reply-To: <20260116010519.37001-1-zac@zacbowling.com>
References: <20260116010519.37001-1-zac@zacbowling.com>
From: Zac Bowling

If the firmware loading process crashes or is interrupted after
acquiring the patch semaphore but before releasing it, subsequent
firmware load attempts will fail with 'Failed to get patch semaphore'
because the semaphore is still held.

This issue manifests as devices becoming unusable after suspend/resume
failures or firmware crashes, requiring a full hardware reboot to
recover. This has been widely reported on MT7921 and MT7925 devices.

Example error log:

  mt7921e 0000:c2:00.0: Failed to get patch semaphore
  mt7921e 0000:c2:00.0: probe with driver mt7921e failed with error -5

Apply the same fix that was applied to MT7915 in commit 79dd14f:
1. Release the patch semaphore before starting firmware load (in case
   it was held by a previous failed attempt)
2. Restart MCU firmware to ensure clean state
3. Wait briefly for MCU to be ready

This fix applies to both MT7921 and MT7925 drivers which share the
mt792x_load_firmware() function.

Fixes: 583204ae70f9 ("wifi: mt76: mt792x: move mt7921_load_firmware in mt792x-lib module")
Link: https://github.com/openwrt/mt76/commit/79dd14f2e8161b656341b6653261779199aedbe4
Signed-off-by: Zac Bowling
--- drivers/net/wireless/mediatek/mt76/mt792x_core.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/drivers/net/wireless/mediatek/mt76/mt792x_core.c b/drivers/net= /wireless/mediatek/mt76/mt792x_core.c index 9dc768aa8b..05598202b4 100644 --- a/drivers/net/wireless/mediatek/mt76/mt792x_core.c +++ b/drivers/net/wireless/mediatek/mt76/mt792x_core.c
@@ -936,6 +936,20 @@ int mt792x_load_firmware(struct mt792x_dev *dev) { int ret; =20 + /* Release semaphore if taken by previous failed load attempt. + * This prevents "Failed to get patch semaphore" errors when + * recovering from firmware crashes or suspend/resume failures. + */ + ret =3D mt76_connac_mcu_patch_sem_ctrl(&dev->mt76, false); + if (ret < 0) + dev_dbg(dev->mt76.dev, "Semaphore release returned %d (may be expected)\= n", ret); + + /* Always restart MCU to ensure clean state before loading firmware */ + mt76_connac_mcu_restart(&dev->mt76); + + /* Wait for MCU to be ready after restart */ + msleep(100); + ret =3D mt76_connac2_load_patch(&dev->mt76, mt792x_patch_name(dev)); if (ret) return ret; --=20 2.52.0 From nobody Sun Feb 8 02:22:41 2026 Received: from mail-dl1-f51.google.com (mail-dl1-f51.google.com [74.125.82.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0F52631E0F0 for ; Fri, 16 Jan 2026 01:05:47 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=74.125.82.51 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768525550; cv=none; b=TP/M9tR4Lcxmp6S6vGTqW8asiEV1pbALLEkfUfOrT+byTAzml7WrygUlNSmpTxXNg7krp88SrMW/11Yp9PKyMKCuPDQboQ5V/+TIWBRmK7y3M+pXug57hB9cBxn+cqdyuVbtTzomYDeT8FZ4y5TPc0Yu+JGADMXB6WlMIMf4DdE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768525550; c=relaxed/simple; bh=75lhl3OVFrElnB+W1iwlHJCQNfPL/id3yEAWpSq3TRw=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=T12UwRfcNqqB3GEN1YSdmg8Mdxv99qPJd6AQ1JDWUGqEsVx1wh49915DODl7lS3gNaAANdzojoccoND21ECKj3Wgr9q7y8YKRtmfWRqzyz/1cCXClSLlvBKPO9FplwqEz0SVBifzXj6/DYZjBVyRw5Qz5dntaPvBgYddCzr1rUw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=zacbowling.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) 
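Review bot: In mt792x_load_firmware(), the return value of `mt76_connac_mcu_restart(&dev->mt76)` is discarded and readiness is assumed after a fixed `msleep(100)`; check the result and poll for the MCU ready state with a timeout instead of sleeping a constant. The semaphore release and restart also run on every load, including a first probe where nothing is held, so every probe pays the delay and sends two MCU commands before the patch is loaded. Either the comment should explain why that is safe on a cold device, or the recovery sequence should run only after `mt76_connac2_load_patch()` has failed once.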
Sender: Zac Bowling
From: Zac
To: sean.wang@kernel.org
Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org, lorenzo@kernel.org, nbd@nbd.name, linux@frame.work, ryder.lee@mediatek.com, sean.wang@mediatek.com, Zac Bowling, Zac Bowling
Subject: [PATCH v4 16/21] wifi: mt76: mt7925: add mutex protection in resume path
Date: Thu, 15 Jan 2026 17:05:14 -0800
Message-ID: <20260116010519.37001-17-zac@zacbowling.com>
In-Reply-To: <20260116010519.37001-1-zac@zacbowling.com>
References: <20260116010519.37001-1-zac@zacbowling.com>

From: Zac Bowling

Add mutex protection around mt7925_mcu_set_deep_sleep() and
mt7925_mcu_regd_update() calls in the resume path to prevent potential
race conditions during resume operations.

These MCU operations require serialization, and the resume path was the
only call site missing mutex protection. Without this, concurrent access
during resume could corrupt firmware state or cause race conditions with
other MCU commands.

Found by static analysis (sparse/coccinelle) pattern matching for
unprotected MCU function calls.

Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips")
Signed-off-by: Zac Bowling
--- drivers/net/wireless/mediatek/mt76/mt7925/pci.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/pci.c b/drivers/net/= wireless/mediatek/mt76/mt7925/pci.c index e9d62c6aee..3a9e32a175 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/pci.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/pci.c
@@ -584,10 +584,12 @@ static int _mt7925_pci_resume(struct device *device, = bool restore) } =20 /* restore previous ds setting */ + mt792x_mutex_acquire(dev); if (!pm->ds_enable) mt7925_mcu_set_deep_sleep(dev, false); =20 mt7925_mcu_regd_update(dev, mdev->alpha2, dev->country_ie_env); + mt792x_mutex_release(dev); failed: pm->suspended =3D false; =20 --=20 2.52.0 From nobody Sun Feb 8 02:22:41 2026 Received: from mail-dy1-f177.google.com (mail-dy1-f177.google.com [74.125.82.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 10E02321426 for ; Fri, 16 Jan 2026 01:05:49 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=74.125.82.177 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768525552; cv=none; b=BaNaoWGaVPS22hMxnFvH/Hz2t3VSUHFTDbe1PoKj75hDsu5cavs4DTHgg8BADgcqsUO1nqyH8CQ2K46NqDaxLfckFDwDmIelPhye7pS+vYvmgjGS+k+ZolJOLJCzVCV5vQjKYdbZ2NlKuH2FJeTH6LMV+Bk7kXm71YIsQMIrRH4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768525552; c=relaxed/simple; bh=2S+4CpPwY/s450vUeuQiJVlhysU5x7J8xTxoXkfRjw8=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=tKqOd2Lihoe1bROd9/g72CD31mwWg3nlKhuajOiE3cEZHTdIHweCtyKVQeA1BAmtMpXdM735kH9zB0cwpSINfIOpv48Dw6lIcberJjoa/YoTO+LJzAGWNReAIT0pbLMvWuqPCckN0ivVov4XyM1j+/4J1GTi72uBPOFwV+eSS/E= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=zacbowling.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=cJCJHUET; arc=none smtp.client-ip=74.125.82.177 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=zacbowling.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) 
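Review bot: In _mt7925_pci_resume(), `mt792x_mutex_acquire(dev)` is now called while `pm->suspended` is still true, since the flag is cleared only after the `failed:` label; please confirm the acquire helper does not depend on that flag, or clear it first. The commit message says this was the only call site missing the lock, which the hunk cannot show; a `lockdep_assert_held(&dev->mt76.mutex)` inside mt7925_mcu_set_deep_sleep() and mt7925_mcu_regd_update() would enforce it for every caller. The return values of both MCU calls are still ignored, so a failed restore goes unnoticed here.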
Sender: Zac Bowling
From: Zac
To: sean.wang@kernel.org
Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org, lorenzo@kernel.org, nbd@nbd.name, linux@frame.work, ryder.lee@mediatek.com, sean.wang@mediatek.com, Zac Bowling, Zac Bowling
Subject: [PATCH v4 17/21] wifi: mt76: mt7925: add NULL checks in link station and TX queue setup
Date: Thu, 15 Jan 2026 17:05:15 -0800
Message-ID: <20260116010519.37001-18-zac@zacbowling.com>
In-Reply-To: <20260116010519.37001-1-zac@zacbowling.com>
References: <20260116010519.37001-1-zac@zacbowling.com>
From: Zac Bowling

Add NULL pointer checks for mt792x_sta_to_link() and mt792x_vif_to_link() results in critical paths to prevent kernel crashes during MLO operations.

Functions fixed:
- mt7925_mac_link_sta_add(): Check mlink and mconf before dereferencing
- mt7925_conf_tx(): Check mconf before accessing queue_params

These can be NULL during MLO link setup/teardown when mac80211 state may not be fully synchronized with driver state.

Found through static analysis and pattern matching.

Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips")
Signed-off-by: Zac Bowling
--- drivers/net/wireless/mediatek/mt76/mt7925/main.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/main.c b/drivers/net= /wireless/mediatek/mt76/mt7925/main.c index 7cf6faa1f6..81373e479a 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c @@ -871,12 +871,17 @@ static int mt7925_mac_link_sta_add(struct mt76_dev *m= dev, =20 msta =3D (struct mt792x_sta *)link_sta->sta->drv_priv; mlink =3D mt792x_sta_to_link(msta, link_id); + if (!mlink) + return -EINVAL; =20 idx =3D mt76_wcid_alloc(dev->mt76.wcid_mask, MT792x_WTBL_STA - 1); if (idx < 0) return -ENOSPC; =20 mconf =3D mt792x_vif_to_link(mvif, link_id); + if (!mconf) + return -EINVAL; + mt76_wcid_init(&mlink->wcid, 0); mlink->wcid.sta =3D 1; mlink->wcid.idx =3D idx; 
@@ -1735,6 +1740,9 @@ mt7925_conf_tx(struct ieee80211_hw *hw, struct ieee80= 211_vif *vif, [IEEE80211_AC_BK] =3D 1, }; =20 + if (!mconf) + return -EINVAL; + /* firmware uses access class index */ mconf->queue_params[mq_to_aci[queue]] =3D *params; =20 --=20 2.52.0
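
Review bot: In the mt7925_mac_link_sta_add() hunk of 17/21, the new `if (!mconf) return -EINVAL;` runs after `mt76_wcid_alloc(dev->mt76.wcid_mask, ...)` has already succeeded, and the return path shown does nothing to give the index back, so every hit on this check leaves one entry reserved in wcid_mask. Move the mt792x_vif_to_link() lookup and its check above the allocation, next to the mlink check, so both failures return before any state has been taken.
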
From: Zac
To: sean.wang@kernel.org
Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org, lorenzo@kernel.org, nbd@nbd.name, linux@frame.work, ryder.lee@mediatek.com, sean.wang@mediatek.com, Zac
Subject: [PATCH v4 18/21] wifi: mt76: mt7921: fix missing mutex protection in multiple paths
Date: Thu, 15 Jan 2026 17:05:16 -0800
Message-ID: <20260116010519.37001-19-zac@zacbowling.com>
In-Reply-To: <20260116010519.37001-1-zac@zacbowling.com>

Add mt792x_mutex_acquire/release around ieee80211_iterate_*() calls in MT7921 driver to prevent race conditions:
- mt7921_roc_abort_sync(): protect ROC abort iteration
- mt7921_set_runtime_pm(): protect runtime PM iteration
- mt7921_regd_set_6ghz_power_type(): protect 6GHz power type iteration
- mt7921_mac_reset_work(): protect vif reconnect iteration after reset

These paths were missing the mutex protection that is required when calling ieee80211_iterate_* functions with ITER_RESUME_ALL flag.

Signed-off-by: Zac Bowling
--- drivers/net/wireless/mediatek/mt76/mt7921/mac.c | 2 ++ drivers/net/wireless/mediatek/mt76/mt7921/main.c | 9 ++++++++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/mac.c b/drivers/net/= wireless/mediatek/mt76/mt7921/mac.c index 03b4960db7..f5c882e45b 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7921/mac.c +++ b/drivers/net/wireless/mediatek/mt76/mt7921/mac.c 
@@ -693,9 +693,11 @@ void mt7921_mac_reset_work(struct work_struct *work) clear_bit(MT76_RESET, &dev->mphy.state); pm->suspended =3D false; ieee80211_wake_queues(hw); + mt792x_mutex_acquire(dev); ieee80211_iterate_active_interfaces(hw, IEEE80211_IFACE_ITER_RESUME_ALL, mt7921_vif_connect_iter, NULL); + mt792x_mutex_release(dev); mt76_connac_power_save_sched(&dev->mt76.phy, pm); } =20 diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/main.c b/drivers/net= /wireless/mediatek/mt76/mt7921/main.c index 5fae9a6e27..8fc3770d1b 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7921/main.c +++ b/drivers/net/wireless/mediatek/mt76/mt7921/main.c @@ -373,10 +373,13 @@ void mt7921_roc_abort_sync(struct mt792x_dev *dev) =20 timer_delete_sync(&phy->roc_timer); cancel_work_sync(&phy->roc_work); - if (test_and_clear_bit(MT76_STATE_ROC, &phy->mt76->state)) + if (test_and_clear_bit(MT76_STATE_ROC, &phy->mt76->state)) { + mt792x_mutex_acquire(dev); ieee80211_iterate_interfaces(mt76_hw(dev), IEEE80211_IFACE_ITER_RESUME_ALL, mt7921_roc_iter, (void *)phy); + mt792x_mutex_release(dev); + } } EXPORT_SYMBOL_GPL(mt7921_roc_abort_sync); =20 @@ -619,9 +622,11 @@ void mt7921_set_runtime_pm(struct mt792x_dev *dev) bool monitor =3D !!(hw->conf.flags & IEEE80211_CONF_MONITOR); =20 pm->enable =3D pm->enable_user && !monitor; + mt792x_mutex_acquire(dev); ieee80211_iterate_active_interfaces(hw, IEEE80211_IFACE_ITER_RESUME_ALL, mt7921_pm_interface_iter, dev); + mt792x_mutex_release(dev); pm->ds_enable =3D pm->ds_enable_user && !monitor; mt76_connac_mcu_set_deep_sleep(&dev->mt76, pm->ds_enable); } 
@@ -765,9 +770,11 @@ mt7921_regd_set_6ghz_power_type(struct ieee80211_vif *= vif, bool is_add) struct mt792x_dev *dev =3D phy->dev; u32 valid_vif_num =3D 0; =20 + mt792x_mutex_acquire(dev); ieee80211_iterate_active_interfaces(mt76_hw(dev), IEEE80211_IFACE_ITER_RESUME_ALL, mt7921_calc_vif_num, &valid_vif_num); + mt792x_mutex_release(dev); =20 if (valid_vif_num > 1) { phy->power_type =3D MT_AP_DEFAULT; --=20 2.52.0
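
Review bot: The acquire/release pairs that 18/21 adds inside mt7921_roc_abort_sync() and mt7921_set_runtime_pm() are taken out again by 19/21, whose message says they deadlock because callers already hold the mutex. That leaves the tree with a known deadlock at this commit and breaks bisection; fold 19/21 into this patch so the locking lands once, at the call sites that actually need it.
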
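
Review bot: For the mt7921_mac_reset_work() and mt7921_regd_set_6ghz_power_type() hunks of 18/21 the message gives no caller analysis, and 19/21 shows that the same "not already held" assumption was wrong for the other two functions touched here. List, for each of these two, which callers reach it and confirm that none of them enters with the mutex held, in the commit message or in a comment at the acquire.
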
From: Zac
To: sean.wang@kernel.org
Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org, lorenzo@kernel.org, nbd@nbd.name, linux@frame.work, ryder.lee@mediatek.com, sean.wang@mediatek.com, Zac
Subject: [PATCH v4 19/21] wifi: mt76: mt7921: fix mutex deadlocks in multiple paths
Date: Thu, 15 Jan 2026 17:05:17 -0800
Message-ID: <20260116010519.37001-20-zac@zacbowling.com>
In-Reply-To: <20260116010519.37001-1-zac@zacbowling.com>

Fix mutex handling to prevent deadlocks:
- mt7921_roc_abort_sync(): Remove internal mutex acquire/release since this function is called from contexts that already hold the mutex (mt7921_mac_sta_remove via mt76_sta_remove). Add mutex at caller sites that don't hold it (pci.c and sdio.c suspend paths).
- mt7921_set_runtime_pm(): Remove internal mutex acquire/release since the only caller (debugfs) already holds the mutex.

The previous patches incorrectly added mutex acquire inside functions that can be called from contexts where the mutex is already held, causing deadlocks.

Signed-off-by: Zac Bowling
--- drivers/net/wireless/mediatek/mt76/mt7921/main.c | 13 +++++++------ drivers/net/wireless/mediatek/mt76/mt7921/pci.c | 2 ++ drivers/net/wireless/mediatek/mt76/mt7921/sdio.c | 2 ++ 3 files changed, 11 insertions(+), 6 deletions(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/main.c b/drivers/net= /wireless/mediatek/mt76/mt7921/main.c index 8fc3770d1b..9315dbdf88 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7921/main.c +++ b/drivers/net/wireless/mediatek/mt76/mt7921/main.c 
@@ -373,13 +373,15 @@ void mt7921_roc_abort_sync(struct mt792x_dev *dev) =20 timer_delete_sync(&phy->roc_timer); cancel_work_sync(&phy->roc_work); - if (test_and_clear_bit(MT76_STATE_ROC, &phy->mt76->state)) { - mt792x_mutex_acquire(dev); + /* Note: caller must hold mutex if ieee80211_iterate_interfaces is + * needed for ROC cleanup. Some call sites (like mt7921_mac_sta_remove) + * already hold the mutex via mt76_sta_remove(). For suspend paths, + * the mutex should be acquired before calling this function. + */ + if (test_and_clear_bit(MT76_STATE_ROC, &phy->mt76->state)) ieee80211_iterate_interfaces(mt76_hw(dev), IEEE80211_IFACE_ITER_RESUME_ALL, mt7921_roc_iter, (void *)phy); - mt792x_mutex_release(dev); - } } EXPORT_SYMBOL_GPL(mt7921_roc_abort_sync); =20 @@ -622,11 +624,10 @@ void mt7921_set_runtime_pm(struct mt792x_dev *dev) bool monitor =3D !!(hw->conf.flags & IEEE80211_CONF_MONITOR); =20 pm->enable =3D pm->enable_user && !monitor; - mt792x_mutex_acquire(dev); + /* Note: caller (debugfs) must hold mutex before calling this function */ ieee80211_iterate_active_interfaces(hw, IEEE80211_IFACE_ITER_RESUME_ALL, mt7921_pm_interface_iter, dev); - mt792x_mutex_release(dev); pm->ds_enable =3D pm->ds_enable_user && !monitor; mt76_connac_mcu_set_deep_sleep(&dev->mt76, pm->ds_enable); } diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/pci.c b/drivers/net/= wireless/mediatek/mt76/mt7921/pci.c index ec96861832..9f76b334b9 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7921/pci.c +++ b/drivers/net/wireless/mediatek/mt76/mt7921/pci.c @@ -426,7 +426,9 @@ static int mt7921_pci_suspend(struct device *device) cancel_delayed_work_sync(&pm->ps_work); cancel_work_sync(&pm->wake_work); =20 + mt792x_mutex_acquire(dev); mt7921_roc_abort_sync(dev); + mt792x_mutex_release(dev); =20 err =3D mt792x_mcu_drv_pmctrl(dev); if (err < 0) diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/sdio.c b/drivers/net= /wireless/mediatek/mt76/mt7921/sdio.c index 3421e53dc9..92ea281181 100644 
--- a/drivers/net/wireless/mediatek/mt76/mt7921/sdio.c +++ b/drivers/net/wireless/mediatek/mt76/mt7921/sdio.c 
@@ -219,7 +219,9 @@ static int mt7921s_suspend(struct device *__dev) cancel_delayed_work_sync(&pm->ps_work); cancel_work_sync(&pm->wake_work); =20 + mt792x_mutex_acquire(dev); mt7921_roc_abort_sync(dev); + mt792x_mutex_release(dev); =20 err =3D mt792x_mcu_drv_pmctrl(dev); if (err < 0) --=20 2.52.0
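
Review bot: In the main.c hunks of 19/21 the locking contract of mt7921_roc_abort_sync() and mt7921_set_runtime_pm() is now carried only by comments, and the first one is conditional ("if ieee80211_iterate_interfaces is needed"), which a caller has no way to evaluate. Replace both comments with lockdep_assert_held() on the mutex that mt792x_mutex_acquire() takes, so a call site that forgets the lock is reported under lockdep instead of racing silently.
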
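
Review bot: In the mt7921_pci_suspend() and mt7921s_suspend() hunks of 19/21 the mutex is now held across all of mt7921_roc_abort_sync(), which begins with `timer_delete_sync(&phy->roc_timer)` and `cancel_work_sync(&phy->roc_work)`. If the roc_work handler takes the same mutex, cancel_work_sync() waits on a worker that is itself blocked on the lock held here. Confirm that the handler never acquires it, or move the two _sync calls out of the locked region so only the interface iteration runs under the mutex.
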
From: Zac
To: sean.wang@kernel.org
Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org, lorenzo@kernel.org, nbd@nbd.name, linux@frame.work, ryder.lee@mediatek.com, sean.wang@mediatek.com, Zac, Zac Bowling
Subject: [PATCH v4 20/21] wifi: mt76: fix list corruption in mt76_wcid_cleanup
Date: Thu, 15 Jan 2026 17:05:18 -0800
Message-ID: <20260116010519.37001-21-zac@zacbowling.com>
In-Reply-To: <20260116010519.37001-1-zac@zacbowling.com>

mt76_wcid_cleanup() was not removing wcid entries from sta_poll_list before mt76_reset_device() reinitializes the master list. This leaves stale pointers in wcid->poll_list, causing list corruption when mt76_wcid_add_poll() later checks list_empty() and tries to add the entry back.

The fix adds proper cleanup of poll_list in mt76_wcid_cleanup(), matching how tx_list is already handled. This is similar to what mt7996_mac_sta_deinit_link() already does correctly.

Fixes list corruption warnings like:
list_add corruption. prev->next should be next (ffffffff...)

Signed-off-by: Zac Bowling
--- drivers/net/wireless/mediatek/mt76/mac80211.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/drivers/net/wireless/mediatek/mt76/mac80211.c b/drivers/net/wi= reless/mediatek/mt76/mac80211.c index 75772979f4..d0c522909e 100644 --- a/drivers/net/wireless/mediatek/mt76/mac80211.c +++ b/drivers/net/wireless/mediatek/mt76/mac80211.c 
@@ -1716,6 +1716,16 @@ void mt76_wcid_cleanup(struct mt76_dev *dev, struct = mt76_wcid *wcid) =20 idr_destroy(&wcid->pktid); =20 + /* Remove from sta_poll_list to prevent list corruption after reset. + * Without this, mt76_reset_device() reinitializes sta_poll_list but + * leaves wcid->poll_list with stale pointers, causing list corruption + * when mt76_wcid_add_poll() checks list_empty(). + */ + spin_lock_bh(&dev->sta_poll_lock); + if (!list_empty(&wcid->poll_list)) + list_del_init(&wcid->poll_list); + spin_unlock_bh(&dev->sta_poll_lock); + spin_lock_bh(&phy->tx_lock); =20 if (!list_empty(&wcid->tx_list)) --=20 2.52.0
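
Review bot: The list_del_init() added to mt76_wcid_cleanup() in 20/21 is only safe if it runs before mt76_reset_device() reinitializes sta_poll_list; if the head has already been reset, `!list_empty(&wcid->poll_list)` is still true for a stale entry and list_del_init() then writes through its old prev/next pointers. The message and the new comment both describe the reset as the trigger but do not say which of the two runs first on the reset path, so state that ordering explicitly. A Fixes: tag naming the commit that introduced the poll_list handling is also missing, although the message describes this as a fix for an observed list_add corruption warning.
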
From: Zac
To: sean.wang@kernel.org
Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org, lorenzo@kernel.org, nbd@nbd.name, linux@frame.work, ryder.lee@mediatek.com, sean.wang@mediatek.com, Zac, Zac Bowling
Subject: [PATCH v4 21/21] wifi: mt76: mt7925: fix BA session teardown during beacon loss
Date: Thu, 15 Jan 2026 17:05:19 -0800
Message-ID: <20260116010519.37001-22-zac@zacbowling.com>
In-Reply-To: <20260116010519.37001-1-zac@zacbowling.com>

The ieee80211_stop_tx_ba_cb_irqsafe() callback was conditionally called only when the MCU command succeeded. However, during beacon connection loss, the MCU command may fail because the AP is no longer reachable.

If the callback is not called, mac80211's BA session state machine gets stuck in an intermediate state. When mac80211 later tries to tear down all BA sessions during disconnection, it hits a WARN in __ieee80211_stop_tx_ba_session() due to the inconsistent state.

Fix by making the callback unconditional, matching the behavior of mt7921 and mt7996 drivers. The MCU command failure is acceptable during disconnection - what matters is that mac80211 is notified to complete the session teardown.

Reported-by: Sean Wang
Signed-off-by: Zac Bowling
--- drivers/net/wireless/mediatek/mt76/mt7925/main.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/main.c b/drivers/net= /wireless/mediatek/mt76/mt7925/main.c index 81373e479a..cc7ef2c170 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c 
@@ -1323,9 +1323,13 @@ mt7925_ampdu_action(struct ieee80211_hw *hw, struct = ieee80211_vif *vif, case IEEE80211_AMPDU_TX_STOP_CONT: mtxq->aggr =3D false; clear_bit(tid, &msta->deflink.wcid.ampdu_state); - ret =3D mt7925_mcu_uni_tx_ba(dev, params, false); - if (!ret) - ieee80211_stop_tx_ba_cb_irqsafe(vif, sta->addr, tid); + /* MCU command may fail during beacon loss, but callback must + * always be called to complete the BA session teardown in + * mac80211. Otherwise the state machine gets stuck and triggers + * WARN in __ieee80211_stop_tx_ba_session(). + */ + mt7925_mcu_uni_tx_ba(dev, params, false); + ieee80211_stop_tx_ba_cb_irqsafe(vif, sta->addr, tid); break; } mt792x_mutex_release(dev); --=20 2.52.0
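
Review bot: In the IEEE80211_AMPDU_TX_STOP_CONT case of 21/21 the return value of mt7925_mcu_uni_tx_ba() is now discarded, so every failure of the MCU command is hidden, not only the beacon-loss case the message describes. Keep the unconditional ieee80211_stop_tx_ba_cb_irqsafe() call, but capture the result and log it at debug level so that a firmware which still holds the BA session after a failed teardown is visible. The Reported-by: tag should also be followed by a Closes: or Link: pointing at the report.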