Sender: Zac Bowling
From: Zac
To: sean.wang@kernel.org
Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org,
 linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org,
 lorenzo@kernel.org, nbd@nbd.name, linux@frame.work, ryder.lee@mediatek.com,
 sean.wang@mediatek.com, Zac Bowling
Subject: [PATCH v4 02/21] wifi: mt76: mt7925: fix missing mutex protection in reset and ROC abort
Date: Thu, 15 Jan 2026 17:05:00 -0800
Message-ID: <20260116010519.37001-3-zac@zacbowling.com>
In-Reply-To: <20260116010519.37001-1-zac@zacbowling.com>
References: <20260116010519.37001-1-zac@zacbowling.com>

From: Zac Bowling

During firmware recovery and ROC (Remain On Channel) abort operations,
the driver iterates over active interfaces and calls MCU functions that
require the device mutex to be held, but the mutex was not acquired.

This causes system-wide deadlocks where the system becomes completely
unresponsive. From logs on affected systems:

  INFO: task kworker/u128:0:48737 blocked for more than 122 seconds.
  Workqueue: mt76 mt7925_mac_reset_work [mt7925_common]
  Call Trace:
   __schedule+0x426/0x12c0
   schedule+0x27/0xf0
   schedule_preempt_disabled+0x15/0x30
   __mutex_lock.constprop.0+0x3d0/0x6d0
   mt7925_mac_reset_work+0x85/0x170 [mt7925_common]

The deadlock manifests approximately every 5 minutes when the adapter
tries to hop to a better BSSID, triggering firmware reset. Network
commands (ip, ifconfig, etc.) hang indefinitely, processes get stuck in
uninterruptible sleep (D state), and reboot hangs as well.

Add mutex protection around interface iteration in:
- mt7925_mac_reset_work(): Called during firmware recovery after MCU
  timeouts to reconnect all interfaces
- mt7925_roc_abort_sync() in suspend path: Called during suspend to
  clean up Remain On Channel operations

This matches the pattern used in mt7615 and other MediaTek drivers where
interface iteration callbacks invoke MCU functions with mutex held:

  // mt7615/main.c - roc_work has mutex protection
  mt7615_mutex_acquire(phy->dev);
  ieee80211_iterate_active_interfaces(...);
  mt7615_mutex_release(phy->dev);

Note: Sean Wang from MediaTek has submitted an alternative fix for the
ROC path using cancel_delayed_work() instead of cancel_delayed_work_sync().
Both approaches address the deadlock; this one adds explicit mutex
protection which may be superseded by the upstream fix.

Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips")
Link: https://community.frame.work/t/kernel-panic-from-wifi-mediatek-mt7925-nullptr-dereference/79301
Reported-by: Zac Bowling
Tested-by: Zac Bowling
Signed-off-by: Zac Bowling --- drivers/net/wireless/mediatek/mt76/mt7925/mac.c | 2 ++ drivers/net/wireless/mediatek/mt76/mt7925/pci.c | 2 ++ 2 files changed, 4 insertions(+) diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mac.c b/drivers/net/= wireless/mediatek/mt76/mt7925/mac.c index 184efe8afa..06420ac6ed 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/mac.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/mac.c @@ -1331,9 +1331,11 @@ void mt7925_mac_reset_work(struct work_struct *work) dev->hw_full_reset =3D false; pm->suspended =3D false; ieee80211_wake_queues(hw); + mt792x_mutex_acquire(dev); ieee80211_iterate_active_interfaces(hw, IEEE80211_IFACE_ITER_RESUME_ALL, mt7925_vif_connect_iter, NULL); + mt792x_mutex_release(dev); mt76_connac_power_save_sched(&dev->mt76.phy, pm); =20 mt7925_regd_change(&dev->phy, "00"); diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/pci.c b/drivers/net/= wireless/mediatek/mt76/mt7925/pci.c index c4161754c0..e9d62c6aee 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/pci.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/pci.c @@ -455,7 +455,9 @@ static int mt7925_pci_suspend(struct device *device) cancel_delayed_work_sync(&pm->ps_work); cancel_work_sync(&pm->wake_work); =20 + mt792x_mutex_acquire(dev); mt7925_roc_abort_sync(dev); + mt792x_mutex_release(dev); =20 err =3D mt792x_mcu_drv_pmctrl(dev); if (err < 0) --=20 2.52.0
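
Review bot: In the mt7925_mac_reset_work() hunk in mac.c, nothing in the changelog or the context lines establishes that the device mutex is free at the point where mt792x_mutex_acquire(dev) is added. The trace quoted in the commit message shows mt7925_mac_reset_work already sleeping in __mutex_lock at +0x85, so the function takes a mutex before this change, and the hang there reads as contention with another holder rather than a missing lock. Please state in the changelog which path held the mutex in that trace and confirm that any lock taken earlier in this function has been dropped before the iteration, so the new acquire cannot self-deadlock. It is also worth checking whether the mt76_connac_power_save_sched() call that now directly follows mt792x_mutex_release(dev) is still needed, or whether the release helper already schedules power save.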
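
Review bot: In the mt7925_pci_suspend() hunk in pci.c, holding the device mutex across mt7925_roc_abort_sync(dev) risks a new deadlock if that helper waits synchronously for ROC work that itself takes the same mutex. The changelog says the alternative fix replaces cancel_delayed_work_sync() with cancel_delayed_work() on this path and cites mt7615 roc_work as running under the mutex, which points at exactly that combination. Please confirm that nothing cancelled or flushed inside mt7925_roc_abort_sync() acquires the mutex, or narrow the locked region to the interface iteration only. The subject line says "ROC abort" in general while only the suspend caller is changed here, so the changelog should also say whether the other callers already hold the lock.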