From: Zac
To: sean.wang@kernel.org
Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org, lorenzo@kernel.org, nbd@nbd.name, ryder.lee@mediatek.com, sean.wang@mediatek.com, stable@vger.kernel.org, linux@frame.work, zbowling@gmail.com, Zac Bowling
Subject: [PATCH 02/11] wifi: mt76: mt792x: fix NULL pointer and firmware reload issues
Date: Mon, 19 Jan 2026 22:28:45 -0800
Message-ID: <20260120062854.126501-3-zac@zacbowling.com>
In-Reply-To: <20260120062854.126501-1-zac@zacbowling.com>
References: <20260120062854.126501-1-zac@zacbowling.com>
X-Mailer: git-send-email 2.52.0
X-Mailing-List: linux-kernel@vger.kernel.org
From: Zac Bowling

This patch combines two fixes for the shared mt792x code used by both
MT7921 and MT7925 drivers:

1. Fix NULL pointer dereference in TX path:

Add NULL pointer checks in mt792x_tx() to prevent kernel crashes when
transmitting packets during MLO link removal. The function calls
mt792x_sta_to_link() which can return NULL if the link is being removed,
but the return value was dereferenced without checking. Similarly, the
RCU-protected link_conf and link_sta pointers were used without NULL
validation.

This race can occur when:
- A packet is queued for transmission
- Concurrently, the link is being removed (mt7925_mac_link_sta_remove)
- mt792x_sta_to_link() returns NULL for the removed link
- Kernel crashes on wcid = &mlink->wcid dereference

Fix by checking mlink, conf, and link_sta before use, freeing the SKB and
returning early if any pointer is NULL.

2. Fix firmware reload failure after previous load crash:

If the firmware loading process crashes or is interrupted after acquiring
the patch semaphore but before releasing it, subsequent firmware load
attempts will fail with 'Failed to get patch semaphore'. Apply the same
fix from MT7915 (commit 79dd14f): release the patch semaphore before
starting firmware load and restart MCU firmware to ensure clean state.

Fixes: c74df1c067f2 ("wifi: mt76: mt792x: introduce mt792x-lib module")
Fixes: 583204ae70f9 ("wifi: mt76: mt792x: move mt7921_load_firmware in mt792x-lib module")
Link: https://github.com/openwrt/mt76/commit/79dd14f2e8161b6563416653261779199aedbe4
Signed-off-by: Zac Bowling
---
 .../net/wireless/mediatek/mt76/mt792x_core.c | 27 +++++++++++++++++--
 1 file changed, 25 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/mediatek/mt76/mt792x_core.c b/drivers/net/wireless/mediatek/mt76/mt792x_core.c
index f2ed16feb6c1..05598202b488 100644
--- a/drivers/net/wireless/mediatek/mt76/mt792x_core.c
+++ b/drivers/net/wireless/mediatek/mt76/mt792x_core.c
@@ -95,6 +95,8 @@ void mt792x_tx(struct ieee80211_hw *hw, struct ieee80211_= tx_control *control, IEEE80211_TX_CTRL_MLO_LINK); sta =3D (struct mt792x_sta *)control->sta->drv_priv; mlink =3D mt792x_sta_to_link(sta, link_id); + if (!mlink) + goto free_skb; wcid =3D &mlink->wcid; } =20 @@ -113,9 +115,12 @@ void mt792x_tx(struct ieee80211_hw *hw, struct ieee802= 11_tx_control *control, link_id =3D wcid->link_id; rcu_read_lock(); conf =3D rcu_dereference(vif->link_conf[link_id]); - memcpy(hdr->addr2, conf->addr, ETH_ALEN); - link_sta =3D rcu_dereference(control->sta->link[link_id]); + if (!conf || !link_sta) { + rcu_read_unlock(); + goto free_skb; + } + memcpy(hdr->addr2, conf->addr, ETH_ALEN); memcpy(hdr->addr1, link_sta->addr, ETH_ALEN); =20 if (vif->type =3D=3D NL80211_IFTYPE_STATION) @@ -136,6 +141,10 @@ void mt792x_tx(struct ieee80211_hw *hw, struct ieee802= 11_tx_control *control, } =20 mt76_connac_pm_queue_skb(hw, &dev->pm, wcid, skb); + return; + +free_skb: + ieee80211_free_txskb(hw, skb); } EXPORT_SYMBOL_GPL(mt792x_tx); =20 @@ -927,6 +936,20 @@ int mt792x_load_firmware(struct mt792x_dev *dev) { int ret; =20 + /* Release semaphore if taken by previous failed load attempt. + * This prevents "Failed to get patch semaphore" errors when + * recovering from firmware crashes or suspend/resume failures. + */ + ret =3D mt76_connac_mcu_patch_sem_ctrl(&dev->mt76, false); + if (ret < 0) + dev_dbg(dev->mt76.dev, "Semaphore release returned %d (may be expected)\= n", ret); + + /* Always restart MCU to ensure clean state before loading firmware */ + mt76_connac_mcu_restart(&dev->mt76); + + /* Wait for MCU to be ready after restart */ + msleep(100); + ret =3D mt76_connac2_load_patch(&dev->mt76, mt792x_patch_name(dev)); if (ret) return ret; --=20 2.52.0
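Review bot: the new `if (!mlink) goto free_skb;` in the `control->sta` block of mt792x_tx() (first hunk) is checked outside any RCU read section; rcu_read_lock() is only taken later, in the MLD block of the second hunk, so nothing in the diff shows what keeps a non-NULL mlink alive between this check and `wcid = &mlink->wcid` while mt7925_mac_link_sta_remove() runs concurrently. Either state in the commit message what serialises link removal against the TX path, or do the mt792x_sta_to_link() lookup under the same rcu_read_lock() that protects link_conf and link_sta.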
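Review bot: the `if (!conf || !link_sta)` bail-out in the MLD block of mt792x_tx() (second hunk) drops the frame silently, so once the crash is gone the race it fixes leaves no trace. Consider a ratelimited debug message or a drop counter before `goto free_skb` so a link stuck in teardown can still be diagnosed. Moving `memcpy(hdr->addr2, conf->addr, ETH_ALEN);` to after the check and calling rcu_read_unlock() on the error path both look correct.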
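Review bot: the `free_skb:` label (third hunk) uses ieee80211_free_txskb(hw, skb), which is the right helper for a frame handed to the driver by mac80211, since it reports TX status rather than just freeing the buffer; the commit message only says "freeing the SKB", so name the helper there to make the choice deliberate for backporters.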
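Review bot: the mt792x_load_firmware() change (last hunk) is an independent fix with its own Fixes: tag (583204ae70f9) and its own stable backport, so it should be a separate patch from the mt792x_tx() NULL checks rather than combined as the commit message describes. Within the hunk: `msleep(100)` is an unexplained constant, so either poll for MCU readiness or justify the delay in the comment; the restart now runs on every firmware load, not only on recovery, so the added probe/resume cost belongs in the commit message; and the `ret < 0` from `mt76_connac_mcu_patch_sem_ctrl(&dev->mt76, false)` is swallowed with a dev_dbg that says it "may be expected", so say which return value is expected when no semaphore was held, otherwise a real failure is masked. If the referenced MT7915 change exists in the upstream kernel tree, cite that commit id rather than the openwrt/mt76 GitHub link.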