From: Zac
Sender: Zac Bowling
To: sean.wang@kernel.org
Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org, linux@frame.work, lorenzo@kernel.org, nbd@nbd.name, ryder.lee@mediatek.com, sean.wang@mediatek.com, zac@zacbowling.com, zbowling@gmail.com
Subject: [PATCH 03/13] wifi: mt76: mt792x: fix NULL pointer and firmware reload issues
Date: Tue, 20 Jan 2026 12:10:33 -0800
Message-ID: <20260120201043.38225-4-zac@zacbowling.com>
In-Reply-To: <20260120201043.38225-1-zac@zacbowling.com>
References: <20260120201043.38225-1-zac@zacbowling.com>
X-Mailing-List: linux-kernel@vger.kernel.org
From: Zac Bowling

This patch combines two fixes for the shared mt792x code used by both
MT7921 and MT7925 drivers:

1. Fix NULL pointer dereference in TX path:

   Add NULL pointer checks in mt792x_tx() to prevent kernel crashes when
   transmitting packets during MLO link removal. The function calls
   mt792x_sta_to_link() which can return NULL if the link is being removed,
   but the return value was dereferenced without checking. Similarly, the
   RCU-protected link_conf and link_sta pointers were used without NULL
   validation.

   This race can occur when:
   - A packet is queued for transmission
   - Concurrently, the link is being removed (mt7925_mac_link_sta_remove)
   - mt792x_sta_to_link() returns NULL for the removed link
   - Kernel crashes on wcid = &mlink->wcid dereference

   Fix by checking mlink, conf, and link_sta before use, freeing the SKB
   and returning early if any pointer is NULL.

2. Fix firmware reload failure after previous load crash:

   If the firmware loading process crashes or is interrupted after
   acquiring the patch semaphore but before releasing it, subsequent
   firmware load attempts will fail with 'Failed to get patch semaphore'.

   Apply the same fix from MT7915 (commit 79dd14f): release the patch
   semaphore before starting firmware load and restart MCU firmware to
   ensure clean state.

Fixes: c74df1c067f2 ("wifi: mt76: mt792x: introduce mt792x-lib module")
Fixes: 583204ae70f9 ("wifi: mt76: mt792x: move mt7921_load_firmware in mt792x-lib module")
Link: https://github.com/openwrt/mt76/commit/79dd14f2e8161b656341b6653261779199aedbe4
Signed-off-by: Zac Bowling
---
 .../net/wireless/mediatek/mt76/mt792x_core.c | 27 +++++++++++++++++--
 1 file changed, 25 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/mediatek/mt76/mt792x_core.c b/drivers/net/wireless/mediatek/mt76/mt792x_core.c
index f2ed16feb6c1..05598202b488 100644
--- a/drivers/net/wireless/mediatek/mt76/mt792x_core.c
+++ b/drivers/net/wireless/mediatek/mt76/mt792x_core.c
@@ -95,6 +95,8 @@ void mt792x_tx(struct ieee80211_hw *hw, struct ieee80211_= tx_control *control, IEEE80211_TX_CTRL_MLO_LINK); sta =3D (struct mt792x_sta *)control->sta->drv_priv; mlink =3D mt792x_sta_to_link(sta, link_id); + if (!mlink) + goto free_skb; wcid =3D &mlink->wcid; } =20 @@ -113,9 +115,12 @@ void mt792x_tx(struct ieee80211_hw *hw, struct ieee802= 11_tx_control *control, link_id =3D wcid->link_id; rcu_read_lock(); conf =3D rcu_dereference(vif->link_conf[link_id]); - memcpy(hdr->addr2, conf->addr, ETH_ALEN); - link_sta =3D rcu_dereference(control->sta->link[link_id]); + if (!conf || !link_sta) { + rcu_read_unlock(); + goto free_skb; + } + memcpy(hdr->addr2, conf->addr, ETH_ALEN); memcpy(hdr->addr1, link_sta->addr, ETH_ALEN); =20 if (vif->type =3D=3D NL80211_IFTYPE_STATION) @@ -136,6 +141,10 @@ void mt792x_tx(struct ieee80211_hw *hw, struct ieee802= 11_tx_control *control, } =20 mt76_connac_pm_queue_skb(hw, &dev->pm, wcid, skb); + return; + +free_skb: + ieee80211_free_txskb(hw, skb); } EXPORT_SYMBOL_GPL(mt792x_tx); =20 @@ -927,6 +936,20 @@ int mt792x_load_firmware(struct mt792x_dev *dev) { int ret; =20 + /* Release semaphore if taken by previous failed load attempt. + * This prevents "Failed to get patch semaphore" errors when + * recovering from firmware crashes or suspend/resume failures. + */ + ret =3D mt76_connac_mcu_patch_sem_ctrl(&dev->mt76, false); + if (ret < 0) + dev_dbg(dev->mt76.dev, "Semaphore release returned %d (may be expected)\= n", ret); + + /* Always restart MCU to ensure clean state before loading firmware */ + mt76_connac_mcu_restart(&dev->mt76); + + /* Wait for MCU to be ready after restart */ + msleep(100); + ret =3D mt76_connac2_load_patch(&dev->mt76, mt792x_patch_name(dev)); if (ret) return ret; --=20 2.52.0
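Review bot: in the first hunk (@@ -95,6 +95,8 @@), the `if (!mlink) goto free_skb;` check after mt792x_sta_to_link() narrows the window the commit message describes but does not close the race it names: if the link is torn down between this check and the later `wcid = &mlink->wcid` and mt76_connac_pm_queue_skb(hw, &dev->pm, wcid, skb) uses, mlink is just as stale as before. Please state, in the commit message or in a comment beside the check, what keeps mlink alive for the rest of mt792x_tx() (an RCU read section held by the caller, or link teardown waiting for in-flight TX); if nothing does, that synchronization is the real fix and this check is only a crash-avoidance stopgap.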
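Review bot: in the second hunk (@@ -113,9 +115,12 @@) as it reads here, the `link_sta = rcu_dereference(control->sta->link[link_id]);` assignment appears only on a `-` line and is never re-added, so the new `if (!conf || !link_sta)` would test an unassigned link_sta and `memcpy(hdr->addr1, link_sta->addr, ETH_ALEN)` would still dereference it. The hunk header's 9 old / 12 new line counts are one line short of what is visible on each side, which is consistent with a removed blank line and the unchanged link_sta assignment having been run together in transit; please confirm the assignment is intact in the posted patch and still precedes the combined check. The `rcu_read_unlock()` before `goto free_skb` correctly balances the `rcu_read_lock()` two lines above.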
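Review bot: in the third hunk (@@ -136,6 +141,10 @@), the new `free_skb:` label is entered from two places with different lock state (before rcu_read_lock() in the first hunk, after rcu_read_unlock() in the second) and nothing at the label records that it must be reached without the RCU read lock held; a one-line comment above `free_skb:` would keep a future early exit from leaking the lock. Using ieee80211_free_txskb(hw, skb) rather than a plain kfree is the right call, since mac80211 then accounts for the frame as not transmitted; the commit message should mention that frames hitting this path are dropped, not retried.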
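Review bot: the fourth hunk (@@ -927,6 +936,20 @@) is an unrelated fix to the TX-path change and should be its own patch carrying only its own Fixes: tag (583204ae70f9), so each can be backported on its own and the subject line describes one problem. On the content: `mt76_connac_mcu_restart(&dev->mt76);` followed by `msleep(100);` runs on every call to mt792x_load_firmware(), not only when recovering from a failed load as the commit message describes, so every probe and resume now pays a restart plus a fixed 100 ms; please either restrict this to the retry path or say in the message that the slower normal load is intended. The 100 ms is an unexplained magic delay with no readiness poll (name the constant and say where the value comes from), the return value of mt76_connac_mcu_restart() is discarded, and the "(may be expected)" in the dev_dbg text should say when a failed semaphore release is expected. Finally, commit 79dd14f is cited through an openwrt/mt76 GitHub link; please reference the upstream kernel commit id so the Link: tag resolves in the mainline tree.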