From nobody Sun Feb 8 15:07:38 2026 Received: from mail-dl1-f41.google.com (mail-dl1-f41.google.com [74.125.82.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B3C4137BE6A for ; Thu, 29 Jan 2026 08:18:47 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=74.125.82.41 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1769674729; cv=none; b=o//uoUhA2gvaHmCcAg7Qmdzxrbj324hqUZbZEn1DDMnhyTS9G+W9uSpjrifrEMgMLq2m2G0kD9MR/V2w3yputfJgayAeMf8vTnQwUlbW78fn/uy/2MUtZf7ucI+BZGG/QKPQJB2NNGWDZ4FDpQZpH2ezSpP7h9un1QZDhZp5qms= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1769674729; c=relaxed/simple; bh=I9vCOKJG6Meo57LJasxm1sA13EPisDbw02n/q9hTrF0=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=RMJfEGlFrIjzUV/8VAtwxQuHduI5OrkAm7LasUsVpyBmQzekJaGPOTVontxrgKCRugajnuuhuUx+85LgQOmJm0WorUv4wQjeRTNT2x4kgaL6u+oPZbb4qO1W8ogPP8gbDHTVFqK28xm0en3AveSl9VlCSm15HdDeP0m6lx9nNWs= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=zacbowling.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=l7vg5oTm; arc=none smtp.client-ip=74.125.82.41 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=zacbowling.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="l7vg5oTm" Received: by mail-dl1-f41.google.com with SMTP id a92af1059eb24-11f1fb91996so1371314c88.1 for ; Thu, 29 Jan 2026 00:18:47 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1769674727; x=1770279527; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:sender:from:to:cc:subject:date :message-id:reply-to; bh=wH0KX/wkF+O7L7rR2/DvCIQEVEq5fxSeUKic9d804ME=; b=l7vg5oTmGEQ016/xAZsIWXxGVThONHWcciSMBaEabfMiLzuRcNewq+J169DOGgujaf +s2fHb3lRcr544/CDibbSo5r3S/HfddkyZI/OblINWrQc2g7i8V6YtU2jM/e5uiMfmCq TcP0npRz8goCr+ulz6yyIsyyl0k6/29v4xs3sOPhfSN66Km9eUbIP5ZYnQf/E3b0IQP4 qPNp9EAH62ALM03pX689y+usmP8e6QsLOfv5goGKLnrLItoQNqE68iCF2nHvJ7bDKog2 bz9DeH+Dg/XTzvWzH4oV8P9soF6KI+DzaWU0WFgL3V+ygm2ktIzo5v31iYGKGf3dlp0y jlUA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1769674727; x=1770279527; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:sender:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=wH0KX/wkF+O7L7rR2/DvCIQEVEq5fxSeUKic9d804ME=; b=Ujcll3sJ/Ub2WQxzNoI1//U//+8Y0WXBZk4gUmf2/M6iPKm5COOQ6z7JM3/1UxT6iH /derOoPrYfiLKjRlQiVwKOIdCb5XVGCngguizWAffPNoYbRiR6L+GyGUPmt4q2KZWxy+ QMCeJM7WmET6RWx9NjWulA1TYV62EI+hc4AnEEbHy7eh3SRSv2iTD0LHsXNp0rUWOJ/r Cx1ymJH0ZhqoHpYvpOjwO3wH7ESpWRtQ6sC47P1cptBQRdDeFC44olnwg1tojz2ibJ/8 oJ2MzGIa6zB2jPfbQ2gIglae7rGXYOO3ADVtpfk0ezAVXPfiW+BBB7z2AezMVr/JtFse 4q+Q== X-Forwarded-Encrypted: i=1; AJvYcCUG1Th/WpBkCaA8GB0JSd4IsSx41ghVJmAhXhLTQhvhFPjtZpqcSGx9XqIRMbbY5OkofxfqRWsDyJrtfcA=@vger.kernel.org X-Gm-Message-State: AOJu0Ywc9Uy8ljIX9aPC3sm47KzWSk3M2yum9yaPulciP5rslyzvM9wu MXhMof8HMa595PjYCHO8C/mtuKY1fX0SbUj5WLfQLizXyt3U22ftp0gZ X-Gm-Gg: AZuq6aKe5LaPN9R1lU1V6Ba9nC6niwlVJw3I2mwMnuogtWfYGV3ZPk3eFqNyI06aFCX jEV0bFGm5H4XpmEXcknokb8b74KTxiB1x4rw7BVy2CsrNXlrqt765++0amI2q63qi6tXBWLTxn+ 74OTUijsUNlnSDNuOsB3AzkVytBTI2SdX2cfdiQhAyxvCExp2tBeKGILLZo+MUaG++NCV4pbF9N Ul9Z9h6nQCdzfIBykZ/x9wbc0AIPHvxhH2vPSGNZeobUx08Rj6ON+5aTZLootxrvoKMkS4zBeSV gEXac5NN/GPmjUEmq8vIvIrWDUf8lHjh/zk2/FUEsoMQLltwWich8D+F163MrwrzGlj/ptxG3it K2ZPZXXECFrSi8wavYZBKlIY+/BQdkfecKZ1aXCovA87XH1OsgfFnZ8fHvfmDhwP73iH6b++RX1 lIziBrJWtqbhmdQ5T7QIfdXV4+VjsHvrrJp4ZA2vUxtDGErcL4uL5D4spMZ4iy X-Received: by 2002:a05:7022:4a3:b0:11b:65e:f40 with SMTP id a92af1059eb24-124a008e6a0mr4875096c88.5.1769674726799; Thu, 29 Jan 2026 00:18:46 -0800 (PST) Received: from zcache.home.zacbowling.com ([2001:5a8:60d:bc9:f31e:1cb:296a:cc2a]) by smtp.gmail.com with ESMTPSA id a92af1059eb24-124a9efb4casm5483508c88.16.2026.01.29.00.18.44 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 29 Jan 2026 00:18:46 -0800 (PST) Sender: Zac Bowling From: Zac To: nbd@nbd.name Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org, linux@frame.work, lorenzo@kernel.org, ryder.lee@mediatek.com, sean.wang@kernel.org, sean.wang@mediatek.com, zac@zacbowling.com, zbowling@gmail.com Subject: [PATCH v7 1/6] wifi: mt76: mt7925: fix double wcid initialization race condition Date: Thu, 29 Jan 2026 00:18:34 -0800 Message-ID: <20260129081839.179709-2-zac@zacbowling.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260129081839.179709-1-zac@zacbowling.com> References: <20260129081839.179709-1-zac@zacbowling.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Remove duplicate mt76_wcid_init() call in mt7925_mac_link_sta_add that occurs after the wcid is already published via rcu_assign_pointer(). The wcid is correctly initialized at line 873 after allocation. However, a second mt76_wcid_init() call at line 885 reinitializes the wcid after it has been published to RCU readers, which can cause: - List head corruption (tx_list, poll_list) if concurrent code is already using the wcid - Memory leaks from reinitializing the pktid IDR - Race conditions where readers see partially initialized state Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt= 7925 device") Signed-off-by: Zac Bowling --- drivers/net/wireless/mediatek/mt76/mt7925/main.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/main.c b/drivers/net= /wireless/mediatek/mt76/mt7925/main.c index afcc0fa4aa35..fad3b1505f67 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c @@ -882,7 +882,6 @@ static int mt7925_mac_link_sta_add(struct mt76_dev *mde= v, wcid =3D &mlink->wcid; ewma_signal_init(&wcid->rssi); rcu_assign_pointer(dev->mt76.wcid[wcid->idx], wcid); - mt76_wcid_init(wcid, 0); ewma_avg_signal_init(&mlink->avg_ack_signal); memset(mlink->airtime_ac, 0, sizeof(msta->deflink.airtime_ac)); --=20 2.52.0 From nobody Sun Feb 8 15:07:38 2026 Received: from mail-dl1-f49.google.com (mail-dl1-f49.google.com [74.125.82.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id F144D37BE84 for ; Thu, 29 Jan 2026 08:18:49 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=74.125.82.49 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1769674733; cv=none; b=mbOqKjZeVmRqCgEzg1LRGFEj17GvOz+5FlupEdaFpLgOONHM13korM2TeBdE6SKkeueK2XBr/UpQ4eA8H7dV8UtXYCzbBuwb/xiCBhiMomw/IiOzrN43o98o5kZprZJoltIo0QwwlOXPrQQzvd+eDDqkHwRfa9sbmxyHOWQ8//U= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1769674733; c=relaxed/simple; bh=PVbiPBzKjrcY+30wKeQPbwFap3HDwi340Gx5QUpF0Ek=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=Y0rio7qknNE3tgCz3rbqMZAQ+YmYWmq31/Ytr4UtLkSNX8+a76G2Nfhz82izwoqeFWyUSdBhZPqRqjpRCXbPfUGtLTrAhSn8GgO4pGmkOI53iCrQ68AdAAcDk9gpI/i1z9OxhENx/Jq6m99fJJ3H0jz/2DlSriaDxwVypUzSdcc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=zacbowling.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=Bnr0rnbE; arc=none smtp.client-ip=74.125.82.49 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=zacbowling.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="Bnr0rnbE" Received: by mail-dl1-f49.google.com with SMTP id a92af1059eb24-1249b9f5703so1035278c88.0 for ; Thu, 29 Jan 2026 00:18:49 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1769674729; x=1770279529; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:sender:from:to:cc:subject:date :message-id:reply-to; bh=naEzUi5T5XiWE+zV5MsLkVzO6TX0wOB54z5FQcjozZA=; b=Bnr0rnbEnSbFCf+BmhzDjHZfI/6cZrt/vaSsQ/Gr3uwkIw2qFGsP6DARfQTc8T3Yym 4l725FsRMwBu5UR6asXNZ/650fBbWoMWJvT4hDmchkZTfQxNDrDx7RQyAmg4gxzmiSkb U0+uE6XdLGgVEbT3GrivtqimMFkw8EVRk4Wjrxso14AReiC+7FA7PLgeXLR4XtaPuhoy A4QGwWJyXKwgvB1i2C9wlZe+xNQQpW7T+Kt00m4ETfnEEBk4VrZN4RaKz69Kkgsz9u8D gyvzxDVbZO+rY2SkTGmsq9GlgEzkcO0bLOxR9qgwzWZlYFJmfIpTk3QLzTM9I4NndtiT tUIA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1769674729; x=1770279529; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:sender:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=naEzUi5T5XiWE+zV5MsLkVzO6TX0wOB54z5FQcjozZA=; b=tTT3Ps72zAYmZPy0Z884fKDjiE8vm+CuvCfLgeOpvb3t8DSaqCkgCMpp06aIZSppRX KrKa16lCfIi9NU7xDOk6V6kXKW5zS9x6dBL0SN/huvJ827t7X67QGCOIz7rS7Q540Mua bUFrUovwFblUBjUFf1GsBK/+UkXdlU284vLH/6E1miC3QgLKWAFKNcMtaVPiMcQLsGCI Wl2OI6GKBGQcxQXBEW54c3ny9c4iUyrOqRvNqHrmJvk0z9Bh2liTchtZFLkEFPSfwZMh QQau9Uwsixll7yaMj5Rtbf2SAIPPyUQNAmdGfxjcPWTSySLngVMTECoVTbf5TliP6Dtn sJqg== X-Forwarded-Encrypted: i=1; AJvYcCUZ8FQStD7DvzCSbAR1zd3jL9UCLkqrqOHwUotYB2nqSMt4UH1sP/CMsEkln3hNFUw13VLRib9DYrH2F/g=@vger.kernel.org X-Gm-Message-State: AOJu0Yw6Ui7CTuj7M/NaRtvWwCH8gNpc2FiOocSDNNuquUyDuund3US5 fk5A1SrNwHZVNHvHEUin50q6K8f19ct46QgwKXQWZtJhKsJk1qVp4x5Z X-Gm-Gg: AZuq6aKurHaWmk3mIKD2ssR1u8tAlScw2mdFitXYRUgcvT5c4ab5yAQqyEFOKjfqTPH xZmZJZCOV3cm8aBGLjBZSjcuvPTcOvodhFyZjnw+Ik0fEk3HtySygVVQqOikVqcb3luqinpJoV3 FDA4oDMA15GChXwySgmrqpoKRUdc99mLfP6l29Hyf7aIfRofiuR7AuhCvtg/XFNRNrHKEjfuprh f0cKTpVpWf+ZID8ilN7epgOe+WZbJP8s7+ruL7e56O0mDWPPQzlawuH8oKDhHYsqP4QMo2FA8TR xVEgBVdVU95IjKtecQjCp+Fj2v+poCsoSs26DEbH7TDkz+peQ4q4Zk03PNE5cjhEaDj0J5rf+Y+ TfCCvdVKRkE+3qx8v+4fkYO1KnF05Cs+WfMDZV1D6RGfoNTnCwOlv46huUW3YU28NLozE0vBRwv TAOTEKbXkNDIoRulb9miaOspnTYFKxV2coGL4DiL2+e+Li64SnAKr2EXaDui2K X-Received: by 2002:a05:7022:628e:b0:124:9e46:82fb with SMTP id a92af1059eb24-124a00d183bmr4844023c88.38.1769674728985; Thu, 29 Jan 2026 00:18:48 -0800 (PST) Received: from zcache.home.zacbowling.com ([2001:5a8:60d:bc9:f31e:1cb:296a:cc2a]) by smtp.gmail.com with ESMTPSA id a92af1059eb24-124a9efb4casm5483508c88.16.2026.01.29.00.18.46 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 29 Jan 2026 00:18:48 -0800 (PST) Sender: Zac Bowling From: Zac To: nbd@nbd.name Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org, linux@frame.work, lorenzo@kernel.org, ryder.lee@mediatek.com, sean.wang@kernel.org, sean.wang@mediatek.com, zac@zacbowling.com, zbowling@gmail.com Subject: [PATCH v7 2/6] wifi: mt76: mt7925: add NULL pointer protection for MLO state transitions Date: Thu, 29 Jan 2026 00:18:35 -0800 Message-ID: <20260129081839.179709-3-zac@zacbowling.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260129081839.179709-1-zac@zacbowling.com> References: <20260129081839.179709-1-zac@zacbowling.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Add NULL pointer checks for functions that return pointers to link-related structures throughout the mt7925 driver. During MLO state transitions, these functions can return NULL when link configuration is not synchronized. Functions protected: - mt792x_vif_to_bss_conf(): Returns link BSS configuration - mt792x_vif_to_link(): Returns driver link state - mt792x_sta_to_link(): Returns station link state Key changes: 1. mt7925_set_link_key(): - Check link_conf, mconf, mlink before use - During MLO roaming, allow key removal to succeed if link is already go= ne 2. mt7925_mac_link_sta_add(): - Check mlink and mconf before WCID allocation - Check link_conf before BSS info update - Add proper WCID cleanup on error paths (err_wcid label) - Check MCU return values and propagate errors 3. mt7925_mac_link_sta_assoc(): - Check mlink before use - Check link_conf and mconf before BSS info update 4. mt7925_mac_link_sta_remove(): - Check mlink before use - Check link_conf and mconf before cleanup operations Prevents crashes during: - BSSID roaming transitions - MLO setup and teardown - Hardware reset operations Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt= 7925 device") Signed-off-by: Zac Bowling --- .../net/wireless/mediatek/mt76/mt7925/main.c | 66 ++++++++++++++----- 1 file changed, 51 insertions(+), 15 deletions(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/main.c b/drivers/net= /wireless/mediatek/mt76/mt7925/main.c index fad3b1505f67..88ee90709b75 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c @@ -612,6 +612,17 @@ static int mt7925_set_link_key(struct ieee80211_hw *hw= , enum set_key_cmd cmd, link_sta =3D sta ? mt792x_sta_to_link_sta(vif, sta, link_id) : NULL; mconf =3D mt792x_vif_to_link(mvif, link_id); mlink =3D mt792x_sta_to_link(msta, link_id); + + if (!link_conf || !mconf || !mlink) { + /* During MLO roaming, link state may be torn down before + * mac80211 requests key removal. If removing a key and + * the link is already gone, consider it successfully removed. + */ + if (cmd !=3D SET_KEY) + return 0; + return -EINVAL; + } + wcid =3D &mlink->wcid; wcid_keyidx =3D &wcid->hw_key_idx; =20 @@ -864,12 +875,17 @@ static int mt7925_mac_link_sta_add(struct mt76_dev *m= dev, =20 msta =3D (struct mt792x_sta *)link_sta->sta->drv_priv; mlink =3D mt792x_sta_to_link(msta, link_id); + if (!mlink) + return -EINVAL; + + mconf =3D mt792x_vif_to_link(mvif, link_id); + if (!mconf) + return -EINVAL; =20 idx =3D mt76_wcid_alloc(dev->mt76.wcid_mask, MT792x_WTBL_STA - 1); if (idx < 0) return -ENOSPC; =20 - mconf =3D mt792x_vif_to_link(mvif, link_id); mt76_wcid_init(&mlink->wcid, 0); mlink->wcid.sta =3D 1; mlink->wcid.idx =3D idx; @@ -888,21 +904,28 @@ static int mt7925_mac_link_sta_add(struct mt76_dev *m= dev, =20 ret =3D mt76_connac_pm_wake(&dev->mphy, &dev->pm); if (ret) - return ret; + goto err_wcid; =20 mt7925_mac_wtbl_update(dev, idx, MT_WTBL_UPDATE_ADM_COUNT_CLEAR); =20 link_conf =3D mt792x_vif_to_bss_conf(vif, link_id); + if (!link_conf) { + ret =3D -EINVAL; + goto err_wcid; + } =20 /* should update bss info before STA add */ if (vif->type =3D=3D NL80211_IFTYPE_STATION && !link_sta->sta->tdls) { if (ieee80211_vif_is_mld(vif)) - mt7925_mcu_add_bss_info(&dev->phy, mconf->mt76.ctx, - link_conf, link_sta, link_sta !=3D mlink->pri_link); + ret =3D mt7925_mcu_add_bss_info(&dev->phy, mconf->mt76.ctx, + link_conf, link_sta, + link_sta !=3D mlink->pri_link); else - mt7925_mcu_add_bss_info(&dev->phy, mconf->mt76.ctx, - link_conf, link_sta, false); + ret =3D mt7925_mcu_add_bss_info(&dev->phy, mconf->mt76.ctx, + link_conf, link_sta, false); + if (ret) + goto err_wcid; } =20 if (ieee80211_vif_is_mld(vif) && @@ -910,28 +933,34 @@ static int mt7925_mac_link_sta_add(struct mt76_dev *m= dev, ret =3D mt7925_mcu_sta_update(dev, link_sta, vif, true, MT76_STA_INFO_STATE_NONE); if (ret) - return ret; + goto err_wcid; } else if (ieee80211_vif_is_mld(vif) && link_sta !=3D mlink->pri_link) { ret =3D mt7925_mcu_sta_update(dev, mlink->pri_link, vif, true, MT76_STA_INFO_STATE_ASSOC); if (ret) - return ret; + goto err_wcid; =20 ret =3D mt7925_mcu_sta_update(dev, link_sta, vif, true, MT76_STA_INFO_STATE_ASSOC); if (ret) - return ret; + goto err_wcid; } else { ret =3D mt7925_mcu_sta_update(dev, link_sta, vif, true, MT76_STA_INFO_STATE_NONE); if (ret) - return ret; + goto err_wcid; } =20 mt76_connac_power_save_sched(&dev->mphy, &dev->pm); =20 return 0; + +err_wcid: + rcu_assign_pointer(dev->mt76.wcid[idx], NULL); + mt76_wcid_mask_clear(dev->mt76.wcid_mask, idx); + mt76_connac_power_save_sched(&dev->mphy, &dev->pm); + return ret; } =20 static int @@ -1039,6 +1068,8 @@ static void mt7925_mac_link_sta_assoc(struct mt76_dev= *mdev, =20 msta =3D (struct mt792x_sta *)link_sta->sta->drv_priv; mlink =3D mt792x_sta_to_link(msta, link_sta->link_id); + if (!mlink) + return; =20 mt792x_mutex_acquire(dev); =20 @@ -1048,12 +1079,13 @@ static void mt7925_mac_link_sta_assoc(struct mt76_d= ev *mdev, link_conf =3D mt792x_vif_to_bss_conf(vif, vif->bss_conf.link_id); } =20 - if (vif->type =3D=3D NL80211_IFTYPE_STATION && !link_sta->sta->tdls) { + if (link_conf && vif->type =3D=3D NL80211_IFTYPE_STATION && !link_sta->st= a->tdls) { struct mt792x_bss_conf *mconf; =20 mconf =3D mt792x_link_conf_to_mconf(link_conf); - mt7925_mcu_add_bss_info(&dev->phy, mconf->mt76.ctx, - link_conf, link_sta, true); + if (mconf) + mt7925_mcu_add_bss_info(&dev->phy, mconf->mt76.ctx, + link_conf, link_sta, true); } =20 ewma_avg_signal_init(&mlink->avg_ack_signal); @@ -1100,6 +1132,8 @@ static void mt7925_mac_link_sta_remove(struct mt76_de= v *mdev, =20 msta =3D (struct mt792x_sta *)link_sta->sta->drv_priv; mlink =3D mt792x_sta_to_link(msta, link_id); + if (!mlink) + return; =20 mt7925_roc_abort_sync(dev); =20 @@ -1113,10 +1147,12 @@ static void mt7925_mac_link_sta_remove(struct mt76_= dev *mdev, =20 link_conf =3D mt792x_vif_to_bss_conf(vif, link_id); =20 - if (vif->type =3D=3D NL80211_IFTYPE_STATION && !link_sta->sta->tdls) { + if (link_conf && vif->type =3D=3D NL80211_IFTYPE_STATION && !link_sta->st= a->tdls) { struct mt792x_bss_conf *mconf; =20 mconf =3D mt792x_link_conf_to_mconf(link_conf); + if (!mconf) + goto out; =20 if (ieee80211_vif_is_mld(vif)) mt792x_mac_link_bss_remove(dev, mconf, mlink); @@ -1124,7 +1160,7 @@ static void mt7925_mac_link_sta_remove(struct mt76_de= v *mdev, mt7925_mcu_add_bss_info(&dev->phy, mconf->mt76.ctx, link_conf, link_sta, false); } - +out: spin_lock_bh(&mdev->sta_poll_lock); if (!list_empty(&mlink->wcid.poll_list)) list_del_init(&mlink->wcid.poll_list); --=20 2.52.0 From nobody Sun Feb 8 15:07:38 2026 Received: from mail-dy1-f181.google.com (mail-dy1-f181.google.com [74.125.82.181]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 342041A3178 for ; Thu, 29 Jan 2026 08:46:16 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=74.125.82.181 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1769676379; cv=none; b=KJMlxbb1Xb5a7PsMgdvn2ulYGdEq6ICF/DVt5H+8iWN0WtXsAXsYulnT2G6cOYSJMFMj+cYEI+WnUVfDsqof8dhIIZajX2+JH/oygcs/fL2iHKRFW6XXJCJ8Nd5GM6BaTW47ljwhfviws0n0PTHfTKxyNpIc9wTpldBym8HOIzY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1769676379; c=relaxed/simple; bh=vMdGwC/qf+2O0zngrxjCurOPxiTpRuxWh6CV3arQQd8=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=V06StF4jJYIV+RSEASTUQ1KcpHvDlhdLvRwWHKEFg7kw5yqKt133C9MGqMxoBa2T+hpFoFVR1qJYdTx4yryn0d+l3l4Zi/SRVggiMtJzE5yMbws0850taL4du5s64U1eyJFf0NkFTg0AlUNh17GhcaHsofifWSqnqfC3tHHjPuc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=zacbowling.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=in+aMamY; arc=none smtp.client-ip=74.125.82.181 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=zacbowling.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="in+aMamY" Received: by mail-dy1-f181.google.com with SMTP id 5a478bee46e88-2b71515d8adso766555eec.1 for ; Thu, 29 Jan 2026 00:46:16 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1769676374; x=1770281174; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:sender:from:to:cc:subject:date :message-id:reply-to; bh=Tng3+pOB53pLZW+pGJL9iXigR2ZikgpGjqvJUqlRZU4=; b=in+aMamYOb8ZZb9QCzCcopK5GsZBmq6GFBPLlte5YQ31EvLkv8eiQq9c6PUz7d5SIo 8pjv3KQC15f1t7hddjF+1H8fxvgjNKf5ygL3fOrhMYv55/HjYDlubuq/7cnRJD8/mEr+ dxGtJWYzFbkaPfXp3COZ/8ROa2o28UdS09PaNwaLlZdBhb4PZ6tiBwv5mIeOGzWpi/Gg 3HmdMx8au24LamLsbUBxAw6t9wVqlGl5KzSayqRUaXR+a5vfA4XHSHsnfQ06/1dgzSC0 bZmDh6xR09wSMYyDMHamkARuJiHAjuM616QXwaKUaBpFPCMDaHz5cL2otMId5eVCvTN0 ILIQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1769676374; x=1770281174; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:sender:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=Tng3+pOB53pLZW+pGJL9iXigR2ZikgpGjqvJUqlRZU4=; b=SDLGPEmHq2hYJDAeNDkvhDQLZfEcET+03oxh2AgLf6XDRCwtvuwHovjvjfEA6R12sJ RMreJ5Noglj1YmgU4wdaWLZUCu7Psa8s+soe4s8e95Tko59nessCSVUCqO7q/HNJ63Ir ecCJvAtCH8XT25tFdhONQ5QrtO+BmkqCCE4eC0mnVlcy5Q2dukDUZNO7t2XP+9o80m2o LCetSAGO3wZrYLSaZUBF3XECdMkD4W+1h//wVM/6Sb+PE/JSMoytKT+md1CQTpISIdeE mbhLIrvb/1aX9+POjVPqw/g441Au2txvQMbx+XNHVl15Q/rPyz2u4FhuwjuVuxfLbIGH esXg== X-Forwarded-Encrypted: i=1; AJvYcCVbPhK99Ym6wREhk42EKKoVjQWfY971iXd5sQMY4e5mdvv24eT3a8wHXD1WIgQLkukE6wsk5AXYjI2yvcE=@vger.kernel.org X-Gm-Message-State: AOJu0YxBBLOch8cpq99NEN0I9pfP0cjKq+Vb2uCWLUI9ARUdoEwqFhLx Cu1vET22hWT2X8GrZ2auG6ievqkQHxlRZMNFudBZkAZapW/2MDdJb8Kw X-Gm-Gg: AZuq6aLss51cOjGGDfJ4G4N7j6eQOcqqZSnSfN4wRRWAZGSr5kMpnC+iFnuekNCALLw VQSmsQj1ydu+p65zrwyfGh9fNv4Ib7kJt4AzFWLMZPP4YtYH2w94c22n6b7aZ0TVNZH3XqGVYx8 yTOEYKLhRhl+P7anZ9JFOaPyJ0vVlnGEJtOjX5WDsDHDUk5Rj11HAREiSn4gK2pt4WgbOrWQGjW fAFX349sG2UzCSRg6HikLXkDlBCM/20AH1i2IuTz5K/m8VDT6i+bj51kODJEUZlaw6OENUDSHQ9 xqMZT+qYv7KmCR+PmhUVVja/AZk1azFwboQyPS/If8gewjcVTH6Ut281wW88K4PLjzBbEa1EV7u xUxv4yTyxWRvKoQTCGTNXbVLgEJn8797WIVnkJcL8rDwgTH7tbNRrnk/LUWfq9CwXJ2Cw8UTEg6 kR2LCUXhxHlaBHuOhD/fpbqwf40QLWjoN3l2GbSnf3yxSHTOzF3HnhcdKa8lTNSWbB/ewdi1b8 X-Received: by 2002:a05:693c:3017:b0:2b0:52cc:fe69 with SMTP id 5a478bee46e88-2b78d86845dmr4198171eec.5.1769676374355; Thu, 29 Jan 2026 00:46:14 -0800 (PST) Received: from zcache.home.zacbowling.com ([2001:5a8:60d:bc9:4a3c:9f7c:8037:90c1]) by smtp.gmail.com with ESMTPSA id 5a478bee46e88-2b7a1abe92dsm5947583eec.17.2026.01.29.00.46.12 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 29 Jan 2026 00:46:13 -0800 (PST) Sender: Zac Bowling From: Zac To: nbd@nbd.name Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org, linux@frame.work, lorenzo@kernel.org, ryder.lee@mediatek.com, sean.wang@kernel.org, sean.wang@mediatek.com, zac@zacbowling.com, zbowling@gmail.com Subject: [PATCH 2/6] wifi: mt76: mt7925: add NULL pointer protection for MLO state transitions Date: Thu, 29 Jan 2026 00:46:11 -0800 Message-ID: <20260129084611.187744-1-zac@zacbowling.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260129081839.179709-1-zac@zacbowling.com> References: <20260129081839.179709-1-zac@zacbowling.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Add NULL pointer checks for functions that return pointers to link-related structures throughout the mt7925 driver. During MLO state transitions, these functions can return NULL when link configuration is not synchronized. Functions protected: - mt792x_vif_to_bss_conf(): Returns link BSS configuration - mt792x_vif_to_link(): Returns driver link state - mt792x_sta_to_link(): Returns station link state Key changes: 1. mt7925_set_link_key(): - Check link_conf, mconf, mlink before use - During MLO roaming, allow key removal to succeed if link is already go= ne 2. mt7925_mac_link_sta_add(): - Check mlink and mconf before WCID allocation - Check link_conf before BSS info update - Add proper WCID cleanup on error paths (err_wcid label) - Check MCU return values and propagate errors 3. mt7925_mac_link_sta_assoc(): - Check mlink before use - Check link_conf and mconf before BSS info update 4. mt7925_mac_link_sta_remove(): - Check mlink before use - Check link_conf and mconf before cleanup operations Prevents crashes during: - BSSID roaming transitions - MLO setup and teardown - Hardware reset operations Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt= 7925 device") Signed-off-by: Zac Bowling --- .../net/wireless/mediatek/mt76/mt7925/main.c | 67 ++++++++++++++----- 1 file changed, 52 insertions(+), 15 deletions(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/main.c b/drivers/net= /wireless/mediatek/mt76/mt7925/main.c index fad3b1505f67..1400633712b7 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c @@ -612,6 +612,17 @@ static int mt7925_set_link_key(struct ieee80211_hw *hw= , enum set_key_cmd cmd, link_sta =3D sta ? mt792x_sta_to_link_sta(vif, sta, link_id) : NULL; mconf =3D mt792x_vif_to_link(mvif, link_id); mlink =3D mt792x_sta_to_link(msta, link_id); + + if (!link_conf || !mconf || !mlink) { + /* During MLO roaming, link state may be torn down before + * mac80211 requests key removal. If removing a key and + * the link is already gone, consider it successfully removed. + */ + if (cmd !=3D SET_KEY) + return 0; + return -EINVAL; + } + wcid =3D &mlink->wcid; wcid_keyidx =3D &wcid->hw_key_idx; =20 @@ -864,12 +875,17 @@ static int mt7925_mac_link_sta_add(struct mt76_dev *m= dev, =20 msta =3D (struct mt792x_sta *)link_sta->sta->drv_priv; mlink =3D mt792x_sta_to_link(msta, link_id); + if (!mlink) + return -EINVAL; + + mconf =3D mt792x_vif_to_link(mvif, link_id); + if (!mconf) + return -EINVAL; =20 idx =3D mt76_wcid_alloc(dev->mt76.wcid_mask, MT792x_WTBL_STA - 1); if (idx < 0) return -ENOSPC; =20 - mconf =3D mt792x_vif_to_link(mvif, link_id); mt76_wcid_init(&mlink->wcid, 0); mlink->wcid.sta =3D 1; mlink->wcid.idx =3D idx; @@ -888,21 +904,28 @@ static int mt7925_mac_link_sta_add(struct mt76_dev *m= dev, =20 ret =3D mt76_connac_pm_wake(&dev->mphy, &dev->pm); if (ret) - return ret; + goto err_wcid; =20 mt7925_mac_wtbl_update(dev, idx, MT_WTBL_UPDATE_ADM_COUNT_CLEAR); =20 link_conf =3D mt792x_vif_to_bss_conf(vif, link_id); + if (!link_conf) { + ret =3D -EINVAL; + goto err_wcid; + } =20 /* should update bss info before STA add */ if (vif->type =3D=3D NL80211_IFTYPE_STATION && !link_sta->sta->tdls) { if (ieee80211_vif_is_mld(vif)) - mt7925_mcu_add_bss_info(&dev->phy, mconf->mt76.ctx, - link_conf, link_sta, link_sta !=3D mlink->pri_link); + ret =3D mt7925_mcu_add_bss_info(&dev->phy, mconf->mt76.ctx, + link_conf, link_sta, + link_sta !=3D mlink->pri_link); else - mt7925_mcu_add_bss_info(&dev->phy, mconf->mt76.ctx, - link_conf, link_sta, false); + ret =3D mt7925_mcu_add_bss_info(&dev->phy, mconf->mt76.ctx, + link_conf, link_sta, false); + if (ret) + goto err_wcid; } =20 if (ieee80211_vif_is_mld(vif) && @@ -910,28 +933,35 @@ static int mt7925_mac_link_sta_add(struct mt76_dev *m= dev, ret =3D mt7925_mcu_sta_update(dev, link_sta, vif, true, MT76_STA_INFO_STATE_NONE); if (ret) - return ret; + goto err_wcid; } else if (ieee80211_vif_is_mld(vif) && link_sta !=3D mlink->pri_link) { ret =3D mt7925_mcu_sta_update(dev, mlink->pri_link, vif, true, MT76_STA_INFO_STATE_ASSOC); if (ret) - return ret; + goto err_wcid; =20 ret =3D mt7925_mcu_sta_update(dev, link_sta, vif, true, MT76_STA_INFO_STATE_ASSOC); if (ret) - return ret; + goto err_wcid; } else { ret =3D mt7925_mcu_sta_update(dev, link_sta, vif, true, MT76_STA_INFO_STATE_NONE); if (ret) - return ret; + goto err_wcid; } =20 mt76_connac_power_save_sched(&dev->mphy, &dev->pm); =20 return 0; + +err_wcid: + rcu_assign_pointer(dev->mt76.wcid[idx], NULL); + mt76_wcid_cleanup(&dev->mt76, wcid); + mt76_wcid_mask_clear(dev->mt76.wcid_mask, idx); + mt76_connac_power_save_sched(&dev->mphy, &dev->pm); + return ret; } =20 static int @@ -1039,6 +1069,8 @@ static void mt7925_mac_link_sta_assoc(struct mt76_dev= *mdev, =20 msta =3D (struct mt792x_sta *)link_sta->sta->drv_priv; mlink =3D mt792x_sta_to_link(msta, link_sta->link_id); + if (!mlink) + return; =20 mt792x_mutex_acquire(dev); =20 @@ -1048,12 +1080,13 @@ static void mt7925_mac_link_sta_assoc(struct mt76_d= ev *mdev, link_conf =3D mt792x_vif_to_bss_conf(vif, vif->bss_conf.link_id); } =20 - if (vif->type =3D=3D NL80211_IFTYPE_STATION && !link_sta->sta->tdls) { + if (link_conf && vif->type =3D=3D NL80211_IFTYPE_STATION && !link_sta->st= a->tdls) { struct mt792x_bss_conf *mconf; =20 mconf =3D mt792x_link_conf_to_mconf(link_conf); - mt7925_mcu_add_bss_info(&dev->phy, mconf->mt76.ctx, - link_conf, link_sta, true); + if (mconf) + mt7925_mcu_add_bss_info(&dev->phy, mconf->mt76.ctx, + link_conf, link_sta, true); } =20 ewma_avg_signal_init(&mlink->avg_ack_signal); @@ -1100,6 +1133,8 @@ static void mt7925_mac_link_sta_remove(struct mt76_de= v *mdev, =20 msta =3D (struct mt792x_sta *)link_sta->sta->drv_priv; mlink =3D mt792x_sta_to_link(msta, link_id); + if (!mlink) + return; =20 mt7925_roc_abort_sync(dev); =20 @@ -1113,10 +1148,12 @@ static void mt7925_mac_link_sta_remove(struct mt76_= dev *mdev, =20 link_conf =3D mt792x_vif_to_bss_conf(vif, link_id); =20 - if (vif->type =3D=3D NL80211_IFTYPE_STATION && !link_sta->sta->tdls) { + if (link_conf && vif->type =3D=3D NL80211_IFTYPE_STATION && !link_sta->st= a->tdls) { struct mt792x_bss_conf *mconf; =20 mconf =3D mt792x_link_conf_to_mconf(link_conf); + if (!mconf) + goto out; =20 if (ieee80211_vif_is_mld(vif)) mt792x_mac_link_bss_remove(dev, mconf, mlink); @@ -1124,7 +1161,7 @@ static void mt7925_mac_link_sta_remove(struct mt76_de= v *mdev, mt7925_mcu_add_bss_info(&dev->phy, mconf->mt76.ctx, link_conf, link_sta, false); } - +out: spin_lock_bh(&mdev->sta_poll_lock); if (!list_empty(&mlink->wcid.poll_list)) list_del_init(&mlink->wcid.poll_list); --=20 2.52.0 From nobody Sun Feb 8 15:07:38 2026 Received: from mail-dl1-f44.google.com (mail-dl1-f44.google.com [74.125.82.44]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 58AE237AA6B for ; Thu, 29 Jan 2026 08:18:51 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=74.125.82.44 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1769674732; cv=none; b=VxTx4tvUtczTTbSHCclIzfuJ6tDhjHJIoprf/4LvducpYT4ceSGg4PJ02HoF6BT2xXoxUY1xCdX3HtXmxx7jj6uM3qXShPq+jm/tsI+peAhcwUSu6pYFSsKTANk8ebouaPLY1YYwPBxt4UFTSXCtnvsgub9XzrJVjUsBtRTZVWg= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1769674732; c=relaxed/simple; bh=tGrKCYWuOVVysmCKf0lksAy7dVWbeM9mIvGdn3TNHuE=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=NaG0C4TkQD55gdnAGl4n7XSWC5OviKMrkT5dScj/P+g2WlSZ8JgnExgwfNJB3aUyM4KJr6uvIgmpqsntmBNoACRSaXVrT8nBZBnf+vlyjJ2Sy/vyY1Yl/EneqNmHzY5U6jdF6vsC0fNBRAoQwRsgMw+9x+/JLJSrfq82E22XAXM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=zacbowling.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=iueXKMOF; arc=none smtp.client-ip=74.125.82.44 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=zacbowling.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="iueXKMOF" Received: by mail-dl1-f44.google.com with SMTP id a92af1059eb24-12336c0a8b6so1318107c88.1 for ; Thu, 29 Jan 2026 00:18:51 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1769674730; x=1770279530; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:sender:from:to:cc:subject:date :message-id:reply-to; bh=IDaqmz+jOzRuCeSxlUAdH2cvfPDelKI52XxXT1MsurU=; b=iueXKMOFR1h+Gzek9wyCB38UYhW2QnXNkJKZH3s/142R8pmKAjriNDhh03XhGwc1qe EU7LhW7+ahhY5gu/CyN9wngfKbTFHqamMaHc725C5zhhp7uwB5cEDC4MA6mu9suN6CNo xTYEx/MHahUl883h+tDZeCEHxKsW07t1ulB/o6hb32PjrodYW1U8EC/dMZisnuCKmsGL mBt4Aw0Knq5D2Gf194trmYsfk9CvRaDTORiAm+6TTLJu8J03UhlSOEwf+j+k7rivU6cs GKsxiKb3FNu9Qm9eB6xf5+0FQLUWvTRFY4NXckK5dVohuS4drM1ImmkzqipQfff7hJac ruAw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1769674730; x=1770279530; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:sender:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=IDaqmz+jOzRuCeSxlUAdH2cvfPDelKI52XxXT1MsurU=; b=NDa3quTVSUIsHjF4r4t6azxVlFKER2ad3VKZLhGDeCgQE6HpWCW1BDWDhT4/9B/M8T j6gz+r0YDP2eWaLyyERFUtBOiMxLjSnQRqFBdHCfTbkSk1cgLhZYGPmEdKdXkS+Crexl kvMSex/af2BQePR8zrlIkir3UD3yhO+TQ7XDRNTMbyTmLv7pksQLeI7o9fV7cWCLyf8C UHGzbKF+cXtZUQhtQd3y0ibhm98yRaCG0l3Gy5n5bv3s2vJUT1B5umXwaP2oV3OQ0S2a ggEKVbSMGo3wJH09e2Sq8n/G6XpXIliwR6UgtoKivGOCiuORGU+mWLxFODvjeSmsPQFH 88lA== X-Forwarded-Encrypted: i=1; AJvYcCUmU3zpzmTxUUMUgPpa8bVbT9AzZ/VfPo2X5cbI3EZiNjWruNSRodquiEfhWEm7WFTwzunu11JKgqMht7k=@vger.kernel.org X-Gm-Message-State: AOJu0Yz9ee9feIrqQBEkeVvjL6kMjpt79ucjkBbaLIMluVf9WlAVJDs+ fpL8WA+wEHKY5BxGcOfQOIWxW/Bp/yZM49eXp/kLbacxQsA9IFqShqF/ X-Gm-Gg: AZuq6aIqJ8qDRyhFKwl91uE+YvtFiPACrXcPJeI+asrPU9L48Sj+Sq0GwGNf32jc7hC EJtBlAzi0mU8b2pio3VjFCkPIm42BdkgVI3T3jjzk6zKiGbFNG0AVSyGLJRB2JFZj+mnbrRVUFD PTRrky1yHFuAB2DqlJqz0Na24Mrzrm59xQH+wQZtAi1hUKapNIDTSXxlXtd8LK8ZDIDNbEmT4ZJ OqRDKU6YCa9sIG5q/urAXRjTIncgv+EqqmjZwfR70wt5QrUBbNnDpbMLv1ajuriiNT9Wra9pRtR CBy4EFkM8wWiEg4iYtx0rdUR0aAWO53ks/pZaFk8zac5vUW+4gtQciHjHE80uITQcmKXYd7ODbw wUXhaivHMaMqV5c634Y4ELK45gPydUn8Y7490Pt+TpgKpXtTVHuOwNcvaK/WeQmgSrAdvgpXy4p 07C8rKfleZB83uVnIzmEVSiDPIe0NYyxPWYKxtzL/lu7W3YcwIMrYpsfY1RblLvZrfUHLob8Y= X-Received: by 2002:a05:7022:e0e:b0:11e:70d8:5dbb with SMTP id a92af1059eb24-124a005f9damr4371735c88.7.1769674730326; Thu, 29 Jan 2026 00:18:50 -0800 (PST) Received: from zcache.home.zacbowling.com ([2001:5a8:60d:bc9:f31e:1cb:296a:cc2a]) by smtp.gmail.com with ESMTPSA id a92af1059eb24-124a9efb4casm5483508c88.16.2026.01.29.00.18.49 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 29 Jan 2026 00:18:49 -0800 (PST) Sender: Zac Bowling From: Zac To: nbd@nbd.name Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org, linux@frame.work, lorenzo@kernel.org, ryder.lee@mediatek.com, sean.wang@kernel.org, sean.wang@mediatek.com, zac@zacbowling.com, zbowling@gmail.com Subject: [PATCH v7 3/6] wifi: mt76: mt7925: add mutex protection in critical paths Date: Thu, 29 Jan 2026 00:18:36 -0800 Message-ID: <20260129081839.179709-4-zac@zacbowling.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260129081839.179709-1-zac@zacbowling.com> References: <20260129081839.179709-1-zac@zacbowling.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Add proper mutex protection for mt7925 driver operations that access hardware state without proper synchronization. This fixes race conditions that can cause system instability during power management and recovery. Fixes: 1. mac.c: mt7925_mac_reset_work() - Wrap ieee80211_iterate_active_interfaces() with mt792x_mutex - The vif_connect_iter callback accesses hardware state 2. main.c: mt7925_set_runtime_pm() - Add mutex protection around ieee80211_iterate_active_interfaces() - Runtime PM can race with other operations These protections ensure consistent hardware state access during power management transitions and recovery operations. Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt= 7925 device") Signed-off-by: Zac Bowling --- drivers/net/wireless/mediatek/mt76/mt7925/mac.c | 2 ++ drivers/net/wireless/mediatek/mt76/mt7925/main.c | 2 ++ 2 files changed, 4 insertions(+) diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mac.c b/drivers/net/= wireless/mediatek/mt76/mt7925/mac.c index f1f0bc9eab04..88cf214ab452 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/mac.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/mac.c @@ -1330,9 +1330,11 @@ void mt7925_mac_reset_work(struct work_struct *work) dev->hw_full_reset =3D false; pm->suspended =3D false; ieee80211_wake_queues(hw); + mt792x_mutex_acquire(dev); ieee80211_iterate_active_interfaces(hw, IEEE80211_IFACE_ITER_RESUME_ALL, mt7925_vif_connect_iter, NULL); + mt792x_mutex_release(dev); mt76_connac_power_save_sched(&dev->mt76.phy, pm); =20 mt7925_regd_change(&dev->phy, "00"); diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/main.c b/drivers/net= /wireless/mediatek/mt76/mt7925/main.c index 88ee90709b75..82de6f30ec27 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c @@ -770,9 +770,11 @@ void mt7925_set_runtime_pm(struct mt792x_dev *dev) bool monitor =3D !!(hw->conf.flags & IEEE80211_CONF_MONITOR); =20 pm->enable =3D pm->enable_user && !monitor; + mt792x_mutex_acquire(dev); ieee80211_iterate_active_interfaces(hw, IEEE80211_IFACE_ITER_RESUME_ALL, mt7925_pm_interface_iter, dev); + mt792x_mutex_release(dev); pm->ds_enable =3D pm->ds_enable_user && !monitor; mt7925_mcu_set_deep_sleep(dev, pm->ds_enable); } --=20 2.52.0 From nobody Sun Feb 8 15:07:38 2026 Received: from mail-dl1-f45.google.com (mail-dl1-f45.google.com [74.125.82.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C98F637BE74 for ; Thu, 29 Jan 2026 08:18:52 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=74.125.82.45 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1769674734; cv=none; b=N3/eXQULukXdGoLqTcfnZC29KLd12/WJKdWUgd1B6K2vMcdjF+smGe6C1Es6VgTSL3IP/bLpRlIrWuqAob20R5e2+VxYVofZSPtdm/vAvH5uRXNL1TTt6Qq9UwzFpuzaXimo1PUcAeDvmu3etVhTTLrbHBl5QW1Sav4Ipb+lwlc= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1769674734; c=relaxed/simple; bh=zLCOroas8zXs/FEWrMgLQ0DEsN6MpeN96pQBLNH+XAM=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=jPr2B2c5t1lD1/Oe5gg4GY7QUxUEXyG1SLZH1+ze46oLU2OYEc4yc7694WQzmu+Cak/BKzukZazRPdH5S3ty981213Xhph0wlXrP0vpJj2xoPh3toU2c/B2wOXgvZTiZNA+IKVpDFvpKc0zkf+gnA7EpwFHPX3MoMoeX1rmYvr0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=zacbowling.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=XbOrnyCQ; arc=none smtp.client-ip=74.125.82.45 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=zacbowling.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="XbOrnyCQ" Received: by mail-dl1-f45.google.com with SMTP id a92af1059eb24-1233c155a42so1054022c88.1 for ; Thu, 29 Jan 2026 00:18:52 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1769674732; x=1770279532; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:sender:from:to:cc:subject:date :message-id:reply-to; bh=sv2sCi1LhoxanCq/pgAsKlL6gjjvT4vp60gwfpl3NMU=; b=XbOrnyCQ1qaMsObaBNZE92bk0HdIORm4ZnIxtSUrQKZy83NntCu6NAkA83bV1UXOqW Dep2BUGPKAJKSLVmMZ6713nycnCKUrJf9RZe8wBhAzZNfqc641+xqhD23N9x/mg+YpVy igVqRCF3oL6rBg2iGOVqn6F4m86jDyAQGiJo1cbeJx+aUU0l3SAMcQPDo4vXyuTBO738 74m0/y3v1eFpUSk5HDv2FyBjIEK81rhqov2l7leA2SE26mw+k8Uexc4Owu0bOtnmlZKt oLduvCS8rGPl93mlPwxeoeEZVrxGoNK9EDBsO6Rx4H6PeCKh6KRtceeZ434oSwLuYmMc uWhw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1769674732; x=1770279532; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:sender:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=sv2sCi1LhoxanCq/pgAsKlL6gjjvT4vp60gwfpl3NMU=; b=kItgAUsTNSsdjT+g8FjzBaF2sL0hEyAIR5ArO1JvOJsd3kHIQA5i4FRozVwrWPixQm XvL25ky19cTwR3iB8aWgJhJz/ed5DqgNHxwYZqicN+S9E6/J+41nQPl0WXQFv33eLUHw ik5qHA+XXo9m1d9KhO+fNcMR6DPb6ghdJYfTLI7J4i+JNDX0ioEliD/A+f7u7JSQUwHS kwCJhFo7yhHcloBa0F9qkuUZyPp62/rJQW1wg15HTHBzBsk32CTb+eoCNrCwxdj12ONG ltr53xznRZLbudGRBIHSH9pF0dAoEiIGhz61wKVXxwvPHB141NIxBJMdOTeWYj682cCk mYKw== X-Forwarded-Encrypted: i=1; AJvYcCWv8mw5ATdV2UQ59CRtWlhyJjSByDLYfu8Ka4F7LI891NYpnV1J0N339hRrIoUFJ7X9XCO5URF0N+a0opo=@vger.kernel.org X-Gm-Message-State: AOJu0YxJ8KvRF56tvIidnGFN4WikLC5vyzuLM8ZXFkvvrYZyVvjBGT7U 9oKCRoSWsVb54vpAFk35zxhOhdBskQHeXQLO/Bhu/WVlQmoXzxjFh5dk X-Gm-Gg: AZuq6aJXctKqnUZBxV+lXI6qYlBvXeY0hVt5lQUbP+HMY4CUV6a8i4nxuoTnujl5KbG jIYr+NQMxtvp4a9NjUf0joCcSgeaHspyS7BUv4AHuOh25vkDXnu/I1Japph3paWxgJ+u4NUWZly uQTUgOg4xY7GhIUX2LnW8q4dqQLyu2H60lduSkz8x3pVIEKLinRLK7l46cri7rY+wS/kbHnlykU pgF69vNiSZRBU2EBi3S+vb1ua/AMHN5Xuo0842d3imvBxLfLI0uqn0nlFJwo9tmGoqHh5a+7nZC /G++3cCZXo6Y6UO1ZChWhvZz4Odncm3HF+k3H4N/Iy2tE939HuzXCtKmgc9HhPqhrqjfc5+elqj 8XYIjVOzqAJGdc9VGp/fny+zc2B+ai2eld56XGWz3GZZHfTG1D67YcxYnyeUm2m5W061c/+WYwX /m7sFl/+cDHkwU56SjumTHYHXkqAN1OimdR4WrCuX0MCSOeaKmYYkolzkyiONSSKGFbGn1Q5U= X-Received: by 2002:a05:7022:6a0:b0:11b:9386:826c with SMTP id a92af1059eb24-124a00d64dbmr5188230c88.41.1769674731965; Thu, 29 Jan 2026 00:18:51 -0800 (PST) Received: from zcache.home.zacbowling.com ([2001:5a8:60d:bc9:f31e:1cb:296a:cc2a]) by smtp.gmail.com with ESMTPSA id a92af1059eb24-124a9efb4casm5483508c88.16.2026.01.29.00.18.50 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 29 Jan 2026 00:18:51 -0800 (PST) Sender: Zac Bowling From: Zac To: nbd@nbd.name Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org, linux@frame.work, lorenzo@kernel.org, ryder.lee@mediatek.com, sean.wang@kernel.org, sean.wang@mediatek.com, zac@zacbowling.com, zbowling@gmail.com Subject: [PATCH v7 4/6] wifi: mt76: mt7925: add MCU command error handling in ampdu_action Date: Thu, 29 Jan 2026 00:18:37 -0800 Message-ID: <20260129081839.179709-5-zac@zacbowling.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260129081839.179709-1-zac@zacbowling.com> References: <20260129081839.179709-1-zac@zacbowling.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Add proper error handling for MCU command return values that were previously being ignored. Without proper error handling, failures in MCU communication can leave the driver in an inconsistent state. Changes: - Check mt7925_mcu_uni_tx_ba() return value - Check mt7925_mcu_uni_rx_ba() return value - Return error to mac80211 on failure Special case for IEEE80211_AMPDU_TX_STOP_CONT: The ieee80211_stop_tx_ba_cb_irqsafe() callback is kept unconditional because during beacon loss, the MCU command may fail but mac80211 MUST be notified to complete the BA session teardown. Otherwise the state machine gets stuck and triggers WARN in __ieee80211_stop_tx_ba_session(). This matches the behavior of mt7921 and mt7996 drivers. Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt= 7925 device") Signed-off-by: Zac Bowling --- drivers/net/wireless/mediatek/mt76/mt7925/main.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/main.c b/drivers/net= /wireless/mediatek/mt76/mt7925/main.c index 82de6f30ec27..8236edb1fb48 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c @@ -1300,22 +1300,22 @@ mt7925_ampdu_action(struct ieee80211_hw *hw, struct= ieee80211_vif *vif, case IEEE80211_AMPDU_RX_START: mt76_rx_aggr_start(&dev->mt76, &msta->deflink.wcid, tid, ssn, params->buf_size); - mt7925_mcu_uni_rx_ba(dev, params, true); + ret =3D mt7925_mcu_uni_rx_ba(dev, params, true); break; case IEEE80211_AMPDU_RX_STOP: mt76_rx_aggr_stop(&dev->mt76, &msta->deflink.wcid, tid); - mt7925_mcu_uni_rx_ba(dev, params, false); + ret =3D mt7925_mcu_uni_rx_ba(dev, params, false); break; case IEEE80211_AMPDU_TX_OPERATIONAL: mtxq->aggr =3D true; mtxq->send_bar =3D false; - mt7925_mcu_uni_tx_ba(dev, params, true); + ret =3D mt7925_mcu_uni_tx_ba(dev, params, true); break; case IEEE80211_AMPDU_TX_STOP_FLUSH: case IEEE80211_AMPDU_TX_STOP_FLUSH_CONT: mtxq->aggr =3D false; clear_bit(tid, &msta->deflink.wcid.ampdu_state); - mt7925_mcu_uni_tx_ba(dev, params, false); + ret =3D mt7925_mcu_uni_tx_ba(dev, params, false); break; case IEEE80211_AMPDU_TX_START: set_bit(tid, &msta->deflink.wcid.ampdu_state); @@ -1324,6 +1324,11 @@ mt7925_ampdu_action(struct ieee80211_hw *hw, struct = ieee80211_vif *vif, case IEEE80211_AMPDU_TX_STOP_CONT: mtxq->aggr =3D false; clear_bit(tid, &msta->deflink.wcid.ampdu_state); + /* MCU command may fail during beacon loss, but callback must + * always be called to complete the BA session teardown in + * mac80211. Otherwise the state machine gets stuck and triggers + * WARN in __ieee80211_stop_tx_ba_session(). + */ mt7925_mcu_uni_tx_ba(dev, params, false); ieee80211_stop_tx_ba_cb_irqsafe(vif, sta->addr, tid); break; --=20 2.52.0 From nobody Sun Feb 8 15:07:38 2026 Received: from mail-dl1-f65.google.com (mail-dl1-f65.google.com [74.125.82.65]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5B54837BE8E for ; Thu, 29 Jan 2026 08:18:54 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=74.125.82.65 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1769674735; cv=none; b=K6OkwIKkm72BCBlbB5LZtwefTBd8QTPN2UhkrASAGNKLrsEhjZwgv6xKBfIKkfwit+gxnJbytCwyRpfa8f5yiNAnjJHo59s5L0yy5Cw6GLmAvSycZIng+N/zKX60Rcy1P1A3ou0IYCB4R7Aq2SKGqNfdOg4UyGsnGm/11sjm9ns= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1769674735; c=relaxed/simple; bh=xl3UgJeqbTdzlSajXSm9VOSPzyX9z7hRNR2pLFxKQuk=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=INfhv7IMuNbuaYgUHGA0vlLs5kHxcuDnbn2qA9ZRcdspPolmXHQARTC9eW3V758CTWTtBeb9x0riDTPZ7b7LiTy82PUjd3IUnPMZc1wtSVUMktMq8VXfauHMwLilxuXFgNq2iva5hXNxDWX6jq5/wjzqpe5Igqxut+2su2EQrTU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=zacbowling.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=D7WES9ZF; arc=none smtp.client-ip=74.125.82.65 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=zacbowling.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="D7WES9ZF" Received: by mail-dl1-f65.google.com with SMTP id a92af1059eb24-124a635476fso976266c88.0 for ; Thu, 29 Jan 2026 00:18:54 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1769674733; x=1770279533; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:sender:from:to:cc:subject:date :message-id:reply-to; bh=UKrm2KEh+DPYHiCEU3ivvoqMw474gqaI6xe0hQwvxHI=; b=D7WES9ZF158rHXc0DHk0UPnBeXIuiMxh8L3KvuwRbSpWQn7FkROjz9Orr2nU6qiO6v e3GGAYZROKzXHcNzge9kV9hQTtxA7SB/BLDNLP2FTYqGrX9VT/nqqtvmFFnKw+fCno8g QUrilUAQ2HOsOT7CqZZbDgr+ng+KJToUX1UTZ6LZvSKhE96zPROAq/uCf+52Jeuxc5MR w/ww9P2sA4411PZxQu8pPqr6Fp0xjqSECrfyRekFxo0uH1AVNiH6vq3t99GOvzCAaR28 1slTBY5LoQolyPkobi1u8RbHWZ8eJEOWV78JkjdIQI2m1CJDR9FKKEMmahIxxYU/l65W F/HA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1769674733; x=1770279533; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:sender:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=UKrm2KEh+DPYHiCEU3ivvoqMw474gqaI6xe0hQwvxHI=; b=qRRxiY7laxFhdYQshwHzmvjM/xbmue04h5T9xV6j1p5bKCumjSFUgZukAtQj1UW2fM Z/CAAn4x6wq8HNMx1kKOcK4joXrKvHZL29MSXiSnSmcXXqkUFYitYldr5L1v01m4f9k1 4ZtbDZd7ER98xagp8Y5+kW3h199Tw/r7Dlg3veSnY83wU+ajgXyXiD6bHDJt2l+t85gF 7X6IFvdeCNFx6rkeEEzSJsU72Kc6S9Fl5VAZfAE5/OevpTDpryMb3ZM4A1+9tuT9Ptzn MlauTOgHIPWx9l83l8sesWnI8fUx63AkAGxOcortk2xAvh05h41lk1xMpC45nfIAbADv tuXA== X-Forwarded-Encrypted: i=1; AJvYcCUkXPH3bE4C0BeHkWueNQZqdllS7nUKv8ksZ1S6i8364IhU1Tru00B75b7wnbewMG/3ulkzuguBMWSou/g=@vger.kernel.org X-Gm-Message-State: AOJu0YwvpkNqyNFYs8vNn7GvxdU+L5hMbEhuCwEEyynL+kRawEPePbBs z1s0aQtEG3ZXi60EO/MhzoOeNRIqhwyleW549XoBds0D2DmP5DQ+f2j6 X-Gm-Gg: AZuq6aLgRuMvzsNCEs1hlDTG2LlneUq1AIrtQTju0nxNneGxp711i1lNHtM9brJJWwI idMmfKacGPsQ+TnE1HStxjXBJOB8EiVsQX7duVjAQLlmqqZ1xz1u2nUtcfAeODvY5Vze6KxDfPE Ce3z0/x2jxbz7GglutSegpZPmyttVIjrhOkOzUUjZebMAM+H26bNm1YWOwtKiN0Uz2OKG0ihmKn qsrbK+LWj53IMj80Y5x36kamoLp/ijTq7ygHAjPHSYOYL/0xS/3HtnbqgefVDPIrql4kijq/D4q 2Q0k8BbeZ6n23mvYAqKZQFRvEIs8wregX5gPavZBXAy6UR3CVOKykofMvEfh2+TjAKNP10TcMOK jOltm20Aqd61GhphfYMe0PGQLdZoo5/Wp8VOJ9Lqxx2pkCXAH8CzmJzWbf9CpwtxSulsumlFBkF q/fWDHQP+TOzqy3I6I6eZMD4T6soE3BY/iWR3lKJfZlh0eSgpJb3sYxfyvOJQs X-Received: by 2002:a05:7022:24a9:b0:122:345:a944 with SMTP id a92af1059eb24-124a00f4ecdmr3632733c88.29.1769674733341; Thu, 29 Jan 2026 00:18:53 -0800 (PST) Received: from zcache.home.zacbowling.com ([2001:5a8:60d:bc9:f31e:1cb:296a:cc2a]) by smtp.gmail.com with ESMTPSA id a92af1059eb24-124a9efb4casm5483508c88.16.2026.01.29.00.18.52 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 29 Jan 2026 00:18:52 -0800 (PST) Sender: Zac Bowling From: Zac To: nbd@nbd.name Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org, linux@frame.work, lorenzo@kernel.org, ryder.lee@mediatek.com, sean.wang@kernel.org, sean.wang@mediatek.com, zac@zacbowling.com, zbowling@gmail.com Subject: [PATCH v7 5/6] wifi: mt76: mt7925: add lockdep assertions for mutex verification Date: Thu, 29 Jan 2026 00:18:38 -0800 Message-ID: <20260129081839.179709-6-zac@zacbowling.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260129081839.179709-1-zac@zacbowling.com> References: <20260129081839.179709-1-zac@zacbowling.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Add lockdep_assert_held() calls to critical MCU functions to help catch mutex violations during development and debugging. This follows the pattern used in other mt76 drivers (mt7996, mt7915, mt7615). Functions with new assertions: - mt7925_mcu_add_bss_info(): Core BSS configuration MCU command - mt7925_mcu_sta_update(): Station record update MCU command - mt7925_mcu_uni_bss_ps(): Power save state MCU command These functions modify firmware state and must be called with the device mutex held to prevent race conditions. The lockdep assertions will trigger warnings at runtime if code paths exist that call these functions without proper mutex protection. Also fixes a potential NULL pointer issue in mt7925_mcu_sta_update() by initializing mlink to NULL and checking it before use. Signed-off-by: Zac Bowling --- drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c b/drivers/net/= wireless/mediatek/mt76/mt7925/mcu.c index 1379bf6a26b5..2ed4af282120 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c @@ -1532,6 +1532,8 @@ int mt7925_mcu_uni_bss_ps(struct mt792x_dev *dev, }, }; =20 + lockdep_assert_held(&dev->mt76.mutex); + if (link_conf->vif->type !=3D NL80211_IFTYPE_STATION) return -EOPNOTSUPP; =20 @@ -2032,13 +2034,15 @@ int mt7925_mcu_sta_update(struct mt792x_dev *dev, .rcpi =3D to_rcpi(rssi), }; struct mt792x_sta *msta; - struct mt792x_link_sta *mlink; + struct mt792x_link_sta *mlink =3D NULL; + + lockdep_assert_held(&dev->mt76.mutex); =20 if (link_sta) { msta =3D (struct mt792x_sta *)link_sta->sta->drv_priv; mlink =3D mt792x_sta_to_link(msta, link_sta->link_id); } - info.wcid =3D link_sta ? &mlink->wcid : &mvif->sta.deflink.wcid; + info.wcid =3D (link_sta && mlink) ? &mlink->wcid : &mvif->sta.deflink.wci= d; info.newly =3D state !=3D MT76_STA_INFO_STATE_ASSOC; =20 return mt7925_mcu_sta_cmd(&dev->mphy, &info); @@ -2840,6 +2844,8 @@ int mt7925_mcu_add_bss_info(struct mt792x_phy *phy, struct mt792x_link_sta *mlink_bc; struct sk_buff *skb; =20 + lockdep_assert_held(&dev->mt76.mutex); + skb =3D __mt7925_mcu_alloc_bss_req(&dev->mt76, &mconf->mt76, MT7925_BSS_UPDATE_MAX_SIZE); if (IS_ERR(skb)) --=20 2.52.0 From nobody Sun Feb 8 15:07:38 2026 Received: from mail-dy1-f173.google.com (mail-dy1-f173.google.com [74.125.82.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 620C1372B3D for ; Thu, 29 Jan 2026 08:18:56 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=74.125.82.173 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1769674737; cv=none; b=p1sjf+Jo25j9ZWjsUacnUbK333zXOPM6YIlwIdSC+mKq8hB2ct4Jgn+GM2EvWQCLZ9XF96MzAAIsr0WbHmcu7fWy+JscV5nI6upCnf8asVG5sFNmUhuxquFmFysc6ttsndCHk+qGKPE2LAx5wKWVrQMV22kqFU25uLCl5yjT5fQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1769674737; c=relaxed/simple; bh=yQMWxOQ7To8SqJpkDZDwLnRGe4qHkGxdoilEnftC3Po=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=HUCn9OGYsYJMYcMhkPJxrPLguGGP+DM8qWE22BTQ3KeNSBXsaC4+N8kRYKwsvXGed5TpH0NTZwbt0sSPNLUjIAQzZlz4XpB7l862kkycE2rzcQ3uCuvktHxX1hMJOjz9b8dIZ1F3E6Oi1HXeje4aYyQFjaWrHpIaPFtbWIv8zw4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=zacbowling.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=lZGEqU+E; arc=none smtp.client-ip=74.125.82.173 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=zacbowling.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="lZGEqU+E" Received: by mail-dy1-f173.google.com with SMTP id 5a478bee46e88-2b6fd5bec41so1509487eec.1 for ; Thu, 29 Jan 2026 00:18:56 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1769674735; x=1770279535; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:sender:from:to:cc:subject:date :message-id:reply-to; bh=q14ebJgYOBwi4oXp2H6aUXb34czVGi/YpKLXXPgCXl0=; b=lZGEqU+EpMijB5ztHUWucWTfWblCOHKDx1XR8U951t9p78rPD/AzH9qUJ2WuHcdFF/ 5KVdCxH1nIWXINXGh2KoJuqXSqLyu/hokYWD3kilCtA7KvNEoo61ALn4iqe1HfBstsH/ F9J7nB3c1ZzblWIb9EAooLDggLJUD71nUSgR41JJ82QASLbsDkpi76ymRq1jq2zCpct/ iIYVo6cNRpvfCSdXP940wQwnS85pViMgOvZSKt/mUCZ/0DGDwPzGUs05521UOMY5X2Cp 3NbykRSUxe4SA5GcIPwVJBzvDO3flx+So7iEDBuyMVBR9PgygQMiRjxt3yQbwIlGjUCI xO/Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1769674735; x=1770279535; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:sender:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=q14ebJgYOBwi4oXp2H6aUXb34czVGi/YpKLXXPgCXl0=; b=vq2DMYOsiNl8Xoj8E3zMtdgbSO41/Xfu1TOH0kLopRZofm7ftgKklhoKqivvc7oOfe 5itbhBRQQhRb4eK6loxg/3pra+iOLUNem67xr46zkJAtsBQwIfL8MFGaSLNkHYpDUmdL k1XdEHvK0DjojeyottE/pM613xlKt2hjPWXGRkwk6JHP5CgHCDC/gnLANDuxPanEviRQ maNFod0Q+cgKWPekMsnBrgNr93i0md2rFzyyHqj4LBiIu0ky+DktnSx2qSjvPtGfwAZQ RCxp9fK8wHeD6l6cAd2wJn2H4eVeXr0Kbzl+VEfn7GyFB9y3m4wel4Rc73djgbbL40CD QRog== X-Forwarded-Encrypted: i=1; AJvYcCWPHOgzaFtxf2dP71tw4jx+jk3M+VVqHKplLScrgHvPF+UPd3KJdX27Di8aWxwOazbrbd2aJEk4jPznkrU=@vger.kernel.org X-Gm-Message-State: AOJu0YxZxfStZHRTuZw/al1eMpxBFGnbSbgnph5L1ygpGoDfY0pTShU+ sP3LXXGZ2+T7y0sn2qsiHMBS/AuRsyLwnubDTu/mD3yTD7jCojh5Wh1A X-Gm-Gg: AZuq6aL0rkPsfMT9LpWK/BgoENlO2GBWfp/4dT8Rcl3WFYLCowduBvli+6iAXD4kUOG Yvb/0tNVCSw/JMP7sXtcyYG1UjFPxzrAguCByxwPIak2r5o3Pxcnt0pJaE9zzFV1GOQXwMy8t16 QDl5BlIcVFUIVjqXfAl3FWds5u7U4KdoGvWOxsK/+D9/zaRd/5vDaEVOSYpd+pFeTl+maZXOwWp Faea4z5lqLPu9LnOV/bfPEwr6U5j3VseDg5WoFjKvPpXdZo6CCjZfgoPyQbECGhfAIND8vK1O63 oJ3hBPCYKW6q8vH8UF4pHS+EHm9ON2ZtoYG0Y5LptQqrSvwBLGpB9vrsrm4cECRJ3fDARukH5h6 RjwgM5CQNsY4LpRDU91TqlUiXWBITqasQeyPS/PbDgNyWq+wWStj6lzgpEKJy5E6HlqWowZJ4LE jOmpICvn+xtFuBye035FcCFBXO6S86JKWJccW4OoOoM9zp0m1htmMbnBQsQPx5 X-Received: by 2002:a05:7300:7307:b0:2b0:5012:734a with SMTP id 5a478bee46e88-2b78d9f0bc0mr4601976eec.34.1769674735088; Thu, 29 Jan 2026 00:18:55 -0800 (PST) Received: from zcache.home.zacbowling.com ([2001:5a8:60d:bc9:f31e:1cb:296a:cc2a]) by smtp.gmail.com with ESMTPSA id a92af1059eb24-124a9efb4casm5483508c88.16.2026.01.29.00.18.53 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 29 Jan 2026 00:18:54 -0800 (PST) Sender: Zac Bowling From: Zac To: nbd@nbd.name Cc: deren.wu@mediatek.com, kvalo@kernel.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-wireless@vger.kernel.org, linux@frame.work, lorenzo@kernel.org, ryder.lee@mediatek.com, sean.wang@kernel.org, sean.wang@mediatek.com, zac@zacbowling.com, zbowling@gmail.com Subject: [PATCH v7 6/6] wifi: mt76: mt7925: fix MLO ROC setup error handling Date: Thu, 29 Jan 2026 00:18:39 -0800 Message-ID: <20260129081839.179709-7-zac@zacbowling.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260129081839.179709-1-zac@zacbowling.com> References: <20260129081839.179709-1-zac@zacbowling.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Replace noisy WARN_ON_ONCE checks with silent returns in mt7925_mcu_set_mlo_roc(). During MLO setup, links may not be fully configured when ROC is requested. The WARN_ON_ONCE statements were triggering unnecessary kernel warnings during normal operation. Changes: - Replace WARN_ON_ONCE(!link_conf) with silent if (!link_conf) - Replace WARN_ON_ONCE(!links[i].chan) with silent check - Add explicit mconf NULL check before use - Use -ENOLINK error code to indicate link not ready - Replace continue with return to fail fast on invalid links The -ENOLINK error code properly indicates that the link is not yet ready for ROC, allowing upper layers to retry later without generating spurious kernel warnings. Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt= 7925 device") Signed-off-by: Zac Bowling --- .../net/wireless/mediatek/mt76/mt7925/mcu.c | 20 +++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c b/drivers/net/= wireless/mediatek/mt76/mt7925/mcu.c index 2ed4af282120..5ca2106b1ce0 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c @@ -1341,15 +1341,23 @@ int mt7925_mcu_set_mlo_roc(struct mt792x_phy *phy, = struct mt792x_bss_conf *mconf for (i =3D 0; i < ARRAY_SIZE(links); i++) { links[i].id =3D i ? __ffs(~BIT(mconf->link_id) & sel_links) : mconf->link_id; + link_conf =3D mt792x_vif_to_bss_conf(vif, links[i].id); - if (WARN_ON_ONCE(!link_conf)) - return -EPERM; + if (!link_conf) + return -ENOLINK; =20 links[i].chan =3D link_conf->chanreq.oper.chan; - if (WARN_ON_ONCE(!links[i].chan)) - return -EPERM; + if (!links[i].chan) + /* Channel not configured yet - this can happen during + * MLO AP setup when links are being added sequentially. + * Return -ENOLINK to indicate link not ready. + */ + return -ENOLINK; =20 links[i].mconf =3D mt792x_vif_to_link(mvif, links[i].id); + if (!links[i].mconf) + return -ENOLINK; + links[i].tag =3D links[i].id =3D=3D mconf->link_id ? UNI_ROC_ACQUIRE : UNI_ROC_SUB_LINK; =20 @@ -1364,8 +1372,8 @@ int mt7925_mcu_set_mlo_roc(struct mt792x_phy *phy, st= ruct mt792x_bss_conf *mconf type =3D MT7925_ROC_REQ_JOIN; =20 for (i =3D 0; i < ARRAY_SIZE(links) && i < hweight16(vif->active_links); = i++) { - if (WARN_ON_ONCE(!links[i].mconf || !links[i].chan)) - continue; + if (!links[i].mconf || !links[i].chan) + return -ENOLINK; =20 chan =3D links[i].chan; center_ch =3D ieee80211_frequency_to_channel(chan->center_freq); --=20 2.52.0