From nobody Tue Feb 10 22:17:43 2026 Received: from mx0b-0031df01.pphosted.com (mx0b-0031df01.pphosted.com [205.220.180.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 127692D876F for ; Tue, 10 Feb 2026 03:07:51 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=205.220.180.131 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1770692873; cv=none; b=rpqrebLPXkVbU2EkIeZ16XXBRGV7Ww16nEAU8KJMS7MszGT/kYifWDcq+vLxnphYOa+t7Gu28MktVR605NxodUXoS/o9pxj2EtIg3ySg+60GRUSN/J+kal2IjkyphcjSM9yUOh7dA9fc3YkC8kUDRLugWHjE+plT5941w9E7UZk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1770692873; c=relaxed/simple; bh=mx/ZMY1qwnveDYFCMTbdwj1wQ9/r/kOCs5MsMKnH77k=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:To:Cc; b=pc+g+eIUa5lvwHggn3k1G9ohZoJAeRPomnb2nvTiMAXkoHPM0nEZxX/++cH5N70gTmRnisvjL7oGtLneoi0EXawe3UXIS+C6gNS65HLBAWMi6fqvOz8BFTw57M4Rgv5LkHY46PlF8DhViwdFSpNQtOwJ2lZ0kB9wZCgEdbfYV8U= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=oss.qualcomm.com; spf=pass smtp.mailfrom=oss.qualcomm.com; dkim=pass (2048-bit key) header.d=qualcomm.com header.i=@qualcomm.com header.b=ojQTTvcU; dkim=pass (2048-bit key) header.d=oss.qualcomm.com header.i=@oss.qualcomm.com header.b=f9FVZisZ; arc=none smtp.client-ip=205.220.180.131 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=oss.qualcomm.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=oss.qualcomm.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=qualcomm.com header.i=@qualcomm.com header.b="ojQTTvcU"; dkim=pass (2048-bit key) header.d=oss.qualcomm.com header.i=@oss.qualcomm.com header.b="f9FVZisZ" Received: from pps.filterd (m0279868.ppops.net [127.0.0.1]) by mx0a-0031df01.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id 619GVXsc4102259 for ; Tue, 10 Feb 2026 03:07:51 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=qualcomm.com; h= cc:content-transfer-encoding:content-type:date:from:message-id :mime-version:subject:to; s=qcppdkim1; bh=ExK72ja4yh8yu/tb5MMW3I lYKu3JA+KhCd2SUHccSVA=; b=ojQTTvcUeSzQRAsgLEo5wauOkglUIdH/tPftqe as70mtAp7wMEKbYDZ50JEpcjacbGtvX4w2ayZTMWd3Mfhb4lW5bIiXbJKHL1GLh7 CR4Qd1KpwI/+Rjh1gYmNHoUym9hoyo37088WsO1JpcVL5+7dcI5NBmTBW2wlgAz8 i9qAwZeabCKsBQFTE4ZpstC/pAOQJ6iPD1kTzPLb2DV4r9h6d/l6LFkscGne3HdJ j/gG80qWg2hfqUa7fs9eHykUb3RuyrIN9mklnc7PMr/AqEb4ePlOj1HOCZUN2m1c 3hQdBLTw2NVxuy99EDmN5n93Pob+LmqnpyVkNVbvbsrZ5VAw== Received: from mail-pj1-f70.google.com (mail-pj1-f70.google.com [209.85.216.70]) by mx0a-0031df01.pphosted.com (PPS) with ESMTPS id 4c7k61hv2h-1 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NOT) for ; Tue, 10 Feb 2026 03:07:50 +0000 (GMT) Received: by mail-pj1-f70.google.com with SMTP id 98e67ed59e1d1-3545cc84ab1so12880864a91.0 for ; Mon, 09 Feb 2026 19:07:50 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oss.qualcomm.com; s=google; t=1770692869; x=1771297669; darn=vger.kernel.org; h=cc:to:message-id:content-transfer-encoding:mime-version:subject :date:from:from:to:cc:subject:date:message-id:reply-to; bh=ExK72ja4yh8yu/tb5MMW3IlYKu3JA+KhCd2SUHccSVA=; b=f9FVZisZ2irUk5mFLpmrvUCQfa5CWgu1E+O5+MiaKzICUvXtK1cCkdEFQ0eEavPeLC 8hlTTmQGbOgVlL3ocEDp31Td1p+aKkID1DfAWrR4W+qmhKLzo5hKUtEQdGdhy6nq2nEg Wn5N+/VvI7GHJZej7H6bNgJa5mYSjLbuh5DzRkEdTf6C6AdeR8oirkpqZEt7MekoJOQP 1fjdQrDMyaIjcZROpxlD/TDnoKchxKr/tZ+J5NvLKrbXOSFdic4oM1zXY2Ny6XixU21j 4rgm3byvU8CAG0zfoYMSFmn7XMXINb7pMjM5EHN89zhBWVF0r7EaxwcIjK5hAAa/A8gx VgYg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1770692869; x=1771297669; h=cc:to:message-id:content-transfer-encoding:mime-version:subject :date:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=ExK72ja4yh8yu/tb5MMW3IlYKu3JA+KhCd2SUHccSVA=; b=ftfu+LdkGMwzBclTxaM7fU9a7MbB8Ey9az6G/ZbayRN1PhoCHp2Bxre5I9MXCOl6XA DFbtMGubptX1Si75xv0bZwGqAQ8qJ3wwbZz7RIwPQUygG/kWoWXblhmiutHjNtp4/zXW Bxn3UsjnU0CuriWVNVO6UMyCbU1GpAoLRkhiy6f+mDhtMhYAJKm1oYrxdzm3LVO1Yxb3 bi/LdGxp2V+zUzPCKtWr6KsCxQKgYemwwlF3Lp2rr7NoPlDIQPpErytmQk3OkRXUlZDC Gog/KWE2V82TVBHCMPwDF3YljwoCMSlV8c+/9XIfV6zshEzz3EvzXAaPoO3z9kExIiTz EDHA== X-Forwarded-Encrypted: i=1; AJvYcCW4gUU0x4f79yGV6C+XCT0KVbkGRgoi2150BoB4xEmrA9shXZVb0dA2fIBJdGP7q6NPWAQyF1Bl2XFC9Yg=@vger.kernel.org X-Gm-Message-State: AOJu0Yx2qtHfV30a//KoVJY3uEJfavjpWywZtIyhsEafTZibN99gw+aF 2B1nl5c2DrFqgtRs6dRKEdjxH1XYX0NYzu2IglO4akzrhISMPjf9ss6qAvX230Y4VNAdxttnSib 1XkjprbeZeqbndls+/xEqs+NGQJQdS/m3rPw2PZD6K+R0J70yoohxTfIc1iX5NSWRlORTpK9n10 g= X-Gm-Gg: AZuq6aIWpz4KGpX/qmZLkWnysyLm4CiZLccvHbBjD2ja8nA3k8j4U9ZXQDiJ2dXkbIG 2Uj3/OoaTuUnLPRyVZDKXGkvNtg86pR7lg65ZXV0o/2nOY+FydW9zsUbE/wrM/Bs1gi6QRfQLrO DITo/Dh0qGJD0wR+aAUhlAN9tsDCk4x7Lw9vuONjJGaGLV51oZ78A9pD8ei0GThbpn0GJdSifjf n26fGCjabGaJAh2gSGBSk1FHfvTuwYA1T3WcfNLVA5S90lSg2vsMRC2pIbfHndgEimUC0BJcuvQ zt1gjzioU2KOyY/ZjVeB5/wdVpbh7UytRq/ptJjjt+G5jPlbqidhg0h6OJdAXvB/jhDQWpCaHI5 PCvomad+NU7QCpGHXIEnIKTt3FA7hugGhnDXSi6sB3Aq5tmbh8lJhpFCSxxRXOwoiKllu4grTHP w= X-Received: by 2002:a17:90b:4e90:b0:356:2c7b:c026 with SMTP id 98e67ed59e1d1-35667d522c9mr652713a91.23.1770692869368; Mon, 09 Feb 2026 19:07:49 -0800 (PST) X-Received: by 2002:a17:90b:4e90:b0:356:2c7b:c026 with SMTP id 98e67ed59e1d1-35667d522c9mr652695a91.23.1770692868950; Mon, 09 Feb 2026 19:07:48 -0800 (PST) Received: from [127.0.1.1] (tpe-colo-wan-fw-bordernet.qualcomm.com. [103.229.16.4]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-354b30f899csm5180790a91.3.2026.02.09.19.07.47 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 09 Feb 2026 19:07:48 -0800 (PST) From: Baochen Qiang Date: Tue, 10 Feb 2026 11:07:31 +0800 Subject: [PATCH ath-current] wifi: ath12k: prepare REO update element only for primary link Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260210-ath12k-rxtid-double-free-v1-1-8b523fb2886d@oss.qualcomm.com> X-B4-Tracking: v=1; b=H4sIAPKgimkC/4WNTQ6CMBCFr0Jm7ZBOkaa68h6GBbSDNCLVthAM4 e42XMDNS768vw0iB8cRrsUGgRcXnZ8y0KkAM7TTg9HZzCCFVIKkxjYNJJ8Y1uQsWj93I2MfmFH qCwnRdTWpCnL9Hbh36zF9h9xCM4fAU4Imm4OLyYfvcbvQEfn/sBASaqOsrelc9VrdfIzlZ25H4 1+vMgs0+77/ACqBclfUAAAA X-Change-ID: 20260128-ath12k-rxtid-double-free-289100bb5163 To: Jeff Johnson Cc: linux-wireless@vger.kernel.org, ath12k@lists.infradead.org, linux-kernel@vger.kernel.org, Baochen Qiang X-Mailer: b4 0.14.3 X-Authority-Analysis: v=2.4 cv=M8lA6iws c=1 sm=1 tr=0 ts=698aa106 cx=c_pps a=0uOsjrqzRL749jD1oC5vDA==:117 a=nuhDOHQX5FNHPW3J6Bj6AA==:17 a=IkcTkHD0fZMA:10 a=HzLeVaNsDn8A:10 a=s4-Qcg_JpJYA:10 a=VkNPw1HP01LnGYTKEx00:22 a=Mpw57Om8IfrbqaoTuvik:22 a=GgsMoib0sEa3-_RKJdDe:22 a=VwQbUJbxAAAA:8 a=EUspDBNiAAAA:8 a=Z60ED8iFgELaZGRuqMgA:9 a=QEXdDO2ut3YA:10 a=mQ_c8vxmzFEMiUWkPHU9:22 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjYwMjEwMDAyNCBTYWx0ZWRfX3J6RrjLhmuue +1ZHRPA9Jd0cC6hYXy92RsM+KHoFf9nJ4NOS2pcvjIx/+UF6JJOkEPIJtDW0pNWyZdYUuetd6yH d7I735LrjXFQbouytg6QL+9HYQwcJBOWLUBEbnibcGaIqYMqkCo/oZNJdZ+REJVcJjv03C4Yc1h 7zVSwXM0pUDPpl+4O+ihWN7sZrNL6XZQnUMmOhS0JIfWbjG7gwFi0iEBjLzOIHnQlODSX8lATBY d/9dcjMTlBqjEQvrjTcxeM0Dh/MPOmG8pHENH5435tlyTXGdxt2WKhHdwCZkEQqF3qp8dLRG83+ RAP3XpLkB26aqu4ju72c76/cT4WIHwdqUvxT8TWI2mP1u53Q0PDsJMG1rJEgXG6jiAKU7TYJI9W ozCg9mydclt30YOdyjIvq7eoUcubyMfajnxW2tRaoZmZxwsub95rrUoZtt59Xoyx+nmNE5U45uk fOjvF74WhThrrx04TLA== X-Proofpoint-GUID: amfamcJj5AD1mWv9eVYy-90wnYeuDaFZ X-Proofpoint-ORIG-GUID: amfamcJj5AD1mWv9eVYy-90wnYeuDaFZ X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1121,Hydra:6.1.51,FMLib:17.12.100.49 definitions=2026-02-09_01,2026-02-09_04,2025-10-01_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 lowpriorityscore=0 malwarescore=0 suspectscore=0 spamscore=0 bulkscore=0 adultscore=0 clxscore=1015 impostorscore=0 priorityscore=1501 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.22.0-2601150000 definitions=main-2602100024 Commit [1] introduces dp->reo_cmd_update_rx_queue_list for the purpose of tracking all pending REO queue flush commands. The helper ath12k_dp_prepare_reo_update_elem() allocates an element and populates it with REO queue information, then add it to the list. The element would be helpful during clean up stage to finally unmap/free the corresponding REO queue buffer. In MLO scenarios with more than one links, for non dp_primary_link_only chips like WCN7850, that helper is called for each link peer. This results in multiple elements added to the list but all of them pointing to the same REO queue buffer. Consequently the same buffer gets unmap/freed multiple times: BUG kmalloc-2k (Tainted: G B W O ): Object already free ---------------------------------------------------------------------------= -- Allocated in ath12k_wifi7_dp_rx_assign_reoq+0xce/0x280 [ath12k_wifi7] age= =3D7436 cpu=3D10 pid=3D16130 __kmalloc_noprof ath12k_wifi7_dp_rx_assign_reoq ath12k_dp_rx_peer_tid_setup ath12k_dp_peer_setup ath12k_mac_station_add ath12k_mac_op_sta_state [...] Freed in ath12k_dp_rx_tid_cleanup.part.0+0x25/0x40 [ath12k] age=3D1 cpu=3D2= 7 pid=3D16137 kfree ath12k_dp_rx_tid_cleanup.part.0 ath12k_dp_rx_reo_cmd_list_cleanup ath12k_dp_cmn_device_deinit ath12k_core_stop ath12k_core_hw_group_cleanup ath12k_pci_remove Fix this by allowing list addition for primary link only. Note dp_primary_link_only chips like QCN9274 are not affected by this change, because that's what they were doing in the first place. Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00302-QCAHMTSWPL_V1.0_V2.0_SIL= ICONZ-1.115823.3 Fixes: 3bf2e57e7d6c ("wifi: ath12k: Add Retry Mechanism for REO RX Queue Up= date Failures") # [1] Closes: https://bugzilla.kernel.org/show_bug.cgi?id=3D221011 Signed-off-by: Baochen Qiang --- drivers/net/wireless/ath/ath12k/dp_rx.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/net/wireless/ath/ath12k/dp_rx.c b/drivers/net/wireless= /ath/ath12k/dp_rx.c index a32ee9f8061a..6995de7761df 100644 --- a/drivers/net/wireless/ath/ath12k/dp_rx.c +++ b/drivers/net/wireless/ath/ath12k/dp_rx.c @@ -565,6 +565,9 @@ static int ath12k_dp_prepare_reo_update_elem(struct ath= 12k_dp *dp, =20 lockdep_assert_held(&dp->dp_lock); =20 + if (!peer->primary_link) + return 0; + elem =3D kzalloc(sizeof(*elem), GFP_ATOMIC); if (!elem) return -ENOMEM; --- base-commit: d9a2be2d72d4f9035f0334e0ff49180fe9df6e52 change-id: 20260128-ath12k-rxtid-double-free-289100bb5163 Best regards, --=20 Baochen Qiang