From nobody Tue May 26 04:50:40 2026
Received: from mx0a-0031df01.pphosted.com (mx0a-0031df01.pphosted.com
 [205.220.168.131])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4312E2C21F2
	for <linux-kernel@vger.kernel.org>; Tue, 12 May 2026 04:49:23 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=205.220.168.131
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1778561364; cv=none;
 b=mheWyRvRtPFJF12yghW430NennvGhroagTkNwZfMRL9K0DGQFxm1a4oaELxDKcAyZ8jiB16NnHUQTX61IA8QnbdjJrMETpe+tDylsYmUV5V0HGTJSm635twU4CfMaRCkUxuHaBU6pCKrB+V13d7H9ic9sw3ez+ur9EW2Ni+5Xp0=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1778561364; c=relaxed/simple;
	bh=WJFStmZXXBBcgKpckYOAjG0JfXh8GMy3h8ik9SZbkxI=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=lTTZHjE296WuVAMJIqeIuqFceSeHQir+Z7GMVMjjn6KSzXt7eLjTXu+VOP6HwFM5CaJHzeX79CzsFTSqjvQkOMwBdMZTWoMhSY/lf/RD4BgtUCoANw/bZkCPHwlGo1ReP/N3NHvRMTVWe0LeKeS2bg+rhh5uXYV9hTXhCrlvE/A=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=oss.qualcomm.com;
 spf=pass smtp.mailfrom=oss.qualcomm.com;
 dkim=pass (2048-bit key) header.d=qualcomm.com header.i=@qualcomm.com
 header.b=kBuMXMVB;
 dkim=pass (2048-bit key) header.d=oss.qualcomm.com header.i=@oss.qualcomm.com
 header.b=iwuR8hp3; arc=none smtp.client-ip=205.220.168.131
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=oss.qualcomm.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=oss.qualcomm.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=qualcomm.com header.i=@qualcomm.com
 header.b="kBuMXMVB";
	dkim=pass (2048-bit key) header.d=oss.qualcomm.com header.i=@oss.qualcomm.com
 header.b="iwuR8hp3"
Received: from pps.filterd (m0279864.ppops.net [127.0.0.1])
	by mx0a-0031df01.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id
 64BK6bdp2573819
	for <linux-kernel@vger.kernel.org>; Tue, 12 May 2026 04:49:22 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=qualcomm.com; h=
	cc:content-transfer-encoding:date:from:in-reply-to:message-id
	:mime-version:references:subject:to; s=qcppdkim1; bh=M7qw0Fy03F3
	odGqvlO/Dqk6ieb60Odj4xpF8aLqR5+0=; b=kBuMXMVBg/+vmLwQtJn5hmxkEYx
	q2qiSB0K9hjYjPoOH3vUgjsIfJfiiVTdLdKp/qGwznIkScW2LJgI1YHe4tCeZUGF
	l5xe+t7Dmpm7nSMB3plt8Rpw39ZXxCXfdrOdXV2UHDwX1zhk/jtriCGQ8aw8lQA+
	nXse2lTEu6Z6Rpukt9mUsSpUXvg/jyV4w6OEMzDaMKd4abnHcsFtXYk/JisLWfbh
	21BiAe5Mu9dTDhFpKm5QadMPscVWBqMfN3vM+oF9PXw6il6MO9WLTRz9kUD5TNrn
	l2gUUgajJ/2bYbgVGVwQt7bi7/wba7eQeok1MV8VyDwzLSE77/I6sr3FDbQ==
Received: from mail-dy1-f197.google.com (mail-dy1-f197.google.com
 [74.125.82.197])
	by mx0a-0031df01.pphosted.com (PPS) with ESMTPS id 4e3nv29g9d-1
	(version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NOT)
	for <linux-kernel@vger.kernel.org>; Tue, 12 May 2026 04:49:22 +0000 (GMT)
Received: by mail-dy1-f197.google.com with SMTP id
 5a478bee46e88-2f3ec2e8d07so7895368eec.1
        for <linux-kernel@vger.kernel.org>;
 Mon, 11 May 2026 21:49:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=oss.qualcomm.com; s=google; t=1778561361; x=1779166161;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=M7qw0Fy03F3odGqvlO/Dqk6ieb60Odj4xpF8aLqR5+0=;
        b=iwuR8hp3suVWRny92xPVeFqYdD8/nNfy87kf34enR/qee7Z8MQcrHRaHdnQRkAgoob
         wsKABZXmBG4AHoddEs4333pUC50yGZuz+IT1HYM1vK6oRssts5AVvn/R8/5PRaQS8Rcg
         xrHNbgvHyXk/WSv8Hbthk8PpvekO++AI/oPhFp0NOIoEnkpKt72nFjMebVk0X5wJYXyN
         wGOvuFbFyDVI7ibScEqNPLcVscInOsiPT9K+APG+rAFYrn5z4ERN4sTGCZyF6OtwDUXr
         ejVL4iAMlyRw9dr9bwRaSNCi4h73/d20JGEghE9STiaMB8dEsOOXZucxUrKyl1tu7Afh
         uF2A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1778561361; x=1779166161;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from
         :to:cc:subject:date:message-id:reply-to;
        bh=M7qw0Fy03F3odGqvlO/Dqk6ieb60Odj4xpF8aLqR5+0=;
        b=hkqppH2CSNDq2K30WMZ8YjO0AEFwn3OlBF40LCGxfhEG4gVi23i+h3FsYjkuYarJLe
         gCHoGWM9VcTpeYF1z4s1S45FeQSdwQb4QAqrC7YgHTrycyxnYgvarVqBk6MvnxgmatRJ
         PeiVPdj6IMlJqCJb+jsu2KbUTtaKM/H6kqEaE2Rggs19ThjWJnyrzPytppeOhFKGieJ8
         8K6kyS4k5K/MWx+Y6BBVxmviWnL3AZ9b6O+mf8HsujkM19h9lcYC5cu9EOjy+nJTigof
         81eqZXZh/0VbEGD82rPvwsVEbgQv9051N4b+47dm+qnL2iZWXzfyYabTrHu7/dDvrKGu
         MVaQ==
X-Forwarded-Encrypted: i=1;
 AFNElJ/buhF0gwXwi8X6xSvOxBV+QWpSVPk4sQzJMkdit7AkKEPlq3r9nDV1ma4dJpVk+WhUaNRg8FpzZ9QCKZA=@vger.kernel.org
X-Gm-Message-State: AOJu0YwNVwXcPt2I2pggf1DWoseJ15lZP9JjUpS57U8B2IQCwbHRVphc
	WZGZ41JjRHmpEP5SdQe+0A3FJbTZ33D5vK2NU7HW+/jgK9LQslc8KtXfI6FuMGZdGQvqBnGpHCG
	DX1biktNqrR6LdzR2dMXqRyOwmhSctyZw9qbEspxGiqM+S+KRh+W902vAG2EXaN/1F2E=
X-Gm-Gg: Acq92OH9tMQgp59mYYwi7KQiVsmUfIZ7KPun7f1bENSayo5mc0KrhmCTkaA+E0JRd+9
	6xhkU8EUTnpQ7qOn3fD1E62DFyEtFCYbAhx8U5NGpC9Y+qBGEtqtiY7FX+ayx3v03QbI7wluFSS
	lIQRHVwrdMWBnCMgUNOwxICnqxpQvtAdZ9sYY8Nz691ODCEQWhnt9JTxQ08rTpqWo3zn04LhYHq
	KvaU+rNjwpAViIKjTIldGZnCBxjSlvnC6kw2/DjyK744PWW0B0NW+FjfH5L8PhOCSYaPLtcYJNR
	seAvROGpO0xR7nhATYbM7h88hs/k4bkIk5tf57+qfhumMYrQfIhKx+A5xyX0/+aIiM2WnHSIso5
	P0xSNVAVWzMlh10axUrHwhTaqjDeO4NrFJziR36Q3RHTL6AzagjXU0nd/BzfZ5layyvF3SgXNuU
	1ZtA==
X-Received: by 2002:a05:7300:478e:b0:2dd:405f:89b3 with SMTP id
 5a478bee46e88-2f858348089mr9746719eec.0.1778561361134;
        Mon, 11 May 2026 21:49:21 -0700 (PDT)
X-Received: by 2002:a05:7300:478e:b0:2dd:405f:89b3 with SMTP id
 5a478bee46e88-2f858348089mr9746703eec.0.1778561360548;
        Mon, 11 May 2026 21:49:20 -0700 (PDT)
Received: from san-w175-na3-01.qualcomm.com (i-global254.qualcomm.com.
 [199.106.103.254])
        by smtp.gmail.com with ESMTPSA id
 5a478bee46e88-2f8862d43b4sm16032926eec.11.2026.05.11.21.49.20
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 11 May 2026 21:49:20 -0700 (PDT)
From: Wei Zhang <wei.zhang@oss.qualcomm.com>
To: jeff.johnson@oss.qualcomm.com
Cc: ath12k@lists.infradead.org, linux-wireless@vger.kernel.org,
        linux-kernel@vger.kernel.org, wei.zhang@oss.qualcomm.com
Subject: [PATCH ath-next 1/2] wifi: ath12k: fix inconsistent arvif state in
 vdev_create error paths
Date: Mon, 11 May 2026 21:49:04 -0700
Message-ID: <20260512044906.1735821-2-wei.zhang@oss.qualcomm.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260512044906.1735821-1-wei.zhang@oss.qualcomm.com>
References: <20260512044906.1735821-1-wei.zhang@oss.qualcomm.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-Authority-Analysis: v=2.4 cv=IsAutr/g c=1 sm=1 tr=0 ts=6a02b152 cx=c_pps
 a=Uww141gWH0fZj/3QKPojxA==:117 a=JYp8KDb2vCoCEuGobkYCKw==:17
 a=NGcC8JguVDcA:10 a=s4-Qcg_JpJYA:10 a=VkNPw1HP01LnGYTKEx00:22
 a=u7WPNUs3qKkmUXheDGA7:22 a=DJpcGTmdVt4CTyJn9g5Z:22 a=EUspDBNiAAAA:8
 a=ZZFM_UldhxCcaClkVvkA:9 a=PxkB5W3o20Ba91AHUih5:22
X-Proofpoint-GUID: cYPjDd1dGrJRU19qusiI8MlNBhQ28zFk
X-Proofpoint-Spam-Details-Enc: AW1haW4tMjYwNTEyMDA0MSBTYWx0ZWRfX6LhuVf/90nDC
 ZyvL0Dd/zOkB4sTXI0F6kos6StasDjGO7XaWlMbD6lOnpLcxayPTAWAh5FGiCOjNgsV5XoCw+Ub
 P0KsHNEcWL74JXKK8tUT45v7kdLGyFxdLN5SjKODUxoLMeYbbmyRahosea6aX+TDRhW//tLDlCX
 oWLs8w11GtKN7fBUaFwFodRYg2kHhQvgQHy1/BcXPbsOpybPLf1BcGuEYgbJp4OIHbEGCnTE7Rh
 fYTZNRWTc8j/+awwg6r3mDXwVEAXo96Rtj2Ge3SZ6PqkOrP6WhRS/9BiA9cUc9HgxdfWpxVAu0E
 mcG6L4f/ShJf2XCrCkxL3fwn8QqgGDA2yPusjVh6VFOzuNvlf8AUQ9g9nJUgxc73mSy81UIdkbK
 isIRXfA2oZqvx9n3UnmTAzzMxr5/n4VglZx01CplyQPmm7oKwNo7jReuzSYlknpCrp4NM8O+ZxV
 rMa7ATYNjv9cEyQV4hA==
X-Proofpoint-ORIG-GUID: cYPjDd1dGrJRU19qusiI8MlNBhQ28zFk
X-Proofpoint-Virus-Version: vendor=baseguard
 engine=ICAP:2.0.293,Aquarius:18.0.1143,Hydra:6.1.51,FMLib:17.12.100.49
 definitions=2026-05-11_05,2026-05-08_02,2025-10-01_01
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0
 lowpriorityscore=0 spamscore=0 bulkscore=0 clxscore=1015 phishscore=0
 malwarescore=0 impostorscore=0 priorityscore=1501 adultscore=0 suspectscore=0
 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0
 reason=mlx scancount=1 engine=8.22.0-2605050000 definitions=main-2605120041
Content-Type: text/plain; charset="utf-8"

ath12k_mac_vdev_create() has three error path issues that leave arvif
in an inconsistent state:

1. When ath12k_wmi_vdev_create() fails, the function returns directly
   without clearing arvif->ar, which was already set before the WMI
   call. Subsequent code checking arvif->ar to determine vdev readiness
   will see a non-NULL value despite no vdev existing in firmware.

2. When ath12k_wmi_send_peer_delete_cmd() fails in err_peer_del, the
   code jumped to err: skipping the DP peer cleanup and vdev rollback,
   leaving num_created_vdevs, vdev maps and arvif list membership live.

3. When ath12k_wait_for_peer_delete_done() fails, the code jumped to
   err_vdev_del: skipping the DP peer cleanup.

Fix by changing the ath12k_wmi_vdev_create() failure to goto err instead
of returning directly, routing both err_peer_del failure paths through
err_dp_peer_del: for proper DP peer and vdev rollback, and consolidating
the arvif state cleanup at err:.

Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00302-QCAHMTSWPL_V1.0_V2.0_SIL=
ICONZ-1.115823.3

Fixes: 477cabfdb776 ("wifi: ath12k: modify link arvif creation and removal =
for MLO")
Signed-off-by: Wei Zhang <wei.zhang@oss.qualcomm.com>
---
 drivers/net/wireless/ath/ath12k/mac.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/drivers/net/wireless/ath/ath12k/mac.c b/drivers/net/wireless/a=
th/ath12k/mac.c
index 2dc7dba53ec8..8f8456509468 100644
--- a/drivers/net/wireless/ath/ath12k/mac.c
+++ b/drivers/net/wireless/ath/ath12k/mac.c
@@ -10290,7 +10290,7 @@ int ath12k_mac_vdev_create(struct ath12k *ar, struc=
t ath12k_link_vif *arvif)
 	if (ret) {
 		ath12k_warn(ab, "failed to create WMI vdev %d: %d\n",
 			    arvif->vdev_id, ret);
-		return ret;
+		goto err;
 	}
=20
 	ar->num_created_vdevs++;
@@ -10437,13 +10437,13 @@ int ath12k_mac_vdev_create(struct ath12k *ar, str=
uct ath12k_link_vif *arvif)
 		if (ret) {
 			ath12k_warn(ar->ab, "failed to delete peer vdev_id %d addr %pM\n",
 				    arvif->vdev_id, arvif->bssid);
-			goto err;
+			goto err_dp_peer_del;
 		}
=20
 		ret =3D ath12k_wait_for_peer_delete_done(ar, arvif->vdev_id,
 						       arvif->bssid);
 		if (ret)
-			goto err_vdev_del;
+			goto err_dp_peer_del;
=20
 		ar->num_peers--;
 	}
@@ -10460,8 +10460,6 @@ int ath12k_mac_vdev_create(struct ath12k *ar, struc=
t ath12k_link_vif *arvif)
=20
 	ath12k_wmi_vdev_delete(ar, arvif->vdev_id);
 	ar->num_created_vdevs--;
-	arvif->is_created =3D false;
-	arvif->ar =3D NULL;
 	ar->allocated_vdev_map &=3D ~(1LL << arvif->vdev_id);
 	ab->free_vdev_map |=3D 1LL << arvif->vdev_id;
 	ab->free_vdev_stats_id_map &=3D ~(1LL << arvif->vdev_stats_id);
@@ -10470,6 +10468,7 @@ int ath12k_mac_vdev_create(struct ath12k *ar, struc=
t ath12k_link_vif *arvif)
 	spin_unlock_bh(&ar->data_lock);
=20
 err:
+	arvif->is_created =3D false;
 	arvif->ar =3D NULL;
 	return ret;
 }
--=20
2.34.1
From nobody Tue May 26 04:50:40 2026
Received: from mx0a-0031df01.pphosted.com (mx0a-0031df01.pphosted.com
 [205.220.168.131])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0E23A3264F2
	for <linux-kernel@vger.kernel.org>; Tue, 12 May 2026 04:49:24 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=205.220.168.131
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1778561366; cv=none;
 b=lRJE7JXgAnI/wGcVBW8gFX0OC6LwDO96JdFcKXKeyCJ5g6uxYHHdIPkXuTEMfIhk5an/W91oNM3HXzSLtYGjsJsjC84sr6ZF7/IrwLKjAtRH5cob/hLpjvewrYVy672jBD+gmI0ruT7ol/RPwG7eTP9MDtlCq1nXGrhdPR3gDuE=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1778561366; c=relaxed/simple;
	bh=eq70pSBDPpv1qxRtghvsdz+5yk0RTCO1a0feY91VYYo=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=n6u3H2ODM3dzBO7b6nWtTG8vC12KMJDIWrK0bUzTUnMGrlNzd1sS4b8BfHq2X2NfYNqOc520qAvY1qhRJG/TQ3RSqkJzDTMB4dINzTmabvga7xeZA7ctuTWIJ60PkQef/7yCGVA+KeDzHO/bvTzIorIFxqnrml//eZTmpO+UUXA=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=oss.qualcomm.com;
 spf=pass smtp.mailfrom=oss.qualcomm.com;
 dkim=pass (2048-bit key) header.d=qualcomm.com header.i=@qualcomm.com
 header.b=mgwPL65a;
 dkim=pass (2048-bit key) header.d=oss.qualcomm.com header.i=@oss.qualcomm.com
 header.b=SMNYq1rg; arc=none smtp.client-ip=205.220.168.131
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=oss.qualcomm.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=oss.qualcomm.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=qualcomm.com header.i=@qualcomm.com
 header.b="mgwPL65a";
	dkim=pass (2048-bit key) header.d=oss.qualcomm.com header.i=@oss.qualcomm.com
 header.b="SMNYq1rg"
Received: from pps.filterd (m0279867.ppops.net [127.0.0.1])
	by mx0a-0031df01.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id
 64BK6U9V2202251
	for <linux-kernel@vger.kernel.org>; Tue, 12 May 2026 04:49:24 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=qualcomm.com; h=
	cc:content-transfer-encoding:date:from:in-reply-to:message-id
	:mime-version:references:subject:to; s=qcppdkim1; bh=9iIPH/EreHB
	hCKOQUYLGHDzjj9qbMcXYyayD8tZa/wA=; b=mgwPL65a8kB4GOJeH5s+SOX4kmK
	PkvU6k2APw2WDBC+HnddZvCFYh/k2voALPpQ8oeNauhsT/vvXwNGzNKOJGCCyCAP
	l5l1G9beh4JgldjrqKJoRZF69Lsew4V0h/EEyfL8sZ3Pl4vq+uhjJl2faE3m3IlE
	ui9HfqImWEHp7skxC42fuLssSM7aqiiDVUdSGBnJcG9/SflsU5hxgrIJrD7WEi+j
	gqKrJt58nX41IWBJ37oGWjDjpVRNg+QYuHuOGUkPle2+RRW8YEKboPDwSN76FktQ
	XK4p0k3uMcIBVqlImk5nwxhxcrr9m3okTU7szIC4VQtQ0cMPMqiZJIXWUbA==
Received: from mail-dy1-f200.google.com (mail-dy1-f200.google.com
 [74.125.82.200])
	by mx0a-0031df01.pphosted.com (PPS) with ESMTPS id 4e3nuyhf74-1
	(version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NOT)
	for <linux-kernel@vger.kernel.org>; Tue, 12 May 2026 04:49:24 +0000 (GMT)
Received: by mail-dy1-f200.google.com with SMTP id
 5a478bee46e88-2c16233ee11so6844731eec.1
        for <linux-kernel@vger.kernel.org>;
 Mon, 11 May 2026 21:49:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=oss.qualcomm.com; s=google; t=1778561363; x=1779166163;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=9iIPH/EreHBhCKOQUYLGHDzjj9qbMcXYyayD8tZa/wA=;
        b=SMNYq1rgZCPNHtuxSp3wKU6RwuJlcP00ptRL6sqEAFGfUO5suh9uUcINUqdr07AbOA
         et04Km0iqDKA6pML3dsjWk+NueSaudiCKaLB3jIPwazqauO108hDVTUQspLC928dNtLu
         89Y8HtMQ9KwcRhDJOnv0ZCnfntBLF6dfIPzV+2mng07OLMKh3AcP2Gx04WU8JwqoEUpg
         RwH+s+a0yrqq+QnZ9mtTvTLjAO1sCejRuw4unLN9vF+agDcRR0g2Z5ZVwkTk/xNBXOjb
         MQ6813vWhnqo59fmw6OT6dBPj+7rlleydsaUqw3j4nSc3eiRpejH/nBeNz4mYonhMrHu
         wVFQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1778561363; x=1779166163;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from
         :to:cc:subject:date:message-id:reply-to;
        bh=9iIPH/EreHBhCKOQUYLGHDzjj9qbMcXYyayD8tZa/wA=;
        b=McTQrktYu2+NoDmpp4grOsE8zyoLcrvOFo3r21vatOj3W5lV2jxCnMBNZ3Yj42Us/B
         q34UH4TZU/k3nVXWNDICbsP/2uylnSefrN6uobttKuQLGJ3eZSCRhdRT8iayIQyjUDW3
         kyGNNx/FsyKe4mA9iytSmKjBO4u70CEeOiiB6puFxMuwlyYUop46RkLdLtxqBvqXNlVE
         r1yida1iBkSyBedlIBytFz//I1gbJR217O3eIwARDUik/oMpcLnGUWJ9Ql1Yv1H3mPxo
         x6v4piSh1OzQd78fx3jgP6mAcd4MWySQSoL+Gf3bscfr1BdCB5lmT01t3HzAFVlU8d9u
         WWwg==
X-Forwarded-Encrypted: i=1;
 AFNElJ8i5tbZ8yiCz6W8Ty1phcfgCW3m2+JN4iRtEd6g/Jvbky4IGnmXfprdUM6KIITuBhN9Ef34/C/dcmABKlk=@vger.kernel.org
X-Gm-Message-State: AOJu0Yyirm9hkHQMHfQ0KioRoYAIvIn2NIsrgqcli0LP7tpmOlNGKAmJ
	G9xa6FaJE+WjFqzs64xFlxkAKYRlhbhb+gERzt6pogPfVEvPqhhqrXmrlX4bvlXeb3J4rn917A2
	j+K/SvzfoYEqZWyp3ggVC45Sesw1ABJbOhZcOoKXAbD0u0PeoqQsRMC3WEZ9tSUvVOq0=
X-Gm-Gg: Acq92OHpyeMDxElXXqEWxJs7pOIEGnTMeo8G9RAN00ZLiL5PfkW3ZcNDrTMrICqk3Bl
	63YJvY3viiGZA6OLKa74kcem5OpqCkef5rYEuolon1xLYfXjxczN6bCwpWINwQlI+8EoP8kkwIU
	EpQSmTqJFflfoTUixSdiC22/OlkPjCLYzwN5S2AV+TI2O69Ly6tARsiIZH4i/CtGOriyzzXH17c
	Ro22zGNaOSfIjdf3tw7lfzSKZzPiLMY/fzi2AsjXiFoYJ5PP0O6xwnKnqeSYO4X5aJtCS96ovdZ
	OYK7itHGQTuZfdT8cKGJJ9BbttMN8IAQD5Wo6poOEYjXLiaD0h75nqjxQVvgBBkkI4P32IYPjRY
	MC4NdPotXVJA5oPIdXXLhbYLBR5nn42EG9McynG9UnxrEAXS4Iw931qyWLSLya4UMgBFLPO4xIs
	6ePw==
X-Received: by 2002:a05:7300:fd0b:b0:2c4:dd55:ffc1 with SMTP id
 5a478bee46e88-2fb4b82cd05mr5874960eec.2.1778561363334;
        Mon, 11 May 2026 21:49:23 -0700 (PDT)
X-Received: by 2002:a05:7300:fd0b:b0:2c4:dd55:ffc1 with SMTP id
 5a478bee46e88-2fb4b82cd05mr5874946eec.2.1778561362692;
        Mon, 11 May 2026 21:49:22 -0700 (PDT)
Received: from san-w175-na3-01.qualcomm.com (i-global254.qualcomm.com.
 [199.106.103.254])
        by smtp.gmail.com with ESMTPSA id
 5a478bee46e88-2f8862d43b4sm16032926eec.11.2026.05.11.21.49.22
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 11 May 2026 21:49:22 -0700 (PDT)
From: Wei Zhang <wei.zhang@oss.qualcomm.com>
To: jeff.johnson@oss.qualcomm.com
Cc: ath12k@lists.infradead.org, linux-wireless@vger.kernel.org,
        linux-kernel@vger.kernel.org, wei.zhang@oss.qualcomm.com
Subject: [PATCH ath-next 2/2] wifi: ath12k: fix NULL deref in change_sta_links
 for unready link
Date: Mon, 11 May 2026 21:49:05 -0700
Message-ID: <20260512044906.1735821-3-wei.zhang@oss.qualcomm.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260512044906.1735821-1-wei.zhang@oss.qualcomm.com>
References: <20260512044906.1735821-1-wei.zhang@oss.qualcomm.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-Proofpoint-Spam-Details-Enc: AW1haW4tMjYwNTEyMDA0MSBTYWx0ZWRfX2Yv3p4pqsbce
 +quJ4zqAoOyLjfdnptQkrNcfZHQLdFB/isfK3QL3HgKOPsV4XsfIX1UGhJBfCcNb+SarHeubh0D
 cxjaainBgFONetdyhs955BEE1Nm5sk+oOR0ZXz6xBaGUx3m/zVwIthlPVcv+48zgMOFT/Gw355j
 OITpVn2KNYR8CQcSEnr52DvuqMmJx6dU9QUErIUFzp7n6UuuXptc8Lhh1XMLUVyQPQUr5J5r0jc
 M4mA3d5Ld4fKxoqVpVLbVyfPQD4QFYcjLrl7beBcBhUxmga/62nIjEhHPa/+LQ6Jv7EQF9822NQ
 PlJQFu352lpeCbQtkTcHRE6QjZbfkY5/u7B3jjFZJigpyAE1LMVlPaBMUCwt3O/Ig4x6EtpHnmo
 +bA0cFu/153H03l4NUAt77aiIzccZFmRewQ4rRUQLoxSfBPC8NZbCQKvMsBbdiHU4qbM/4BcDhO
 VRp5iN4a24hcWsuelhQ==
X-Proofpoint-GUID: TspGGeUW8_LQgZQdBkk8DBcLAHjYmih4
X-Proofpoint-ORIG-GUID: TspGGeUW8_LQgZQdBkk8DBcLAHjYmih4
X-Authority-Analysis: v=2.4 cv=Y5XIdBeN c=1 sm=1 tr=0 ts=6a02b154 cx=c_pps
 a=PfFC4Oe2JQzmKTvty2cRDw==:117 a=JYp8KDb2vCoCEuGobkYCKw==:17
 a=NGcC8JguVDcA:10 a=s4-Qcg_JpJYA:10 a=VkNPw1HP01LnGYTKEx00:22
 a=u7WPNUs3qKkmUXheDGA7:22 a=eoimf2acIAo5FJnRuUoq:22 a=EUspDBNiAAAA:8
 a=5nEK3cMyjPeeF0Mhq6kA:9 a=6Ab_bkdmUrQuMsNx7PHu:22
X-Proofpoint-Virus-Version: vendor=baseguard
 engine=ICAP:2.0.293,Aquarius:18.0.1143,Hydra:6.1.51,FMLib:17.12.100.49
 definitions=2026-05-11_05,2026-05-08_02,2025-10-01_01
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0
 spamscore=0 malwarescore=0 lowpriorityscore=0 impostorscore=0 suspectscore=0
 adultscore=0 phishscore=0 priorityscore=1501 clxscore=1015 bulkscore=0
 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0
 reason=mlx scancount=1 engine=8.22.0-2605050000 definitions=main-2605120041
Content-Type: text/plain; charset="utf-8"

_ieee80211_set_active_links() calls _ieee80211_link_use_channel() for
each newly-added link and WARN_ON_ONCE()s if it fails. The call uses
assign_on_failure=3Dtrue, which allows mac80211 to continue despite
driver failures, but when a mac80211-level channel validation fails
(e.g., combinations check, DFS, or no available radio),
drv_assign_vif_chanctx() is never reached. Since ath12k_mac_vdev_create()
is only called from that path, arvif->is_created remains false and
arvif->ar remains NULL for the failed link.

The subsequent drv_change_sta_links() call reaches
ath12k_mac_op_change_sta_links(), which allocates an arsta and sets
ahsta->links_map |=3D BIT(link_id) for the broken link before checking
whether the link is ready. When the vdev was never created, only
station_add() is skipped, but the link remains in links_map.

Any subsequent operation iterating links_map and dereferencing arvif->ar
without a NULL check will crash. Two observed examples are NULL deref in
ath12k_mac_ml_station_remove() on disconnect and in ath12k_mac_op_set_key()
when wpa_supplicant installs PTK keys.

  BUG: Unable to handle kernel NULL pointer dereference at 0x00000000
  pc : ath12k_mac_station_post_remove+0x40/0xe8 [ath12k]
  Call trace:
   ath12k_mac_station_post_remove+0x40/0xe8 [ath12k]
   ath12k_mac_op_sta_state+0xb60/0x1720 [ath12k]
   drv_sta_state+0x100/0xbd8 [mac80211]
   __sta_info_destroy_part2+0x148/0x178 [mac80211]
   ieee80211_set_disassoc+0x500/0x678 [mac80211]

  BUG: Unable to handle kernel NULL pointer dereference at 0x00000000
  pc : ath12k_mac_op_set_key+0x1f8/0x2c0 [ath12k]
  Call trace:
   ath12k_mac_op_set_key+0x1f8/0x2c0 [ath12k]
   drv_set_key+0x70/0x100 [mac80211]
   ieee80211_key_enable_hw_accel+0x78/0x260 [mac80211]
   ieee80211_add_key+0x16c/0x2ac [mac80211]
   nl80211_new_key+0x138/0x280 [cfg80211]

Fix this by checking arvif->is_created before calling
ath12k_mac_alloc_assign_link_sta(). This prevents the broken link from
entering links_map, so all subsequent operations iterating the bitmap
are protected. The reliability of arvif->is_created across all error
paths is ensured by the preceding patch.

Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00302-QCAHMTSWPL_V1.0_V2.0_SIL=
ICONZ-1.115823.3

Fixes: a27fa6148dac ("wifi: ath12k: support change_sta_links() mac80211 op")
Signed-off-by: Wei Zhang <wei.zhang@oss.qualcomm.com>
---
 drivers/net/wireless/ath/ath12k/mac.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/net/wireless/ath/ath12k/mac.c b/drivers/net/wireless/a=
th/ath12k/mac.c
index 8f8456509468..529a693fdd28 100644
--- a/drivers/net/wireless/ath/ath12k/mac.c
+++ b/drivers/net/wireless/ath/ath12k/mac.c
@@ -8045,16 +8045,16 @@ int ath12k_mac_op_change_sta_links(struct ieee80211=
_hw *hw,
 			continue;
=20
 		arvif =3D wiphy_dereference(hw->wiphy, ahvif->link[link_id]);
-		arsta =3D ath12k_mac_alloc_assign_link_sta(ah, ahsta, ahvif, link_id);
+		if (!arvif || !arvif->is_created)
+			continue;
=20
-		if (!arvif || !arsta) {
+		arsta =3D ath12k_mac_alloc_assign_link_sta(ah, ahsta, ahvif, link_id);
+		if (!arsta) {
 			ath12k_hw_warn(ah, "Failed to alloc/assign link sta");
 			continue;
 		}
=20
 		ar =3D arvif->ar;
-		if (!ar)
-			continue;
=20
 		ret =3D ath12k_mac_station_add(ar, arvif, arsta);
 		if (ret) {
--=20
2.34.1