From: Jiajia Liu
To: Felix Fietkau, Lorenzo Bianconi, Ryder Lee, Shayne Chen, Sean Wang, Matthias Brugger, AngeloGioacchino Del Regno, Ming Yen Hsieh, Michael Lo, Leon Yen
Cc: linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, Jiajia Liu
Subject: [PATCH] wifi: mt76: mt7925: add wcid publish check in mt76_sta_add
Date: Tue, 26 May 2026 14:08:41 +0800
Message-ID: <20260526060841.49161-1-liujiajia@kylinos.cn>

Since mt7925_mac_sta_add publishes wcid, add publish check in mt76_sta_add
to avoid reinitializing the wcid->poll_list for mt7925.

Found dev->sta_poll_list corruption when using mt7925 and 7.0-rc4.
According to the corruption information, prev->next was changed to itself.

wlan0: disconnect from AP 90:fb:5d:94:8b:e3 for new auth to 90:fb:5d:94:8b:e2
wlan0: authenticate with 90:fb:5d:94:8b:e2 (local address=84:9e:56:9c:7e:6b)
wlan0: send auth to 90:fb:5d:94:8b:e2 (try 1/3)
slab kmalloc-8k start ffff8c80958a6000 pointer offset 4160 size 8192
list_add corruption. prev->next should be next (ffff8c808a7488f8), but was ffff8c80958a7040. (prev=ffff8c80958a7040).
 mt76_wcid_add_poll+0x95/0xd0 [mt76]
 mt7925_mac_add_txs.part.0+0xa5/0xe0 [mt7925_common]
 mt7925_rx_check+0xa7/0xc0 [mt7925_common]
 mt76_dma_rx_poll+0x50d/0x790 [mt76]
 mt792x_poll_rx+0x52/0xe0 [mt792x_lib]
Signed-off-by: Jiajia Liu
---
Reproduced and tested using the script below over ssh. Roam between two
bssids with the same SSID on a router.

#!/bin/bash

set -ex

while :; do
        num=$(sudo iw wlan0 scan | grep Polaris | wc -l)
        if [ $num -eq 2 ]; then
                break
        fi
done

for i in $(seq 1 500); do
        echo "index $i"
        wpa_cli -i wlan0 roam 90:fb:5d:94:8b:e3
        sleep 5
        wpa_cli -i wlan0 roam 90:fb:5d:94:8b:e2
        sleep 5
done
---
 drivers/net/wireless/mediatek/mt76/mac80211.c    | 11 ++++++++---
 drivers/net/wireless/mediatek/mt76/mt76.h        |  1 +
 drivers/net/wireless/mediatek/mt76/mt7925/main.c |  3 +++
 3 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/drivers/net/wireless/mediatek/mt76/mac80211.c b/drivers/net/wi= reless/mediatek/mt76/mac80211.c index 4ae5e4715a9c..83f4f941b890 100644 --- a/drivers/net/wireless/mediatek/mt76/mac80211.c +++ b/drivers/net/wireless/mediatek/mt76/mac80211.c @@ -1595,11 +1595,16 @@ mt76_sta_add(struct mt76_phy *phy, struct ieee80211= _vif *vif, mtxq->wcid =3D wcid->idx; } =20 - ewma_signal_init(&wcid->rssi); - rcu_assign_pointer(dev->wcid[wcid->idx], wcid); + if (!test_bit(MT_WCID_FLAG_DRV_PUBLISH, &wcid->flags)) { + ewma_signal_init(&wcid->rssi); + rcu_assign_pointer(dev->wcid[wcid->idx], wcid); + mt76_wcid_init(wcid, phy->band_idx); + } else { + wcid->phy_idx =3D phy->band_idx; + } + phy->num_sta++; =20 - mt76_wcid_init(wcid, phy->band_idx); out: mutex_unlock(&dev->mutex); =20 diff --git a/drivers/net/wireless/mediatek/mt76/mt76.h b/drivers/net/wirele= ss/mediatek/mt76/mt76.h index 527bef97e122..8bfce686bff7 100644 --- a/drivers/net/wireless/mediatek/mt76/mt76.h +++ b/drivers/net/wireless/mediatek/mt76/mt76.h @@ -361,6 +361,7 @@ enum mt76_wcid_flags { MT_WCID_FLAG_PS, MT_WCID_FLAG_4ADDR, MT_WCID_FLAG_HDR_TRANS, + MT_WCID_FLAG_DRV_PUBLISH, }; =20 #define MT76_N_WCIDS 1088 diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/main.c b/drivers/net= /wireless/mediatek/mt76/mt7925/main.c index 73d3722739d0..35b5c718475c 100644 
--- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c @@ -1102,6 +1102,9 @@ int mt7925_mac_sta_add(struct mt76_dev *mdev, struct = ieee80211_vif *vif, &msta->deflink); } =20 + if (!err) + set_bit(MT_WCID_FLAG_DRV_PUBLISH, &msta->deflink.wcid.flags); + return err; } EXPORT_SYMBOL_GPL(mt7925_mac_sta_add); --=20 2.53.0
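
Review bot: in the mt76_sta_add hunk (mac80211.c), the new else branch skips ewma_signal_init(&wcid->rssi) together with mt76_wcid_init() and only sets wcid->phy_idx, so a wcid carrying MT_WCID_FLAG_DRV_PUBLISH now depends on the driver having initialised rssi and everything else mt76_wcid_init() would have set. Nothing in this patch shows that initialisation. Either keep ewma_signal_init() outside the conditional if repeating it is harmless, or add a comment in the else branch naming the driver function that has already done this work.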
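
Review bot: MT_WCID_FLAG_DRV_PUBLISH is added to enum mt76_wcid_flags (mt76.h) without a comment, although its meaning is a contract between the driver's sta_add path and mt76_sta_add. Add a one-line comment saying that the driver sets it once it has initialised and published the wcid itself, and which path is expected to clear it.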
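
Review bot: the set_bit(MT_WCID_FLAG_DRV_PUBLISH, &msta->deflink.wcid.flags) at the end of mt7925_mac_sta_add has no matching clear_bit anywhere in this patch (the diffstat shows only three insertions in mt7925/main.c). If a wcid's flags word ever survives a remove and re-add, mt76_sta_add would skip rcu_assign_pointer() and mt76_wcid_init() for a wcid the driver has not republished. Clear the bit on the station remove path, or explain in the commit message why flags is always zeroed before reuse. The bit is also set only on deflink.wcid; please confirm whether wcids for other links reach mt76_sta_add and need the same marking.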
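
The corruption signature quoted in the commit message (prev->next equal to prev itself), reduced to a user-space model. This is an added example, not code from the patch or from mt76: struct list_head is a constructed stand-in for the kernel type, and poll_enqueue with its list_empty guard is a hypothetical model of the poll path, not the driver's function.

```c
#include <stdbool.h>
#include <stdio.h>

/* Minimal stand-in for the kernel's struct list_head (constructed for this example). */
struct list_head { struct list_head *next, *prev; };

static void init_list_head(struct list_head *l) { l->next = l; l->prev = l; }
static bool list_empty(const struct list_head *h) { return h->next == h; }

/* Tail insert that refuses to link when the tail's next pointer is not the head,
 * the invariant behind the "prev->next should be next" report in the log. */
static bool list_add_tail_checked(struct list_head *node, struct list_head *head)
{
    struct list_head *prev = head->prev;

    if (prev->next != head)
        return false;
    node->next = head;
    node->prev = prev;
    prev->next = node;
    head->prev = node;
    return true;
}

/* Hypothetical poll enqueue: link the entry only if it looks unlinked. */
static bool poll_enqueue(struct list_head *entry, struct list_head *poll_head)
{
    if (!list_empty(entry))
        return true; /* already queued */
    return list_add_tail_checked(entry, poll_head);
}

/* Returns whether the second enqueue passes the list check. */
bool second_enqueue_ok(bool reinit_while_queued)
{
    struct list_head poll_head, entry;

    init_list_head(&poll_head);
    init_list_head(&entry);
    poll_enqueue(&entry, &poll_head);
    if (reinit_while_queued)
        init_list_head(&entry); /* entry points at itself, head still points at entry */
    return poll_enqueue(&entry, &poll_head);
}

int main(void)
{
    printf("no re-init: %d, re-init: %d\n", second_enqueue_ok(false), second_enqueue_ok(true));
    return 0;
}
```

After the re-init the entry looks unlinked to list_empty() while the head still references it, so the next insert finds the tail's next pointer aimed at the tail itself.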