* [PATCH v2] wifi: mt76: add wcid publish check in mt76_sta_add
@ 2026-05-28 3:38 Jiajia Liu
From: Jiajia Liu @ 2026-05-28 3:38 UTC (permalink / raw)
To: Felix Fietkau, Lorenzo Bianconi, Ryder Lee, Shayne Chen,
Sean Wang, Matthias Brugger, AngeloGioacchino Del Regno,
Ming Yen Hsieh, Leon Yen
Cc: linux-wireless, linux-kernel, linux-arm-kernel, linux-mediatek,
Jiajia Liu
Since mt7925_mac_sta_add publishes wcid, add publish check in mt76_sta_add
to avoid reinitializing the wcid->poll_list.
Found dev->sta_poll_list corruption when using mt7925 and 7.1-rc4.
According to the corruption information, prev->next was changed to itself.
wlan0: disconnect from AP 90:fb:5d:94:8b:e3 for new auth to 90:fb:5d:94:8b:e2
wlan0: authenticate with 90:fb:5d:94:8b:e2 (local address=84:9e:56:9c:7e:6b)
wlan0: send auth to 90:fb:5d:94:8b:e2 (try 1/3)
slab kmalloc-8k start ffff8c80958a6000 pointer offset 4160 size 8192
list_add corruption. prev->next should be next (ffff8c808a7488f8), but was ffff8c80958a7040. (prev=ffff8c80958a7040).
mt76_wcid_add_poll+0x95/0xd0 [mt76]
mt7925_mac_add_txs.part.0+0xa5/0xe0 [mt7925_common]
mt7925_rx_check+0xa7/0xc0 [mt7925_common]
mt76_dma_rx_poll+0x50d/0x790 [mt76]
mt792x_poll_rx+0x52/0xe0 [mt792x_lib]
Signed-off-by: Jiajia Liu <liujiajia@kylinos.cn>
---
Changes in v2:
- use dev->wcid table instead of adding MT_WCID_FLAG_DRV_PUBLSH for
wcid publish check suggested by Sean
- subject and commit message update
---
drivers/net/wireless/mediatek/mt76/mac80211.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mac80211.c b/drivers/net/wireless/mediatek/mt76/mac80211.c
index 4ae5e4715a9c..b78b4cd206e0 100644
--- a/drivers/net/wireless/mediatek/mt76/mac80211.c
+++ b/drivers/net/wireless/mediatek/mt76/mac80211.c
@@ -1576,6 +1576,7 @@ mt76_sta_add(struct mt76_phy *phy, struct ieee80211_vif *vif,
{
struct mt76_wcid *wcid = (struct mt76_wcid *)sta->drv_priv;
struct mt76_dev *dev = phy->dev;
+ struct mt76_wcid *published;
int ret;
int i;
@@ -1595,11 +1596,19 @@ mt76_sta_add(struct mt76_phy *phy, struct ieee80211_vif *vif,
mtxq->wcid = wcid->idx;
}
- ewma_signal_init(&wcid->rssi);
- rcu_assign_pointer(dev->wcid[wcid->idx], wcid);
+ published = rcu_dereference_protected(dev->wcid[wcid->idx],
+ lockdep_is_held(&dev->mutex));
+ if (published != wcid) {
+ WARN_ON_ONCE(published);
+ ewma_signal_init(&wcid->rssi);
+ rcu_assign_pointer(dev->wcid[wcid->idx], wcid);
+ mt76_wcid_init(wcid, phy->band_idx);
+ } else {
+ wcid->phy_idx = phy->band_idx;
+ }
+
phy->num_sta++;
- mt76_wcid_init(wcid, phy->band_idx);
out:
mutex_unlock(&dev->mutex);
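Review bot: In the `published != wcid` branch, `rcu_assign_pointer(dev->wcid[wcid->idx], wcid)` still runs before `mt76_wcid_init(wcid, phy->band_idx)`, so a reader that finds the entry through `dev->wcid[]` can see it before its list heads are initialised; consider calling `mt76_wcid_init()` first and publishing last. `WARN_ON_ONCE(published)` only warns when a different entry occupies the slot and then overwrites it, so that entry's own `poll_list` may stay queued; either unwind it or set `ret` and leave through `out:`. The `else` branch relies on the driver having done the equivalent of `ewma_signal_init()` and `mt76_wcid_init()` before it published the entry, which deserves a short comment naming `mt7925_mac_sta_add`.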
--
2.53.0
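The failure the commit message describes, as a userspace model (an added example, not code from the patch or the mt76 driver): re-initialising a `poll_list` entry that is already queued leaves the list tail pointing to itself, so the next tail insert fails the `prev->next` check seen in the log. `wcid_model`, `dev_model`, `add_poll`, `sta_add` and `replay` are hypothetical names, and the enqueue logic is an assumed shape, not the driver's.

```c
#include <stdbool.h>

/* Userspace model of the kernel's list_head; every name here is constructed. */
struct list_head { struct list_head *next, *prev; };
struct wcid_model { struct list_head poll_list; };
struct dev_model { struct list_head sta_poll_list; struct wcid_model *slot; };
static void init_list_head(struct list_head *h) { h->next = h->prev = h; }

/* Tail insert with the prev->next check that CONFIG_DEBUG_LIST performs. */
static bool list_add_tail_checked(struct list_head *new, struct list_head *head)
{
	struct list_head *prev = head->prev;
	if (prev->next != head || new == prev || new == head)
		return false;		/* kernel logs "list_add corruption" */
	new->next = head;
	new->prev = prev;
	prev->next = head->prev = new;
	return true;
}

/* Poll enqueue (assumed shape): link only an entry that looks unlinked. */
static bool add_poll(struct dev_model *dev, struct wcid_model *w)
{
	if (w->poll_list.next != &w->poll_list)
		return true;		/* already queued */
	return list_add_tail_checked(&w->poll_list, &dev->sta_poll_list);
}

/* Station add; with `guarded`, a published entry is not re-initialised. */
static void sta_add(struct dev_model *dev, struct wcid_model *w, bool guarded)
{
	if (guarded && dev->slot == w)
		return;
	dev->slot = w;
	init_list_head(&w->poll_list);	/* wipes the links of a queued entry */
}

/* Replays: early publish, RX enqueue, station add, RX enqueue again. */
bool replay(bool guarded)
{
	struct wcid_model w;
	struct dev_model dev = { .slot = &w };
	init_list_head(&dev.sta_poll_list);
	init_list_head(&w.poll_list);
	add_poll(&dev, &w);
	sta_add(&dev, &w, guarded);
	return add_poll(&dev, &w);
}

int main(void) { return replay(false) || !replay(true); }	/* exits 0 */
```

In the unguarded replay the second enqueue sees `prev == new` with `prev->next` pointing back at `prev`, which is the state the `list_add corruption` line reports.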
* Re: [PATCH v2] wifi: mt76: add wcid publish check in mt76_sta_add
From: Thorsten Leemhuis @ 2026-06-30 11:29 UTC (permalink / raw)
To: Jiajia Liu, Felix Fietkau, Lorenzo Bianconi, Ryder Lee, Shayne Chen,
Sean Wang, Matthias Brugger, AngeloGioacchino Del Regno,
Ming Yen Hsieh, Leon Yen
Cc: linux-wireless, linux-kernel, linux-arm-kernel, linux-mediatek,
Linux kernel regressions list

On 5/28/26 05:38, Jiajia Liu wrote:
> Since mt7925_mac_sta_add publishes wcid, add publish check in mt76_sta_add
> to avoid reinitializing the wcid->poll_list.
>
> Found dev->sta_poll_list corruption when using mt7925 and 7.1-rc4.

Jiajia Liu, Felox: given that the problem seems to be in 7.1, should we
ask the stable team to pick this regression fix up, as this change was
mainlined (as 20b126920a259d ("wifi: mt76: add wcid publish check in
mt76_sta_add") [v7.2-rc1]), but lacks both a Fixes and a Stable tag?

Ciao, Thorsten

> According to the corruption information, prev->next was changed to itself.
>
> wlan0: disconnect from AP 90:fb:5d:94:8b:e3 for new auth to 90:fb:5d:94:8b:e2
> wlan0: authenticate with 90:fb:5d:94:8b:e2 (local address=84:9e:56:9c:7e:6b)
> wlan0: send auth to 90:fb:5d:94:8b:e2 (try 1/3)
> slab kmalloc-8k start ffff8c80958a6000 pointer offset 4160 size 8192
> list_add corruption. prev->next should be next (ffff8c808a7488f8), but was ffff8c80958a7040. (prev=ffff8c80958a7040).
>
> mt76_wcid_add_poll+0x95/0xd0 [mt76]
> mt7925_mac_add_txs.part.0+0xa5/0xe0 [mt7925_common]
> mt7925_rx_check+0xa7/0xc0 [mt7925_common]
> mt76_dma_rx_poll+0x50d/0x790 [mt76]
> mt792x_poll_rx+0x52/0xe0 [mt792x_lib]
> > Signed-off-by: Jiajia Liu <liujiajia@kylinos.cn> > --- > > Changes in v2: > - use dev->wcid table instead of adding MT_WCID_FLAG_DRV_PUBLSH for > wcid publish check suggested by Sean > - subject and commit message update > > --- > drivers/net/wireless/mediatek/mt76/mac80211.c | 15 ++++++++++++--- > 1 file changed, 12 insertions(+), 3 deletions(-) > > diff --git a/drivers/net/wireless/mediatek/mt76/mac80211.c b/drivers/net/wireless/mediatek/mt76/mac80211.c > index 4ae5e4715a9c..b78b4cd206e0 100644 > --- a/drivers/net/wireless/mediatek/mt76/mac80211.c > +++ b/drivers/net/wireless/mediatek/mt76/mac80211.c > @@ -1576,6 +1576,7 @@ mt76_sta_add(struct mt76_phy *phy, struct ieee80211_vif *vif, > { > struct mt76_wcid *wcid = (struct mt76_wcid *)sta->drv_priv; > struct mt76_dev *dev = phy->dev; > + struct mt76_wcid *published; > int ret; > int i; > > @@ -1595,11 +1596,19 @@ mt76_sta_add(struct mt76_phy *phy, struct ieee80211_vif *vif, > mtxq->wcid = wcid->idx; > } > > - ewma_signal_init(&wcid->rssi); > - rcu_assign_pointer(dev->wcid[wcid->idx], wcid); > + published = rcu_dereference_protected(dev->wcid[wcid->idx], > + lockdep_is_held(&dev->mutex)); > + if (published != wcid) { > + WARN_ON_ONCE(published); > + ewma_signal_init(&wcid->rssi); > + rcu_assign_pointer(dev->wcid[wcid->idx], wcid); > + mt76_wcid_init(wcid, phy->band_idx); > + } else { > + wcid->phy_idx = phy->band_idx; > + } > + > phy->num_sta++; > > - mt76_wcid_init(wcid, phy->band_idx); > out: > mutex_unlock(&dev->mutex); > ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v2] wifi: mt76: add wcid publish check in mt76_sta_add
From: Jiajia Liu @ 2026-07-01 5:39 UTC (permalink / raw)
To: Thorsten Leemhuis
Cc: Felix Fietkau, Lorenzo Bianconi, Ryder Lee, Shayne Chen, Sean Wang,
Matthias Brugger, AngeloGioacchino Del Regno, Ming Yen Hsieh, Leon Yen,
linux-wireless, linux-kernel, linux-arm-kernel, linux-mediatek,
Linux kernel regressions list

On Tue, Jun 30, 2026 at 01:29:51PM +0200, Thorsten Leemhuis wrote:
> On 5/28/26 05:38, Jiajia Liu wrote:
> > Since mt7925_mac_sta_add publishes wcid, add publish check in mt76_sta_add
> > to avoid reinitializing the wcid->poll_list.
> >
> > Found dev->sta_poll_list corruption when using mt7925 and 7.1-rc4.
>
> Jiajia Liu, Felox: given that the problem seems to be in 7.1, should we
> ask the stable team to pick this regression fix up, as this change was
> mainlined (as 20b126920a259d ("wifi: mt76: add wcid publish check in
> mt76_sta_add") [v7.2-rc1]), but lacks both a Fixes and a Stable tag?

Yes. It seems to be related to cbf5e61da660 ("wifi: mt76: initialize more
wcid fields mt76_wcid_init") [v6.14-rc1]. But I didn't reproduce when I
checked it out and tested. So Fixes was not added.

>
> Ciao, Thorsten
>
> > According to the corruption information, prev->next was changed to itself.
> >
> > wlan0: disconnect from AP 90:fb:5d:94:8b:e3 for new auth to 90:fb:5d:94:8b:e2
> > wlan0: authenticate with 90:fb:5d:94:8b:e2 (local address=84:9e:56:9c:7e:6b)
> > wlan0: send auth to 90:fb:5d:94:8b:e2 (try 1/3)
> > slab kmalloc-8k start ffff8c80958a6000 pointer offset 4160 size 8192
> > list_add corruption. prev->next should be next (ffff8c808a7488f8), but was ffff8c80958a7040. (prev=ffff8c80958a7040).
> >
> > mt76_wcid_add_poll+0x95/0xd0 [mt76]
> > mt7925_mac_add_txs.part.0+0xa5/0xe0 [mt7925_common]
> > mt7925_rx_check+0xa7/0xc0 [mt7925_common]
> > mt76_dma_rx_poll+0x50d/0x790 [mt76]
> > mt792x_poll_rx+0x52/0xe0 [mt792x_lib]
> > > > Signed-off-by: Jiajia Liu <liujiajia@kylinos.cn> > > --- > > > > Changes in v2: > > - use dev->wcid table instead of adding MT_WCID_FLAG_DRV_PUBLSH for > > wcid publish check suggested by Sean > > - subject and commit message update > > > > --- > > drivers/net/wireless/mediatek/mt76/mac80211.c | 15 ++++++++++++--- > > 1 file changed, 12 insertions(+), 3 deletions(-) > > > > diff --git a/drivers/net/wireless/mediatek/mt76/mac80211.c b/drivers/net/wireless/mediatek/mt76/mac80211.c > > index 4ae5e4715a9c..b78b4cd206e0 100644 > > --- a/drivers/net/wireless/mediatek/mt76/mac80211.c > > +++ b/drivers/net/wireless/mediatek/mt76/mac80211.c > > @@ -1576,6 +1576,7 @@ mt76_sta_add(struct mt76_phy *phy, struct ieee80211_vif *vif, > > { > > struct mt76_wcid *wcid = (struct mt76_wcid *)sta->drv_priv; > > struct mt76_dev *dev = phy->dev; > > + struct mt76_wcid *published; > > int ret; > > int i; > > > > @@ -1595,11 +1596,19 @@ mt76_sta_add(struct mt76_phy *phy, struct ieee80211_vif *vif, > > mtxq->wcid = wcid->idx; > > } > > > > - ewma_signal_init(&wcid->rssi); > > - rcu_assign_pointer(dev->wcid[wcid->idx], wcid); > > + published = rcu_dereference_protected(dev->wcid[wcid->idx], > > + lockdep_is_held(&dev->mutex)); > > + if (published != wcid) { > > + WARN_ON_ONCE(published); > > + ewma_signal_init(&wcid->rssi); > > + rcu_assign_pointer(dev->wcid[wcid->idx], wcid); > > + mt76_wcid_init(wcid, phy->band_idx); > > + } else { > > + wcid->phy_idx = phy->band_idx; > > + } > > + > > phy->num_sta++; > > > > - mt76_wcid_init(wcid, phy->band_idx); > > out: > > mutex_unlock(&dev->mutex); > > ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v2] wifi: mt76: add wcid publish check in mt76_sta_add
From: Thorsten Leemhuis @ 2026-07-01 6:16 UTC (permalink / raw)
To: stable@vger.kernel.org, Greg KH, Sasha Levin
Cc: Felix Fietkau, Lorenzo Bianconi, Jiajia Liu, Ryder Lee, Shayne Chen,
Sean Wang, Matthias Brugger, AngeloGioacchino Del Regno,
Ming Yen Hsieh, Leon Yen, linux-wireless, linux-kernel,
linux-arm-kernel, linux-mediatek, Linux kernel regressions list

On 7/1/26 07:39, Jiajia Liu wrote:
> On Tue, Jun 30, 2026 at 01:29:51PM +0200, Thorsten Leemhuis wrote:
>> On 5/28/26 05:38, Jiajia Liu wrote:
>>> Since mt7925_mac_sta_add publishes wcid, add publish check in mt76_sta_add
>>> to avoid reinitializing the wcid->poll_list.
>>>
>>> Found dev->sta_poll_list corruption when using mt7925 and 7.1-rc4.
>>
>> Jiajia Liu, Felox:

BTW: @Felix, sorry for the typo!

>> given that the problem seems to be in 7.1, should we
>> ask the stable team to pick this regression fix up, as this change was
>> mainlined (as 20b126920a259d ("wifi: mt76: add wcid publish check in
>> mt76_sta_add") [v7.2-rc1]), but lacks both a Fixes and a Stable tag?
>
> Yes. It seems to be related to cbf5e61da660 ("wifi: mt76: initialize
> more wcid fields mt76_wcid_init") [v6.14-rc1]. But I didn't reproduce
> when I checked it out and tested. So Fixes was not added.

In that case:

@Stable team, could you please pick up 20b126920a259d ("wifi: mt76: add
wcid publish check in mt76_sta_add") [v7.2-rc1] for 7.1? It lacks a
fixes tag and the problem might be older, but I saw two reports about
this with 7.1-rc -- so it seems some recent change made that problem
more likely to occur, so it might be good to fix it at least in 7.1.y.

Ciao, Thorsten

>>> According to the corruption information, prev->next was changed to itself.
>>> >>> wlan0: disconnect from AP 90:fb:5d:94:8b:e3 for new auth to 90:fb:5d:94:8b:e2 >>> wlan0: authenticate with 90:fb:5d:94:8b:e2 (local address=84:9e:56:9c:7e:6b) >>> wlan0: send auth to 90:fb:5d:94:8b:e2 (try 1/3) >>> slab kmalloc-8k start ffff8c80958a6000 pointer offset 4160 size 8192 >>> list_add corruption. prev->next should be next (ffff8c808a7488f8), but was ffff8c80958a7040. (prev=ffff8c80958a7040). >>> >>> mt76_wcid_add_poll+0x95/0xd0 [mt76] >>> mt7925_mac_add_txs.part.0+0xa5/0xe0 [mt7925_common] >>> mt7925_rx_check+0xa7/0xc0 [mt7925_common] >>> mt76_dma_rx_poll+0x50d/0x790 [mt76] >>> mt792x_poll_rx+0x52/0xe0 [mt792x_lib] >>> >>> Signed-off-by: Jiajia Liu <liujiajia@kylinos.cn> >>> --- >>> >>> Changes in v2: >>> - use dev->wcid table instead of adding MT_WCID_FLAG_DRV_PUBLSH for >>> wcid publish check suggested by Sean >>> - subject and commit message update >>> >>> --- >>> drivers/net/wireless/mediatek/mt76/mac80211.c | 15 ++++++++++++--- >>> 1 file changed, 12 insertions(+), 3 deletions(-) >>> >>> diff --git a/drivers/net/wireless/mediatek/mt76/mac80211.c b/drivers/net/wireless/mediatek/mt76/mac80211.c >>> index 4ae5e4715a9c..b78b4cd206e0 100644 >>> --- a/drivers/net/wireless/mediatek/mt76/mac80211.c >>> +++ b/drivers/net/wireless/mediatek/mt76/mac80211.c >>> @@ -1576,6 +1576,7 @@ mt76_sta_add(struct mt76_phy *phy, struct ieee80211_vif *vif, >>> { >>> struct mt76_wcid *wcid = (struct mt76_wcid *)sta->drv_priv; >>> struct mt76_dev *dev = phy->dev; >>> + struct mt76_wcid *published; >>> int ret; >>> int i; 
>>> >>> @@ -1595,11 +1596,19 @@ mt76_sta_add(struct mt76_phy *phy, struct ieee80211_vif *vif, >>> mtxq->wcid = wcid->idx; >>> } >>> >>> - ewma_signal_init(&wcid->rssi); >>> - rcu_assign_pointer(dev->wcid[wcid->idx], wcid); >>> + published = rcu_dereference_protected(dev->wcid[wcid->idx], >>> + lockdep_is_held(&dev->mutex)); >>> + if (published != wcid) { >>> + WARN_ON_ONCE(published); >>> + ewma_signal_init(&wcid->rssi); >>> + rcu_assign_pointer(dev->wcid[wcid->idx], wcid); >>> + mt76_wcid_init(wcid, phy->band_idx); >>> + } else { >>> + wcid->phy_idx = phy->band_idx; >>> + } >>> + >>> phy->num_sta++; >>> >>> - mt76_wcid_init(wcid, phy->band_idx); >>> out: >>> mutex_unlock(&dev->mutex); >>> ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v2] wifi: mt76: add wcid publish check in mt76_sta_add
From: Greg KH @ 2026-07-01 13:48 UTC (permalink / raw)
To: Thorsten Leemhuis
Cc: stable@vger.kernel.org, Sasha Levin, Felix Fietkau, Lorenzo Bianconi,
Jiajia Liu, Ryder Lee, Shayne Chen, Sean Wang, Matthias Brugger,
AngeloGioacchino Del Regno, Ming Yen Hsieh, Leon Yen, linux-wireless,
linux-kernel, linux-arm-kernel, linux-mediatek,
Linux kernel regressions list

On Wed, Jul 01, 2026 at 08:16:07AM +0200, Thorsten Leemhuis wrote:
> On 7/1/26 07:39, Jiajia Liu wrote:
> > On Tue, Jun 30, 2026 at 01:29:51PM +0200, Thorsten Leemhuis wrote:
> >> On 5/28/26 05:38, Jiajia Liu wrote:
> >>> Since mt7925_mac_sta_add publishes wcid, add publish check in mt76_sta_add
> >>> to avoid reinitializing the wcid->poll_list.
> >>>
> >>> Found dev->sta_poll_list corruption when using mt7925 and 7.1-rc4.
> >>
> >> Jiajia Liu, Felox:
>
> BTW: @Felix, sorry for the typo!
>
> >> given that the problem seems to be in 7.1, should we
> >> ask the stable team to pick this regression fix up, as this change was
> >> mainlined (as 20b126920a259d ("wifi: mt76: add wcid publish check in
> >> mt76_sta_add") [v7.2-rc1]), but lacks both a Fixes and a Stable tag?
> >
> > Yes. It seems to be related to cbf5e61da660 ("wifi: mt76: initialize
> > more wcid fields mt76_wcid_init") [v6.14-rc1]. But I didn't reproduce
> > when I checked it out and tested. So Fixes was not added.
>
> In that case:
>
> @Stable team, could you please pick up 20b126920a259d ("wifi: mt76: add
> wcid publish check in mt76_sta_add") [v7.2-rc1] for 7.1? It lacks a
> fixes tag and the problem might be older, but I saw two reports about
> this with 7.1-rc -- so it seems some recent change made that problem
> more likely to occur, so it might be good to fix it at least in 7.1.y.

Now queued up for 6.18.y and 7.1.y, thanks.

greg k-h