From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 256AE32B9B5; Wed, 20 May 2026 16:30:40 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779294641; cv=none; b=FS2B4HG/l9nufyRssocPq9Ik/JCNLhAXVmcT774H2oUJuxXgdDGwifSizryUhgYhN799j1+fIGG3LgOATO4l9HbAuj8JJ5Dhc8oA2ibJ5xXvHKGlDvFJmF7+1ob0HU4GyaEk1jkoRb4GTHm3JGUcyDh0Uogl2oljRXVVYJf5e+M= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779294641; c=relaxed/simple; bh=LPpwuwO29+ysVX16lJRFvtbyRmFwPlgU7RDMpT7fNqM=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=dWCTTJRxxYpRUaUAKnGEzk3Wd/yfaGTF2pyvoUiHZq5L3/RAIVvK9YtTJ7GnmZeCDhvHPEYo9xgASNvuSzMK5OsDV6+67apZ8spg1Moueorz9U7VdOZVx9MJ4HEssNFGNn4gmnu+Sol558YNdfcizCFwnd6k/419L9qweWpoN68= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=SfEVUEuv; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="SfEVUEuv" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 8B81B1F000E9; Wed, 20 May 2026 16:30:39 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linuxfoundation.org; s=korg; t=1779294640; bh=2HhC8hUkK+HW7Xxy42TBDs/fJLz+LyV7yzpDG+kRyo8=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=SfEVUEuvWaqlbaMopXnnsQK20QWcBCfhCI8/8X7pNdF1X8YojwWMC3tgBtxWd2s7l LKcJ3fLWolUQukttkZJeGrZfOpqlb8SWGFWZ3ZGbHnx2Vhz/RvrZk6ZYPCPK/WJ7Cv oXeO2o/UgnWg79dDa6Kao3NqCyti6c46OYoly1Es= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Quan Zhou , Sean Wang , Felix Fietkau , Sasha Levin Subject: [PATCH 7.0 0115/1146] wifi: mt76: mt7921: fix potential deadlock in mt7921_roc_abort_sync Date: Wed, 20 May 2026 18:06:05 +0200 Message-ID: <20260520162150.937816181@linuxfoundation.org> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260520162148.390695140@linuxfoundation.org> References: <20260520162148.390695140@linuxfoundation.org> User-Agent: quilt/0.69 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 7.0-stable review patch. If anyone has any objections, please let me know. ------------------ From: Sean Wang [ Upstream commit d5059e52fd8bc624ec4255c9fa01a266513d126b ] roc_abort_sync() can deadlock with roc_work(). roc_work() holds dev->mt76.mutex, while cancel_work_sync() waits for roc_work() to finish. If the caller already owns the same mutex, both sides block and no progress is possible. This deadlock can occur during station removal when mt76_sta_state() -> mt76_sta_remove() -> mt7921_mac_sta_remove() -> mt7921_roc_abort_sync() invokes cancel_work_sync() while roc_work() is still running and holding dev->mt76.mutex. This avoids the mutex deadlock and preserves exactly-once work ownership. Fixes: 352d966126e6 ("wifi: mt76: mt7921: fix a potential association failure upon resuming") Co-developed-by: Quan Zhou Signed-off-by: Quan Zhou Signed-off-by: Sean Wang Link: https://patch.msgid.link/20260126180013.8167-1-sean.wang@kernel.org Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin --- drivers/net/wireless/mediatek/mt76/mt7921/main.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/main.c b/drivers/net/wireless/mediatek/mt76/mt7921/main.c index f42e40f9663d8..42b9514e04e71 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7921/main.c +++ b/drivers/net/wireless/mediatek/mt76/mt7921/main.c @@ -371,12 +371,15 @@ void mt7921_roc_abort_sync(struct mt792x_dev *dev) { struct mt792x_phy *phy = &dev->phy; + if (!test_and_clear_bit(MT76_STATE_ROC, &phy->mt76->state)) + return; + timer_delete_sync(&phy->roc_timer); - cancel_work_sync(&phy->roc_work); - if (test_and_clear_bit(MT76_STATE_ROC, &phy->mt76->state)) - ieee80211_iterate_interfaces(mt76_hw(dev), - IEEE80211_IFACE_ITER_RESUME_ALL, - mt7921_roc_iter, (void *)phy); + cancel_work(&phy->roc_work); + + ieee80211_iterate_interfaces(mt76_hw(dev), + IEEE80211_IFACE_ITER_RESUME_ALL, + mt7921_roc_iter, (void *)phy); } EXPORT_SYMBOL_GPL(mt7921_roc_abort_sync); -- 2.53.0