From: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
To: Vasanthakumar Thiagarajan
<vasanthakumar.thiagarajan@oss.qualcomm.com>,
Baochen Qiang <baochen.qiang@oss.qualcomm.com>,
Jeff Johnson <jjohnson@kernel.org>
Cc: linux-wireless@vger.kernel.org, ath12k@lists.infradead.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH ath-current] wifi: ath12k: prepare REO update element only for primary link
Date: Thu, 19 Mar 2026 07:14:23 -0700 [thread overview]
Message-ID: <1a037a6b-f39d-4624-8f3d-1298da8c50bf@oss.qualcomm.com> (raw)
In-Reply-To: <8056cb5f-cdde-4890-b8cf-3b37d1c3483f@oss.qualcomm.com>
On 3/18/2026 8:46 PM, Vasanthakumar Thiagarajan wrote:
>
>
> On 2/10/2026 8:37 AM, Baochen Qiang wrote:
>> Commit [1] introduces dp->reo_cmd_update_rx_queue_list for the purpose
>> of tracking all pending REO queue flush commands. The helper
>> ath12k_dp_prepare_reo_update_elem() allocates an element and populates
>> it with REO queue information, then add it to the list. The element would
>> be helpful during clean up stage to finally unmap/free the corresponding
>> REO queue buffer.
>>
>> In MLO scenarios with more than one links, for non dp_primary_link_only
>> chips like WCN7850, that helper is called for each link peer. This
>> results in multiple elements added to the list but all of them pointing
>> to the same REO queue buffer. Consequently the same buffer gets
>> unmap/freed multiple times:
>>
>> BUG kmalloc-2k (Tainted: G B W O ): Object already free
>> -----------------------------------------------------------------------------
>> Allocated in ath12k_wifi7_dp_rx_assign_reoq+0xce/0x280 [ath12k_wifi7] age=7436 cpu=10 pid=16130
>> __kmalloc_noprof
>> ath12k_wifi7_dp_rx_assign_reoq
>> ath12k_dp_rx_peer_tid_setup
>> ath12k_dp_peer_setup
>> ath12k_mac_station_add
>> ath12k_mac_op_sta_state
>> [...]
>> Freed in ath12k_dp_rx_tid_cleanup.part.0+0x25/0x40 [ath12k] age=1 cpu=27 pid=16137
>> kfree
>> ath12k_dp_rx_tid_cleanup.part.0
>> ath12k_dp_rx_reo_cmd_list_cleanup
>> ath12k_dp_cmn_device_deinit
>> ath12k_core_stop
>> ath12k_core_hw_group_cleanup
>> ath12k_pci_remove
>>
>> Fix this by allowing list addition for primary link only. Note
>> dp_primary_link_only chips like QCN9274 are not affected by this change,
>> because that's what they were doing in the first place.
>>
>> Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00302-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.115823.3
>>
>> Fixes: 3bf2e57e7d6c ("wifi: ath12k: Add Retry Mechanism for REO RX Queue Update Failures") # [1]
>> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221011
>> Signed-off-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
>
> Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com>
Was there supposed to be a tag in front of that?
next prev parent reply other threads:[~2026-03-19 14:14 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-10 3:07 [PATCH ath-current] wifi: ath12k: prepare REO update element only for primary link Baochen Qiang
2026-03-19 3:46 ` Vasanthakumar Thiagarajan
2026-03-19 14:14 ` Jeff Johnson [this message]
2026-03-19 16:23 ` Vasanthakumar Thiagarajan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1a037a6b-f39d-4624-8f3d-1298da8c50bf@oss.qualcomm.com \
--to=jeff.johnson@oss.qualcomm.com \
--cc=ath12k@lists.infradead.org \
--cc=baochen.qiang@oss.qualcomm.com \
--cc=jjohnson@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=vasanthakumar.thiagarajan@oss.qualcomm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox