From: Zac Bowling <zbowling@gmail.com>
To: zbowling@gmail.com
Cc: deren.wu@mediatek.com, kvalo@kernel.org,
linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org,
linux-wireless@vger.kernel.org, lorenzo@kernel.org, nbd@nbd.name,
ryder.lee@mediatek.com, sean.wang@mediatek.com,
zac@zacbowling.com
Subject: [PATCH 3/3] wifi: mt76: mt7925: fix missing mutex protection in runtime PM and MLO PM
Date: Wed, 31 Dec 2025 16:23:21 -0800 [thread overview]
Message-ID: <20260101002321.19332-1-zbowling@gmail.com> (raw)
In-Reply-To: <20251231223702.30957-1-zbowling@gmail.com>
From: Zac Bowling <zac@zacbowling.com>
Two additional code paths were identified that iterate over active
interfaces and call MCU functions without proper mutex protection:
1. mt7925_set_runtime_pm(): Called when runtime PM settings change.
The callback mt7925_pm_interface_iter() calls mt7925_mcu_set_beacon_filter()
which in turn calls mt7925_mcu_set_rxfilter(). These MCU functions require
the device mutex to be held.
2. mt7925_mlo_pm_work(): A workqueue function for MLO power management.
The callback mt7925_mlo_pm_iter() was acquiring mutex internally, which
is inconsistent with the rest of the driver where the caller holds the
mutex during interface iteration. Move the mutex to the caller for
consistency and to prevent potential race conditions.
The impact of these bugs:
- mt7925_set_runtime_pm(): Can cause deadlocks when power management
settings are changed while WiFi is active
- mt7925_mlo_pm_work(): Can cause race conditions during MLO power save
state transitions
Note: Similar bugs exist in the mt7921 driver and should be fixed in a
separate patch series.
Reported-by: Zac Bowling <zac@zacbowling.com>
Tested-by: Zac Bowling <zac@zacbowling.com>
Signed-off-by: Zac Bowling <zac@zacbowling.com>
---
drivers/net/wireless/mediatek/mt76/mt7925/main.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/main.c b/drivers/net/wireless/mediatek/mt76/mt7925/main.c
index 3001a62a8b67..9f17b21aef1c 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c
@@ -751,9 +751,11 @@ void mt7925_set_runtime_pm(struct mt792x_dev *dev)
bool monitor = !!(hw->conf.flags & IEEE80211_CONF_MONITOR);
pm->enable = pm->enable_user && !monitor;
+ mt792x_mutex_acquire(dev);
ieee80211_iterate_active_interfaces(hw,
IEEE80211_IFACE_ITER_RESUME_ALL,
mt7925_pm_interface_iter, dev);
+ mt792x_mutex_release(dev);
pm->ds_enable = pm->ds_enable_user && !monitor;
mt7925_mcu_set_deep_sleep(dev, pm->ds_enable);
}
@@ -1301,14 +1303,12 @@ mt7925_mlo_pm_iter(void *priv, u8 *mac, struct ieee80211_vif *vif)
if (mvif->mlo_pm_state != MT792x_MLO_CHANGED_PS)
return;
- mt792x_mutex_acquire(dev);
for_each_set_bit(i, &valid, IEEE80211_MLD_MAX_NUM_LINKS) {
bss_conf = mt792x_vif_to_bss_conf(vif, i);
if (!bss_conf)
continue;
mt7925_mcu_uni_bss_ps(dev, bss_conf);
}
- mt792x_mutex_release(dev);
}
void mt7925_mlo_pm_work(struct work_struct *work)
@@ -1317,9 +1317,11 @@ void mt7925_mlo_pm_work(struct work_struct *work)
mlo_pm_work.work);
struct ieee80211_hw *hw = mt76_hw(dev);
+ mt792x_mutex_acquire(dev);
ieee80211_iterate_active_interfaces(hw,
IEEE80211_IFACE_ITER_RESUME_ALL,
mt7925_mlo_pm_iter, dev);
+ mt792x_mutex_release(dev);
}
void mt7925_scan_work(struct work_struct *work)
--
2.51.0
next prev parent reply other threads:[~2026-01-01 0:23 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-31 5:29 [PATCH] wifi: mt76: mt7925: fix NULL pointer dereference in vif iteration loops Zac Bowling
2025-12-31 22:37 ` [PATCH] wifi: mt76: mt7925: fix missing mutex protection in reset and ROC abort paths Zac Bowling
2026-01-01 0:22 ` [PATCH 2/3] wifi: mt76: mt7925: fix missing mutex protection in reset and ROC abort Zac Bowling
2026-01-01 0:23 ` Zac Bowling [this message]
2026-01-01 0:41 ` [PATCH 3/3] wifi: mt76: mt7925: fix missing mutex protection in runtime PM and MLO PM Zac Bowling
2026-01-01 6:25 ` [PATCH] wifi: mt76: mt7925: add NULL checks in MCU STA TLV functions Zac Bowling
2026-01-01 6:25 ` [PATCH] wifi: mt76: mt7925: add NULL checks for link_conf and mlink in main.c Zac Bowling
2026-01-01 6:25 ` [PATCH] wifi: mt76: mt7925: add NULL checks in MLO link and chanctx functions Zac Bowling
2026-01-01 6:25 ` [PATCH] wifi: mt76: mt7925: add error handling for AMPDU MCU commands Zac Bowling
2026-01-01 6:25 ` [PATCH] wifi: mt76: mt7925: add error handling for BSS info MCU command in sta_add Zac Bowling
2026-01-01 6:25 ` [PATCH] wifi: mt76: mt7925: add error handling for BSS info in key setup Zac Bowling
2026-01-01 6:25 ` [PATCH] wifi: mt76: mt7921: fix missing mutex protection in multiple paths Zac Bowling
2026-01-01 6:25 ` [PATCH] wifi: mt76: mt7925: add lockdep assertions for mutex verification Zac Bowling
2026-01-02 20:03 ` [PATCH v2 0/6] wifi: mt76: mt7925/mt792x: additional stability fixes Zac Bowling
2026-01-02 20:03 ` [PATCH] wifi: mt76: mt7925: fix key removal failure during MLO roaming Zac Bowling
2026-01-02 20:03 ` [PATCH] wifi: mt76: mt7925: fix kernel warning in MLO ROC setup when channel not configured Zac Bowling
2026-01-02 20:03 ` [PATCH] wifi: mt76: mt7925: add NULL checks for MLO link pointers in MCU functions Zac Bowling
2026-01-02 20:03 ` [PATCH] wifi: mt76: mt792x: fix firmware reload failure after previous load crash Zac Bowling
2026-01-03 6:46 ` Sean Wang
2026-01-03 18:42 ` Zac Bowling
2026-01-02 20:03 ` [PATCH] wifi: mt76: mt7925: add mutex protection in resume path Zac Bowling
2026-01-02 20:03 ` [PATCH] wifi: mt76: mt7925: add NULL checks and error handling for MCU calls Zac Bowling
2026-01-02 20:05 ` [PATCH] wifi: mt76: mt7925: comprehensive stability fixes Zac Bowling
2026-01-03 6:25 ` Sean Wang
2026-01-03 19:11 ` Zac Bowling
2026-01-05 0:26 ` [PATCH v3 00/17] wifi: mt76: mt7925/mt792x: " Zac Bowling
2026-01-05 0:26 ` [PATCH 01/17] wifi: mt76: mt7925: fix NULL pointer dereference in vif iteration Zac Bowling
2026-01-05 0:26 ` [PATCH 02/17] wifi: mt76: mt7925: fix missing mutex protection in reset and ROC abort Zac Bowling
2026-01-05 0:26 ` [PATCH 03/17] wifi: mt76: mt7925: fix missing mutex protection in runtime PM and MLO PM Zac Bowling
2026-01-05 0:26 ` [PATCH 04/17] wifi: mt76: mt7925: add NULL checks in MCU STA TLV functions Zac Bowling
2026-01-05 0:26 ` [PATCH 05/17] wifi: mt76: mt7925: add NULL checks for link_conf and mlink in main.c Zac Bowling
2026-01-05 0:26 ` [PATCH 06/17] wifi: mt76: mt7925: add error handling for AMPDU MCU commands Zac Bowling
2026-01-05 0:26 ` [PATCH 07/17] wifi: mt76: mt7925: add error handling for BSS info MCU command in sta_add Zac Bowling
2026-01-05 0:26 ` [PATCH 08/17] wifi: mt76: mt7925: add error handling for BSS info in key setup Zac Bowling
2026-01-05 0:26 ` [PATCH 09/17] wifi: mt76: mt7925: add NULL checks in MLO link and chanctx functions Zac Bowling
2026-01-05 0:26 ` [PATCH 10/17] wifi: mt76: mt792x: fix NULL pointer dereference in TX path Zac Bowling
2026-01-05 0:26 ` [PATCH 11/17] wifi: mt76: mt7925: add lockdep assertions for mutex verification Zac Bowling
2026-01-05 0:26 ` [PATCH 12/17] wifi: mt76: mt7925: fix key removal failure during MLO roaming Zac Bowling
2026-01-05 0:26 ` [PATCH 13/17] wifi: mt76: mt7925: fix kernel warning in MLO ROC setup Zac Bowling
2026-01-05 0:26 ` [PATCH 14/17] wifi: mt76: mt7925: add NULL checks for MLO link pointers in MCU functions Zac Bowling
2026-01-05 0:26 ` [PATCH 15/17] wifi: mt76: mt792x: fix firmware reload failure after previous load crash Zac Bowling
2026-01-05 0:26 ` [PATCH 16/17] wifi: mt76: mt7925: add mutex protection in resume path Zac Bowling
2026-01-05 0:26 ` [PATCH 17/17] wifi: mt76: mt7925: add NULL checks in link station and TX queue setup Zac Bowling
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260101002321.19332-1-zbowling@gmail.com \
--to=zbowling@gmail.com \
--cc=deren.wu@mediatek.com \
--cc=kvalo@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mediatek@lists.infradead.org \
--cc=linux-wireless@vger.kernel.org \
--cc=lorenzo@kernel.org \
--cc=nbd@nbd.name \
--cc=ryder.lee@mediatek.com \
--cc=sean.wang@mediatek.com \
--cc=zac@zacbowling.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).