From: Zac <zac@zacbowling.com>
To: sean.wang@kernel.org
Cc: deren.wu@mediatek.com, kvalo@kernel.org,
linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org,
linux-wireless@vger.kernel.org, lorenzo@kernel.org, nbd@nbd.name,
linux@frame.work, ryder.lee@mediatek.com, sean.wang@mediatek.com,
Zac Bowling <zbowling@gmail.com>,
Zac Bowling <zac@zacbowling.com>
Subject: [PATCH v4 03/21] wifi: mt76: mt7925: fix missing mutex protection in runtime PM and MLO PM
Date: Thu, 15 Jan 2026 17:05:01 -0800 [thread overview]
Message-ID: <20260116010519.37001-4-zac@zacbowling.com> (raw)
In-Reply-To: <20260116010519.37001-1-zac@zacbowling.com>
From: Zac Bowling <zbowling@gmail.com>
Two additional code paths iterate over active interfaces and call MCU
functions without proper mutex protection:
1. mt7925_set_runtime_pm(): Called when runtime PM settings change.
The callback mt7925_pm_interface_iter() calls mt7925_mcu_set_beacon_filter()
which in turn calls mt7925_mcu_set_rxfilter(). These MCU functions require
the device mutex to be held.
2. mt7925_mlo_pm_work(): A workqueue function for MLO power management.
The callback mt7925_mlo_pm_iter() was acquiring mutex internally, which
is inconsistent with the rest of the driver where the caller holds the
mutex during interface iteration.
These bugs can cause deadlocks when:
- Power management settings are changed while WiFi is active
- MLO power save state transitions occur during roaming
Move the mutex to the caller in mt7925_mlo_pm_work() for consistency
with the rest of the driver, and add mutex protection in
mt7925_set_runtime_pm().
Found through static analysis (clang-tidy) and comparison with the
MT7615 driver which correctly acquires mutex before interface iteration.
Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips")
Reported-by: Zac Bowling <zac@zacbowling.com>
Tested-by: Zac Bowling <zac@zacbowling.com>
Signed-off-by: Zac Bowling <zac@zacbowling.com>
---
drivers/net/wireless/mediatek/mt76/mt7925/main.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/main.c b/drivers/net/wireless/mediatek/mt76/mt7925/main.c
index 3001a62a8b..9f17b21aef 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c
@@ -751,9 +751,11 @@ void mt7925_set_runtime_pm(struct mt792x_dev *dev)
bool monitor = !!(hw->conf.flags & IEEE80211_CONF_MONITOR);
pm->enable = pm->enable_user && !monitor;
+ mt792x_mutex_acquire(dev);
ieee80211_iterate_active_interfaces(hw,
IEEE80211_IFACE_ITER_RESUME_ALL,
mt7925_pm_interface_iter, dev);
+ mt792x_mutex_release(dev);
pm->ds_enable = pm->ds_enable_user && !monitor;
mt7925_mcu_set_deep_sleep(dev, pm->ds_enable);
}
@@ -1301,14 +1303,12 @@ mt7925_mlo_pm_iter(void *priv, u8 *mac, struct ieee80211_vif *vif)
if (mvif->mlo_pm_state != MT792x_MLO_CHANGED_PS)
return;
- mt792x_mutex_acquire(dev);
for_each_set_bit(i, &valid, IEEE80211_MLD_MAX_NUM_LINKS) {
bss_conf = mt792x_vif_to_bss_conf(vif, i);
if (!bss_conf)
continue;
mt7925_mcu_uni_bss_ps(dev, bss_conf);
}
- mt792x_mutex_release(dev);
}
void mt7925_mlo_pm_work(struct work_struct *work)
@@ -1317,9 +1317,11 @@ void mt7925_mlo_pm_work(struct work_struct *work)
mlo_pm_work.work);
struct ieee80211_hw *hw = mt76_hw(dev);
+ mt792x_mutex_acquire(dev);
ieee80211_iterate_active_interfaces(hw,
IEEE80211_IFACE_ITER_RESUME_ALL,
mt7925_mlo_pm_iter, dev);
+ mt792x_mutex_release(dev);
}
void mt7925_scan_work(struct work_struct *work)
--
2.52.0
next prev parent reply other threads:[~2026-01-16 1:05 UTC|newest]
Thread overview: 113+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-31 5:29 [PATCH] wifi: mt76: mt7925: fix NULL pointer dereference in vif iteration loops Zac Bowling
2025-12-31 22:37 ` [PATCH] wifi: mt76: mt7925: fix missing mutex protection in reset and ROC abort paths Zac Bowling
2026-01-01 0:22 ` [PATCH 2/3] wifi: mt76: mt7925: fix missing mutex protection in reset and ROC abort Zac Bowling
2026-01-01 0:23 ` [PATCH 3/3] wifi: mt76: mt7925: fix missing mutex protection in runtime PM and MLO PM Zac Bowling
2026-01-01 0:41 ` Zac Bowling
2026-01-01 6:25 ` [PATCH] wifi: mt76: mt7925: add NULL checks in MCU STA TLV functions Zac Bowling
2026-01-01 6:25 ` [PATCH] wifi: mt76: mt7925: add NULL checks for link_conf and mlink in main.c Zac Bowling
2026-01-01 6:25 ` [PATCH] wifi: mt76: mt7925: add NULL checks in MLO link and chanctx functions Zac Bowling
2026-01-01 6:25 ` [PATCH] wifi: mt76: mt7925: add error handling for AMPDU MCU commands Zac Bowling
2026-01-01 6:25 ` [PATCH] wifi: mt76: mt7925: add error handling for BSS info MCU command in sta_add Zac Bowling
2026-01-01 6:25 ` [PATCH] wifi: mt76: mt7925: add error handling for BSS info in key setup Zac Bowling
2026-01-01 6:25 ` [PATCH] wifi: mt76: mt7921: fix missing mutex protection in multiple paths Zac Bowling
2026-01-01 6:25 ` [PATCH] wifi: mt76: mt7925: add lockdep assertions for mutex verification Zac Bowling
2026-01-02 20:03 ` [PATCH v2 0/6] wifi: mt76: mt7925/mt792x: additional stability fixes Zac Bowling
2026-01-02 20:03 ` [PATCH] wifi: mt76: mt7925: fix key removal failure during MLO roaming Zac Bowling
2026-01-02 20:03 ` [PATCH] wifi: mt76: mt7925: fix kernel warning in MLO ROC setup when channel not configured Zac Bowling
2026-01-02 20:03 ` [PATCH] wifi: mt76: mt7925: add NULL checks for MLO link pointers in MCU functions Zac Bowling
2026-01-02 20:03 ` [PATCH] wifi: mt76: mt792x: fix firmware reload failure after previous load crash Zac Bowling
2026-01-03 6:46 ` Sean Wang
2026-01-03 18:42 ` Zac Bowling
2026-01-15 7:19 ` Zac Bowling
2026-01-02 20:03 ` [PATCH] wifi: mt76: mt7925: add mutex protection in resume path Zac Bowling
2026-01-02 20:03 ` [PATCH] wifi: mt76: mt7925: add NULL checks and error handling for MCU calls Zac Bowling
2026-01-02 20:05 ` [PATCH] wifi: mt76: mt7925: comprehensive stability fixes Zac Bowling
2026-01-03 6:25 ` Sean Wang
2026-01-03 19:11 ` Zac Bowling
2026-01-05 0:26 ` [PATCH v3 00/17] wifi: mt76: mt7925/mt792x: " Zac Bowling
2026-01-05 0:26 ` [PATCH 01/17] wifi: mt76: mt7925: fix NULL pointer dereference in vif iteration Zac Bowling
2026-01-05 0:26 ` [PATCH 02/17] wifi: mt76: mt7925: fix missing mutex protection in reset and ROC abort Zac Bowling
2026-01-05 0:26 ` [PATCH 03/17] wifi: mt76: mt7925: fix missing mutex protection in runtime PM and MLO PM Zac Bowling
2026-01-05 0:26 ` [PATCH 04/17] wifi: mt76: mt7925: add NULL checks in MCU STA TLV functions Zac Bowling
2026-01-05 0:26 ` [PATCH 05/17] wifi: mt76: mt7925: add NULL checks for link_conf and mlink in main.c Zac Bowling
2026-01-05 0:26 ` [PATCH 06/17] wifi: mt76: mt7925: add error handling for AMPDU MCU commands Zac Bowling
2026-01-05 0:26 ` [PATCH 07/17] wifi: mt76: mt7925: add error handling for BSS info MCU command in sta_add Zac Bowling
2026-01-05 0:26 ` [PATCH 08/17] wifi: mt76: mt7925: add error handling for BSS info in key setup Zac Bowling
2026-01-05 0:26 ` [PATCH 09/17] wifi: mt76: mt7925: add NULL checks in MLO link and chanctx functions Zac Bowling
2026-01-05 0:26 ` [PATCH 10/17] wifi: mt76: mt792x: fix NULL pointer dereference in TX path Zac Bowling
2026-01-05 0:26 ` [PATCH 11/17] wifi: mt76: mt7925: add lockdep assertions for mutex verification Zac Bowling
2026-01-05 0:26 ` [PATCH 12/17] wifi: mt76: mt7925: fix key removal failure during MLO roaming Zac Bowling
2026-01-05 0:26 ` [PATCH 13/17] wifi: mt76: mt7925: fix kernel warning in MLO ROC setup Zac Bowling
2026-01-05 0:26 ` [PATCH 14/17] wifi: mt76: mt7925: add NULL checks for MLO link pointers in MCU functions Zac Bowling
2026-01-05 0:26 ` [PATCH 15/17] wifi: mt76: mt792x: fix firmware reload failure after previous load crash Zac Bowling
2026-01-05 0:26 ` [PATCH 16/17] wifi: mt76: mt7925: add mutex protection in resume path Zac Bowling
2026-01-05 0:26 ` [PATCH 17/17] wifi: mt76: mt7925: add NULL checks in link station and TX queue setup Zac Bowling
2026-01-11 3:13 ` Zac Bowling
2026-01-11 3:36 ` Zac Bowling
2026-01-16 0:15 ` [PATCH v3 00/17] wifi: mt76: mt7925/mt792x: comprehensive stability fixes Sean Wang
2026-01-16 0:43 ` Zac Bowling
2026-01-16 1:04 ` [PATCH v4 00/21] wifi: mt76: mt7925/mt7921: stability and MLO fixes Zac
2026-01-16 1:04 ` [PATCH v4 01/21] wifi: mt76: mt7925: fix NULL pointer dereference in vif iteration Zac
2026-01-16 1:05 ` [PATCH v4 02/21] wifi: mt76: mt7925: fix missing mutex protection in reset and ROC abort Zac
2026-01-16 1:05 ` Zac [this message]
2026-01-16 1:05 ` [PATCH v4 04/21] wifi: mt76: mt7925: add NULL checks in MCU STA TLV functions Zac
2026-01-16 1:05 ` [PATCH v4 05/21] wifi: mt76: mt7925: add NULL checks for link_conf and mlink in main.c Zac
2026-01-16 1:05 ` [PATCH v4 06/21] wifi: mt76: mt7925: add error handling for AMPDU MCU commands Zac
2026-01-16 1:05 ` [PATCH v4 07/21] wifi: mt76: mt7925: add error handling for BSS info MCU command in sta_add Zac
2026-01-16 1:05 ` [PATCH v4 08/21] wifi: mt76: mt7925: add error handling for BSS info in key setup Zac
2026-01-16 1:05 ` [PATCH v4 09/21] wifi: mt76: mt7925: add NULL checks in MLO link and chanctx functions Zac
2026-01-16 1:05 ` [PATCH v4 10/21] wifi: mt76: mt792x: fix NULL pointer dereference in TX path Zac
2026-01-16 1:05 ` [PATCH v4 11/21] wifi: mt76: mt7925: add lockdep assertions for mutex verification Zac
2026-01-16 1:05 ` [PATCH v4 12/21] wifi: mt76: mt7925: fix key removal failure during MLO roaming Zac
2026-01-16 1:05 ` [PATCH v4 13/21] wifi: mt76: mt7925: fix kernel warning in MLO ROC setup Zac
2026-01-16 1:05 ` [PATCH v4 14/21] wifi: mt76: mt7925: add NULL checks for MLO link pointers in MCU functions Zac
2026-01-16 1:05 ` [PATCH v4 15/21] wifi: mt76: mt792x: fix firmware reload failure after previous load crash Zac
2026-01-16 1:05 ` [PATCH v4 16/21] wifi: mt76: mt7925: add mutex protection in resume path Zac
2026-01-16 1:05 ` [PATCH v4 17/21] wifi: mt76: mt7925: add NULL checks in link station and TX queue setup Zac
2026-01-16 1:05 ` [PATCH v4 18/21] wifi: mt76: mt7921: fix missing mutex protection in multiple paths Zac
2026-01-16 1:05 ` [PATCH v4 19/21] wifi: mt76: mt7921: fix mutex deadlocks " Zac
2026-01-16 1:05 ` [PATCH v4 20/21] wifi: mt76: fix list corruption in mt76_wcid_cleanup Zac
2026-01-16 1:05 ` [PATCH v4 21/21] wifi: mt76: mt7925: fix BA session teardown during beacon loss Zac
2026-01-20 6:28 ` [PATCH v5 00/11] wifi: mt76: mt7925/mt7921 stability fixes Zac
2026-01-20 6:28 ` [PATCH 01/11] wifi: mt76: fix list corruption in mt76_wcid_cleanup Zac
2026-01-20 6:28 ` [PATCH 02/11] wifi: mt76: mt792x: fix NULL pointer and firmware reload issues Zac
2026-01-20 7:04 ` Greg KH
2026-01-20 6:28 ` [PATCH 03/11] wifi: mt76: mt7921: add mutex protection in critical paths Zac
2026-01-20 6:28 ` [PATCH 04/11] wifi: mt76: mt7921: fix deadlock in sta removal and suspend ROC abort Zac
2026-01-20 6:28 ` [PATCH 05/11] wifi: mt76: mt7925: add comprehensive NULL pointer protection for MLO Zac
2026-01-20 6:28 ` [PATCH 06/11] wifi: mt76: mt7925: add mutex protection in critical paths Zac
2026-01-20 6:28 ` [PATCH 07/11] wifi: mt76: mt7925: add MCU command error handling Zac
2026-01-20 6:28 ` [PATCH 08/11] wifi: mt76: mt7925: add lockdep assertions for mutex verification Zac
2026-01-20 6:28 ` [PATCH 09/11] wifi: mt76: mt7925: fix MLO roaming and ROC setup issues Zac
2026-01-20 6:28 ` [PATCH 10/11] wifi: mt76: mt7925: fix BA session teardown during beacon loss Zac
2026-01-20 6:28 ` [PATCH 11/11] wifi: mt76: mt7925: fix ROC deadlocks and race conditions Zac
2026-01-20 8:25 ` Sean Wang
2026-01-20 17:59 ` Zac Bowling
2026-01-20 20:10 ` [PATCH v6 00/13] wifi: mt76: stability fixes for deadlocks, NULL derefs, " Zac
2026-01-20 20:10 ` [PATCH 01/13] wifi: mt76: mt7925: fix potential deadlock in mt7925_roc_abort_sync Zac
2026-01-20 20:10 ` [PATCH 02/13] wifi: mt76: fix list corruption in mt76_wcid_cleanup Zac
2026-01-20 20:10 ` [PATCH 03/13] wifi: mt76: mt792x: fix NULL pointer and firmware reload issues Zac
2026-01-20 20:10 ` [PATCH 04/13] wifi: mt76: mt7921: add mutex protection in critical paths Zac
2026-01-27 10:59 ` Felix Fietkau
2026-01-29 6:19 ` Zac Bowling
2026-01-20 20:10 ` [PATCH 05/13] wifi: mt76: mt7921: fix deadlock in sta removal and suspend ROC abort Zac
2026-01-20 20:10 ` [PATCH 06/13] wifi: mt76: mt7925: add comprehensive NULL pointer protection for MLO Zac
2026-01-20 20:10 ` [PATCH 08/13] wifi: mt76: mt7925: add MCU command error handling Zac
2026-01-20 20:10 ` [PATCH 09/13] wifi: mt76: mt7925: add lockdep assertions for mutex verification Zac
2026-01-20 20:10 ` [PATCH 10/13] wifi: mt76: mt7925: fix MLO roaming and ROC setup issues Zac
2026-01-20 20:10 ` [PATCH 11/13] wifi: mt76: mt7925: fix BA session teardown during beacon loss Zac
2026-01-20 20:10 ` [PATCH 12/13] wifi: mt76: mt7925: fix ROC deadlocks and race conditions Zac
2026-01-27 11:06 ` Felix Fietkau
2026-01-20 20:10 ` [PATCH 13/13] wifi: mt76: mt7925: fix double wcid initialization race condition Zac
2026-01-27 10:58 ` [PATCH v6 00/13] wifi: mt76: stability fixes for deadlocks, NULL derefs, and race conditions Felix Fietkau
2026-01-29 8:18 ` [PATCH v7 0/6] wifi: mt76: mt7925: MLO stability fixes Zac
2026-01-29 8:18 ` [PATCH v7 1/6] wifi: mt76: mt7925: fix double wcid initialization race condition Zac
2026-01-29 8:18 ` [PATCH v7 2/6] wifi: mt76: mt7925: add NULL pointer protection for MLO state transitions Zac
2026-01-29 8:18 ` [PATCH v7 3/6] wifi: mt76: mt7925: add mutex protection in critical paths Zac
2026-01-29 8:18 ` [PATCH v7 4/6] wifi: mt76: mt7925: add MCU command error handling in ampdu_action Zac
2026-01-29 8:18 ` [PATCH v7 5/6] wifi: mt76: mt7925: add lockdep assertions for mutex verification Zac
2026-01-29 8:18 ` [PATCH v7 6/6] wifi: mt76: mt7925: fix MLO ROC setup error handling Zac
2026-01-29 8:46 ` [PATCH 2/6] wifi: mt76: mt7925: add NULL pointer protection for MLO state transitions Zac
2026-01-29 9:05 ` [v7 PATCH 7/7] wifi: mt76: mt7925: add error logging for MLO ROC setup in set_links Zac
2026-01-20 11:42 ` [PATCH 11/11] wifi: mt76: mt7925: fix ROC deadlocks and race conditions kernel test robot
2026-01-20 13:26 ` kernel test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260116010519.37001-4-zac@zacbowling.com \
--to=zac@zacbowling.com \
--cc=deren.wu@mediatek.com \
--cc=kvalo@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mediatek@lists.infradead.org \
--cc=linux-wireless@vger.kernel.org \
--cc=linux@frame.work \
--cc=lorenzo@kernel.org \
--cc=nbd@nbd.name \
--cc=ryder.lee@mediatek.com \
--cc=sean.wang@kernel.org \
--cc=sean.wang@mediatek.com \
--cc=zbowling@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox