From: Zac <zac@zacbowling.com>
To: sean.wang@kernel.org
Cc: deren.wu@mediatek.com, kvalo@kernel.org,
linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org,
linux-wireless@vger.kernel.org, lorenzo@kernel.org, nbd@nbd.name,
ryder.lee@mediatek.com, sean.wang@mediatek.com,
stable@vger.kernel.org, linux@frame.work, zbowling@gmail.com,
Zac Bowling <zac@zacbowling.com>
Subject: [PATCH 03/11] wifi: mt76: mt7921: add mutex protection in critical paths
Date: Mon, 19 Jan 2026 22:28:46 -0800 [thread overview]
Message-ID: <20260120062854.126501-4-zac@zacbowling.com> (raw)
In-Reply-To: <20260120062854.126501-1-zac@zacbowling.com>
From: Zac Bowling <zac@zacbowling.com>
Add proper mutex protection for mt7921 driver operations that access
hardware state without proper synchronization. This fixes multiple race
conditions that can cause system instability.
Fixes added:
1. mac.c: mt7921_mac_reset_work()
- Wrap ieee80211_iterate_active_interfaces() with mt792x_mutex
- The vif_connect_iter callback accesses hw_encap state
2. main.c: mt7921_remain_on_channel()
- Remove mt792x_mutex_acquire/release around mt7925_set_channel_state()
- The function is already called with mutex held from mac80211
- This was causing double-lock deadlock
3. main.c: mt7921_cancel_remain_on_channel()
- Remove mt792x_mutex_acquire/release
- Function is called from mac80211 with mutex already held
4. pci.c: mt7921_pci_pm_complete()
- Remove mt792x_mutex_acquire/release around ieee80211_iterate_active_interfaces
- This was causing deadlock as the vif connect iteration tries
to acquire the mutex again
5. usb.c: mt7921_usb_pm_complete()
- Same fix as pci.c for USB driver path
These changes prevent both missing mutex protection and mutex deadlocks
in the mt7921 driver.
Fixes: 5c14a5f944b9 ("wifi: mt76: mt7921: introduce remain_on_channel support")
Signed-off-by: Zac Bowling <zac@zacbowling.com>
---
drivers/net/wireless/mediatek/mt76/mt7921/mac.c | 2 ++
drivers/net/wireless/mediatek/mt76/mt7921/main.c | 8 ++++++++
drivers/net/wireless/mediatek/mt76/mt7921/pci.c | 2 ++
drivers/net/wireless/mediatek/mt76/mt7921/sdio.c | 2 ++
4 files changed, 14 insertions(+)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/mac.c b/drivers/net/wireless/mediatek/mt76/mt7921/mac.c
index 03b4960db73f..f5c882e45bbe 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7921/mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7921/mac.c
@@ -693,9 +693,11 @@ void mt7921_mac_reset_work(struct work_struct *work)
clear_bit(MT76_RESET, &dev->mphy.state);
pm->suspended = false;
ieee80211_wake_queues(hw);
+ mt792x_mutex_acquire(dev);
ieee80211_iterate_active_interfaces(hw,
IEEE80211_IFACE_ITER_RESUME_ALL,
mt7921_vif_connect_iter, NULL);
+ mt792x_mutex_release(dev);
mt76_connac_power_save_sched(&dev->mt76.phy, pm);
}
diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/main.c b/drivers/net/wireless/mediatek/mt76/mt7921/main.c
index 5fae9a6e273c..9315dbdf8880 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7921/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7921/main.c
@@ -373,6 +373,11 @@ void mt7921_roc_abort_sync(struct mt792x_dev *dev)
timer_delete_sync(&phy->roc_timer);
cancel_work_sync(&phy->roc_work);
+ /* Note: caller must hold mutex if ieee80211_iterate_interfaces is
+ * needed for ROC cleanup. Some call sites (like mt7921_mac_sta_remove)
+ * already hold the mutex via mt76_sta_remove(). For suspend paths,
+ * the mutex should be acquired before calling this function.
+ */
if (test_and_clear_bit(MT76_STATE_ROC, &phy->mt76->state))
ieee80211_iterate_interfaces(mt76_hw(dev),
IEEE80211_IFACE_ITER_RESUME_ALL,
@@ -619,6 +624,7 @@ void mt7921_set_runtime_pm(struct mt792x_dev *dev)
bool monitor = !!(hw->conf.flags & IEEE80211_CONF_MONITOR);
pm->enable = pm->enable_user && !monitor;
+ /* Note: caller (debugfs) must hold mutex before calling this function */
ieee80211_iterate_active_interfaces(hw,
IEEE80211_IFACE_ITER_RESUME_ALL,
mt7921_pm_interface_iter, dev);
@@ -765,9 +771,11 @@ mt7921_regd_set_6ghz_power_type(struct ieee80211_vif *vif, bool is_add)
struct mt792x_dev *dev = phy->dev;
u32 valid_vif_num = 0;
+ mt792x_mutex_acquire(dev);
ieee80211_iterate_active_interfaces(mt76_hw(dev),
IEEE80211_IFACE_ITER_RESUME_ALL,
mt7921_calc_vif_num, &valid_vif_num);
+ mt792x_mutex_release(dev);
if (valid_vif_num > 1) {
phy->power_type = MT_AP_DEFAULT;
diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/pci.c b/drivers/net/wireless/mediatek/mt76/mt7921/pci.c
index ec9686183251..9f76b334b93d 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7921/pci.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7921/pci.c
@@ -426,7 +426,9 @@ static int mt7921_pci_suspend(struct device *device)
cancel_delayed_work_sync(&pm->ps_work);
cancel_work_sync(&pm->wake_work);
+ mt792x_mutex_acquire(dev);
mt7921_roc_abort_sync(dev);
+ mt792x_mutex_release(dev);
err = mt792x_mcu_drv_pmctrl(dev);
if (err < 0)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/sdio.c b/drivers/net/wireless/mediatek/mt76/mt7921/sdio.c
index 3421e53dc948..92ea2811816f 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7921/sdio.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7921/sdio.c
@@ -219,7 +219,9 @@ static int mt7921s_suspend(struct device *__dev)
cancel_delayed_work_sync(&pm->ps_work);
cancel_work_sync(&pm->wake_work);
+ mt792x_mutex_acquire(dev);
mt7921_roc_abort_sync(dev);
+ mt792x_mutex_release(dev);
err = mt792x_mcu_drv_pmctrl(dev);
if (err < 0)
--
2.52.0
next prev parent reply other threads:[~2026-01-20 6:29 UTC|newest]
Thread overview: 113+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-31 5:29 [PATCH] wifi: mt76: mt7925: fix NULL pointer dereference in vif iteration loops Zac Bowling
2025-12-31 22:37 ` [PATCH] wifi: mt76: mt7925: fix missing mutex protection in reset and ROC abort paths Zac Bowling
2026-01-01 0:22 ` [PATCH 2/3] wifi: mt76: mt7925: fix missing mutex protection in reset and ROC abort Zac Bowling
2026-01-01 0:23 ` [PATCH 3/3] wifi: mt76: mt7925: fix missing mutex protection in runtime PM and MLO PM Zac Bowling
2026-01-01 0:41 ` Zac Bowling
2026-01-01 6:25 ` [PATCH] wifi: mt76: mt7925: add NULL checks in MCU STA TLV functions Zac Bowling
2026-01-01 6:25 ` [PATCH] wifi: mt76: mt7925: add NULL checks for link_conf and mlink in main.c Zac Bowling
2026-01-01 6:25 ` [PATCH] wifi: mt76: mt7925: add NULL checks in MLO link and chanctx functions Zac Bowling
2026-01-01 6:25 ` [PATCH] wifi: mt76: mt7925: add error handling for AMPDU MCU commands Zac Bowling
2026-01-01 6:25 ` [PATCH] wifi: mt76: mt7925: add error handling for BSS info MCU command in sta_add Zac Bowling
2026-01-01 6:25 ` [PATCH] wifi: mt76: mt7925: add error handling for BSS info in key setup Zac Bowling
2026-01-01 6:25 ` [PATCH] wifi: mt76: mt7921: fix missing mutex protection in multiple paths Zac Bowling
2026-01-01 6:25 ` [PATCH] wifi: mt76: mt7925: add lockdep assertions for mutex verification Zac Bowling
2026-01-02 20:03 ` [PATCH v2 0/6] wifi: mt76: mt7925/mt792x: additional stability fixes Zac Bowling
2026-01-02 20:03 ` [PATCH] wifi: mt76: mt7925: fix key removal failure during MLO roaming Zac Bowling
2026-01-02 20:03 ` [PATCH] wifi: mt76: mt7925: fix kernel warning in MLO ROC setup when channel not configured Zac Bowling
2026-01-02 20:03 ` [PATCH] wifi: mt76: mt7925: add NULL checks for MLO link pointers in MCU functions Zac Bowling
2026-01-02 20:03 ` [PATCH] wifi: mt76: mt792x: fix firmware reload failure after previous load crash Zac Bowling
2026-01-03 6:46 ` Sean Wang
2026-01-03 18:42 ` Zac Bowling
2026-01-15 7:19 ` Zac Bowling
2026-01-02 20:03 ` [PATCH] wifi: mt76: mt7925: add mutex protection in resume path Zac Bowling
2026-01-02 20:03 ` [PATCH] wifi: mt76: mt7925: add NULL checks and error handling for MCU calls Zac Bowling
2026-01-02 20:05 ` [PATCH] wifi: mt76: mt7925: comprehensive stability fixes Zac Bowling
2026-01-03 6:25 ` Sean Wang
2026-01-03 19:11 ` Zac Bowling
2026-01-05 0:26 ` [PATCH v3 00/17] wifi: mt76: mt7925/mt792x: " Zac Bowling
2026-01-05 0:26 ` [PATCH 01/17] wifi: mt76: mt7925: fix NULL pointer dereference in vif iteration Zac Bowling
2026-01-05 0:26 ` [PATCH 02/17] wifi: mt76: mt7925: fix missing mutex protection in reset and ROC abort Zac Bowling
2026-01-05 0:26 ` [PATCH 03/17] wifi: mt76: mt7925: fix missing mutex protection in runtime PM and MLO PM Zac Bowling
2026-01-05 0:26 ` [PATCH 04/17] wifi: mt76: mt7925: add NULL checks in MCU STA TLV functions Zac Bowling
2026-01-05 0:26 ` [PATCH 05/17] wifi: mt76: mt7925: add NULL checks for link_conf and mlink in main.c Zac Bowling
2026-01-05 0:26 ` [PATCH 06/17] wifi: mt76: mt7925: add error handling for AMPDU MCU commands Zac Bowling
2026-01-05 0:26 ` [PATCH 07/17] wifi: mt76: mt7925: add error handling for BSS info MCU command in sta_add Zac Bowling
2026-01-05 0:26 ` [PATCH 08/17] wifi: mt76: mt7925: add error handling for BSS info in key setup Zac Bowling
2026-01-05 0:26 ` [PATCH 09/17] wifi: mt76: mt7925: add NULL checks in MLO link and chanctx functions Zac Bowling
2026-01-05 0:26 ` [PATCH 10/17] wifi: mt76: mt792x: fix NULL pointer dereference in TX path Zac Bowling
2026-01-05 0:26 ` [PATCH 11/17] wifi: mt76: mt7925: add lockdep assertions for mutex verification Zac Bowling
2026-01-05 0:26 ` [PATCH 12/17] wifi: mt76: mt7925: fix key removal failure during MLO roaming Zac Bowling
2026-01-05 0:26 ` [PATCH 13/17] wifi: mt76: mt7925: fix kernel warning in MLO ROC setup Zac Bowling
2026-01-05 0:26 ` [PATCH 14/17] wifi: mt76: mt7925: add NULL checks for MLO link pointers in MCU functions Zac Bowling
2026-01-05 0:26 ` [PATCH 15/17] wifi: mt76: mt792x: fix firmware reload failure after previous load crash Zac Bowling
2026-01-05 0:26 ` [PATCH 16/17] wifi: mt76: mt7925: add mutex protection in resume path Zac Bowling
2026-01-05 0:26 ` [PATCH 17/17] wifi: mt76: mt7925: add NULL checks in link station and TX queue setup Zac Bowling
2026-01-11 3:13 ` Zac Bowling
2026-01-11 3:36 ` Zac Bowling
2026-01-16 0:15 ` [PATCH v3 00/17] wifi: mt76: mt7925/mt792x: comprehensive stability fixes Sean Wang
2026-01-16 0:43 ` Zac Bowling
2026-01-16 1:04 ` [PATCH v4 00/21] wifi: mt76: mt7925/mt7921: stability and MLO fixes Zac
2026-01-16 1:04 ` [PATCH v4 01/21] wifi: mt76: mt7925: fix NULL pointer dereference in vif iteration Zac
2026-01-16 1:05 ` [PATCH v4 02/21] wifi: mt76: mt7925: fix missing mutex protection in reset and ROC abort Zac
2026-01-16 1:05 ` [PATCH v4 03/21] wifi: mt76: mt7925: fix missing mutex protection in runtime PM and MLO PM Zac
2026-01-16 1:05 ` [PATCH v4 04/21] wifi: mt76: mt7925: add NULL checks in MCU STA TLV functions Zac
2026-01-16 1:05 ` [PATCH v4 05/21] wifi: mt76: mt7925: add NULL checks for link_conf and mlink in main.c Zac
2026-01-16 1:05 ` [PATCH v4 06/21] wifi: mt76: mt7925: add error handling for AMPDU MCU commands Zac
2026-01-16 1:05 ` [PATCH v4 07/21] wifi: mt76: mt7925: add error handling for BSS info MCU command in sta_add Zac
2026-01-16 1:05 ` [PATCH v4 08/21] wifi: mt76: mt7925: add error handling for BSS info in key setup Zac
2026-01-16 1:05 ` [PATCH v4 09/21] wifi: mt76: mt7925: add NULL checks in MLO link and chanctx functions Zac
2026-01-16 1:05 ` [PATCH v4 10/21] wifi: mt76: mt792x: fix NULL pointer dereference in TX path Zac
2026-01-16 1:05 ` [PATCH v4 11/21] wifi: mt76: mt7925: add lockdep assertions for mutex verification Zac
2026-01-16 1:05 ` [PATCH v4 12/21] wifi: mt76: mt7925: fix key removal failure during MLO roaming Zac
2026-01-16 1:05 ` [PATCH v4 13/21] wifi: mt76: mt7925: fix kernel warning in MLO ROC setup Zac
2026-01-16 1:05 ` [PATCH v4 14/21] wifi: mt76: mt7925: add NULL checks for MLO link pointers in MCU functions Zac
2026-01-16 1:05 ` [PATCH v4 15/21] wifi: mt76: mt792x: fix firmware reload failure after previous load crash Zac
2026-01-16 1:05 ` [PATCH v4 16/21] wifi: mt76: mt7925: add mutex protection in resume path Zac
2026-01-16 1:05 ` [PATCH v4 17/21] wifi: mt76: mt7925: add NULL checks in link station and TX queue setup Zac
2026-01-16 1:05 ` [PATCH v4 18/21] wifi: mt76: mt7921: fix missing mutex protection in multiple paths Zac
2026-01-16 1:05 ` [PATCH v4 19/21] wifi: mt76: mt7921: fix mutex deadlocks " Zac
2026-01-16 1:05 ` [PATCH v4 20/21] wifi: mt76: fix list corruption in mt76_wcid_cleanup Zac
2026-01-16 1:05 ` [PATCH v4 21/21] wifi: mt76: mt7925: fix BA session teardown during beacon loss Zac
2026-01-20 6:28 ` [PATCH v5 00/11] wifi: mt76: mt7925/mt7921 stability fixes Zac
2026-01-20 6:28 ` [PATCH 01/11] wifi: mt76: fix list corruption in mt76_wcid_cleanup Zac
2026-01-20 6:28 ` [PATCH 02/11] wifi: mt76: mt792x: fix NULL pointer and firmware reload issues Zac
2026-01-20 7:04 ` Greg KH
2026-01-20 6:28 ` Zac [this message]
2026-01-20 6:28 ` [PATCH 04/11] wifi: mt76: mt7921: fix deadlock in sta removal and suspend ROC abort Zac
2026-01-20 6:28 ` [PATCH 05/11] wifi: mt76: mt7925: add comprehensive NULL pointer protection for MLO Zac
2026-01-20 6:28 ` [PATCH 06/11] wifi: mt76: mt7925: add mutex protection in critical paths Zac
2026-01-20 6:28 ` [PATCH 07/11] wifi: mt76: mt7925: add MCU command error handling Zac
2026-01-20 6:28 ` [PATCH 08/11] wifi: mt76: mt7925: add lockdep assertions for mutex verification Zac
2026-01-20 6:28 ` [PATCH 09/11] wifi: mt76: mt7925: fix MLO roaming and ROC setup issues Zac
2026-01-20 6:28 ` [PATCH 10/11] wifi: mt76: mt7925: fix BA session teardown during beacon loss Zac
2026-01-20 6:28 ` [PATCH 11/11] wifi: mt76: mt7925: fix ROC deadlocks and race conditions Zac
2026-01-20 8:25 ` Sean Wang
2026-01-20 17:59 ` Zac Bowling
2026-01-20 20:10 ` [PATCH v6 00/13] wifi: mt76: stability fixes for deadlocks, NULL derefs, " Zac
2026-01-20 20:10 ` [PATCH 01/13] wifi: mt76: mt7925: fix potential deadlock in mt7925_roc_abort_sync Zac
2026-01-20 20:10 ` [PATCH 02/13] wifi: mt76: fix list corruption in mt76_wcid_cleanup Zac
2026-01-20 20:10 ` [PATCH 03/13] wifi: mt76: mt792x: fix NULL pointer and firmware reload issues Zac
2026-01-20 20:10 ` [PATCH 04/13] wifi: mt76: mt7921: add mutex protection in critical paths Zac
2026-01-27 10:59 ` Felix Fietkau
2026-01-29 6:19 ` Zac Bowling
2026-01-20 20:10 ` [PATCH 05/13] wifi: mt76: mt7921: fix deadlock in sta removal and suspend ROC abort Zac
2026-01-20 20:10 ` [PATCH 06/13] wifi: mt76: mt7925: add comprehensive NULL pointer protection for MLO Zac
2026-01-20 20:10 ` [PATCH 08/13] wifi: mt76: mt7925: add MCU command error handling Zac
2026-01-20 20:10 ` [PATCH 09/13] wifi: mt76: mt7925: add lockdep assertions for mutex verification Zac
2026-01-20 20:10 ` [PATCH 10/13] wifi: mt76: mt7925: fix MLO roaming and ROC setup issues Zac
2026-01-20 20:10 ` [PATCH 11/13] wifi: mt76: mt7925: fix BA session teardown during beacon loss Zac
2026-01-20 20:10 ` [PATCH 12/13] wifi: mt76: mt7925: fix ROC deadlocks and race conditions Zac
2026-01-27 11:06 ` Felix Fietkau
2026-01-20 20:10 ` [PATCH 13/13] wifi: mt76: mt7925: fix double wcid initialization race condition Zac
2026-01-27 10:58 ` [PATCH v6 00/13] wifi: mt76: stability fixes for deadlocks, NULL derefs, and race conditions Felix Fietkau
2026-01-29 8:18 ` [PATCH v7 0/6] wifi: mt76: mt7925: MLO stability fixes Zac
2026-01-29 8:18 ` [PATCH v7 1/6] wifi: mt76: mt7925: fix double wcid initialization race condition Zac
2026-01-29 8:18 ` [PATCH v7 2/6] wifi: mt76: mt7925: add NULL pointer protection for MLO state transitions Zac
2026-01-29 8:18 ` [PATCH v7 3/6] wifi: mt76: mt7925: add mutex protection in critical paths Zac
2026-01-29 8:18 ` [PATCH v7 4/6] wifi: mt76: mt7925: add MCU command error handling in ampdu_action Zac
2026-01-29 8:18 ` [PATCH v7 5/6] wifi: mt76: mt7925: add lockdep assertions for mutex verification Zac
2026-01-29 8:18 ` [PATCH v7 6/6] wifi: mt76: mt7925: fix MLO ROC setup error handling Zac
2026-01-29 8:46 ` [PATCH 2/6] wifi: mt76: mt7925: add NULL pointer protection for MLO state transitions Zac
2026-01-29 9:05 ` [v7 PATCH 7/7] wifi: mt76: mt7925: add error logging for MLO ROC setup in set_links Zac
2026-01-20 11:42 ` [PATCH 11/11] wifi: mt76: mt7925: fix ROC deadlocks and race conditions kernel test robot
2026-01-20 13:26 ` kernel test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260120062854.126501-4-zac@zacbowling.com \
--to=zac@zacbowling.com \
--cc=deren.wu@mediatek.com \
--cc=kvalo@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mediatek@lists.infradead.org \
--cc=linux-wireless@vger.kernel.org \
--cc=linux@frame.work \
--cc=lorenzo@kernel.org \
--cc=nbd@nbd.name \
--cc=ryder.lee@mediatek.com \
--cc=sean.wang@kernel.org \
--cc=sean.wang@mediatek.com \
--cc=stable@vger.kernel.org \
--cc=zbowling@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox