[PATCH ath-current] wifi: ath12k: prepare REO update element only for primary link

[PATCH ath-current] wifi: ath12k: prepare REO update element only for primary link

[Baochen Qiang]

Commit [1] introduces dp->reo_cmd_update_rx_queue_list for the purpose
of tracking all pending REO queue flush commands. The helper
ath12k_dp_prepare_reo_update_elem() allocates an element and populates
it with REO queue information, then add it to the list. The element would
be helpful during clean up stage to finally unmap/free the corresponding
REO queue buffer.

In MLO scenarios with more than one links, for non dp_primary_link_only
chips like WCN7850, that helper is called for each link peer. This
results in multiple elements added to the list but all of them pointing
to the same REO queue buffer. Consequently the same buffer gets
unmap/freed multiple times:

BUG kmalloc-2k (Tainted: G    B   W  O       ): Object already free
-----------------------------------------------------------------------------
Allocated in ath12k_wifi7_dp_rx_assign_reoq+0xce/0x280 [ath12k_wifi7] age=7436 cpu=10 pid=16130
 __kmalloc_noprof
 ath12k_wifi7_dp_rx_assign_reoq
 ath12k_dp_rx_peer_tid_setup
 ath12k_dp_peer_setup
 ath12k_mac_station_add
 ath12k_mac_op_sta_state
 [...]
Freed in ath12k_dp_rx_tid_cleanup.part.0+0x25/0x40 [ath12k] age=1 cpu=27 pid=16137
 kfree
 ath12k_dp_rx_tid_cleanup.part.0
 ath12k_dp_rx_reo_cmd_list_cleanup
 ath12k_dp_cmn_device_deinit
 ath12k_core_stop
 ath12k_core_hw_group_cleanup
 ath12k_pci_remove

Fix this by allowing list addition for primary link only. Note
dp_primary_link_only chips like QCN9274 are not affected by this change,
because that's what they were doing in the first place.

Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00302-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.115823.3

Fixes: 3bf2e57e7d6c ("wifi: ath12k: Add Retry Mechanism for REO RX Queue Update Failures") # [1]
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221011
Signed-off-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
---
 drivers/net/wireless/ath/ath12k/dp_rx.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/net/wireless/ath/ath12k/dp_rx.c b/drivers/net/wireless/ath/ath12k/dp_rx.c
index a32ee9f8061a..6995de7761df 100644
--- a/drivers/net/wireless/ath/ath12k/dp_rx.c
+++ b/drivers/net/wireless/ath/ath12k/dp_rx.c
@@ -565,6 +565,9 @@ static int ath12k_dp_prepare_reo_update_elem(struct ath12k_dp *dp,
 
 	lockdep_assert_held(&dp->dp_lock);
 
+	if (!peer->primary_link)
+		return 0;
+
 	elem = kzalloc(sizeof(*elem), GFP_ATOMIC);
 	if (!elem)
 		return -ENOMEM;

---
base-commit: d9a2be2d72d4f9035f0334e0ff49180fe9df6e52
change-id: 20260128-ath12k-rxtid-double-free-289100bb5163

Best regards,
-- 
Baochen Qiang <baochen.qiang@oss.qualcomm.com>

Re: [PATCH ath-current] wifi: ath12k: prepare REO update element only for primary link

[Vasanthakumar Thiagarajan]

On 2/10/2026 8:37 AM, Baochen Qiang wrote:
> Commit [1] introduces dp->reo_cmd_update_rx_queue_list for the purpose
> of tracking all pending REO queue flush commands. The helper
> ath12k_dp_prepare_reo_update_elem() allocates an element and populates
> it with REO queue information, then add it to the list. The element would
> be helpful during clean up stage to finally unmap/free the corresponding
> REO queue buffer.
> 
> In MLO scenarios with more than one links, for non dp_primary_link_only
> chips like WCN7850, that helper is called for each link peer. This
> results in multiple elements added to the list but all of them pointing
> to the same REO queue buffer. Consequently the same buffer gets
> unmap/freed multiple times:
> 
> BUG kmalloc-2k (Tainted: G    B   W  O       ): Object already free
> -----------------------------------------------------------------------------
> Allocated in ath12k_wifi7_dp_rx_assign_reoq+0xce/0x280 [ath12k_wifi7] age=7436 cpu=10 pid=16130
>   __kmalloc_noprof
>   ath12k_wifi7_dp_rx_assign_reoq
>   ath12k_dp_rx_peer_tid_setup
>   ath12k_dp_peer_setup
>   ath12k_mac_station_add
>   ath12k_mac_op_sta_state
>   [...]
> Freed in ath12k_dp_rx_tid_cleanup.part.0+0x25/0x40 [ath12k] age=1 cpu=27 pid=16137
>   kfree
>   ath12k_dp_rx_tid_cleanup.part.0
>   ath12k_dp_rx_reo_cmd_list_cleanup
>   ath12k_dp_cmn_device_deinit
>   ath12k_core_stop
>   ath12k_core_hw_group_cleanup
>   ath12k_pci_remove
> 
> Fix this by allowing list addition for primary link only. Note
> dp_primary_link_only chips like QCN9274 are not affected by this change,
> because that's what they were doing in the first place.
> 
> Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00302-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.115823.3
> 
> Fixes: 3bf2e57e7d6c ("wifi: ath12k: Add Retry Mechanism for REO RX Queue Update Failures") # [1]
> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221011
> Signed-off-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>

Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com>

Re: [PATCH ath-current] wifi: ath12k: prepare REO update element only for primary link

[Jeff Johnson]

On 3/18/2026 8:46 PM, Vasanthakumar Thiagarajan wrote:
> 
> 
> On 2/10/2026 8:37 AM, Baochen Qiang wrote:
>> Commit [1] introduces dp->reo_cmd_update_rx_queue_list for the purpose
>> of tracking all pending REO queue flush commands. The helper
>> ath12k_dp_prepare_reo_update_elem() allocates an element and populates
>> it with REO queue information, then add it to the list. The element would
>> be helpful during clean up stage to finally unmap/free the corresponding
>> REO queue buffer.
>>
>> In MLO scenarios with more than one links, for non dp_primary_link_only
>> chips like WCN7850, that helper is called for each link peer. This
>> results in multiple elements added to the list but all of them pointing
>> to the same REO queue buffer. Consequently the same buffer gets
>> unmap/freed multiple times:
>>
>> BUG kmalloc-2k (Tainted: G    B   W  O       ): Object already free
>> -----------------------------------------------------------------------------
>> Allocated in ath12k_wifi7_dp_rx_assign_reoq+0xce/0x280 [ath12k_wifi7] age=7436 cpu=10 pid=16130
>>   __kmalloc_noprof
>>   ath12k_wifi7_dp_rx_assign_reoq
>>   ath12k_dp_rx_peer_tid_setup
>>   ath12k_dp_peer_setup
>>   ath12k_mac_station_add
>>   ath12k_mac_op_sta_state
>>   [...]
>> Freed in ath12k_dp_rx_tid_cleanup.part.0+0x25/0x40 [ath12k] age=1 cpu=27 pid=16137
>>   kfree
>>   ath12k_dp_rx_tid_cleanup.part.0
>>   ath12k_dp_rx_reo_cmd_list_cleanup
>>   ath12k_dp_cmn_device_deinit
>>   ath12k_core_stop
>>   ath12k_core_hw_group_cleanup
>>   ath12k_pci_remove
>>
>> Fix this by allowing list addition for primary link only. Note
>> dp_primary_link_only chips like QCN9274 are not affected by this change,
>> because that's what they were doing in the first place.
>>
>> Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00302-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.115823.3
>>
>> Fixes: 3bf2e57e7d6c ("wifi: ath12k: Add Retry Mechanism for REO RX Queue Update Failures") # [1]
>> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221011
>> Signed-off-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
> 
> Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com>

Was there supposed to be a tag in front of that?

Re: [PATCH ath-current] wifi: ath12k: prepare REO update element only for primary link

[Vasanthakumar Thiagarajan]

On 3/19/2026 7:44 PM, Jeff Johnson wrote:
> On 3/18/2026 8:46 PM, Vasanthakumar Thiagarajan wrote:
>>
>>
>> On 2/10/2026 8:37 AM, Baochen Qiang wrote:
>>> Commit [1] introduces dp->reo_cmd_update_rx_queue_list for the purpose
>>> of tracking all pending REO queue flush commands. The helper
>>> ath12k_dp_prepare_reo_update_elem() allocates an element and populates
>>> it with REO queue information, then add it to the list. The element would
>>> be helpful during clean up stage to finally unmap/free the corresponding
>>> REO queue buffer.
>>>
>>> In MLO scenarios with more than one links, for non dp_primary_link_only
>>> chips like WCN7850, that helper is called for each link peer. This
>>> results in multiple elements added to the list but all of them pointing
>>> to the same REO queue buffer. Consequently the same buffer gets
>>> unmap/freed multiple times:
>>>
>>> BUG kmalloc-2k (Tainted: G    B   W  O       ): Object already free
>>> -----------------------------------------------------------------------------
>>> Allocated in ath12k_wifi7_dp_rx_assign_reoq+0xce/0x280 [ath12k_wifi7] age=7436 cpu=10 pid=16130
>>>    __kmalloc_noprof
>>>    ath12k_wifi7_dp_rx_assign_reoq
>>>    ath12k_dp_rx_peer_tid_setup
>>>    ath12k_dp_peer_setup
>>>    ath12k_mac_station_add
>>>    ath12k_mac_op_sta_state
>>>    [...]
>>> Freed in ath12k_dp_rx_tid_cleanup.part.0+0x25/0x40 [ath12k] age=1 cpu=27 pid=16137
>>>    kfree
>>>    ath12k_dp_rx_tid_cleanup.part.0
>>>    ath12k_dp_rx_reo_cmd_list_cleanup
>>>    ath12k_dp_cmn_device_deinit
>>>    ath12k_core_stop
>>>    ath12k_core_hw_group_cleanup
>>>    ath12k_pci_remove
>>>
>>> Fix this by allowing list addition for primary link only. Note
>>> dp_primary_link_only chips like QCN9274 are not affected by this change,
>>> because that's what they were doing in the first place.
>>>
>>> Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00302-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.115823.3
>>>
>>> Fixes: 3bf2e57e7d6c ("wifi: ath12k: Add Retry Mechanism for REO RX Queue Update Failures") # [1]
>>> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221011
>>> Signed-off-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
>>
>> Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com>
> 
> Was there supposed to be a tag in front of that?
> 

Oops, sorry!

Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com>