From: Lorenzo Bianconi <lorenzo@kernel.org>
To: Chad Monroe <chad@monroe.io>
Cc: Felix Fietkau <nbd@nbd.name>,
Johannes Berg <johannes.berg@intel.com>,
Lorenzo Bianconi <lorenzo.bianconi@redhat.com>,
Shayne Chen <shayne.chen@mediatek.com>,
Evelyn Tsai <evelyn.tsai@mediatek.com>,
Ryder Lee <ryder.lee@mediatek.com>,
linux-wireless@vger.kernel.org,
linux-mediatek@lists.infradead.org
Subject: Re: [PATCH] wifi: mt76: fix deadlock in remain-on-channel
Date: Mon, 8 Dec 2025 15:19:35 +0100
Message-ID: <aTbed-BC8vEmwpzD@lore-desk>
In-Reply-To: <3fceebb12dcb672cfae11f993a373b457a35e228.1765198130.git.chad@monroe.io>
> mt76_remain_on_channel() and mt76_roc_complete() call mt76_set_channel()
> while already holding dev->mutex. Since mt76_set_channel() also acquires
> dev->mutex, this results in a deadlock.
>
> Use __mt76_set_channel() instead of mt76_set_channel().
> Add cancel_delayed_work_sync() for mac_work before acquiring the mutex
> in mt76_remain_on_channel() to prevent a secondary deadlock with the
> mac_work workqueue.

I think we need a Fixes tag here.

Regards,
Lorenzo

>
> Signed-off-by: Chad Monroe <chad@monroe.io>
> ---
> drivers/net/wireless/mediatek/mt76/channel.c | 13 +++++++++++--
> 1 file changed, 11 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/wireless/mediatek/mt76/channel.c b/drivers/net/wireless/mediatek/mt76/channel.c
> index 2b705bdb7993..d9f8529db7ed 100644
> --- a/drivers/net/wireless/mediatek/mt76/channel.c
> +++ b/drivers/net/wireless/mediatek/mt76/channel.c
> @@ -326,7 +326,7 @@ void mt76_roc_complete(struct mt76_phy *phy)
> mlink->mvif->roc_phy = NULL;
> if (phy->main_chandef.chan &&
> !test_bit(MT76_MCU_RESET, &dev->phy.state))
> - mt76_set_channel(phy, &phy->main_chandef, false);
> + __mt76_set_channel(phy, &phy->main_chandef, false);
> mt76_put_vif_phy_link(phy, phy->roc_vif, phy->roc_link);
> phy->roc_vif = NULL;
> phy->roc_link = NULL;
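
Review bot: the result of `__mt76_set_channel(phy, &phy->main_chandef, false)` is dropped in mt76_roc_complete(), while the same call in mt76_remain_on_channel() now has its return value checked. If restoring the main channel can fail, log it here so a phy left off its operating channel is visible. Because this function now depends on the caller holding dev->mutex, a `lockdep_assert_held(&dev->mutex)` at its top would document and enforce that.
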
> @@ -370,6 +370,8 @@ int mt76_remain_on_channel(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
> if (!phy)
> return -EINVAL;
>
> + cancel_delayed_work_sync(&phy->mac_work);
> +
> mutex_lock(&dev->mutex);
>
> if (phy->roc_vif || dev->scan.phy == phy ||
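
Review bot: `cancel_delayed_work_sync(&phy->mac_work)` runs before the busy check at `if (phy->roc_vif || dev->scan.phy == phy ||`, so a request rejected there has already stopped mac_work and nothing in the visible lines queues it again. Please confirm the work is re-armed on that early-exit path. A one-line comment saying why the cancel has to precede `mutex_lock(&dev->mutex)` (the secondary deadlock named in the commit message) would keep a later cleanup from moving it under the lock.
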
> @@ -388,7 +390,14 @@ int mt76_remain_on_channel(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
> phy->roc_vif = vif;
> phy->roc_link = mlink;
> cfg80211_chandef_create(&chandef, chan, NL80211_CHAN_HT20);
> - mt76_set_channel(phy, &chandef, true);
> + ret = __mt76_set_channel(phy, &chandef, true);
> + if (ret) {
> + mlink->mvif->roc_phy = NULL;
> + phy->roc_vif = NULL;
> + phy->roc_link = NULL;
> + mt76_put_vif_phy_link(phy, vif, mlink);
> + goto out;
> + }
> ieee80211_ready_on_channel(hw);
> ieee80211_queue_delayed_work(phy->hw, &phy->roc_work,
> msecs_to_jiffies(duration));
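
Review bot: the new `if (ret) { ... goto out; }` branch after `ret = __mt76_set_channel(phy, &chandef, true);` is a behaviour change the commit message does not mention; it only describes the two deadlock fixes. Either describe the error handling in the changelog or split it into its own patch. The unwind also repeats the teardown in mt76_roc_complete() (clearing roc_phy, roc_vif, roc_link and calling mt76_put_vif_phy_link()), so a small shared helper would keep the two paths from drifting apart.
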
> --
> 2.47.3
>
>
>