> mt76_remain_on_channel() and mt76_roc_complete() call mt76_set_channel()
> while already holding dev->mutex. Since mt76_set_channel() also acquires
> dev->mutex, this results in a deadlock.
>
> Use __mt76_set_channel() instead of mt76_set_channel().
> Add cancel_delayed_work_sync() for mac_work before acquiring the mutex
> in mt76_remain_on_channel() to prevent a secondary deadlock with the
> mac_work workqueue.

I think we need a Fixes tag here.

Regards, Lorenzo

>
> Signed-off-by: Chad Monroe
> ---
> drivers/net/wireless/mediatek/mt76/channel.c | 13 +++++++++++--
> 1 file changed, 11 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/wireless/mediatek/mt76/channel.c b/drivers/net/wireless/mediatek/mt76/channel.c
> index 2b705bdb7993..d9f8529db7ed 100644
> --- a/drivers/net/wireless/mediatek/mt76/channel.c
> +++ b/drivers/net/wireless/mediatek/mt76/channel.c
> @@ -326,7 +326,7 @@ void mt76_roc_complete(struct mt76_phy *phy)
> mlink->mvif->roc_phy = NULL;
> if (phy->main_chandef.chan &&
> !test_bit(MT76_MCU_RESET, &dev->phy.state))
> - mt76_set_channel(phy, &phy->main_chandef, false);
> + __mt76_set_channel(phy, &phy->main_chandef, false);
> mt76_put_vif_phy_link(phy, phy->roc_vif, phy->roc_link);
> phy->roc_vif = NULL;
> phy->roc_link = NULL;
> @@ -370,6 +370,8 @@ int mt76_remain_on_channel(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
> if (!phy)
> return -EINVAL;
>
> + cancel_delayed_work_sync(&phy->mac_work);
> +
> mutex_lock(&dev->mutex);
>
> if (phy->roc_vif || dev->scan.phy == phy ||
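Review bot: The return value of `__mt76_set_channel(phy, &phy->main_chandef, false)` is dropped in mt76_roc_complete while the new code in mt76_remain_on_channel checks the same call, so a failed restore leaves the radio on the off-channel frequency with `roc_vif`/`roc_link` already cleared and nothing reported. The function is void and cannot propagate the error, but the asymmetry should be deliberate and visible, e.g. `/* best effort: completion cannot fail; log if the restore to main_chandef is rejected */` together with a driver-level warning on a non-zero return. The switch to the unlocked variant now depends on the caller already holding `dev->mutex` (stated in the description, not visible in the hunk); a `lockdep_assert_held(&dev->mutex);` at the top of mt76_roc_complete would make that precondition checked rather than assumed. mt76_roc_complete's body starts and ends outside the hunk.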
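Review bot: The added `cancel_delayed_work_sync(&phy->mac_work);` has no comment explaining why it must precede `mutex_lock(&dev->mutex)`, and the ordering is the whole point of the line: `/* mac_work takes dev->mutex; cancel it before locking so the channel switch below cannot block on it */`. Once cancelled, mac_work stays off until something re-queues it, so the early-return path starting at `if (phy->roc_vif || dev->scan.phy == phy || ...` (cut off at the hunk's edge) and any later failure in this function need to re-arm it, or periodic MAC maintenance silently stops for this phy; whether the existing exit path does this is not visible here and should be confirmed. The gap between the cancel and the lock is also unprotected: if another path queues mac_work in that window, the wait the patch is trying to avoid can presumably recur under the mutex. The function continues past the hunk.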
> @@ -388,7 +390,14 @@ int mt76_remain_on_channel(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
> phy->roc_vif = vif;
> phy->roc_link = mlink;
> cfg80211_chandef_create(&chandef, chan, NL80211_CHAN_HT20);
> - mt76_set_channel(phy, &chandef, true);
> + ret = __mt76_set_channel(phy, &chandef, true);
> + if (ret) {
> + mlink->mvif->roc_phy = NULL;
> + phy->roc_vif = NULL;
> + phy->roc_link = NULL;
> + mt76_put_vif_phy_link(phy, vif, mlink);
> + goto out;
> + }
> ieee80211_ready_on_channel(hw);
> ieee80211_queue_delayed_work(phy->hw, &phy->roc_work,
> msecs_to_jiffies(duration));
> --
> 2.47.3
>
>
>
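Review bot: The unwind on `__mt76_set_channel()` failure duplicates the teardown mt76_roc_complete performs (clear `roc_phy`, `roc_vif`, `roc_link`, then `mt76_put_vif_phy_link()`) in a different statement order and without restoring the channel, so the two paths can drift apart; a small `static` helper that both call would keep them aligned and give the order a single definition. This path also returns with `phy->mac_work` still cancelled by the earlier hunk and nothing here re-arms it, so a transient channel-switch failure would leave the periodic MAC work disabled unless `out:` does so — that label and the declaration of `ret` are outside the hunk, and this review assumes `out:` unlocks `dev->mutex` and returns `ret`. A one-line comment on the error branch, `/* undo the ROC bookkeeping above; mac_work is re-armed at out: */` (or whatever the real exit does), would document that contract for the next reader.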