* [PATCH] wifi: mt76: fix deadlock in remain-on-channel
From: Chad Monroe @ 2025-12-08 12:49 UTC (permalink / raw)
To: Felix Fietkau, Johannes Berg
Cc: Lorenzo Bianconi, Shayne Chen, Evelyn Tsai, Ryder Lee,
linux-wireless, linux-mediatek, Chad Monroe
mt76_remain_on_channel() and mt76_roc_complete() call mt76_set_channel()
while already holding dev->mutex. Since mt76_set_channel() also acquires
dev->mutex, this results in a deadlock.
Use __mt76_set_channel() instead of mt76_set_channel().
Add cancel_delayed_work_sync() for mac_work before acquiring the mutex
in mt76_remain_on_channel() to prevent a secondary deadlock with the
mac_work workqueue.
Signed-off-by: Chad Monroe <chad@monroe.io>
---
drivers/net/wireless/mediatek/mt76/channel.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/mediatek/mt76/channel.c b/drivers/net/wireless/mediatek/mt76/channel.c
index 2b705bdb7993..d9f8529db7ed 100644
--- a/drivers/net/wireless/mediatek/mt76/channel.c
+++ b/drivers/net/wireless/mediatek/mt76/channel.c
@@ -326,7 +326,7 @@ void mt76_roc_complete(struct mt76_phy *phy)
mlink->mvif->roc_phy = NULL;
if (phy->main_chandef.chan &&
!test_bit(MT76_MCU_RESET, &dev->phy.state))
- mt76_set_channel(phy, &phy->main_chandef, false);
+ __mt76_set_channel(phy, &phy->main_chandef, false);
mt76_put_vif_phy_link(phy, phy->roc_vif, phy->roc_link);
phy->roc_vif = NULL;
phy->roc_link = NULL;
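Review bot: the return value of __mt76_set_channel() is dropped in mt76_roc_complete() when switching back to phy->main_chandef, while the same call in mt76_remain_on_channel() is now checked through ret. If the switch back fails, the ROC state is still torn down and nothing records the failure; consider at least logging it. Since this function now depends on the caller holding dev->mutex, a lockdep_assert_held(&dev->mutex) at the top would document and enforce that.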
@@ -370,6 +370,8 @@ int mt76_remain_on_channel(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
if (!phy)
return -EINVAL;
+ cancel_delayed_work_sync(&phy->mac_work);
+
mutex_lock(&dev->mutex);
if (phy->roc_vif || dev->scan.phy == phy ||
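Review bot: cancel_delayed_work_sync(&phy->mac_work) runs before the busy check that follows mutex_lock(), and none of the visible lines queue mac_work again. Please confirm where it is re-armed when the function returns early on the phy->roc_vif / dev->scan.phy check and on the new __mt76_set_channel() failure path; otherwise mac_work stays stopped after a rejected request. The commit message should also name the lock that mac_work contends on, because the cancel happens outside dev->mutex and nothing in this hunk stops the work from being queued again before mutex_lock() is reached.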
@@ -388,7 +390,14 @@ int mt76_remain_on_channel(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
phy->roc_vif = vif;
phy->roc_link = mlink;
cfg80211_chandef_create(&chandef, chan, NL80211_CHAN_HT20);
- mt76_set_channel(phy, &chandef, true);
+ ret = __mt76_set_channel(phy, &chandef, true);
+ if (ret) {
+ mlink->mvif->roc_phy = NULL;
+ phy->roc_vif = NULL;
+ phy->roc_link = NULL;
+ mt76_put_vif_phy_link(phy, vif, mlink);
+ goto out;
+ }
ieee80211_ready_on_channel(hw);
ieee80211_queue_delayed_work(phy->hw, &phy->roc_work,
msecs_to_jiffies(duration));
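Review bot: the new if (ret) branch after __mt76_set_channel() is a behaviour change that the commit message does not mention; it only describes the locking fix. Either describe it in the changelog or split it into its own patch so the deadlock fix can be reviewed and backported alone. The teardown here (roc_phy, roc_vif and roc_link cleared, then mt76_put_vif_phy_link()) repeats what mt76_roc_complete() does in the first hunk, so a shared helper would keep the two paths from drifting apart.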
--
2.47.3
* Re: [PATCH] wifi: mt76: fix deadlock in remain-on-channel
From: Lorenzo Bianconi @ 2025-12-08 14:19 UTC (permalink / raw)
To: Chad Monroe
Cc: Felix Fietkau, Johannes Berg, Lorenzo Bianconi, Shayne Chen,
Evelyn Tsai, Ryder Lee, linux-wireless, linux-mediatek
> mt76_remain_on_channel() and mt76_roc_complete() call mt76_set_channel()
> while already holding dev->mutex. Since mt76_set_channel() also acquires
> dev->mutex, this results in a deadlock.
>
> Use __mt76_set_channel() instead of mt76_set_channel().
> Add cancel_delayed_work_sync() for mac_work before acquiring the mutex
> in mt76_remain_on_channel() to prevent a secondary deadlock with the
> mac_work workqueue.
I think we need a Fixes tag here.
Regards,
Lorenzo
>
> Signed-off-by: Chad Monroe <chad@monroe.io>
> ---
> drivers/net/wireless/mediatek/mt76/channel.c | 13 +++++++++++--
> 1 file changed, 11 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/wireless/mediatek/mt76/channel.c b/drivers/net/wireless/mediatek/mt76/channel.c
> index 2b705bdb7993..d9f8529db7ed 100644
> --- a/drivers/net/wireless/mediatek/mt76/channel.c
> +++ b/drivers/net/wireless/mediatek/mt76/channel.c
> @@ -326,7 +326,7 @@ void mt76_roc_complete(struct mt76_phy *phy)
> mlink->mvif->roc_phy = NULL;
> if (phy->main_chandef.chan &&
> !test_bit(MT76_MCU_RESET, &dev->phy.state))
> - mt76_set_channel(phy, &phy->main_chandef, false);
> + __mt76_set_channel(phy, &phy->main_chandef, false);
> mt76_put_vif_phy_link(phy, phy->roc_vif, phy->roc_link);
> phy->roc_vif = NULL;
> phy->roc_link = NULL;
> @@ -370,6 +370,8 @@ int mt76_remain_on_channel(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
> if (!phy)
> return -EINVAL;
>
> + cancel_delayed_work_sync(&phy->mac_work);
> +
> mutex_lock(&dev->mutex);
>
> if (phy->roc_vif || dev->scan.phy == phy ||
> @@ -388,7 +390,14 @@ int mt76_remain_on_channel(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
> phy->roc_vif = vif;
> phy->roc_link = mlink;
> cfg80211_chandef_create(&chandef, chan, NL80211_CHAN_HT20);
> - mt76_set_channel(phy, &chandef, true);
> + ret = __mt76_set_channel(phy, &chandef, true);
> + if (ret) {
> + mlink->mvif->roc_phy = NULL;
> + phy->roc_vif = NULL;
> + phy->roc_link = NULL;
> + mt76_put_vif_phy_link(phy, vif, mlink);
> + goto out;
> + }
> ieee80211_ready_on_channel(hw);
> ieee80211_queue_delayed_work(phy->hw, &phy->roc_work,
> msecs_to_jiffies(duration));
> --
> 2.47.3
>
>
>
* Re: [PATCH] wifi: mt76: fix deadlock in remain-on-channel
From: Chad Monroe @ 2025-12-08 17:41 UTC (permalink / raw)
To: Lorenzo Bianconi
Cc: Felix Fietkau, Johannes Berg, Lorenzo Bianconi, Shayne Chen,
Evelyn Tsai, Ryder Lee, linux-wireless, linux-mediatek
On Monday, December 8th, 2025 at 6:19 AM, Lorenzo Bianconi <lorenzo@kernel.org> wrote:
>
>
> > mt76_remain_on_channel() and mt76_roc_complete() call mt76_set_channel()
>
> > while already holding dev->mutex. Since mt76_set_channel() also acquires
> > dev->mutex, this results in a deadlock.
> >
> > Use __mt76_set_channel() instead of mt76_set_channel().
> > Add cancel_delayed_work_sync() for mac_work before acquiring the mutex
> > in mt76_remain_on_channel() to prevent a secondary deadlock with the
> > mac_work workqueue.
>
>
> I think we need a Fixes tag here.
>
> Regards,
> Lorenzo
>
Good call.. added and submitted v2. Thank you,
-Chad
> > Signed-off-by: Chad Monroe chad@monroe.io
> > ---
> > drivers/net/wireless/mediatek/mt76/channel.c | 13 +++++++++++--
> > 1 file changed, 11 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/net/wireless/mediatek/mt76/channel.c b/drivers/net/wireless/mediatek/mt76/channel.c
> > index 2b705bdb7993..d9f8529db7ed 100644
> > --- a/drivers/net/wireless/mediatek/mt76/channel.c
> > +++ b/drivers/net/wireless/mediatek/mt76/channel.c
> > @@ -326,7 +326,7 @@ void mt76_roc_complete(struct mt76_phy *phy)
> > mlink->mvif->roc_phy = NULL;
> > if (phy->main_chandef.chan &&
> > !test_bit(MT76_MCU_RESET, &dev->phy.state))
> > - mt76_set_channel(phy, &phy->main_chandef, false);
> > + __mt76_set_channel(phy, &phy->main_chandef, false);
> > mt76_put_vif_phy_link(phy, phy->roc_vif, phy->roc_link);
> > phy->roc_vif = NULL;
> > phy->roc_link = NULL;
> > @@ -370,6 +370,8 @@ int mt76_remain_on_channel(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
> > if (!phy)
> > return -EINVAL;
> >
> > + cancel_delayed_work_sync(&phy->mac_work);
> > +
> > mutex_lock(&dev->mutex);
> >
> > if (phy->roc_vif || dev->scan.phy == phy ||
> > @@ -388,7 +390,14 @@ int mt76_remain_on_channel(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
> > phy->roc_vif = vif;
> > phy->roc_link = mlink;
> > cfg80211_chandef_create(&chandef, chan, NL80211_CHAN_HT20);
> > - mt76_set_channel(phy, &chandef, true);
> > + ret = __mt76_set_channel(phy, &chandef, true);
> > + if (ret) {
> > + mlink->mvif->roc_phy = NULL;
> > + phy->roc_vif = NULL;
> > + phy->roc_link = NULL;
> > + mt76_put_vif_phy_link(phy, vif, mlink);
> > + goto out;
> > + }
> > ieee80211_ready_on_channel(hw);
> > ieee80211_queue_delayed_work(phy->hw, &phy->roc_work,
> > msecs_to_jiffies(duration));
> > --
> > 2.47.3