* [PATCH ath-next 0/2] wifi: ath12k: fix peer delete race in MLO scenario
From: Baochen Qiang @ 2026-06-17 9:28 UTC (permalink / raw)
To: Jeff Johnson; +Cc: linux-wireless, ath12k, Baochen Qiang
Patch 1 fixes a pre-existing UAF in ath12k_mac_vdev_create()'s
err_peer_del rollback path.
Patch 2 fixes "Timeout in receiving peer delete response" on MLO
disconnect, caused by a per-radio shared completion that gets
clobbered between back-to-back WMI peer_delete sends.
Signed-off-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
---
Baochen Qiang (2):
wifi: ath12k: fix dp_link_peer dangling references on AP vdev rollback
wifi: ath12k: fix MLO peer delete race
drivers/net/wireless/ath/ath12k/core.c | 2 +-
drivers/net/wireless/ath/ath12k/core.h | 5 +-
drivers/net/wireless/ath/ath12k/mac.c | 20 +----
drivers/net/wireless/ath/ath12k/peer.c | 130 ++++++++++++++++++++++++++-------
drivers/net/wireless/ath/ath12k/peer.h | 19 ++++-
drivers/net/wireless/ath/ath12k/wmi.c | 16 ++--
6 files changed, 138 insertions(+), 54 deletions(-)
---
base-commit: 4987a85fb0475defee458fa11af877c8e02f764a
change-id: 20260602-ath12k-mlo-peer-delete-race-74fdaf880017
Best regards,
--
Baochen Qiang <baochen.qiang@oss.qualcomm.com>
* [PATCH ath-next 1/2] wifi: ath12k: fix dp_link_peer dangling references on AP vdev rollback
From: Baochen Qiang @ 2026-06-17 9:28 UTC (permalink / raw)
To: Jeff Johnson; +Cc: linux-wireless, ath12k, Baochen Qiang
ath12k_mac_vdev_create() for an AP vdev creates the bss self-peer via
ath12k_peer_create(), which finishes by calling
ath12k_dp_link_peer_assign() to publish the dp_link_peer in the
dp_hw->dp_peers[peerid_index] RCU table, in the dp_peer's
link_peers[] array, and in the per-addr rhashtable.
If a step after ath12k_peer_create() fails the function jumps to
err_peer_del, which open-codes a WMI peer_delete and waits for the
unmap / delete_resp events. The wait_for_peer_delete_done() path
relies on ath12k_dp_link_peer_unmap_event() freeing the dp_link_peer
when the unmap arrives, but err_peer_del never calls
ath12k_dp_link_peer_unassign() first. The published references in
the dp_hw RCU table, dp_peer->link_peers[] and the rhashtable are
left pointing at the dp_link_peer that unmap_event then frees,
producing dangling pointers and use-after-free on subsequent
lookups.
Replace the open-coded sequence with a call to ath12k_peer_delete(),
which already does ath12k_dp_link_peer_unassign() before sending the
WMI command. This drops the published references before the
dp_link_peer is freed, in the same order as the normal teardown path
in ath12k_mac_remove_link_interface().
Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c7-00108-QCAHMTSWPL_V1.0_V2.0_SILICONZ_UPSTREAM-3
Fixes: 5525f12fa671 ("wifi: ath12k: Attach and detach ath12k_dp_link_peer to ath12k_dp_peer")
Signed-off-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
---
drivers/net/wireless/ath/ath12k/mac.c | 18 ++----------------
1 file changed, 2 insertions(+), 16 deletions(-)
diff --git a/drivers/net/wireless/ath/ath12k/mac.c b/drivers/net/wireless/ath/ath12k/mac.c
index af354bef5c0d..2e5a075191ae 100644
--- a/drivers/net/wireless/ath/ath12k/mac.c
+++ b/drivers/net/wireless/ath/ath12k/mac.c
@@ -10564,22 +10564,8 @@ int ath12k_mac_vdev_create(struct ath12k *ar, struct ath12k_link_vif *arvif)
err_peer_del:
if (ahvif->vdev_type == WMI_VDEV_TYPE_AP) {
- reinit_completion(&ar->peer_delete_done);
-
- ret = ath12k_wmi_send_peer_delete_cmd(ar, arvif->bssid,
- arvif->vdev_id);
- if (ret) {
- ath12k_warn(ar->ab, "failed to delete peer vdev_id %d addr %pM\n",
- arvif->vdev_id, arvif->bssid);
- goto err_dp_peer_del;
- }
-
- ret = ath12k_wait_for_peer_delete_done(ar, arvif->vdev_id,
- arvif->bssid);
- if (ret)
- goto err_dp_peer_del;
-
- ar->num_peers--;
+ /* ignore return value: propagate the original error */
+ ath12k_peer_delete(ar, arvif->vdev_id, arvif->bssid);
}
err_dp_peer_del:
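Review bot: the replacement comment only explains the ignored return value, but the reason for the switch is ordering: ath12k_peer_delete() calls ath12k_dp_link_peer_unassign() before the WMI send, which the removed open-coded sequence never did. Say so at the call site, e.g. `/* ath12k_peer_delete() unassigns the dp_link_peer before the WMI send and already warns on failure; keep the original ret */`. Note also that ath12k_peer_delete() does `ar->num_peers--` itself (peer.c in 2/2), so the decrement dropped here is not lost.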
--
2.25.1
* [PATCH ath-next 2/2] wifi: ath12k: fix MLO peer delete race
From: Baochen Qiang @ 2026-06-17 9:28 UTC (permalink / raw)
To: Jeff Johnson; +Cc: linux-wireless, ath12k, Baochen Qiang
ath12k_peer_mlo_link_peers_delete() sends WMI peer_delete for every
link before waiting for any peer_unmap / peer_delete_resp event. The
shared per-radio completion ar->peer_delete_done could not
disambiguate which peer a response was for: every call to
ath12k_peer_delete_send() did
reinit_completion(&ar->peer_delete_done), so when an event for the
first link arrived between two sends it raised the count to 1 and
the second send promptly cleared it; the wait for the second link
then timed out with
Timeout in receiving peer delete response
Replace the shared completion with a per-radio waiter list, with
each pending ath12k_peer_delete() caller queueing an
ath12k_peer_delete_wait carrying its (vdev_id, addr) and a private
struct completion. ath12k_peer_delete_resp_event() matches the
response against the list under ar->data_lock and signals the
matching waiter.
Also correct the endian conversion in ath12k_peer_delete_resp_event()
logging, and add the missing \n in some logging.
Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c7-00108-QCAHMTSWPL_V1.0_V2.0_SILICONZ_UPSTREAM-3
Fixes: 8e6f8bc28603 ("wifi: ath12k: Add MLO station state change handling")
Signed-off-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
---
drivers/net/wireless/ath/ath12k/core.c | 2 +-
drivers/net/wireless/ath/ath12k/core.h | 5 +-
drivers/net/wireless/ath/ath12k/mac.c | 2 +-
drivers/net/wireless/ath/ath12k/peer.c | 130 ++++++++++++++++++++++++++-------
drivers/net/wireless/ath/ath12k/peer.h | 19 ++++-
drivers/net/wireless/ath/ath12k/wmi.c | 16 ++--
6 files changed, 136 insertions(+), 38 deletions(-)
diff --git a/drivers/net/wireless/ath/ath12k/core.c b/drivers/net/wireless/ath/ath12k/core.c
index 742d4fd1b598..f71650039292 100644
--- a/drivers/net/wireless/ath/ath12k/core.c
+++ b/drivers/net/wireless/ath/ath12k/core.c
@@ -1524,7 +1524,7 @@ static void ath12k_core_pre_reconfigure_recovery(struct ath12k_base *ab)
complete_all(&ar->scan.completed);
complete(&ar->scan.on_channel);
complete(&ar->peer_assoc_done);
- complete(&ar->peer_delete_done);
+ ath12k_peer_delete_wait_flush(ar);
complete(&ar->install_key_done);
complete(&ar->vdev_setup_done);
complete(&ar->vdev_delete_done);
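Review bot: ath12k_peer_delete_wait_flush() only signals the pending waiters and leaves them on ar->peer_delete_waits, which is correct because each waiter is a stack object that its owner unregisters after wait_for_completion_timeout() returns; a short comment at this call site saying the list is deliberately not emptied would spare the next reader a trip to peer.c to check that nothing leaks.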
diff --git a/drivers/net/wireless/ath/ath12k/core.h b/drivers/net/wireless/ath/ath12k/core.h
index fc5127b5c1a3..1436ff4316e7 100644
--- a/drivers/net/wireless/ath/ath12k/core.h
+++ b/drivers/net/wireless/ath/ath12k/core.h
@@ -665,7 +665,8 @@ struct ath12k {
/* protects the radio specific data like debug stats, ppdu_stats_info stats,
* vdev_stop_status info, scan data, ath12k_sta info, ath12k_link_vif info,
- * channel context data, survey info, test mode data, regd_channel_update_queue.
+ * channel context data, survey info, test mode data, regd_channel_update_queue,
+ * peer_delete_waits.
*/
spinlock_t data_lock;
@@ -687,7 +688,7 @@ struct ath12k {
u8 radio_idx;
struct completion peer_assoc_done;
- struct completion peer_delete_done;
+ struct list_head peer_delete_waits;
int install_key_status;
struct completion install_key_done;
diff --git a/drivers/net/wireless/ath/ath12k/mac.c b/drivers/net/wireless/ath/ath12k/mac.c
index 2e5a075191ae..4c86a8eb5841 100644
--- a/drivers/net/wireless/ath/ath12k/mac.c
+++ b/drivers/net/wireless/ath/ath12k/mac.c
@@ -15040,11 +15040,11 @@ static void ath12k_mac_setup(struct ath12k *ar)
spin_lock_init(&ar->dp.ppdu_list_lock);
INIT_LIST_HEAD(&ar->arvifs);
INIT_LIST_HEAD(&ar->dp.ppdu_stats_info);
+ INIT_LIST_HEAD(&ar->peer_delete_waits);
init_completion(&ar->vdev_setup_done);
init_completion(&ar->vdev_delete_done);
init_completion(&ar->peer_assoc_done);
- init_completion(&ar->peer_delete_done);
init_completion(&ar->install_key_done);
init_completion(&ar->bss_survey_done);
init_completion(&ar->scan.started);
diff --git a/drivers/net/wireless/ath/ath12k/peer.c b/drivers/net/wireless/ath/ath12k/peer.c
index c222bdaa333c..98509c63c580 100644
--- a/drivers/net/wireless/ath/ath12k/peer.c
+++ b/drivers/net/wireless/ath/ath12k/peer.c
@@ -9,6 +9,55 @@
#include "debug.h"
#include "debugfs.h"
+void ath12k_peer_delete_wait_register(struct ath12k *ar,
+ struct ath12k_peer_delete_wait *wait,
+ u32 vdev_id, const u8 *addr)
+{
+ wait->vdev_id = vdev_id;
+ ether_addr_copy(wait->addr, addr);
+ init_completion(&wait->done);
+
+ spin_lock_bh(&ar->data_lock);
+ list_add(&wait->list, &ar->peer_delete_waits);
+ spin_unlock_bh(&ar->data_lock);
+}
+
+void ath12k_peer_delete_wait_unregister(struct ath12k *ar,
+ struct ath12k_peer_delete_wait *wait)
+{
+ spin_lock_bh(&ar->data_lock);
+ list_del(&wait->list);
+ spin_unlock_bh(&ar->data_lock);
+}
+
+void ath12k_peer_delete_resp_signal(struct ath12k *ar, u32 vdev_id, const u8 *addr)
+{
+ struct ath12k_peer_delete_wait *wait;
+
+ guard(spinlock_bh)(&ar->data_lock);
+
+ list_for_each_entry(wait, &ar->peer_delete_waits, list) {
+ if (wait->vdev_id == vdev_id &&
+ ether_addr_equal(wait->addr, addr)) {
+ complete(&wait->done);
+ return;
+ }
+ }
+
+ ath12k_warn(ar->ab, "failed to find link peer with vdev id %u addr %pM\n",
+ vdev_id, addr);
+}
+
+void ath12k_peer_delete_wait_flush(struct ath12k *ar)
+{
+ struct ath12k_peer_delete_wait *wait;
+
+ spin_lock_bh(&ar->data_lock);
+ list_for_each_entry(wait, &ar->peer_delete_waits, list)
+ complete(&wait->done);
+ spin_unlock_bh(&ar->data_lock);
+}
+
static int ath12k_wait_for_dp_link_peer_common(struct ath12k_base *ab, int vdev_id,
const u8 *addr, bool expect_mapped)
{
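Review bot: ath12k_peer_delete_resp_signal() uses guard(spinlock_bh) while the three neighbouring helpers open-code spin_lock_bh()/spin_unlock_bh(); pick one style for the four new functions. The warning text "failed to find link peer with vdev id %u addr %pM" also misdescribes what failed: no dp_link_peer lookup happens here, only a waiter lookup, so something like "no pending peer delete waiter for vdev id %u addr %pM" reads correctly next to the dp_peer warnings. As Rameshkumar points out, ath12k_peer_delete_wait_register()/_unregister() are only called from peer.c and can be static.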
@@ -62,20 +111,19 @@ static int ath12k_wait_for_peer_deleted(struct ath12k *ar, int vdev_id, const u8
return ath12k_wait_for_dp_link_peer_common(ar->ab, vdev_id, addr, false);
}
-int ath12k_wait_for_peer_delete_done(struct ath12k *ar, u32 vdev_id,
- const u8 *addr)
+int ath12k_wait_for_peer_delete_done(struct ath12k *ar,
+ struct ath12k_peer_delete_wait *wait)
{
- int ret;
unsigned long time_left;
+ int ret;
- ret = ath12k_wait_for_peer_deleted(ar, vdev_id, addr);
+ ret = ath12k_wait_for_peer_deleted(ar, wait->vdev_id, wait->addr);
if (ret) {
- ath12k_warn(ar->ab, "failed wait for peer deleted");
+ ath12k_warn(ar->ab, "failed wait for peer deleted\n");
return ret;
}
- time_left = wait_for_completion_timeout(&ar->peer_delete_done,
- 3 * HZ);
+ time_left = wait_for_completion_timeout(&wait->done, 3 * HZ);
if (time_left == 0) {
ath12k_warn(ar->ab, "Timeout in receiving peer delete response\n");
return -ETIMEDOUT;
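Review bot: the new prototype makes it the caller's job to have registered `wait` before the WMI send and to unregister it afterwards; a one-line comment above ath12k_wait_for_peer_delete_done() stating that contract would help, since a caller that passes an unregistered waiter will silently hit the 3*HZ timeout every time.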
@@ -91,8 +139,6 @@ static int ath12k_peer_delete_send(struct ath12k *ar, u32 vdev_id, const u8 *add
lockdep_assert_wiphy(ath12k_ar_to_hw(ar)->wiphy);
- reinit_completion(&ar->peer_delete_done);
-
ret = ath12k_wmi_send_peer_delete_cmd(ar, addr, vdev_id);
if (ret) {
ath12k_warn(ab,
@@ -106,6 +152,7 @@ static int ath12k_peer_delete_send(struct ath12k *ar, u32 vdev_id, const u8 *add
int ath12k_peer_delete(struct ath12k *ar, u32 vdev_id, u8 *addr)
{
+ struct ath12k_peer_delete_wait wait;
int ret;
lockdep_assert_wiphy(ath12k_ar_to_hw(ar)->wiphy);
@@ -114,17 +161,25 @@ int ath12k_peer_delete(struct ath12k *ar, u32 vdev_id, u8 *addr)
&(ath12k_ar_to_ah(ar)->dp_hw), vdev_id,
addr, ar->hw_link_id);
+ /*
+ * Register the stack waiter before sending so the resp_event for
+ * this peer cannot arrive while no waiter is queued.
+ */
+ ath12k_peer_delete_wait_register(ar, &wait, vdev_id, addr);
+
ret = ath12k_peer_delete_send(ar, vdev_id, addr);
if (ret)
- return ret;
+ goto out;
- ret = ath12k_wait_for_peer_delete_done(ar, vdev_id, addr);
+ ret = ath12k_wait_for_peer_delete_done(ar, &wait);
if (ret)
- return ret;
+ goto out;
ar->num_peers--;
- return 0;
+out:
+ ath12k_peer_delete_wait_unregister(ar, &wait);
+ return ret;
}
static int ath12k_wait_for_peer_created(struct ath12k *ar, int vdev_id, const u8 *addr)
@@ -184,22 +239,26 @@ int ath12k_peer_create(struct ath12k *ar, struct ath12k_link_vif *arvif,
peer = ath12k_dp_link_peer_find_by_vdev_and_addr(dp, arg->vdev_id,
arg->peer_addr);
if (!peer) {
+ struct ath12k_peer_delete_wait wait;
+
spin_unlock_bh(&dp->dp_lock);
ath12k_warn(ar->ab, "failed to find peer %pM on vdev %i after creation\n",
arg->peer_addr, arg->vdev_id);
- reinit_completion(&ar->peer_delete_done);
+ ath12k_peer_delete_wait_register(ar, &wait, arg->vdev_id,
+ arg->peer_addr);
ret = ath12k_wmi_send_peer_delete_cmd(ar, arg->peer_addr,
arg->vdev_id);
if (ret) {
ath12k_warn(ar->ab, "failed to delete peer vdev_id %d addr %pM\n",
arg->vdev_id, arg->peer_addr);
+ ath12k_peer_delete_wait_unregister(ar, &wait);
return ret;
}
- ret = ath12k_wait_for_peer_delete_done(ar, arg->vdev_id,
- arg->peer_addr);
+ ret = ath12k_wait_for_peer_delete_done(ar, &wait);
+ ath12k_peer_delete_wait_unregister(ar, &wait);
if (ret)
return ret;
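Review bot: this error path now repeats the register/send/wait/unregister sequence of ath12k_peer_delete(), differing only in not calling ath12k_dp_link_peer_unassign() (there is nothing to unassign, the lookup just failed). Consider a small helper taking the already-resolved (vdev_id, addr) that both call, so the two sequences cannot drift apart, e.g. when the timeout or the error handling changes.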
@@ -283,13 +342,14 @@ u16 ath12k_peer_ml_alloc(struct ath12k_hw *ah)
int ath12k_peer_mlo_link_peers_delete(struct ath12k_vif *ahvif, struct ath12k_sta *ahsta)
{
+ DECLARE_BITMAP(registered, IEEE80211_MLD_MAX_NUM_LINKS);
struct ieee80211_sta *sta = ath12k_ahsta_to_sta(ahsta);
struct ath12k_hw *ah = ahvif->ah;
struct ath12k_link_vif *arvif;
struct ath12k_link_sta *arsta;
+ int ret, err_ret = 0;
unsigned long links;
struct ath12k *ar;
- int ret, err_ret = 0;
u8 link_id;
lockdep_assert_wiphy(ah->hw->wiphy);
@@ -297,8 +357,19 @@ int ath12k_peer_mlo_link_peers_delete(struct ath12k_vif *ahvif, struct ath12k_st
if (!sta->mlo)
return -EINVAL;
- /* FW expects delete of all link peers at once before waiting for reception
- * of peer unmap or delete responses
+ struct ath12k_peer_delete_wait *waits __free(kfree) =
+ kzalloc_objs(*waits, IEEE80211_MLD_MAX_NUM_LINKS);
+ if (!waits)
+ return -ENOMEM;
+
+ bitmap_zero(registered, IEEE80211_MLD_MAX_NUM_LINKS);
+
+ /*
+ * Firmware expects delete of all link peers at once before waiting
+ * for reception of peer unmap or delete responses. Phase 1 registers
+ * a per-link stack waiter and sends WMI peer delete for every
+ * link; the resp_event handler matches each response to its
+ * (vdev_id, addr) waiter on ar->peer_delete_waits.
*/
links = ahsta->links_map;
for_each_set_bit(link_id, &links, IEEE80211_MLD_MAX_NUM_LINKS) {
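Review bot: the new multi-line comments put `/*` on a line of its own, while the file's existing comments (the removed "/* FW expects delete of all link peers at once ..." here, and the data_lock comment in core.h) start the text on the `/*` line; keep the existing style. Minor: kzalloc_objs() zeroing is redundant since every slot that is read is first initialised by ath12k_peer_delete_wait_register() and gated by the `registered` bitmap, so kmalloc_objs() would do, though zeroing is harmless.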
@@ -318,29 +389,36 @@ int ath12k_peer_mlo_link_peers_delete(struct ath12k_vif *ahvif, struct ath12k_st
arvif->vdev_id, arsta->addr,
ar->hw_link_id);
+ ath12k_peer_delete_wait_register(ar, &waits[link_id],
+ arvif->vdev_id, arsta->addr);
+
ret = ath12k_peer_delete_send(ar, arvif->vdev_id, arsta->addr);
if (ret) {
ath12k_warn(ar->ab,
"failed to delete peer vdev_id %d addr %pM ret %d\n",
arvif->vdev_id, arsta->addr, ret);
err_ret = ret;
+ ath12k_peer_delete_wait_unregister(ar, &waits[link_id]);
continue;
}
+
+ set_bit(link_id, registered);
}
- /* Ensure all link peers are deleted and unmapped */
+ /*
+ * Phase 2: wait for unmap + delete_resp on each registered link
+ * and tear down the waiter.
+ */
links = ahsta->links_map;
for_each_set_bit(link_id, &links, IEEE80211_MLD_MAX_NUM_LINKS) {
- arvif = wiphy_dereference(ah->hw->wiphy, ahvif->link[link_id]);
- arsta = wiphy_dereference(ah->hw->wiphy, ahsta->link[link_id]);
- if (!arvif || !arsta)
+ if (!test_bit(link_id, registered))
continue;
+ arvif = wiphy_dereference(ah->hw->wiphy, ahvif->link[link_id]);
ar = arvif->ar;
- if (!ar)
- continue;
- ret = ath12k_wait_for_peer_delete_done(ar, arvif->vdev_id, arsta->addr);
+ ret = ath12k_wait_for_peer_delete_done(ar, &waits[link_id]);
+ ath12k_peer_delete_wait_unregister(ar, &waits[link_id]);
if (ret) {
err_ret = ret;
continue;
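Review bot: phase 2 dereferences ahvif->link[link_id] and then arvif->ar without the NULL checks that phase 1 performs, relying on the `registered` bit only being set after a successful send; that is sound, but fragile if phase 1 is ever reordered. Storing the `struct ath12k *` in ath12k_peer_delete_wait (or a small local array indexed by link_id) at registration time would let phase 2 call ath12k_wait_for_peer_delete_done()/unregister() without re-deriving arvif at all.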
diff --git a/drivers/net/wireless/ath/ath12k/peer.h b/drivers/net/wireless/ath/ath12k/peer.h
index 49d89796bc46..3dc720a3dc12 100644
--- a/drivers/net/wireless/ath/ath12k/peer.h
+++ b/drivers/net/wireless/ath/ath12k/peer.h
@@ -9,13 +9,28 @@
#include "dp_peer.h"
+struct ath12k_peer_delete_wait {
+ struct list_head list;
+ u32 vdev_id;
+ u8 addr[ETH_ALEN];
+ struct completion done;
+};
+
+void ath12k_peer_delete_wait_register(struct ath12k *ar,
+ struct ath12k_peer_delete_wait *wait,
+ u32 vdev_id, const u8 *addr);
+void ath12k_peer_delete_wait_unregister(struct ath12k *ar,
+ struct ath12k_peer_delete_wait *wait);
+void ath12k_peer_delete_resp_signal(struct ath12k *ar, u32 vdev_id, const u8 *addr);
+void ath12k_peer_delete_wait_flush(struct ath12k *ar);
+
void ath12k_peer_cleanup(struct ath12k *ar, u32 vdev_id);
int ath12k_peer_delete(struct ath12k *ar, u32 vdev_id, u8 *addr);
int ath12k_peer_create(struct ath12k *ar, struct ath12k_link_vif *arvif,
struct ieee80211_sta *sta,
struct ath12k_wmi_peer_create_arg *arg);
-int ath12k_wait_for_peer_delete_done(struct ath12k *ar, u32 vdev_id,
- const u8 *addr);
+int ath12k_wait_for_peer_delete_done(struct ath12k *ar,
+ struct ath12k_peer_delete_wait *wait);
int ath12k_peer_mlo_link_peers_delete(struct ath12k_vif *ahvif, struct ath12k_sta *ahsta);
struct ath12k_ml_peer *ath12k_peer_ml_find(struct ath12k_hw *ah,
const u8 *addr);
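Review bot: beyond making register/unregister static, the struct itself and ath12k_wait_for_peer_delete_done() can move into peer.c: after 1/2 removed the only mac.c caller of ath12k_wait_for_peer_delete_done(), nothing outside peer.c constructs or passes an ath12k_peer_delete_wait, and only ath12k_peer_delete_resp_signal() (wmi.c) and ath12k_peer_delete_wait_flush() (core.c) need to stay in the header. If the struct does stay public, give it a kernel-doc comment describing the (vdev_id, addr) key and who owns the object.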
diff --git a/drivers/net/wireless/ath/ath12k/wmi.c b/drivers/net/wireless/ath/ath12k/wmi.c
index 84a31b953db8..6066ca8d9fc4 100644
--- a/drivers/net/wireless/ath/ath12k/wmi.c
+++ b/drivers/net/wireless/ath/ath12k/wmi.c
@@ -7072,25 +7072,29 @@ static void ath12k_peer_delete_resp_event(struct ath12k_base *ab, struct sk_buff
{
struct wmi_peer_delete_resp_event peer_del_resp;
struct ath12k *ar;
+ u32 vdev_id;
if (ath12k_pull_peer_del_resp_ev(ab, skb, &peer_del_resp) != 0) {
- ath12k_warn(ab, "failed to extract peer delete resp");
+ ath12k_warn(ab, "failed to extract peer delete resp\n");
return;
}
+ vdev_id = le32_to_cpu(peer_del_resp.vdev_id);
+
rcu_read_lock();
- ar = ath12k_mac_get_ar_by_vdev_id(ab, le32_to_cpu(peer_del_resp.vdev_id));
+ ar = ath12k_mac_get_ar_by_vdev_id(ab, vdev_id);
if (!ar) {
- ath12k_warn(ab, "invalid vdev id in peer delete resp ev %d",
- peer_del_resp.vdev_id);
+ ath12k_warn(ab, "invalid vdev id in peer delete resp ev %d\n",
+ vdev_id);
rcu_read_unlock();
return;
}
- complete(&ar->peer_delete_done);
+ ath12k_peer_delete_resp_signal(ar, vdev_id,
+ peer_del_resp.peer_macaddr.addr);
rcu_read_unlock();
ath12k_dbg(ab, ATH12K_DBG_WMI, "peer delete resp for vdev id %d addr %pM\n",
- peer_del_resp.vdev_id, peer_del_resp.peer_macaddr.addr);
+ vdev_id, peer_del_resp.peer_macaddr.addr);
}
static void ath12k_vdev_delete_resp_event(struct ath12k_base *ab,
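Review bot: `vdev_id` is now a u32 but both the warning and the debug message still print it with `%d`; since the value came from le32_to_cpu() and the new resp_signal() warning in peer.c already uses `%u`, switch these two format specifiers to `%u` as well so an out-of-range id from firmware is not logged as a negative number.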
--
2.25.1
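To make the race in the commit message concrete, here is an added userspace model (not ath12k code, and not from the patch author) of the two wake-up schemes. It replays the event order the message describes against a counter standing in for the shared `ar->peer_delete_done` completion, and then against a per-radio waiter list keyed by (vdev_id, addr) in the shape of the new `ath12k_peer_delete_wait`. Function names echo the driver's but the structs, the MAC addresses and the event order are constructed for the demo; `ar->data_lock` is left out because the model is single-threaded.

```c
/* Added example, not ath12k code: a single-threaded userspace model of the
 * two peer-delete wake-up schemes in the patch. Names echo the driver's, but
 * the structs, MAC addresses and event order are constructed for the demo;
 * ar->data_lock is omitted because nothing here runs concurrently.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN 6

/* New scheme: per-radio list of stack waiters keyed by (vdev_id, addr). */
struct peer_delete_wait {
	struct peer_delete_wait *next;
	uint32_t vdev_id;
	uint8_t addr[ETH_ALEN];
	bool done;			/* stands in for struct completion */
};
struct radio { struct peer_delete_wait *waits; };	/* ar->peer_delete_waits */

static void wait_register(struct radio *ar, struct peer_delete_wait *w,
			  uint32_t vdev_id, const uint8_t *addr)
{
	w->vdev_id = vdev_id;
	memcpy(w->addr, addr, ETH_ALEN);
	w->done = false;
	w->next = ar->waits;		/* list_add(): push at head */
	ar->waits = w;
}

static void wait_unregister(struct radio *ar, struct peer_delete_wait *w)
{
	for (struct peer_delete_wait **pp = &ar->waits; *pp; pp = &(*pp)->next)
		if (*pp == w) {
			*pp = w->next;
			return;
		}
}

/* ath12k_peer_delete_resp_signal() counterpart: wake only the matching
 * waiter; false is the case where the driver warns about the response.
 */
static bool resp_signal(struct radio *ar, uint32_t vdev_id, const uint8_t *addr)
{
	for (struct peer_delete_wait *w = ar->waits; w; w = w->next)
		if (w->vdev_id == vdev_id && !memcmp(w->addr, addr, ETH_ALEN)) {
			w->done = true;
			return true;
		}
	return false;
}

/* Constructed MLO station: link peers on vdev 0 and vdev 1. */
static const uint8_t LINK0[ETH_ALEN] = { 0x02, 0, 0, 0, 0, 0x01 };
static const uint8_t LINK1[ETH_ALEN] = { 0x02, 0, 0, 0, 0, 0x02 };

/* Old scheme, event order from the commit message. The shared struct
 * completion is modelled by its count: complete() increments, a successful
 * wait consumes one, reinit_completion() zeroes it.
 */
int old_scheme_waits_woken(void)
{
	unsigned int done;
	int woken = 0;

	done = 0;			/* send link0: reinit_completion() */
	done++;				/* delete_resp for link0 arrives */
	done = 0;			/* send link1: reinit discards it */
	done++;				/* delete_resp for link1 arrives */
	if (done) { done--; woken++; }	/* wait link0: takes link1's count */
	if (done) { done--; woken++; }	/* wait link1: nothing left, timeout */
	return woken;			/* 1 of 2 */
}

/* Same order with per-waiter completions: the early response latches in w0,
 * a stray response wakes no one, and the list is empty once both unregister.
 */
int new_scheme_waits_woken(void)
{
	struct radio ar = { NULL };
	struct peer_delete_wait w0, w1;
	int woken;

	wait_register(&ar, &w0, 0, LINK0);	/* registered before the send */
	resp_signal(&ar, 0, LINK0);
	wait_register(&ar, &w1, 1, LINK1);
	if (resp_signal(&ar, 0, LINK1))		/* vdev 0 never had LINK1 */
		return -1;
	resp_signal(&ar, 1, LINK1);
	woken = w0.done + w1.done;
	wait_unregister(&ar, &w0);
	wait_unregister(&ar, &w1);
	return ar.waits ? -1 : woken;		/* 2 */
}

int main(void)
{
	printf("shared completion: %d/2, per-waiter list: %d/2 waits woken\n",
	       old_scheme_waits_woken(), new_scheme_waits_woken());
	return 0;
}
```

The old model loses exactly the wait the commit message names: the response that arrives between the two sends is zeroed by the second reinit_completion(), and the one count left is consumed by whichever wait runs first. In the new model the response is latched in the waiter that was registered before the send, so ordering between sends, responses and waits no longer matters; the price is the explicit register/unregister pairing that the patch adds around every send.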
* Re: [PATCH ath-next 2/2] wifi: ath12k: fix MLO peer delete race
From: Rameshkumar Sundaram @ 2026-06-29 5:34 UTC (permalink / raw)
To: Baochen Qiang, Jeff Johnson; +Cc: linux-wireless, ath12k
On 6/17/2026 2:58 PM, Baochen Qiang wrote:
> ath12k_peer_mlo_link_peers_delete() sends WMI peer_delete for every
> link before waiting for any peer_unmap / peer_delete_resp event. The
> shared per-radio completion ar->peer_delete_done could not
> disambiguate which peer a response was for: every call to
> ath12k_peer_delete_send() did
> reinit_completion(&ar->peer_delete_done), so when an event for the
> first link arrived between two sends it raised the count to 1 and
> the second send promptly cleared it; the wait for the second link
> then timed out with
>
> Timeout in receiving peer delete response
>
> Replace the shared completion with a per-radio waiter list, with
> each pending ath12k_peer_delete() caller queueing an
> ath12k_peer_delete_wait carrying its (vdev_id, addr) and a private
> struct completion. ath12k_peer_delete_resp_event() matches the
> response against the list under ar->data_lock and signals the
> matching waiter.
>
> Also correct the endian conversion in ath12k_peer_delete_resp_event()
> logging, and add the missing \n in some logging.
>
> Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c7-00108-QCAHMTSWPL_V1.0_V2.0_SILICONZ_UPSTREAM-3
>
> Fixes: 8e6f8bc28603 ("wifi: ath12k: Add MLO station state change handling")
> Signed-off-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
> ---
> drivers/net/wireless/ath/ath12k/core.c | 2 +-
> drivers/net/wireless/ath/ath12k/core.h | 5 +-
> drivers/net/wireless/ath/ath12k/mac.c | 2 +-
> drivers/net/wireless/ath/ath12k/peer.c | 130 ++++++++++++++++++++++++++-------
> drivers/net/wireless/ath/ath12k/peer.h | 19 ++++-
> drivers/net/wireless/ath/ath12k/wmi.c | 16 ++--
> 6 files changed, 136 insertions(+), 38 deletions(-)
>
> diff --git a/drivers/net/wireless/ath/ath12k/core.c b/drivers/net/wireless/ath/ath12k/core.c
> index 742d4fd1b598..f71650039292 100644
> --- a/drivers/net/wireless/ath/ath12k/core.c
> +++ b/drivers/net/wireless/ath/ath12k/core.c
{ ... }
> diff --git a/drivers/net/wireless/ath/ath12k/peer.h b/drivers/net/wireless/ath/ath12k/peer.h
> index 49d89796bc46..3dc720a3dc12 100644
> --- a/drivers/net/wireless/ath/ath12k/peer.h
> +++ b/drivers/net/wireless/ath/ath12k/peer.h
> @@ -9,13 +9,28 @@
>
> #include "dp_peer.h"
>
> +struct ath12k_peer_delete_wait {
> + struct list_head list;
> + u32 vdev_id;
> + u8 addr[ETH_ALEN];
> + struct completion done;
> +};
> +
> +void ath12k_peer_delete_wait_register(struct ath12k *ar,
> + struct ath12k_peer_delete_wait *wait,
> + u32 vdev_id, const u8 *addr);
> +void ath12k_peer_delete_wait_unregister(struct ath12k *ar,
> + struct ath12k_peer_delete_wait *wait);
The struct and functions appear to be used only within peer.c and are
not referenced elsewhere. Could the function be made static in peer.c ?
> +void ath12k_peer_delete_resp_signal(struct ath12k *ar, u32 vdev_id, const u8 *addr);
> +void ath12k_peer_delete_wait_flush(struct ath12k *ar);
--
Ramesh
* Re: [PATCH ath-next 1/2] wifi: ath12k: fix dp_link_peer dangling references on AP vdev rollback
From: Rameshkumar Sundaram @ 2026-06-29 5:35 UTC (permalink / raw)
To: Baochen Qiang, Jeff Johnson; +Cc: linux-wireless, ath12k
On 6/17/2026 2:58 PM, Baochen Qiang wrote:
> ath12k_mac_vdev_create() for an AP vdev creates the bss self-peer via
> ath12k_peer_create(), which finishes by calling
> ath12k_dp_link_peer_assign() to publish the dp_link_peer in the
> dp_hw->dp_peers[peerid_index] RCU table, in the dp_peer's
> link_peers[] array, and in the per-addr rhashtable.
>
> If a step after ath12k_peer_create() fails the function jumps to
> err_peer_del, which open-codes a WMI peer_delete and waits for the
> unmap / delete_resp events. The wait_for_peer_delete_done() path
> relies on ath12k_dp_link_peer_unmap_event() freeing the dp_link_peer
> when the unmap arrives, but err_peer_del never calls
> ath12k_dp_link_peer_unassign() first. The published references in
> the dp_hw RCU table, dp_peer->link_peers[] and the rhashtable are
> left pointing at the dp_link_peer that unmap_event then frees,
> producing dangling pointers and use-after-free on subsequent
> lookups.
>
> Replace the open-coded sequence with a call to ath12k_peer_delete(),
> which already does ath12k_dp_link_peer_unassign() before sending the
> WMI command. This drops the published references before the
> dp_link_peer is freed, in the same order as the normal teardown path
> in ath12k_mac_remove_link_interface().
>
> Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c7-00108-QCAHMTSWPL_V1.0_V2.0_SILICONZ_UPSTREAM-3
>
> Fixes: 5525f12fa671 ("wifi: ath12k: Attach and detach ath12k_dp_link_peer to ath12k_dp_peer")
> Signed-off-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
Reviewed-by: Rameshkumar Sundaram <rameshkumar.sundaram@oss.qualcomm.com>
* Re: [PATCH ath-next 2/2] wifi: ath12k: fix MLO peer delete race
From: Baochen Qiang @ 2026-06-29 6:54 UTC (permalink / raw)
To: Rameshkumar Sundaram, Jeff Johnson; +Cc: linux-wireless, ath12k
On 6/29/2026 1:34 PM, Rameshkumar Sundaram wrote:
> On 6/17/2026 2:58 PM, Baochen Qiang wrote:
>> ath12k_peer_mlo_link_peers_delete() sends WMI peer_delete for every
>> link before waiting for any peer_unmap / peer_delete_resp event. The
>> shared per-radio completion ar->peer_delete_done could not
>> disambiguate which peer a response was for: every call to
>> ath12k_peer_delete_send() did
>> reinit_completion(&ar->peer_delete_done), so when an event for the
>> first link arrived between two sends it raised the count to 1 and
>> the second send promptly cleared it; the wait for the second link
>> then timed out with
>>
>> Timeout in receiving peer delete response
>>
>> Replace the shared completion with a per-radio waiter list, with
>> each pending ath12k_peer_delete() caller queueing an
>> ath12k_peer_delete_wait carrying its (vdev_id, addr) and a private
>> struct completion. ath12k_peer_delete_resp_event() matches the
>> response against the list under ar->data_lock and signals the
>> matching waiter.
>>
>> Also correct the endian conversion in ath12k_peer_delete_resp_event()
>> logging, and add the missing \n in some logging.
>>
>> Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c7-00108-QCAHMTSWPL_V1.0_V2.0_SILICONZ_UPSTREAM-3
>>
>> Fixes: 8e6f8bc28603 ("wifi: ath12k: Add MLO station state change handling")
>> Signed-off-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
>> ---
>> drivers/net/wireless/ath/ath12k/core.c | 2 +-
>> drivers/net/wireless/ath/ath12k/core.h | 5 +-
>> drivers/net/wireless/ath/ath12k/mac.c | 2 +-
>> drivers/net/wireless/ath/ath12k/peer.c | 130 ++++++++++++++++++++++++++-------
>> drivers/net/wireless/ath/ath12k/peer.h | 19 ++++-
>> drivers/net/wireless/ath/ath12k/wmi.c | 16 ++--
>> 6 files changed, 136 insertions(+), 38 deletions(-)
>>
>> diff --git a/drivers/net/wireless/ath/ath12k/core.c b/drivers/net/wireless/ath/ath12k/
>> core.c
>> index 742d4fd1b598..f71650039292 100644
>> --- a/drivers/net/wireless/ath/ath12k/core.c
>> +++ b/drivers/net/wireless/ath/ath12k/core.c
>
> { ... }
>
>> diff --git a/drivers/net/wireless/ath/ath12k/peer.h b/drivers/net/wireless/ath/ath12k/
>> peer.h
>> index 49d89796bc46..3dc720a3dc12 100644
>> --- a/drivers/net/wireless/ath/ath12k/peer.h
>> +++ b/drivers/net/wireless/ath/ath12k/peer.h
>> @@ -9,13 +9,28 @@
>> #include "dp_peer.h"
>> +struct ath12k_peer_delete_wait {
>> + struct list_head list;
>> + u32 vdev_id;
>> + u8 addr[ETH_ALEN];
>> + struct completion done;
>> +};
>> +
>> +void ath12k_peer_delete_wait_register(struct ath12k *ar,
>> + struct ath12k_peer_delete_wait *wait,
>> + u32 vdev_id, const u8 *addr);
>> +void ath12k_peer_delete_wait_unregister(struct ath12k *ar,
>> + struct ath12k_peer_delete_wait *wait);
>
>
> The struct and functions appear to be used only within peer.c and are not referenced
> elsewhere. Could the function be made static in peer.c ?
Yeah, I can do that.
>
>> +void ath12k_peer_delete_resp_signal(struct ath12k *ar, u32 vdev_id, const u8 *addr);
>> +void ath12k_peer_delete_wait_flush(struct ath12k *ar);
>
>
> --
> Ramesh