From: Greg KH <gregkh@linuxfoundation.org>
To: Zac <zac@zacbowling.com>
Cc: sean.wang@kernel.org, deren.wu@mediatek.com, kvalo@kernel.org,
linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org,
linux-wireless@vger.kernel.org, lorenzo@kernel.org, nbd@nbd.name,
ryder.lee@mediatek.com, sean.wang@mediatek.com,
stable@vger.kernel.org, linux@frame.work, zbowling@gmail.com
Subject: Re: [PATCH 02/11] wifi: mt76: mt792x: fix NULL pointer and firmware reload issues
Date: Tue, 20 Jan 2026 08:04:42 +0100 [thread overview]
Message-ID: <2026012028-barmaid-ouch-e53b@gregkh> (raw)
In-Reply-To: <20260120062854.126501-3-zac@zacbowling.com>
On Mon, Jan 19, 2026 at 10:28:45PM -0800, Zac wrote:
> From: Zac Bowling <zac@zacbowling.com>
>
> This patch combines two fixes for the shared mt792x code used by both
> MT7921 and MT7925 drivers:
>
> 1. Fix NULL pointer dereference in TX path:
>
> Add NULL pointer checks in mt792x_tx() to prevent kernel crashes when
> transmitting packets during MLO link removal.
>
> The function calls mt792x_sta_to_link() which can return NULL if the
> link is being removed, but the return value was dereferenced without
> checking. Similarly, the RCU-protected link_conf and link_sta pointers
> were used without NULL validation.
>
> This race can occur when:
> - A packet is queued for transmission
> - Concurrently, the link is being removed (mt7925_mac_link_sta_remove)
> - mt792x_sta_to_link() returns NULL for the removed link
> - Kernel crashes on wcid = &mlink->wcid dereference
>
> Fix by checking mlink, conf, and link_sta before use, freeing the SKB
> and returning early if any pointer is NULL.
>
> 2. Fix firmware reload failure after previous load crash:
>
> If the firmware loading process crashes or is interrupted after
> acquiring the patch semaphore but before releasing it, subsequent
> firmware load attempts will fail with 'Failed to get patch semaphore'.
>
> Apply the same fix from MT7915 (commit 79dd14f): release the patch
> semaphore before starting firmware load and restart MCU firmware to
> ensure clean state.
>
> Fixes: c74df1c067f2 ("wifi: mt76: mt792x: introduce mt792x-lib module")
> Fixes: 583204ae70f9 ("wifi: mt76: mt792x: move mt7921_load_firmware in mt792x-lib module")
> Link: https://github.com/openwrt/mt76/commit/79dd14f2e8161b656341b6653261779199aedbe4
> Signed-off-by: Zac Bowling <zac@zacbowling.com>
> ---
> .../net/wireless/mediatek/mt76/mt792x_core.c | 27 +++++++++++++++++--
> 1 file changed, 25 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/wireless/mediatek/mt76/mt792x_core.c b/drivers/net/wireless/mediatek/mt76/mt792x_core.c
> index f2ed16feb6c1..05598202b488 100644
> --- a/drivers/net/wireless/mediatek/mt76/mt792x_core.c
> +++ b/drivers/net/wireless/mediatek/mt76/mt792x_core.c
> @@ -95,6 +95,8 @@ void mt792x_tx(struct ieee80211_hw *hw, struct ieee80211_tx_control *control,
> IEEE80211_TX_CTRL_MLO_LINK);
> sta = (struct mt792x_sta *)control->sta->drv_priv;
> mlink = mt792x_sta_to_link(sta, link_id);
> + if (!mlink)
> + goto free_skb;
> wcid = &mlink->wcid;
> }
>
> @@ -113,9 +115,12 @@ void mt792x_tx(struct ieee80211_hw *hw, struct ieee80211_tx_control *control,
> link_id = wcid->link_id;
> rcu_read_lock();
> conf = rcu_dereference(vif->link_conf[link_id]);
> - memcpy(hdr->addr2, conf->addr, ETH_ALEN);
> -
> link_sta = rcu_dereference(control->sta->link[link_id]);
> + if (!conf || !link_sta) {
> + rcu_read_unlock();
> + goto free_skb;
> + }
> + memcpy(hdr->addr2, conf->addr, ETH_ALEN);
> memcpy(hdr->addr1, link_sta->addr, ETH_ALEN);
>
> if (vif->type == NL80211_IFTYPE_STATION)
> @@ -136,6 +141,10 @@ void mt792x_tx(struct ieee80211_hw *hw, struct ieee80211_tx_control *control,
> }
>
> mt76_connac_pm_queue_skb(hw, &dev->pm, wcid, skb);
> + return;
> +
> +free_skb:
> + ieee80211_free_txskb(hw, skb);
> }
> EXPORT_SYMBOL_GPL(mt792x_tx);
>
> @@ -927,6 +936,20 @@ int mt792x_load_firmware(struct mt792x_dev *dev)
> {
> int ret;
>
> + /* Release semaphore if taken by previous failed load attempt.
> + * This prevents "Failed to get patch semaphore" errors when
> + * recovering from firmware crashes or suspend/resume failures.
> + */
> + ret = mt76_connac_mcu_patch_sem_ctrl(&dev->mt76, false);
> + if (ret < 0)
> + dev_dbg(dev->mt76.dev, "Semaphore release returned %d (may be expected)\n", ret);
> +
> + /* Always restart MCU to ensure clean state before loading firmware */
> + mt76_connac_mcu_restart(&dev->mt76);
> +
> + /* Wait for MCU to be ready after restart */
> + msleep(100);
> +
> ret = mt76_connac2_load_patch(&dev->mt76, mt792x_patch_name(dev));
> if (ret)
> return ret;
> --
> 2.52.0
>
<formletter>
This is not the correct way to submit patches for inclusion in the
stable kernel tree. Please read:
https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
for how to do this properly.
</formletter>
next prev parent reply other threads:[~2026-01-20 7:04 UTC|newest]
Thread overview: 113+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-31 5:29 [PATCH] wifi: mt76: mt7925: fix NULL pointer dereference in vif iteration loops Zac Bowling
2025-12-31 22:37 ` [PATCH] wifi: mt76: mt7925: fix missing mutex protection in reset and ROC abort paths Zac Bowling
2026-01-01 0:22 ` [PATCH 2/3] wifi: mt76: mt7925: fix missing mutex protection in reset and ROC abort Zac Bowling
2026-01-01 0:23 ` [PATCH 3/3] wifi: mt76: mt7925: fix missing mutex protection in runtime PM and MLO PM Zac Bowling
2026-01-01 0:41 ` Zac Bowling
2026-01-01 6:25 ` [PATCH] wifi: mt76: mt7925: add NULL checks in MCU STA TLV functions Zac Bowling
2026-01-01 6:25 ` [PATCH] wifi: mt76: mt7925: add NULL checks for link_conf and mlink in main.c Zac Bowling
2026-01-01 6:25 ` [PATCH] wifi: mt76: mt7925: add NULL checks in MLO link and chanctx functions Zac Bowling
2026-01-01 6:25 ` [PATCH] wifi: mt76: mt7925: add error handling for AMPDU MCU commands Zac Bowling
2026-01-01 6:25 ` [PATCH] wifi: mt76: mt7925: add error handling for BSS info MCU command in sta_add Zac Bowling
2026-01-01 6:25 ` [PATCH] wifi: mt76: mt7925: add error handling for BSS info in key setup Zac Bowling
2026-01-01 6:25 ` [PATCH] wifi: mt76: mt7921: fix missing mutex protection in multiple paths Zac Bowling
2026-01-01 6:25 ` [PATCH] wifi: mt76: mt7925: add lockdep assertions for mutex verification Zac Bowling
2026-01-02 20:03 ` [PATCH v2 0/6] wifi: mt76: mt7925/mt792x: additional stability fixes Zac Bowling
2026-01-02 20:03 ` [PATCH] wifi: mt76: mt7925: fix key removal failure during MLO roaming Zac Bowling
2026-01-02 20:03 ` [PATCH] wifi: mt76: mt7925: fix kernel warning in MLO ROC setup when channel not configured Zac Bowling
2026-01-02 20:03 ` [PATCH] wifi: mt76: mt7925: add NULL checks for MLO link pointers in MCU functions Zac Bowling
2026-01-02 20:03 ` [PATCH] wifi: mt76: mt792x: fix firmware reload failure after previous load crash Zac Bowling
2026-01-03 6:46 ` Sean Wang
2026-01-03 18:42 ` Zac Bowling
2026-01-15 7:19 ` Zac Bowling
2026-01-02 20:03 ` [PATCH] wifi: mt76: mt7925: add mutex protection in resume path Zac Bowling
2026-01-02 20:03 ` [PATCH] wifi: mt76: mt7925: add NULL checks and error handling for MCU calls Zac Bowling
2026-01-02 20:05 ` [PATCH] wifi: mt76: mt7925: comprehensive stability fixes Zac Bowling
2026-01-03 6:25 ` Sean Wang
2026-01-03 19:11 ` Zac Bowling
2026-01-05 0:26 ` [PATCH v3 00/17] wifi: mt76: mt7925/mt792x: " Zac Bowling
2026-01-05 0:26 ` [PATCH 01/17] wifi: mt76: mt7925: fix NULL pointer dereference in vif iteration Zac Bowling
2026-01-05 0:26 ` [PATCH 02/17] wifi: mt76: mt7925: fix missing mutex protection in reset and ROC abort Zac Bowling
2026-01-05 0:26 ` [PATCH 03/17] wifi: mt76: mt7925: fix missing mutex protection in runtime PM and MLO PM Zac Bowling
2026-01-05 0:26 ` [PATCH 04/17] wifi: mt76: mt7925: add NULL checks in MCU STA TLV functions Zac Bowling
2026-01-05 0:26 ` [PATCH 05/17] wifi: mt76: mt7925: add NULL checks for link_conf and mlink in main.c Zac Bowling
2026-01-05 0:26 ` [PATCH 06/17] wifi: mt76: mt7925: add error handling for AMPDU MCU commands Zac Bowling
2026-01-05 0:26 ` [PATCH 07/17] wifi: mt76: mt7925: add error handling for BSS info MCU command in sta_add Zac Bowling
2026-01-05 0:26 ` [PATCH 08/17] wifi: mt76: mt7925: add error handling for BSS info in key setup Zac Bowling
2026-01-05 0:26 ` [PATCH 09/17] wifi: mt76: mt7925: add NULL checks in MLO link and chanctx functions Zac Bowling
2026-01-05 0:26 ` [PATCH 10/17] wifi: mt76: mt792x: fix NULL pointer dereference in TX path Zac Bowling
2026-01-05 0:26 ` [PATCH 11/17] wifi: mt76: mt7925: add lockdep assertions for mutex verification Zac Bowling
2026-01-05 0:26 ` [PATCH 12/17] wifi: mt76: mt7925: fix key removal failure during MLO roaming Zac Bowling
2026-01-05 0:26 ` [PATCH 13/17] wifi: mt76: mt7925: fix kernel warning in MLO ROC setup Zac Bowling
2026-01-05 0:26 ` [PATCH 14/17] wifi: mt76: mt7925: add NULL checks for MLO link pointers in MCU functions Zac Bowling
2026-01-05 0:26 ` [PATCH 15/17] wifi: mt76: mt792x: fix firmware reload failure after previous load crash Zac Bowling
2026-01-05 0:26 ` [PATCH 16/17] wifi: mt76: mt7925: add mutex protection in resume path Zac Bowling
2026-01-05 0:26 ` [PATCH 17/17] wifi: mt76: mt7925: add NULL checks in link station and TX queue setup Zac Bowling
2026-01-11 3:13 ` Zac Bowling
2026-01-11 3:36 ` Zac Bowling
2026-01-16 0:15 ` [PATCH v3 00/17] wifi: mt76: mt7925/mt792x: comprehensive stability fixes Sean Wang
2026-01-16 0:43 ` Zac Bowling
2026-01-16 1:04 ` [PATCH v4 00/21] wifi: mt76: mt7925/mt7921: stability and MLO fixes Zac
2026-01-16 1:04 ` [PATCH v4 01/21] wifi: mt76: mt7925: fix NULL pointer dereference in vif iteration Zac
2026-01-16 1:05 ` [PATCH v4 02/21] wifi: mt76: mt7925: fix missing mutex protection in reset and ROC abort Zac
2026-01-16 1:05 ` [PATCH v4 03/21] wifi: mt76: mt7925: fix missing mutex protection in runtime PM and MLO PM Zac
2026-01-16 1:05 ` [PATCH v4 04/21] wifi: mt76: mt7925: add NULL checks in MCU STA TLV functions Zac
2026-01-16 1:05 ` [PATCH v4 05/21] wifi: mt76: mt7925: add NULL checks for link_conf and mlink in main.c Zac
2026-01-16 1:05 ` [PATCH v4 06/21] wifi: mt76: mt7925: add error handling for AMPDU MCU commands Zac
2026-01-16 1:05 ` [PATCH v4 07/21] wifi: mt76: mt7925: add error handling for BSS info MCU command in sta_add Zac
2026-01-16 1:05 ` [PATCH v4 08/21] wifi: mt76: mt7925: add error handling for BSS info in key setup Zac
2026-01-16 1:05 ` [PATCH v4 09/21] wifi: mt76: mt7925: add NULL checks in MLO link and chanctx functions Zac
2026-01-16 1:05 ` [PATCH v4 10/21] wifi: mt76: mt792x: fix NULL pointer dereference in TX path Zac
2026-01-16 1:05 ` [PATCH v4 11/21] wifi: mt76: mt7925: add lockdep assertions for mutex verification Zac
2026-01-16 1:05 ` [PATCH v4 12/21] wifi: mt76: mt7925: fix key removal failure during MLO roaming Zac
2026-01-16 1:05 ` [PATCH v4 13/21] wifi: mt76: mt7925: fix kernel warning in MLO ROC setup Zac
2026-01-16 1:05 ` [PATCH v4 14/21] wifi: mt76: mt7925: add NULL checks for MLO link pointers in MCU functions Zac
2026-01-16 1:05 ` [PATCH v4 15/21] wifi: mt76: mt792x: fix firmware reload failure after previous load crash Zac
2026-01-16 1:05 ` [PATCH v4 16/21] wifi: mt76: mt7925: add mutex protection in resume path Zac
2026-01-16 1:05 ` [PATCH v4 17/21] wifi: mt76: mt7925: add NULL checks in link station and TX queue setup Zac
2026-01-16 1:05 ` [PATCH v4 18/21] wifi: mt76: mt7921: fix missing mutex protection in multiple paths Zac
2026-01-16 1:05 ` [PATCH v4 19/21] wifi: mt76: mt7921: fix mutex deadlocks " Zac
2026-01-16 1:05 ` [PATCH v4 20/21] wifi: mt76: fix list corruption in mt76_wcid_cleanup Zac
2026-01-16 1:05 ` [PATCH v4 21/21] wifi: mt76: mt7925: fix BA session teardown during beacon loss Zac
2026-01-20 6:28 ` [PATCH v5 00/11] wifi: mt76: mt7925/mt7921 stability fixes Zac
2026-01-20 6:28 ` [PATCH 01/11] wifi: mt76: fix list corruption in mt76_wcid_cleanup Zac
2026-01-20 6:28 ` [PATCH 02/11] wifi: mt76: mt792x: fix NULL pointer and firmware reload issues Zac
2026-01-20 7:04 ` Greg KH [this message]
2026-01-20 6:28 ` [PATCH 03/11] wifi: mt76: mt7921: add mutex protection in critical paths Zac
2026-01-20 6:28 ` [PATCH 04/11] wifi: mt76: mt7921: fix deadlock in sta removal and suspend ROC abort Zac
2026-01-20 6:28 ` [PATCH 05/11] wifi: mt76: mt7925: add comprehensive NULL pointer protection for MLO Zac
2026-01-20 6:28 ` [PATCH 06/11] wifi: mt76: mt7925: add mutex protection in critical paths Zac
2026-01-20 6:28 ` [PATCH 07/11] wifi: mt76: mt7925: add MCU command error handling Zac
2026-01-20 6:28 ` [PATCH 08/11] wifi: mt76: mt7925: add lockdep assertions for mutex verification Zac
2026-01-20 6:28 ` [PATCH 09/11] wifi: mt76: mt7925: fix MLO roaming and ROC setup issues Zac
2026-01-20 6:28 ` [PATCH 10/11] wifi: mt76: mt7925: fix BA session teardown during beacon loss Zac
2026-01-20 6:28 ` [PATCH 11/11] wifi: mt76: mt7925: fix ROC deadlocks and race conditions Zac
2026-01-20 8:25 ` Sean Wang
2026-01-20 17:59 ` Zac Bowling
2026-01-20 20:10 ` [PATCH v6 00/13] wifi: mt76: stability fixes for deadlocks, NULL derefs, " Zac
2026-01-20 20:10 ` [PATCH 01/13] wifi: mt76: mt7925: fix potential deadlock in mt7925_roc_abort_sync Zac
2026-01-20 20:10 ` [PATCH 02/13] wifi: mt76: fix list corruption in mt76_wcid_cleanup Zac
2026-01-20 20:10 ` [PATCH 03/13] wifi: mt76: mt792x: fix NULL pointer and firmware reload issues Zac
2026-01-20 20:10 ` [PATCH 04/13] wifi: mt76: mt7921: add mutex protection in critical paths Zac
2026-01-27 10:59 ` Felix Fietkau
2026-01-29 6:19 ` Zac Bowling
2026-01-20 20:10 ` [PATCH 05/13] wifi: mt76: mt7921: fix deadlock in sta removal and suspend ROC abort Zac
2026-01-20 20:10 ` [PATCH 06/13] wifi: mt76: mt7925: add comprehensive NULL pointer protection for MLO Zac
2026-01-20 20:10 ` [PATCH 08/13] wifi: mt76: mt7925: add MCU command error handling Zac
2026-01-20 20:10 ` [PATCH 09/13] wifi: mt76: mt7925: add lockdep assertions for mutex verification Zac
2026-01-20 20:10 ` [PATCH 10/13] wifi: mt76: mt7925: fix MLO roaming and ROC setup issues Zac
2026-01-20 20:10 ` [PATCH 11/13] wifi: mt76: mt7925: fix BA session teardown during beacon loss Zac
2026-01-20 20:10 ` [PATCH 12/13] wifi: mt76: mt7925: fix ROC deadlocks and race conditions Zac
2026-01-27 11:06 ` Felix Fietkau
2026-01-20 20:10 ` [PATCH 13/13] wifi: mt76: mt7925: fix double wcid initialization race condition Zac
2026-01-27 10:58 ` [PATCH v6 00/13] wifi: mt76: stability fixes for deadlocks, NULL derefs, and race conditions Felix Fietkau
2026-01-29 8:18 ` [PATCH v7 0/6] wifi: mt76: mt7925: MLO stability fixes Zac
2026-01-29 8:18 ` [PATCH v7 1/6] wifi: mt76: mt7925: fix double wcid initialization race condition Zac
2026-01-29 8:18 ` [PATCH v7 2/6] wifi: mt76: mt7925: add NULL pointer protection for MLO state transitions Zac
2026-01-29 8:18 ` [PATCH v7 3/6] wifi: mt76: mt7925: add mutex protection in critical paths Zac
2026-01-29 8:18 ` [PATCH v7 4/6] wifi: mt76: mt7925: add MCU command error handling in ampdu_action Zac
2026-01-29 8:18 ` [PATCH v7 5/6] wifi: mt76: mt7925: add lockdep assertions for mutex verification Zac
2026-01-29 8:18 ` [PATCH v7 6/6] wifi: mt76: mt7925: fix MLO ROC setup error handling Zac
2026-01-29 8:46 ` [PATCH 2/6] wifi: mt76: mt7925: add NULL pointer protection for MLO state transitions Zac
2026-01-29 9:05 ` [v7 PATCH 7/7] wifi: mt76: mt7925: add error logging for MLO ROC setup in set_links Zac
2026-01-20 11:42 ` [PATCH 11/11] wifi: mt76: mt7925: fix ROC deadlocks and race conditions kernel test robot
2026-01-20 13:26 ` kernel test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2026012028-barmaid-ouch-e53b@gregkh \
--to=gregkh@linuxfoundation.org \
--cc=deren.wu@mediatek.com \
--cc=kvalo@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mediatek@lists.infradead.org \
--cc=linux-wireless@vger.kernel.org \
--cc=linux@frame.work \
--cc=lorenzo@kernel.org \
--cc=nbd@nbd.name \
--cc=ryder.lee@mediatek.com \
--cc=sean.wang@kernel.org \
--cc=sean.wang@mediatek.com \
--cc=stable@vger.kernel.org \
--cc=zac@zacbowling.com \
--cc=zbowling@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox