public inbox for stable@vger.kernel.org
From: Greg KH <gregkh@linuxfoundation.org>
To: Zac <zac@zacbowling.com>
Cc: sean.wang@kernel.org, deren.wu@mediatek.com, kvalo@kernel.org,
	linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org,
	linux-wireless@vger.kernel.org, lorenzo@kernel.org, nbd@nbd.name,
	ryder.lee@mediatek.com, sean.wang@mediatek.com,
	stable@vger.kernel.org, linux@frame.work, zbowling@gmail.com
Subject: Re: [PATCH 02/11] wifi: mt76: mt792x: fix NULL pointer and firmware reload issues
Date: Tue, 20 Jan 2026 08:04:42 +0100
Message-ID: <2026012028-barmaid-ouch-e53b@gregkh>
In-Reply-To: <20260120062854.126501-3-zac@zacbowling.com>

On Mon, Jan 19, 2026 at 10:28:45PM -0800, Zac wrote:
> From: Zac Bowling <zac@zacbowling.com>
> 
> This patch combines two fixes for the shared mt792x code used by both
> MT7921 and MT7925 drivers:
> 
> 1. Fix NULL pointer dereference in TX path:
> 
> Add NULL pointer checks in mt792x_tx() to prevent kernel crashes when
> transmitting packets during MLO link removal.
> 
> The function calls mt792x_sta_to_link() which can return NULL if the
> link is being removed, but the return value was dereferenced without
> checking. Similarly, the RCU-protected link_conf and link_sta pointers
> were used without NULL validation.
> 
> This race can occur when:
> - A packet is queued for transmission
> - Concurrently, the link is being removed (mt7925_mac_link_sta_remove)
> - mt792x_sta_to_link() returns NULL for the removed link
> - Kernel crashes on wcid = &mlink->wcid dereference
> 
> Fix by checking mlink, conf, and link_sta before use, freeing the SKB
> and returning early if any pointer is NULL.
> 
> 2. Fix firmware reload failure after previous load crash:
> 
> If the firmware loading process crashes or is interrupted after
> acquiring the patch semaphore but before releasing it, subsequent
> firmware load attempts will fail with 'Failed to get patch semaphore'.
> 
> Apply the same fix from MT7915 (commit 79dd14f): release the patch
> semaphore before starting firmware load and restart MCU firmware to
> ensure clean state.
> 
> Fixes: c74df1c067f2 ("wifi: mt76: mt792x: introduce mt792x-lib module")
> Fixes: 583204ae70f9 ("wifi: mt76: mt792x: move mt7921_load_firmware in mt792x-lib module")
> Link: https://github.com/openwrt/mt76/commit/79dd14f2e8161b656341b6653261779199aedbe4
> Signed-off-by: Zac Bowling <zac@zacbowling.com>
> ---
>  .../net/wireless/mediatek/mt76/mt792x_core.c  | 27 +++++++++++++++++--
>  1 file changed, 25 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/net/wireless/mediatek/mt76/mt792x_core.c b/drivers/net/wireless/mediatek/mt76/mt792x_core.c
> index f2ed16feb6c1..05598202b488 100644
> --- a/drivers/net/wireless/mediatek/mt76/mt792x_core.c
> +++ b/drivers/net/wireless/mediatek/mt76/mt792x_core.c
> @@ -95,6 +95,8 @@ void mt792x_tx(struct ieee80211_hw *hw, struct ieee80211_tx_control *control,
>  				       IEEE80211_TX_CTRL_MLO_LINK);
>  		sta = (struct mt792x_sta *)control->sta->drv_priv;
>  		mlink = mt792x_sta_to_link(sta, link_id);
> +		if (!mlink)
> +			goto free_skb;
>  		wcid = &mlink->wcid;
>  	}
>  
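Review bot: the NULL check on mlink after mt792x_sta_to_link() only handles the case where the link is already gone when mt792x_tx() runs; the commit message describes a concurrent mt7925_mac_link_sta_remove(), and nothing in this hunk stops the link (and the mlink->wcid taken on the very next line) from being torn down right after the check. Please state in the commit message, or in a comment here, what serializes the TX path against link removal (the RCU section taken later, or a mac80211 guarantee being relied on); otherwise this narrows the window rather than closing the race the message claims to fix.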
> @@ -113,9 +115,12 @@ void mt792x_tx(struct ieee80211_hw *hw, struct ieee80211_tx_control *control,
>  		link_id = wcid->link_id;
>  		rcu_read_lock();
>  		conf = rcu_dereference(vif->link_conf[link_id]);
> -		memcpy(hdr->addr2, conf->addr, ETH_ALEN);
> -
>  		link_sta = rcu_dereference(control->sta->link[link_id]);
> +		if (!conf || !link_sta) {
> +			rcu_read_unlock();
> +			goto free_skb;
> +		}
> +		memcpy(hdr->addr2, conf->addr, ETH_ALEN);
>  		memcpy(hdr->addr1, link_sta->addr, ETH_ALEN);
>  
>  		if (vif->type == NL80211_IFTYPE_STATION)
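Review bot: the real change in this hunk is that the memcpy of conf->addr is moved below the rcu_dereference of control->sta->link[link_id], so both lookups are done before either pointer is used; that reordering is not mentioned in the commit message and should be, so the intent is clear to whoever reads the blame later. The early exit also drops the frame silently: a frame arriving with a NULL link_conf or link_sta is exactly the condition this patch is chasing, so consider a rate-limited debug message or a drop counter before the `goto free_skb` so the condition is observable in the field instead of showing up only as unexplained packet loss.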
> @@ -136,6 +141,10 @@ void mt792x_tx(struct ieee80211_hw *hw, struct ieee80211_tx_control *control,
>  	}
>  
>  	mt76_connac_pm_queue_skb(hw, &dev->pm, wcid, skb);
> +	return;
> +
> +free_skb:
> +	ieee80211_free_txskb(hw, skb);
>  }
>  EXPORT_SYMBOL_GPL(mt792x_tx);
>  
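Review bot: `free_skb:` is reached from two different lock states: the jump in the first hunk happens before rcu_read_lock() is taken, and the jump in the second hunk is preceded by an explicit rcu_read_unlock(), so the label correctly runs with the RCU read lock not held. A one-line comment above the label stating that invariant would help the next person who adds a third `goto free_skb` keep the lock/unlock balanced; using ieee80211_free_txskb() rather than a plain dev_kfree_skb() here is the right call since it reports the drop back to mac80211.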
> @@ -927,6 +936,20 @@ int mt792x_load_firmware(struct mt792x_dev *dev)
>  {
>  	int ret;
>  
> +	/* Release semaphore if taken by previous failed load attempt.
> +	 * This prevents "Failed to get patch semaphore" errors when
> +	 * recovering from firmware crashes or suspend/resume failures.
> +	 */
> +	ret = mt76_connac_mcu_patch_sem_ctrl(&dev->mt76, false);
> +	if (ret < 0)
> +		dev_dbg(dev->mt76.dev, "Semaphore release returned %d (may be expected)\n", ret);
> +
> +	/* Always restart MCU to ensure clean state before loading firmware */
> +	mt76_connac_mcu_restart(&dev->mt76);
> +
> +	/* Wait for MCU to be ready after restart */
> +	msleep(100);
> +
>  	ret = mt76_connac2_load_patch(&dev->mt76, mt792x_patch_name(dev));
>  	if (ret)
>  		return ret;
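Review bot: `mt76_connac_mcu_restart()` followed by a fixed `msleep(100)` now runs unconditionally on every firmware load, including the normal probe path where no stale semaphore exists, so every probe and resume pays for a full MCU restart plus a hard-coded 100 ms delay. Consider releasing the semaphore and restarting only when mt76_connac2_load_patch() fails with the semaphore error and then retrying once, and replace the magic sleep with a poll on an MCU-ready condition, or at least document where the 100 ms comes from; the `dev_dbg` on the ignored release result is fine but the "(may be expected)" wording should say which error is expected. This hunk also addresses an issue unrelated to the TX-path hunks above and would normally be its own patch with its own Fixes: tag; the referenced MT7915 change is cited via an openwrt GitHub link and a short id (79dd14f), and a mainline commit id should be given if one exists.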
> -- 
> 2.52.0
> 

<formletter>

This is not the correct way to submit patches for inclusion in the
stable kernel tree.  Please read:
    https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
for how to do this properly.

</formletter>

Thread overview: 17+ messages
     [not found] <CAGp9LzpuyXRDa=TxqY+Xd5ZhDVvNayWbpMGDD1T0g7apkn7P0A@mail.gmail.com>
2026-01-20  6:28 ` [PATCH v5 00/11] wifi: mt76: mt7925/mt7921 stability fixes Zac
2026-01-20  6:28   ` [PATCH 01/11] wifi: mt76: fix list corruption in mt76_wcid_cleanup Zac
2026-01-20  6:28   ` [PATCH 02/11] wifi: mt76: mt792x: fix NULL pointer and firmware reload issues Zac
2026-01-20  7:04     ` Greg KH [this message]
2026-01-20  6:28   ` [PATCH 03/11] wifi: mt76: mt7921: add mutex protection in critical paths Zac
2026-01-20  6:28   ` [PATCH 04/11] wifi: mt76: mt7921: fix deadlock in sta removal and suspend ROC abort Zac
2026-01-20  6:28   ` [PATCH 05/11] wifi: mt76: mt7925: add comprehensive NULL pointer protection for MLO Zac
2026-01-20  6:28   ` [PATCH 06/11] wifi: mt76: mt7925: add mutex protection in critical paths Zac
2026-01-20  6:28   ` [PATCH 07/11] wifi: mt76: mt7925: add MCU command error handling Zac
2026-01-20  6:28   ` [PATCH 08/11] wifi: mt76: mt7925: add lockdep assertions for mutex verification Zac
2026-01-20  6:28   ` [PATCH 09/11] wifi: mt76: mt7925: fix MLO roaming and ROC setup issues Zac
2026-01-20  6:28   ` [PATCH 10/11] wifi: mt76: mt7925: fix BA session teardown during beacon loss Zac
2026-01-20  6:28   ` [PATCH 11/11] wifi: mt76: mt7925: fix ROC deadlocks and race conditions Zac
2026-01-20  8:25     ` Sean Wang
2026-01-20 17:59       ` Zac Bowling
2026-01-20 11:42     ` kernel test robot
2026-01-20 13:26     ` kernel test robot
