wifi: iwlwifi: mld: add support for iwl_mcc_allowed_ap_type_cmd v2
There is a new version of this command to indicate which AP type in
UNII-9 is supported per country.
This adds support for a new UEFI table that will include that data to be
filled in the new AP type table.
Rename the uats_table field in firmware_runtime structure since it
includes now the UATS and the new UNEB table coming from UEFI.
For the same reason, rename iwl_mld_init_uats.
Marco Crivellari [Tue, 10 Feb 2026 14:33:32 +0000 (15:33 +0100)]
wifi: iwlwifi: mvm: replace use of system_wq with system_percpu_wq
This patch continues the effort to refactor workqueue APIs, which has begun
with the changes introducing new workqueues and a new alloc_workqueue flag:
commit 128ea9f6ccfb ("workqueue: Add system_percpu_wq and system_dfl_wq")
commit 930c2ea566af ("workqueue: Add new WQ_PERCPU flag")
The point of the refactoring is to eventually alter the default behavior of
workqueues to become unbound by default so that their workload placement is
optimized by the scheduler.
Before that can happen, after a careful review and conversion of each individual
case, workqueue users must be converted to the better named new workqueues with
no intended behaviour changes:
Marco Crivellari [Thu, 20 Nov 2025 10:08:49 +0000 (11:08 +0100)]
wifi: iwlwifi: fw: replace use of system_unbound_wq with system_dfl_wq
This patch continues the effort to refactor workqueue APIs, which has begun
with the changes introducing new workqueues and a new alloc_workqueue flag:
commit 128ea9f6ccfb ("workqueue: Add system_percpu_wq and system_dfl_wq")
commit 930c2ea566af ("workqueue: Add new WQ_PERCPU flag")
The point of the refactoring is to eventually alter the default behavior of
workqueues to become unbound by default so that their workload placement is
optimized by the scheduler.
Before that can happen, after a careful review and conversion of each individual
case, workqueue users must be converted to the better named new workqueues with
no intended behaviour changes:
Marco Crivellari [Thu, 20 Nov 2025 10:08:48 +0000 (11:08 +0100)]
wifi: iwlwifi: replace use of system_unbound_wq with system_dfl_wq
This patch continues the effort to refactor workqueue APIs, which has begun
with the changes introducing new workqueues and a new alloc_workqueue flag:
commit 128ea9f6ccfb ("workqueue: Add system_percpu_wq and system_dfl_wq")
commit 930c2ea566af ("workqueue: Add new WQ_PERCPU flag")
The point of the refactoring is to eventually alter the default behavior of
workqueues to become unbound by default so that their workload placement is
optimized by the scheduler.
Before that can happen, after a careful review and conversion of each individual
case, workqueue users must be converted to the better named new workqueues with
no intended behaviour changes:
Lorenzo Bianconi [Sun, 15 Mar 2026 10:26:29 +0000 (11:26 +0100)]
wifi: mt76: mt7996: Destroy active sta links in mt7996_mac_sta_remove()
Similar to vif link management, postpone sta link destruction in
mt7996_mac_sta_remove() introducing mt7996_mac_sta_remove_link utility
routine and just disable sta link running mt7996_mac_sta_remove_links
routine.
This is a preliminary patch in order to support MLO link reconfiguration
in MT7996 driver.
Shayne Chen [Sun, 15 Mar 2026 10:26:28 +0000 (11:26 +0100)]
wifi: mt76: mt7996: Add mcu APIs to enable/disable vif links.
Introduce mt7996_mcu_mld_reconf_stop_link and mt7996_mcu_mld_link_oper
utility routines in order to communicate to the mcu fw to disable/enable
a specific vif link. Please note these APIs are currently supported by
the MT7996 firmware only in AP mode.
Lorenzo Bianconi [Sun, 15 Mar 2026 10:26:27 +0000 (11:26 +0100)]
wifi: mt76: mt7996: Destroy vif active links in mt7996_remove_interface()
MT7996 hw requires to remove active links from the mcu BSSINFO table
destroying the interface. For this reason introduce mt7996_vif_link_destroy
routine and remove active (non-offchannel) vif links running
mt7996_remove_interface routine.
This is a preliminary patch in order to support MLO link reconfiguration
in MT7996 driver.
Shayne Chen [Sun, 15 Mar 2026 10:26:26 +0000 (11:26 +0100)]
wifi: mt76: mt7996: Move mlink deallocation in mt7996_vif_link_remove()
Destroy mt76_vif_link struct in mt7996_vif_link_remove routine and not
in mt76_unassign_vif_chanctx(). This is necessary since, in order to
properly support MLO link reconfiguration, we will destroy mt76_vif_link
struct during AP tear-down process and not running unassign_vif_chanctx
mac80211 callback.
This patch does not introduce any regression since
mt76_assign_vif_chanctx/mt76_unassign_vif_chanctx APIs are currently
used just by MT7996 driver.
Shayne Chen [Sun, 15 Mar 2026 10:26:25 +0000 (11:26 +0100)]
wifi: mt76: mt7996: Account active links in valid_links fields
Track active vif links in mt7996_vif_link_add and mt7996_vif_link_remove
routines.
This is a preliminary patch in order to remove AP MLD links from MCU
configuration during AP tear-down process and to support MLO link
reconfiguration in MT7996 driver.
Lorenzo Bianconi [Sun, 15 Mar 2026 10:26:24 +0000 (11:26 +0100)]
wifi: mt76: mt7996: Rely on msta_link link_id in mt7996_vif_link_remove()
Rely on msta_link link_id value in mt7996_vif_link_remove routine
instead of using link_conf pointer. This assumption is correct since
msta_link link_id is set to link_conf link_id value in mt7996_vif_link_add
routine.
Moreover, fallback to default ieee80211_bss_conf struct if the link_conf
pointer in mt7996_vif_link_remove() is NULL.
MT7996 hw requires to remove AP MLD links from MCU configuration during
AP tear-down process (e.g. running mt7996_remove_interface()). Doing so,
we can't assume link_conf pointer is always non-NULL running
mt7996_vif_link_remove routine.
Sean Wang [Fri, 6 Mar 2026 23:22:37 +0000 (17:22 -0600)]
wifi: mt76: mt7925: publish msta->link after successful link add
Move the msta->link[link_id] publication until after
mt7925_mac_link_sta_add() succeeds.
msta->link[] is RCU-visible, so publishing it before setup completes can
expose a link whose add path later fails. Publish it only after success
to avoid partially initialized link state becoming visible.
Sean Wang [Fri, 6 Mar 2026 23:22:36 +0000 (17:22 -0600)]
wifi: mt76: mt7925: switch link STA allocation to RCU lifetime
Allocate mt792x_link_sta with kzalloc() and free it with kfree_rcu()
instead of devm-managed memory.
msta->link[] is published via RCU, so the link STA must remain valid
until readers have quiesced after teardown. Manage the object lifetime
with kfree_rcu() to match its RCU-visible publication.
Sean Wang [Fri, 6 Mar 2026 23:22:33 +0000 (17:22 -0600)]
wifi: mt76: mt7925: unwind WCID setup on link STA add failure
Undo the published WCID state when mt7925_mac_link_sta_add() fails after
WCID setup.
The add path can fail after dev->mt76.wcid[] is published, so the error
path must clear the partial host-side WCID state to avoid leaving stale
entries behind.
Sean Wang [Fri, 6 Mar 2026 23:22:32 +0000 (17:22 -0600)]
wifi: mt76: mt7925: make WCID cleanup unconditional in sta_remove_links()
Drop the dead pri_link check in mt7925_mac_sta_remove_links() and
perform WCID cleanup unconditionally.
mlink->pri_link is already cleared before the test, making the branch
ineffective. This matches the actual teardown behaviour and simplifies
the remove path.
Sean Wang [Fri, 6 Mar 2026 23:22:31 +0000 (17:22 -0600)]
wifi: mt76: mt7925: pass mconf and mlink to wtbl_update_hdr_trans()
Drop the mt792x_vif_to_link() lookup in mt7925_mcu_wtbl_update_hdr_trans()
and pass the resolved mconf and mlink from the caller instead. The link
context is already known at the call site, making the lookup redundant.
This keeps the helper lookup-free and makes link ownership explicit.
Sean Wang [Fri, 6 Mar 2026 23:22:30 +0000 (17:22 -0600)]
wifi: mt76: mt7925: resolve link after acquiring mt76 mutex
mt792x_sta_to_link() uses rcu_dereference_protected() and therefore
expects mt76.mutex to be held. Move the lookup after
mt792x_mutex_acquire() to make the locking explicit and correct.
Sean Wang [Fri, 6 Mar 2026 23:22:29 +0000 (17:22 -0600)]
wifi: mt76: mt7925: pass mlink to set_link_key()
Drop the mt792x_sta_to_link() lookup in mt7925_set_link_key() and pass
the resolved mlink from the caller instead. The link context is already
known at the call site, making the lookup redundant.
This keeps the helper lookup-free and makes link ownership explicit.
Sean Wang [Fri, 6 Mar 2026 23:22:28 +0000 (17:22 -0600)]
wifi: mt76: mt7925: pass mlink to wtbl_update_hdr_trans()
Drop the mt792x_sta_to_link() lookup in mt7925_mcu_wtbl_update_hdr_trans()
and pass the resolved mlink from the caller instead. The link context is
already known at the call site, making the lookup redundant.
This keeps the helper lookup-free and makes link ownership explicit.
Sean Wang [Fri, 6 Mar 2026 23:22:26 +0000 (17:22 -0600)]
wifi: mt76: mt7925: pass mlink to sta_hdr_trans_tlv()
Drop the mt792x_sta_to_link() lookup in mt7925_mcu_sta_hdr_trans_tlv()
and pass the resolved mlink from the caller instead. The link is
already known at the call site, making the lookup redundant.
This keeps the helper lookup-free and makes WCID selection explicit.
Sean Wang [Fri, 6 Mar 2026 23:22:25 +0000 (17:22 -0600)]
wifi: mt76: mt7925: pass mlink to mac_link_sta_remove()
Drop the mt792x_sta_to_link() lookup in mt7925_mac_link_sta_remove()
and pass mlink from mt7925_mac_sta_remove_links() instead. The link is
already resolved there, making the extra lookup redundant.
This keeps the remove helper lookup-free and avoids hidden dependence on
msta->link[link_id] during teardown.
Sean Wang [Fri, 6 Mar 2026 23:22:24 +0000 (17:22 -0600)]
wifi: mt76: mt7925: resolve primary mlink via def_wcid
Use mlink->wcid.def_wcid to obtain the primary mlink in
mt7925_mac_link_sta_add() instead of calling mt792x_sta_to_link().
The primary link context is already carried by the WCID, so the extra
lookup is redundant. This makes the add path follow the existing WCID
association directly.
Sean Wang [Fri, 6 Mar 2026 23:22:23 +0000 (17:22 -0600)]
wifi: mt76: mt7925: pass mlink to mcu_sta_update()
Drop the mt792x_sta_to_link() lookup in mt7925_mcu_sta_update() and
pass the resolved mlink from the caller instead. The link context is
already known at the call site, making the lookup redundant.
This keeps the helper lookup-free and makes WCID selection explicit.
Sean Wang [Fri, 6 Mar 2026 23:22:22 +0000 (17:22 -0600)]
wifi: mt76: mt7925: pass mlink and mconf to sta_mld_tlv()
Drop the mt792x_sta_to_link() lookup in mt7925_mcu_sta_mld_tlv() and
pass mlink and mconf from the caller instead. The link context is
already known at the call site, making the lookup redundant.
This keeps the helper lookup-free and makes MLD link selection
explicit.
Sean Wang [Fri, 6 Mar 2026 23:22:21 +0000 (17:22 -0600)]
wifi: mt76: mt7925: pass WCID indices to bss_basic_tlv()
Drop the mt792x_sta_to_link() lookup in mt7925_mcu_bss_basic_tlv() and
pass the resolved WCID indices from the caller instead. The link
context is already known, so the lookup is redundant.
This makes link ownership explicit and keeps the helper lookup-free.
Sean Wang [Fri, 6 Mar 2026 23:22:20 +0000 (17:22 -0600)]
wifi: mt76: mt7925: pass mlink to sta_amsdu_tlv()
Drop the mt792x_sta_to_link() lookup in mt7925_mcu_sta_amsdu_tlv() and
pass mlink from the caller instead. The link context is already known
so the lookup is redundant.
This makes link ownership explicit and keeps the helper lookup-free.
StanleyYP Wang [Thu, 12 Mar 2026 09:57:24 +0000 (17:57 +0800)]
wifi: mt76: mt7996: fix issues with manually triggered radar detection
Disallow triggering radar detection on non-DFS channels to prevent paused
TX queues from failing to resume, as a channel switch is not performed in
this case.
Rex Lu [Thu, 12 Mar 2026 09:57:22 +0000 (17:57 +0800)]
wifi: mt76: mt7996: adjust timeout value for boot-up calibration commands
Align the vendor driver by adjusting the timeout values for the
MCU_UNI_CMD_EFUSE_CTRL and MCU_UNI_CMD_EXT_EEPROM_CTRL commands.
Without this adjustment, false positive command timeout errors may occur,
especially on some iPA variants.
Peter Chiu [Thu, 12 Mar 2026 09:57:21 +0000 (17:57 +0800)]
wifi: mt76: mt7996: update WFSYS reset flow for MT7990 chipsets
Skip WFSYS reset during bootup for MT7990 chipsets; only reset if L0.5
recovery is triggered.
Without this fix, the following kernel error may occur:
Internal error: synchronous external abort.
Felix Fietkau [Mon, 9 Mar 2026 06:07:30 +0000 (06:07 +0000)]
wifi: mt76: add per-link beacon monitoring for MLO
With chanctx drivers using hardware scan or remain-on-channel,
mac80211 does not know when the radio goes off-channel, which breaks
its software beacon loss detection.
Implement per-link beacon monitoring in the driver. Track the last
beacon timestamp per link and check for beacon loss periodically from
the mac_work handler.
Beacon monitoring is initialized on association and on late link
activation, and cleared on disassociation. The beacon_mon_last
timestamp is reset when returning from offchannel and after channel
switches to prevent false beacon loss detection.
Felix Fietkau [Mon, 9 Mar 2026 06:07:29 +0000 (06:07 +0000)]
wifi: mt76: wait for firmware TX completion of mgmt frames before channel switch
After flushing software-pending frames to DMA, mt76_has_tx_pending()
only checks DMA ring q->queued. For token-based drivers, q->queued is
decremented at DMA consumption, but firmware may not have transmitted
the frame yet. Waiting for all tokens is not feasible because data
frames may be stuck in firmware powersave/aggregation queues.
Track PSD queue tokens (firmware ALTX) per phy using an atomic counter.
These frames are sent by firmware immediately without PS buffering, so
the counter reliably reaches zero after transmission.
Increment the counter in mt76_token_consume() and decrement it in
mt76_token_release(), only for PSD queue tokens. Include the counter
in mt76_has_tx_pending() so channel switch waits for firmware TX
completion of management and nullfunc frames.
mt7615 (uses mt76_token_get/put) and non-token drivers are unaffected
as they never call mt76_token_consume/release.
Felix Fietkau [Mon, 9 Mar 2026 06:07:28 +0000 (06:07 +0000)]
wifi: mt76: route nullfunc frames to PSD/ALTX queue
ieee80211_is_data() returns true for nullfunc/QoS-nullfunc frames, so
they bypass the PSD queue routing and go through the regular VO data
queue. This means firmware processes them through the normal TID queue
instead of the ALTX queue, which doesn't guarantee immediate
transmission.
Use ieee80211_is_data_present() instead, which returns false for both
management frames and nullfunc/QoS-nullfunc (no payload), routing them
to MT_TXQ_PSD. Firmware maps PSD to the ALTX queue, which transmits
immediately without PS buffering.
This only affects frames from the mt76_tx() pending path. Regular
mac80211 TXQ scheduling is unchanged.
Felix Fietkau [Mon, 9 Mar 2026 06:07:27 +0000 (06:07 +0000)]
wifi: mt76: flush pending TX before channel switch
mt76_tx() queues frames on wcid->tx_pending for async processing by
tx_worker. In __mt76_set_channel(), the worker gets disabled before it
may have run, and the subsequent wait only checks DMA ring queues, not
the software pending list. This means frames like nullfunc PS frames
from mt76_offchannel_notify() may never be transmitted on the correct
channel.
Fix this by running mt76_txq_schedule_pending() synchronously after
disabling the tx_worker but before setting MT76_RESET, which would
otherwise cause mt76_txq_schedule_pending_wcid() to bail out.
Felix Fietkau [Mon, 9 Mar 2026 06:07:26 +0000 (06:07 +0000)]
wifi: mt76: send nullfunc PS frames on offchannel transitions
Since mt76 uses chanctx, mac80211 does not send nullfunc power save
notifications when the driver goes offchannel for scan or ROC.
Add mt76_offchannel_notify() to send nullfunc PM=1 before going
offchannel and PM=0 after returning, so that the AP can buffer
frames during the absence.
For MLO, iterate all vif links on the phy and set
IEEE80211_TX_CTRL_MLO_LINK so that the driver's tx_prepare_skb
resolves the correct per-link wcid.
Felix Fietkau [Mon, 9 Mar 2026 06:07:25 +0000 (06:07 +0000)]
wifi: mt76: optimize ROC for same-channel case
mt76_remain_on_channel() always creates an HT20 chandef and goes
offchannel, even when the ROC channel matches the operating channel.
This unnecessarily narrows bandwidth and triggers beacon stop/restart.
When the ROC channel matches the current operating channel, preserve
the full chandef and skip the offchannel transition, matching the
optimization already present in the scan code.
Extract the shared same-channel detection into mt76_offchannel_chandef()
and use it in both ROC and scan paths.
Felix Fietkau [Mon, 9 Mar 2026 06:07:24 +0000 (06:07 +0000)]
wifi: mt76: abort ROC on chanctx changes
mt76_change_chanctx() calls mt76_phy_update_channel() which switches
the hardware channel. If ROC is active on the same phy, this switches
away from the ROC channel and clears offchannel, but leaves ROC state
intact. Mac80211 still thinks the phy is on the ROC channel.
Abort any active ROC before proceeding, matching the pattern already
used in add, remove, assign, unassign, and switch chanctx functions.
Felix Fietkau [Mon, 9 Mar 2026 06:07:23 +0000 (06:07 +0000)]
wifi: mt76: check chanctx before restoring channel after ROC
mt76_remove_chanctx() sets phy->chanctx to NULL but does not clear
phy->main_chandef. If ROC is later performed on that phy, completion
tries to restore the stale main_chandef channel, programming the
hardware to sit on a channel with no active context.
Add a chanctx check to avoid restoring a channel when no context is
active.
Felix Fietkau [Mon, 9 Mar 2026 06:07:22 +0000 (06:07 +0000)]
wifi: mt76: add offchannel check to mt76_roc_complete
mt76_roc_complete() unconditionally calls __mt76_set_channel() to
restore the operating channel. The scan equivalent mt76_scan_complete()
checks phy->offchannel first, skipping the restore if the phy is
already back on-channel.
Without this check, ROC completion performs a redundant full hardware
channel switch when something has already moved the phy back.
Chad Monroe [Mon, 9 Mar 2026 06:07:21 +0000 (06:07 +0000)]
wifi: mt76: support upgrading passive scans to active
On channels with NO_IR or RADAR flags, wait for beacon before sending
probe requests. Allows active scanning and WPS on restricted channels
if another AP is already present.
wifi: mt76: mt7996: Remove link pointer dependency in mt7996_mac_sta_remove_links()
Remove link pointer dependency in mt7996_mac_sta_remove_links routine to
get the mt7996_phy pointer since the link can be already offchannel
running mt7996_mac_sta_remove_links(). Rely on __mt7996_phy routine
instead.
Enable missing CHANCTX_STA_CSA property required for MLO.
Fixes: f5160304d57c ("wifi: mt76: mt7996: Enable MLO support for client interfaces")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Link: https://patch.msgid.link/20250928-mt7996_chanctx_sta_csa-v1-1-82e455185990@kernel.org
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Quan Zhou [Wed, 25 Feb 2026 09:47:22 +0000 (17:47 +0800)]
wifi: mt76: mt7925: fix incorrect TLV length in CLC command
The previous implementation of __mt7925_mcu_set_clc() set the TLV length
field (.len) incorrectly during CLC command construction. The length was
initialized as sizeof(req) - 4, regardless of the actual segment length.
This could cause the WiFi firmware to misinterpret the command payload,
resulting in command execution errors.
This patch moves the TLV length assignment to after the segment is
selected, and sets .len to sizeof(req) + seg->len - 4, matching the
actual command content. This ensures the firmware receives the
correct TLV length and parses the command properly.
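The length arithmetic from the CLC commit above, as an added example that is not code from the commit or the driver: `struct demo_req`, the tag value, the sample segment bytes and the strict TLV walker standing in for the receiver are all assumptions made here for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN  4       /* bytes in front of the TLV: the "- 4" in the commit text */
#define DEMO_TAG 0x0001  /* hypothetical tag value */

/* Hypothetical request: 4 reserved bytes, then one TLV (tag, len, fixed
 * fields). A variable-length segment is appended right after the struct. */
struct demo_req {
    uint8_t rsv[HDR_LEN];
    uint8_t tag[2];      /* little-endian */
    uint8_t len[2];      /* little-endian TLV length, counted from tag */
    uint8_t idx;
    uint8_t pad[3];
};

static void put_le16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Build the command. with_seg_len == 0 reproduces the old length,
 * sizeof(req) - 4; non-zero uses sizeof(req) + seg_len - 4. */
size_t build_cmd(uint8_t *out, size_t cap, const uint8_t *seg,
                 size_t seg_len, int with_seg_len)
{
    struct demo_req req;
    size_t tlv_len = with_seg_len ? sizeof(req) + seg_len - HDR_LEN
                                  : sizeof(req) - HDR_LEN;

    if (sizeof(req) + seg_len > cap || tlv_len > UINT16_MAX)
        return 0;
    memset(&req, 0, sizeof(req));
    put_le16(req.tag, DEMO_TAG);
    put_le16(req.len, (uint16_t)tlv_len);
    memcpy(out, &req, sizeof(req));
    memcpy(out + sizeof(req), seg, seg_len);
    return sizeof(req) + seg_len;
}

/* Strict receiver model: walk TLVs after the header. Returns the number of
 * TLVs when the buffer is consumed exactly, -1 on a malformed TLV.
 * *first_body receives the body size (len minus tag/len) of the first TLV. */
int walk_tlvs(const uint8_t *buf, size_t total, size_t *first_body)
{
    size_t off = HDR_LEN;
    int n = 0;

    while (off < total) {
        uint16_t len;

        if (total - off < 4)
            return -1;                    /* no room for tag + len */
        len = get_le16(buf + off + 2);
        if (len < 4 || len > total - off)
            return -1;                    /* length lies about the payload */
        if (n == 0)
            *first_body = (size_t)len - 4;
        off += len;
        n++;
    }
    return n;
}

/* Constructed sample segment (6 bytes), not real CLC data. */
static const uint8_t demo_seg[] = { 'U', 'S', 0x00, 0x00, 0x17, 0x1e };

int demo_result(int with_seg_len, size_t *first_body)
{
    uint8_t cmd[64];
    size_t total = build_cmd(cmd, sizeof(cmd), demo_seg, sizeof(demo_seg),
                             with_seg_len);

    *first_body = 0;
    return total ? walk_tlvs(cmd, total, first_body) : -1;
}

int main(void)
{
    size_t body;
    int r = demo_result(0, &body);

    printf("old len: walk=%d, first TLV body=%zu bytes\n", r, body);
    r = demo_result(1, &body);
    printf("new len: walk=%d, first TLV body=%zu bytes\n", r, body);
    return 0;
}
```

With the old length the first TLV ends before the segment, so the walker tries to read the segment bytes as a second TLV and rejects them; with the corrected length the segment is inside the one TLV.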
Ziyi Guo [Sat, 31 Jan 2026 03:52:10 +0000 (03:52 +0000)]
wifi: mt76: add missing lock protection in mt76_sta_state for sta_event callback
mt76_sta_state() calls the sta_event callback without holding dev->mutex.
However, mt7915_mac_sta_event() (MT7915 implementation of this callback)
calls mt7915_mac_twt_teardown_flow() which has
lockdep_assert_held(&dev->mt76.mutex) indicating that callers must
hold this lock.
The locking pattern in mt76_sta_state() is inconsistent:
- mt76_sta_add() acquires dev->mutex before calling dev->drv->sta_add
- mt76_sta_remove() acquires dev->mutex before calling __mt76_sta_remove
- But sta_event callback is called without acquiring the lock
Add mutex_lock()/mutex_unlock() around the mt7915_mac_twt_teardown_flow
invocation to fix the missing lock protection and maintain consistency
with the existing locking pattern.
Michael Lo [Wed, 11 Feb 2026 09:50:25 +0000 (17:50 +0800)]
wifi: mt76: mt7921: fix 6GHz regulatory update on connection
Call mt7921_regd_update() instead of mt7921_mcu_set_clc() when setting
the 6GHz power type after connection, so that regulatory limits and SAR
power are also applied.
Duoming Zhou [Sat, 31 Jan 2026 02:47:31 +0000 (10:47 +0800)]
wifi: mt76: mt7996: fix use-after-free bugs in mt7996_mac_dump_work()
When the mt7996 pci chip is detaching, the mt7996_crash_data is
released in mt7996_coredump_unregister(). However, the work item
dump_work may still be running or pending, leading to UAF bugs
when the already freed crash_data is dereferenced again in
mt7996_mac_dump_work().
Fix this by ensuring dump_work is properly canceled before
the crash_data is deallocated. Add cancel_work_sync() in
mt7996_unregister_device() to synchronize with any pending
or executing dump work.
Duoming Zhou [Fri, 30 Jan 2026 14:57:59 +0000 (22:57 +0800)]
wifi: mt76: mt7915: fix use-after-free bugs in mt7915_mac_dump_work()
When the mt7915 pci chip is detaching, the mt7915_crash_data is
released in mt7915_coredump_unregister(). However, the work item
dump_work may still be running or pending, leading to UAF bugs
when the already freed crash_data is dereferenced again in
mt7915_mac_dump_work().
Fix this by ensuring dump_work is properly canceled before
the crash_data is deallocated. Add cancel_work_sync() in
mt7915_unregister_device() to synchronize with any pending
or executing dump work.
David Bauer [Thu, 29 Jan 2026 23:23:20 +0000 (00:23 +0100)]
wifi: mt76: don't return TXQ when exceeding max non-AQL packets
mt76_txq_send_burst does check if the number of non-AQL frames exceeds
the maximum. In this case the queue is returned to ieee80211_return_txq
when iterating over the scheduled TXQs in mt76_txq_schedule_list.
This has the effect of inserting said TXQ at the head of the list. This
means the loop will get the same TXQ again, which will terminate the
scheduling round. TXQs following in the list thus never get scheduled
for transmission.
This can manifest in high latency, low throughput or broken connections
for said STAs.
Check if the non-AQL packet count exceeds the limit and do not return the
TXQ in this case.
Schedule all TXQs for the STA in case the non-AQL limit can be satisfied
again.
StanleyYP Wang [Tue, 3 Feb 2026 15:55:32 +0000 (23:55 +0800)]
wifi: mt76: mt7996: fix queue pause after scan due to wrong channel switch reason
Previously, we used the IEEE80211_CONF_IDLE flag to avoid setting the
parking channel with the CH_SWITCH_NORMAL reason, which could trigger TX
emission before bootup CAC.
However, we found that this flag can be set after triggering scanning on a
connected station interface, and the reason CH_SWITCH_SCAN_BYPASS_DPD will
be used when switching back to the operating channel, which makes the
firmware fail to resume paused AC queues.
Seems that we should avoid relying on this flag after switching to single
multi-radio architecture. Instead, use the existence of chanctx as the
condition.
StanleyYP Wang [Tue, 3 Feb 2026 15:55:31 +0000 (23:55 +0800)]
wifi: mt76: avoid to set ACK for MCU command if wait_resp is not set
When wait_resp is not set but the ACK option is enabled in the MCU TXD,
the ACK event is enqueued to the MCU event queue without being dequeued
by the original MCU command request.
Any orphaned ACK events will only be removed from the queue when another
MCU command requests a response. Due to sequence index mismatches, these
events are discarded one by one until a matching sequence index is found.
However, if several MCU commands that do not require a response continue
to fill up the event queue, there is a risk that when an MCU command with
wait_resp enabled is issued, it may dequeue the wrong event skb,
especially if the queue contains events with all possible sequence
indices.
Sean Wang [Thu, 19 Feb 2026 00:40:02 +0000 (18:40 -0600)]
wifi: mt76: mt792x: add PSE handling barrier for the large MCU cmd
Add a dummy register read in mt76_connac_mcu_rate_txpower_band() to act as
a PSE barrier. This would release PSE pages and prevent buffer underflow
issues when handling MCU commands with larger payloads without the response
in mt76_connac_mcu_set_rate_txpower().
This is a prerequisite patch before enabling MT7902 PCIe and SDIO support.
Co-developed-by: Xiong Huang <xiong.huang@mediatek.com>
Signed-off-by: Xiong Huang <xiong.huang@mediatek.com>
Signed-off-by: Sean Wang <sean.wang@mediatek.com>
Link: https://patch.msgid.link/20260219004007.19733-6-sean.wang@kernel.org
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Sean Wang [Thu, 19 Feb 2026 00:39:59 +0000 (18:39 -0600)]
wifi: mt76: mt7921: handle MT7902 irq_map quirk with mutable copy
MT7902 PCIe requires a different wm2_complete_mask value, so introduce a
mutable per-device copy of the default irq_map and override the field
only for this chip. Other devices continue using the shared const
template.
This is a prerequisite patch before enabling MT7902 PCIe support.
Co-developed-by: Xiong Huang <xiong.huang@mediatek.com>
Signed-off-by: Xiong Huang <xiong.huang@mediatek.com>
Signed-off-by: Sean Wang <sean.wang@mediatek.com>
Link: https://patch.msgid.link/20260219004007.19733-3-sean.wang@kernel.org
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Sean Wang [Thu, 19 Feb 2026 00:39:57 +0000 (18:39 -0600)]
wifi: mt76: connac: use is_connac2() to replace is_mt7921() checks
Unify all per-chip conditionals under the new is_connac2() helper. This
avoids confusion caused by the previous is_mt7921() check, which
implicitly covered multiple connac2 chipsets and no longer reflected its
actual scope. This is a clean-up only change with no functional impact.
StanleyYP Wang [Thu, 12 Feb 2026 09:03:10 +0000 (17:03 +0800)]
wifi: mt76: mt7996: apply calibration-free data from OTP
Before sending the current EEPROM data to the firmware, read the
calibration-free data (FT data) from the efuse and merge it with
the existing EEPROM data.
StanleyYP Wang [Thu, 12 Feb 2026 09:03:08 +0000 (17:03 +0800)]
wifi: mt76: add external EEPROM support for mt799x chipsets
For the MT7992 and MT7990 chipsets, efuse mode is not supported because
there is insufficient space in the efuse to store the calibration data.
Therefore, an additional on-chip EEPROM is added to address this
limitation.
Miri Korenblit [Fri, 20 Mar 2026 12:15:32 +0000 (14:15 +0200)]
wifi: mac80211: don't consider the sband when processing capabilities
In NAN, we have one set of (HT, VHT, HE) capabilities for all bands,
which means that we will need to process those capabilities without a
given sband.
To prepare for that, remove the sband argument from
ieee80211_ht_cap_ie_to_sta_ht_cap and ieee80211_he_cap_ie_to_sta_he_cap
and pass our own capabilities instead.
For ieee80211_vht_cap_ie_to_sta_vht_cap, make the sband argument
optional, since it is also used to check if there is at least one channel
that supports 80 MHz.
(Note that this check doesn't make much sense, but this can be handled in
a different patch.)
Miri Korenblit [Fri, 20 Mar 2026 12:13:46 +0000 (14:13 +0200)]
wifi: mac80211: properly handle error in ieee80211_add_virtual_monitor
In case of an error in ieee80211_add_virtual_monitor,
SDATA_STATE_RUNNING should be cleared as it was set in this function.
Do it there instead of in the error path of ieee80211_do_open.
wifi: cfg80211: support UNII-9 channels in ieee80211_channel_to_freq_khz
Devices that support UNII-9 will call ieee80211_channel_to_freq_khz
with a channel number that can go up to 253.
Allow the new channel numbers in ieee80211_channel_to_freq_khz.
Miri Korenblit [Fri, 20 Mar 2026 08:19:59 +0000 (10:19 +0200)]
wifi: mac80211: make ieee80211_find_chanctx link-unaware
Currently we have only one user for a channel context: the link.
With NAN, a new type of the channel context user will be added - the NAN
channel.
To prepare for this, we need to separate the channel context code from
the link code.
Removes the link argument from ieee80211_find_chanctx. Since the issue that led
to commit 5e0c422d12b5 ("wifi: mac80211: reserve chanctx during find") - that
added the link argument - is relevant for any user of the channel context, add
a boolean to the chanctx itself, indicating that the chanctx is in the process
of getting used.
When this indication is set, the reference count of the channel context
will be incremented by one, so even if it is getting released from a link
(or another user) it won't be freed.
Kees Cook [Mon, 23 Mar 2026 17:20:16 +0000 (10:20 -0700)]
wifi: mac80211: Replace strncpy() with strscpy_pad() in drv_switch_vif_chanctx tracepoint
Replace the deprecated[1] strncpy() with strscpy_pad() for copying the
interface name into a tracepoint entry.
The source "sdata->name" is a NUL-terminated char[IFNAMSIZ] buffer
populated via NUL-guaranteeing paths: strscpy() in ieee80211_if_add(),
snprintf() in ieee80211_add_virtual_monitor(), or memcpy() from
ndev->name in ieee80211_if_add() and netdev_notify()
(net/mac80211/iface.c). In the memcpy() cases, the source ndev->name
is itself always NUL-terminated (populated via snprintf() or strscpy()
in __dev_alloc_name() and dev_prep_valid_name() in net/core/dev.c).
The destination "local_vifs[i].vif.vif_name" is a char[IFNAMSIZ] field
in struct trace_vif_entry, stored in a __dynamic_array within the trace
ring buffer. Since ring buffer entries are not zeroed on allocation,
strscpy_pad() is used to zero-fill trailing bytes and prevent exposing
stale ring buffer contents to userspace readers of tracefs.
No behavioral change: since interface names are always at most 15
characters plus a NUL terminator, strscpy_pad() with size IFNAMSIZ (16)
produces identical output to the original strncpy().
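The padding behaviour discussed in the strscpy_pad() commit above, as an added userspace example that is not code from the commit or the kernel: `model_strscpy()` and `model_strscpy_pad()` are simplified stand-ins written here for the kernel helpers, and the 0xAA fill is a constructed stand-in for stale ring buffer bytes. The over-long name, which the commit message says cannot occur for interface names, is included only to show where strncpy() would differ.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IFNAMSIZ 16    /* size cited in the commit message */
#define STALE    0xAA  /* constructed marker for leftover slot contents */

enum copy_mode { COPY_STRNCPY, COPY_STRSCPY, COPY_STRSCPY_PAD };

/* Stand-in for strscpy(): copies at most size - 1 bytes, always
 * NUL-terminates, writes nothing after the terminator. Returns the copied
 * length, or -1 on truncation (the kernel helper returns -E2BIG). */
static long model_strscpy(char *dst, const char *src, size_t size)
{
    size_t i;

    if (size == 0)
        return -1;
    for (i = 0; i < size - 1 && src[i]; i++)
        dst[i] = src[i];
    dst[i] = '\0';
    return src[i] ? -1 : (long)i;
}

/* Stand-in for strscpy_pad(): same copy, then zero the rest of dst. */
static long model_strscpy_pad(char *dst, const char *src, size_t size)
{
    long n = model_strscpy(dst, src, size);

    if (n >= 0)
        memset(dst + n + 1, 0, size - (size_t)n - 1);
    return n;
}

/* Fill a slot as a reused, non-zeroed trace entry would look, then copy. */
static void fill_slot(char *slot, const char *name, enum copy_mode mode)
{
    memset(slot, STALE, IFNAMSIZ);
    switch (mode) {
    case COPY_STRNCPY:
        strncpy(slot, name, IFNAMSIZ);   /* pads with NULs, may not terminate */
        break;
    case COPY_STRSCPY:
        model_strscpy(slot, name, IFNAMSIZ);
        break;
    case COPY_STRSCPY_PAD:
        model_strscpy_pad(slot, name, IFNAMSIZ);
        break;
    }
}

/* Number of stale (non-zero) bytes left after the terminator, i.e. bytes a
 * reader of the whole fixed-size field would see beyond the name. */
size_t leaked_bytes(const char *name, enum copy_mode mode)
{
    char slot[IFNAMSIZ];
    const char *nul, *p;
    size_t n = 0;

    fill_slot(slot, name, mode);
    nul = memchr(slot, '\0', sizeof(slot));
    if (!nul)
        return 0;
    for (p = nul + 1; p < slot + sizeof(slot); p++)
        if (*p != '\0')
            n++;
    return n;
}

/* 1 when strncpy() and the strscpy_pad() model produce identical bytes. */
int same_bytes(const char *name)
{
    char a[IFNAMSIZ], b[IFNAMSIZ];

    fill_slot(a, name, COPY_STRNCPY);
    fill_slot(b, name, COPY_STRSCPY_PAD);
    return memcmp(a, b, IFNAMSIZ) == 0;
}

int main(void)
{
    printf("strncpy leak:     %zu\n", leaked_bytes("wlan0", COPY_STRNCPY));
    printf("strscpy leak:     %zu\n", leaked_bytes("wlan0", COPY_STRSCPY));
    printf("strscpy_pad leak: %zu\n", leaked_bytes("wlan0", COPY_STRSCPY_PAD));
    printf("15-char name identical: %d\n", same_bytes("wlan-long-name0"));
    printf("17-char name identical: %d\n", same_bytes("abcdefghijklmnopq"));
    return 0;
}
```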
Allen Ye [Thu, 19 Feb 2026 00:30:27 +0000 (16:30 -0800)]
wifi: mt76: fix backoff fields and max_power calculation
The maximum power value may exist in either the data or backoff field.
Previously, backoff power limits were not considered in txpower reporting.
This patch ensures mt76 also considers backoff values in the SKU table.
Also, each RU entry (RU26, RU52, RU106, BW20, ...) in the DTS corresponds
to 10 stream combinations (1T1ss, 2T1ss, 3T1ss, 4T1ss, 2T2ss, 3T2ss,
4T2ss, 3T3ss, 4T3ss, 4T4ss).
For beamforming tables:
- In connac2, beamforming entries for BW20~BW160, and OFDM do not include
1T1ss.
- In connac3, beamforming entries for BW20~BW160, and RU include 1T1ss,
but OFDM beamforming does not include 1T1ss.
Non-beamforming and RU entries for both connac2 and connac3 include 1T1ss.
Chad Monroe [Mon, 8 Dec 2025 14:31:32 +0000 (14:31 +0000)]
wifi: mt76: fix deadlock in remain-on-channel
mt76_remain_on_channel() and mt76_roc_complete() call mt76_set_channel()
while already holding dev->mutex. Since mt76_set_channel() also acquires
dev->mutex, this results in a deadlock.
Use __mt76_set_channel() instead of mt76_set_channel().
Add cancel_delayed_work_sync() for mac_work before acquiring the mutex
in mt76_remain_on_channel() to prevent a secondary deadlock with the
mac_work workqueue.
Sean Wang [Mon, 26 Jan 2026 18:00:13 +0000 (12:00 -0600)]
wifi: mt76: mt7921: fix potential deadlock in mt7921_roc_abort_sync
roc_abort_sync() can deadlock with roc_work(). roc_work() holds
dev->mt76.mutex, while cancel_work_sync() waits for roc_work()
to finish. If the caller already owns the same mutex, both
sides block and no progress is possible.
This deadlock can occur during station removal when
mt76_sta_state() -> mt76_sta_remove() -> mt7921_mac_sta_remove() ->
mt7921_roc_abort_sync() invokes cancel_work_sync() while
roc_work() is still running and holding dev->mt76.mutex.
This avoids the mutex deadlock and preserves exactly-once
work ownership.
Fixes: 352d966126e6 ("wifi: mt76: mt7921: fix a potential association failure upon resuming")
Co-developed-by: Quan Zhou <quan.zhou@mediatek.com>
Signed-off-by: Quan Zhou <quan.zhou@mediatek.com>
Signed-off-by: Sean Wang <sean.wang@mediatek.com>
Link: https://patch.msgid.link/20260126180013.8167-1-sean.wang@kernel.org
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Quan Zhou [Fri, 23 Jan 2026 02:16:25 +0000 (10:16 +0800)]
wifi: mt76: mt7921: fix ROC abort flow interruption in mt7921_roc_work
The mt7921_set_roc API may be executed concurrently with mt7921_roc_work,
specifically between the following code paths:
- The check and clear of MT76_STATE_ROC in mt7921_roc_work:
    if (!test_and_clear_bit(MT76_STATE_ROC, &phy->mt76->state))
        return;
- The execution of ieee80211_iterate_active_interfaces.
This race condition can interrupt the ROC abort flow, resulting in
the ROC process failing to abort as expected.
To address this defect, the modification of MT76_STATE_ROC is now
protected by mt792x_mutex_acquire(phy->dev). This ensures that
changes to the ROC state are properly synchronized, preventing
race conditions and ensuring the ROC abort flow is not interrupted.
Leon Yen [Tue, 20 Jan 2026 16:31:52 +0000 (00:31 +0800)]
wifi: mt76: mt7925: fix tx power setting failure after chip reset
After the chip reset, the procedure to set the tx power will not be
successful because the previous region setting still remains.
Clear the region setting during MAC initialization and allow it to be
reset to finalize the TX power setting.
Zilin Guan [Fri, 16 Jan 2026 14:49:19 +0000 (14:49 +0000)]
wifi: mt76: Fix memory leak after mt76_connac_mcu_alloc_sta_req()
mt76_connac_mcu_alloc_sta_req() allocates an skb which is expected to
be freed eventually by mt76_mcu_skb_send_msg(). However, currently if
an intermediate function fails before sending, the allocated skb is
leaked.
Specifically, mt76_connac_mcu_sta_wed_update() and
mt76_connac_mcu_sta_key_tlv() may fail, leading to an immediate memory
leak in the error path.
Fix this by explicitly freeing the skb in these error paths.
Commit 7c0f63fe37a5 ("wifi: mt76: mt7996: fix memory leak on
mt7996_mcu_sta_key_tlv error") made a similar change.
Compile tested only. Issue found using a prototype static analysis tool
and code review.
Sean Wang [Tue, 16 Dec 2025 01:38:49 +0000 (19:38 -0600)]
wifi: mt76: mt7925: fix potential deadlock in mt7925_roc_abort_sync
roc_abort_sync() can deadlock with roc_work(). roc_work() holds
dev->mt76.mutex, while cancel_work_sync() waits for roc_work()
to finish. If the caller already owns the same mutex, both
sides block and no progress is possible.
This deadlock can occur during station removal when
mt76_sta_state() -> mt76_sta_remove() ->
mt7925_mac_sta_remove_link() -> mt7925_mac_link_sta_remove() ->
mt7925_roc_abort_sync() invokes cancel_work_sync() while
roc_work() is still running and holding dev->mt76.mutex.
This avoids the mutex deadlock and preserves exactly-once
work ownership.
Fixes: 45064d19fd3a ("wifi: mt76: mt7925: fix a potential association failure upon resuming")
Co-developed-by: Quan Zhou <quan.zhou@mediatek.com>
Signed-off-by: Quan Zhou <quan.zhou@mediatek.com>
Signed-off-by: Sean Wang <sean.wang@mediatek.com>
Link: https://patch.msgid.link/20251216013849.17976-1-sean.wang@kernel.org
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Michael Lo [Mon, 12 Jan 2026 11:40:07 +0000 (19:40 +0800)]
wifi: mt76: mt7925: Skip scan process during suspend.
We are experiencing command timeouts because an upper layer triggers
an unexpected scan while the system/device is in suspend.
The upper layer should not initiate scans until the NIC has fully resumed.
We want to prevent scans during suspend and avoid timeouts without harming
power management or user experience.