Yongpeng Yang [Mon, 23 Mar 2026 12:06:22 +0000 (20:06 +0800)]
f2fs: fix incorrect multidevice info in trace_f2fs_map_blocks()
When f2fs_map_blocks()->f2fs_map_blocks_cached() hits the read extent
cache, map->m_multidev_dio is not updated, which leads to incorrect
multidevice information being reported by trace_f2fs_map_blocks().
This patch updates map->m_multidev_dio in f2fs_map_blocks_cached() when
the read extent cache is hit.
Cc: stable@kernel.org Fixes: 0094e98bd147 ("f2fs: factor a f2fs_map_blocks_cached helper") Signed-off-by: Yongpeng Yang <yangyongpeng@xiaomi.com> Reviewed-by: Chao Yu <chao@kernel.org> Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
George Saad [Mon, 23 Mar 2026 11:21:23 +0000 (11:21 +0000)]
f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io()
In f2fs_compress_write_end_io(), dec_page_count(sbi, type) can bring
the F2FS_WB_CP_DATA counter to zero, unblocking
f2fs_wait_on_all_pages() in f2fs_put_super() on a concurrent unmount
CPU. The unmount path then proceeds to call
f2fs_destroy_page_array_cache(sbi), which destroys
sbi->page_array_slab via kmem_cache_destroy(), and eventually
kfree(sbi). Meanwhile, the bio completion callback is still executing:
when it reaches page_array_free(sbi, ...), it dereferences
sbi->page_array_slab — a destroyed slab cache — to call
kmem_cache_free(), causing a use-after-free.
This is the same class of bug as CVE-2026-23234 (which fixed the
equivalent race in f2fs_write_end_io() in data.c), but in the
compressed writeback completion path that was not covered by that fix.
Fix this by moving dec_page_count() to after page_array_free(), so
that all sbi accesses complete before the counter decrement that can
unblock unmount. For non-last folios (where atomic_dec_return on
cic->pending_pages is nonzero), dec_page_count is called immediately
before returning — page_array_free is not reached on this path, so
there is no post-decrement sbi access. For the last folio,
page_array_free runs while the F2FS_WB_CP_DATA counter is still
nonzero (this folio has not yet decremented it), keeping sbi alive,
and dec_page_count runs as the final operation.
Fixes: 4c8ff7095bef ("f2fs: support data compression") Cc: stable@vger.kernel.org Signed-off-by: George Saad <geoo115@gmail.com> Reviewed-by: Chao Yu <chao@kernel.org> Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
The root cause is that f2fs_put_super() calls iput(sbi->node_inode) and
sets sbi->node_inode to NULL after sbi->nr_pages[F2FS_WB_CP_DATA] is
decremented to zero. As a result, f2fs_in_warm_node_list() may
dereference a NULL node_inode when checking whether a folio belongs to
the node inode, leading to a panic.
This patch fixes the issue by calling f2fs_in_warm_node_list() before
decrementing sbi->nr_pages[F2FS_WB_CP_DATA], thus preventing the
use-after-free condition.
Cc: stable@kernel.org Fixes: 50fa53eccf9f ("f2fs: fix to avoid broken of dnode block list") Reported-by: syzbot+6e4cb1cac5efc96ea0ca@syzkaller.appspotmail.com Signed-off-by: Yongpeng Yang <yangyongpeng@xiaomi.com> Reviewed-by: Chao Yu <chao@kernel.org> Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
which is similar to the problem reported by syzbot:
https://syzkaller.appspot.com/bug?extid=3686758660f980b402dc
This case is consistent with the description in commit 9bf1a3f
("f2fs: avoid GC causing encrypted file corrupted"):
Page 1 is moved from blkaddr A to blkaddr B by move_data_block, and after
being written it is marked as uptodate. Then, Page 1 is moved from blkaddr
B to blkaddr C, VM_BUG_ON_FOLIO was triggered in the endio initiated by
ra_data_block.
There is no need to read Page 1 again from blkaddr B, since it has already
been updated. Therefore, avoid initiating I/O in this case.
Yongpeng Yang [Tue, 3 Feb 2026 13:36:35 +0000 (21:36 +0800)]
f2fs: fix incorrect file address mapping when inline inode is unwritten
When `fileinfo->fi_flags` does not have the `FIEMAP_FLAG_SYNC` bit set
and inline data has not been persisted yet, the physical address of the
extent is calculated incorrectly for unwritten inline inodes.
This patch fixes the issue by checking if the inode's address is valid.
If the inline inode is unwritten, set the physical address to 0 and
mark the extent with `FIEMAP_EXTENT_UNKNOWN | FIEMAP_EXTENT_DELALLOC`
flags.
Cc: stable@kernel.org Fixes: 67f8cf3cee6f ("f2fs: support fiemap for inline_data") Signed-off-by: Yongpeng Yang <yangyongpeng@xiaomi.com> Reviewed-by: Chao Yu <chao@kernel.org> Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
liujinbao1 [Fri, 13 Feb 2026 12:26:30 +0000 (20:26 +0800)]
f2fs:Fix incomplete search range in f2fs_get_victim when f2fs_need_rand_seg is enabled
During the f2fs_get_victim process, when the f2fs_need_rand_seg is enabled in select_policy,
p->offset is a random value, and the search range is from p->offset to MAIN_SECS.
When segno >= last_segment, the loop breaks and exits directly without searching
the range from 0 to p->offset.This results in an incomplete search when the random
offset is not zero.
The root cause is in commit 40b2d55e0452 ("f2fs: fix to create selinux
label during whiteout initialization"), we added a call to
f2fs_setup_filename() without a matching call to f2fs_free_filename(),
fix it.
Fixes: 40b2d55e0452 ("f2fs: fix to create selinux label during whiteout initialization") Cc: stable@kernel.org Reported-by: syzbot+cf7946ab25b21abc4b66@syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-f2fs-devel/69a75fe1.a70a0220.b118c.0014.GAE@google.com Suggested-by: Eric Biggers <ebiggers@kernel.org> Signed-off-by: Chao Yu <chao@kernel.org> Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Eric Biggers [Sat, 21 Feb 2026 20:13:16 +0000 (12:13 -0800)]
f2fs: remove unreachable code in f2fs_encrypt_one_page()
Since commit 52e7e0d88933 ("fscrypt: Switch to sync_skcipher and
on-stack requests") eliminated the dynamic allocation of crypto
requests, the only remaining dynamic memory allocation done by
fscrypt_encrypt_pagecache_blocks() is the bounce page allocation.
The bounce page is allocated from a mempool. Mempool allocations with
GFP_NOFS never fail. Therefore, fscrypt_encrypt_pagecache_blocks() can
no longer return -ENOMEM when passed GFP_NOFS.
Remove the now-unreachable code from f2fs_encrypt_one_page().
Suggested-by: Vlastimil Babka <vbabka@suse.cz> Link: https://lore.kernel.org/all/d9dc2ee1-283d-4467-ad36-a6a4aa557589@suse.cz/ Signed-off-by: Eric Biggers <ebiggers@kernel.org> Acked-by: Vlastimil Babka (SUSE) <vbabka@kernel.org> Reviewed-by: Christoph Hellwig <hch@lst.de> Reviewed-by: Chao Yu <chao@kernel.org> Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
The helper function rproc_u64_fit_in_size_t() compares the value
against (size_t)-1, which is equivalent to SIZE_MAX but can confuse
static analysis tools and lead to the above warning.
Replace (size_t)-1 with SIZE_MAX to make the intent explicit and
avoid the Smatch warning without changing the behavior.
Linus Torvalds [Tue, 24 Mar 2026 16:12:45 +0000 (09:12 -0700)]
Merge tag 'mm-hotfixes-stable-2026-03-23-17-56' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
Pull MM fixes from Andrew Morton:
"6 hotfixes. 2 are cc:stable. All are for MM.
All are singletons - please see the changelogs for details"
* tag 'mm-hotfixes-stable-2026-03-23-17-56' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm:
mm/damon/stat: monitor all System RAM resources
mm/zswap: add missing kunmap_local()
mailmap: update email address for Muhammad Usama Anjum
zram: do not slot_free() written-back slots
mm/damon/core: avoid use of half-online-committed context
mm/rmap: clear vma->anon_vma on error
Cunyuan Liu [Fri, 13 Mar 2026 03:31:19 +0000 (11:31 +0800)]
drm/komeda: Add support for Arm China Linlon-D6
Arm China Linlon-D6 is register-compatible with the Mali-D71 display
pipeline for the purpose of basic modesetting.
On Linlon-D6, the PRODUCT_ID register is located at the same offset as on
Mali-D71 and reports 0x0060. The IP also exposes the same Komeda top-level
block layout expected by the existing d71_identify() probing flow, so we
can reuse the D71 function table to bring up the display engine.
bpf: Update MAINTAINERS file for general BPF entry
Per discussion with Alexei, add Eduard and myself as maintainers under
BPF [GENERAL]. While at it, drop R entries for reviewers who have been
inactive.
Marcin Slusarz [Tue, 24 Mar 2026 13:25:57 +0000 (14:25 +0100)]
drm/panthor: extend timestamp query with flags
Flags now control which data user space wants to query,
there is more information sources, and there's ability
to query duration of multiple timestamp reads.
Linus Torvalds [Tue, 24 Mar 2026 15:58:38 +0000 (08:58 -0700)]
Merge tag 'perf-tools-fixes-for-v7.0-2-2026-03-23' of git://git.kernel.org/pub/scm/linux/kernel/git/perf/perf-tools
Pull perf tools fixes from Arnaldo Carvalho de Melo:
- Fix parsing 'overwrite' in command line event definitions in
big-endian machines by writing correct union member
- Fix finding default metric in 'perf stat'
- Fix relative paths for including headers in 'perf kvm stat'
- Sync header copies with the kernel sources: msr-index.h, kvm,
build_bug.h
* tag 'perf-tools-fixes-for-v7.0-2-2026-03-23' of git://git.kernel.org/pub/scm/linux/kernel/git/perf/perf-tools:
tools headers: Synchronize linux/build_bug.h with the kernel sources
tools headers UAPI: Sync x86's asm/kvm.h with the kernel sources
tools headers UAPI: Sync linux/kvm.h with the kernel sources
tools arch x86: Sync the msr-index.h copy with the kernel sources
perf kvm stat: Fix relative paths for including headers
perf parse-events: Fix big-endian 'overwrite' by writing correct union member
perf metricgroup: Fix metricgroup__has_metric_or_groups()
tools headers: Skip arm64 cputype.h check
Varun R Mallya [Sat, 21 Mar 2026 21:40:38 +0000 (03:10 +0530)]
selftests/bpf: Add test for struct_ops __ref argument in any position
Add a selftest to verify that the verifier correctly identifies refcounted
arguments in struct_ops programs, even when they are not the first
argument. This ensures that the restriction on tail calls for programs
with __ref arguments is properly enforced regardless of which argument
they appear in.
This test verifies the fix for check_struct_ops_btf_id() proposed by
Keisuke Nishimura [0], which corrected a bug where only the first
argument was checked for the refcounted flag.
The test includes:
- An update to bpf_testmod to add 'test_refcounted_multi', an operator with
three arguments where the third is tagged with "__ref".
- A BPF program 'test_refcounted_multi' that attempts a tail call.
- A test runner that asserts the verifier rejects the program with
"program with __ref argument cannot tail call".
Lorenzo Bianconi [Sun, 15 Mar 2026 10:26:29 +0000 (11:26 +0100)]
wifi: mt76: mt7996: Destroy active sta links in mt7996_mac_sta_remove()
Similar to vif link management, postpone sta link destuction in
mt7996_mac_sta_remove() introducing mt7996_mac_sta_remove_link utility
routine and just disable sta link running mt7996_mac_sta_remove_links
routine.
This is a preliminary patch in order to support MLO link reconfiguration
in MT7996 driver.
Shayne Chen [Sun, 15 Mar 2026 10:26:28 +0000 (11:26 +0100)]
wifi: mt76: mt7996: Add mcu APIs to enable/disable vif links.
Introduce mt7996_mcu_mld_reconf_stop_link and mt7996_mcu_mld_link_oper
utility routines in order to communicate to the mcu fw to disable/enable
a specific vif link. Please note these APIs are currently supported by
the MT7996 firmware only in AP mode.
Lorenzo Bianconi [Sun, 15 Mar 2026 10:26:27 +0000 (11:26 +0100)]
wifi: mt76: mt7996: Destroy vif active links in mt7996_remove_interface()
MT7996 hw requires to remove active links from the mcu BSSINFO table
destroying the interface. For this reason introduce mt7996_vif_link_destroy
routine and remove active (non-offchannel) vif links running
mt7996_remove_interface routine.
This is a preliminary patch in order to support MLO link reconfiguration
in MT7996 driver.
Shayne Chen [Sun, 15 Mar 2026 10:26:26 +0000 (11:26 +0100)]
wifi: mt76: mt7996: Move mlink deallocation in mt7996_vif_link_remove()
Destroy mt76_vif_link struct in mt7996_vif_link_remove routine and not
in mt76_unassign_vif_chanctx(). This is necessary since, in order to
properly support MLO link reconfiguration, we will destroy mt76_vif_link
struct during AP tear-down process and not running unassign_vif_chanctx
mac80211 callback.
This patch does not introduce any regression since
mt76_assign_vif_chanctx/mt76_unassign_vif_chanctx APIs are currently
used just by MT7996 driver.
Shayne Chen [Sun, 15 Mar 2026 10:26:25 +0000 (11:26 +0100)]
wifi: mt76: mt7996: Account active links in valid_links fields
Track active vif links in mt7996_vif_link_add and mt7996_vif_link_remove
routines.
This is a preliminary patch in order to remove AP MLD links from MCU
configuration during AP tear-down process and to support MLO link
reconfiguration in MT7996 driver.
Lorenzo Bianconi [Sun, 15 Mar 2026 10:26:24 +0000 (11:26 +0100)]
wifi: mt76: mt7996: Rely on msta_link link_id in mt7996_vif_link_remove()
Rely on msta_link link_id value in mt7996_vif_link_remove routine
instead of using link_conf pointer. This assumption is correct since
msta_link link_id is set to link_conf link_id value in mt7996_vif_link_add
routine.
Moreover, fallback to default ieee80211_bss_conf struct if the link_conf
pointer in mt7996_vif_link_remove() is NULL.
MT7996 hw requires to remove AP MLD links from MCU configuration during
AP tear-down process (e.g. running mt7996_remove_interface()). Doing so,
we can't assume link_conf pointer is always non-NULL running
mt7996_vif_link_remove routine.
Sean Wang [Fri, 6 Mar 2026 23:22:37 +0000 (17:22 -0600)]
wifi: mt76: mt7925: publish msta->link after successful link add
Move the msta->link[link_id] publication until after
mt7925_mac_link_sta_add() succeeds.
msta->link[] is RCU-visible, so publishing it before setup completes can
expose a link whose add path later fails. Publish it only after success
to avoid partially initialized link state becoming visible.
Sean Wang [Fri, 6 Mar 2026 23:22:36 +0000 (17:22 -0600)]
wifi: mt76: mt7925: switch link STA allocation to RCU lifetime
Allocate mt792x_link_sta with kzalloc() and free it with kfree_rcu()
instead of devm-managed memory.
msta->link[] is published via RCU, so the link STA must remain valid
until readers have quiesced after teardown. Manage the object lifetime
with kfree_rcu() to match its RCU-visible publication.
Sean Wang [Fri, 6 Mar 2026 23:22:33 +0000 (17:22 -0600)]
wifi: mt76: mt7925: unwind WCID setup on link STA add failure
Undo the published WCID state when mt7925_mac_link_sta_add() fails after
WCID setup.
The add path can fail after dev->mt76.wcid[] is published, so the error
path must clear the partial host-side WCID state to avoid leaving stale
entries behind.
Sean Wang [Fri, 6 Mar 2026 23:22:32 +0000 (17:22 -0600)]
wifi: mt76: mt7925: make WCID cleanup unconditional in sta_remove_links()
Drop the dead pri_link check in mt7925_mac_sta_remove_links() and
perform WCID cleanup unconditionally.
mlink->pri_link is already cleared before the test, making the branch
ineffective. This matches the actual teardown behaviour and simplifies
the remove path.
Sean Wang [Fri, 6 Mar 2026 23:22:31 +0000 (17:22 -0600)]
wifi: mt76: mt7925: pass mconf and mlink to wtbl_update_hdr_trans()
Drop the mt792x_vif_to_link() lookup in mt7925_mcu_wtbl_update_hdr_trans()
and pass the resolved mconf and mlink from the caller instead. The link
context is already known at the call site, making the lookup redundant.
This keeps the helper lookup-free and makes link ownership explicit.
Sean Wang [Fri, 6 Mar 2026 23:22:30 +0000 (17:22 -0600)]
wifi: mt76: mt7925: resolve link after acquiring mt76 mutex
mt792x_sta_to_link() uses rcu_dereference_protected() and therefore
expects mt76.mutex to be held. Move the lookup after
mt792x_mutex_acquire() to make the locking explicit and correct.
Sean Wang [Fri, 6 Mar 2026 23:22:29 +0000 (17:22 -0600)]
wifi: mt76: mt7925: pass mlink to set_link_key()
Drop the mt792x_sta_to_link() lookup in mt7925_set_link_key() and pass
the resolved mlink from the caller instead. The link context is already
known at the call site, making the lookup redundant.
This keeps the helper lookup-free and makes link ownership explicit.
Sean Wang [Fri, 6 Mar 2026 23:22:28 +0000 (17:22 -0600)]
wifi: mt76: mt7925: pass mlink to wtbl_update_hdr_trans()
Drop the mt792x_sta_to_link() lookup in mt7925_mcu_wtbl_update_hdr_trans()
and pass the resolved mlink from the caller instead. The link context is
already known at the call site, making the lookup redundant.
This keeps the helper lookup-free and makes link ownership explicit.
Sean Wang [Fri, 6 Mar 2026 23:22:26 +0000 (17:22 -0600)]
wifi: mt76: mt7925: pass mlink to sta_hdr_trans_tlv()
Drop the mt792x_sta_to_link() lookup in mt7925_mcu_sta_hdr_trans_tlv()
and pass the resolved mlink from the caller instead. The link is
already known at the call site, making the lookup redundant.
This keeps the helper lookup-free and makes WCID selection explicit.
Sean Wang [Fri, 6 Mar 2026 23:22:25 +0000 (17:22 -0600)]
wifi: mt76: mt7925: pass mlink to mac_link_sta_remove()
Drop the mt792x_sta_to_link() lookup in mt7925_mac_link_sta_remove()
and pass mlink from mt7925_mac_sta_remove_links() instead. The link is
already resolved there, making the extra lookup redundant.
This keeps the remove helper lookup-free and avoids hidden dependence on
msta->link[link_id] during teardown.
Sean Wang [Fri, 6 Mar 2026 23:22:24 +0000 (17:22 -0600)]
wifi: mt76: mt7925: resolve primary mlink via def_wcid
Use mlink->wcid.def_wcid to obtain the primary mlink in
mt7925_mac_link_sta_add() instead of calling mt792x_sta_to_link().
The primary link context is already carried by the WCID, so the extra
lookup is redundant. This makes the add path follow the existing WCID
association directly.
Sean Wang [Fri, 6 Mar 2026 23:22:23 +0000 (17:22 -0600)]
wifi: mt76: mt7925: pass mlink to mcu_sta_update()
Drop the mt792x_sta_to_link() lookup in mt7925_mcu_sta_update() and
pass the resolved mlink from the caller instead. The link context is
already known at the call site, making the lookup redundant.
This keeps the helper lookup-free and makes WCID selection explicit.
Sean Wang [Fri, 6 Mar 2026 23:22:22 +0000 (17:22 -0600)]
wifi: mt76: mt7925: pass mlink and mconf to sta_mld_tlv()
Drop the mt792x_sta_to_link() lookup in mt7925_mcu_sta_mld_tlv() and
pass mlink and mconf from the caller instead. The link context is
already known at the call site, making the lookup redundant.
This keeps the helper lookup-free and makes MLD link selection
explicit.
Sean Wang [Fri, 6 Mar 2026 23:22:21 +0000 (17:22 -0600)]
wifi: mt76: mt7925: pass WCID indices to bss_basic_tlv()
Drop the mt792x_sta_to_link() lookup in mt7925_mcu_bss_basic_tlv() and
pass the resolved WCID indices from the caller instead. The link
context is already known, so the lookup is redundant.
This makes link ownership explicit and keeps the helper lookup-free.
Sean Wang [Fri, 6 Mar 2026 23:22:20 +0000 (17:22 -0600)]
wifi: mt76: mt7925: pass mlink to sta_amsdu_tlv()
Drop the mt792x_sta_to_link() lookup in mt7925_mcu_sta_amsdu_tlv() and
pass mlink from the caller instead. The link context is already known
so the lookup is redundant.
This makes link ownership explicit and keeps the helper lookup-free.
StanleyYP Wang [Thu, 12 Mar 2026 09:57:24 +0000 (17:57 +0800)]
wifi: mt76: mt7996: fix issues with manually triggered radar detection
Disallow triggering radar detection on non-DFS channels to prevent paused
TX queues from failing to resume, as a channel switch is not performed in
this case.
Rex Lu [Thu, 12 Mar 2026 09:57:22 +0000 (17:57 +0800)]
wifi: mt76: mt7996: adjust timeout value for boot-up calibration commands
Align the vendor driver by adjusting the timeout values for the
MCU_UNI_CMD_EFUSE_CTRL and MCU_UNI_CMD_EXT_EEPROM_CTRL commands.
Without this adjustment, false positive command timeout errors may occur,
especially on some iPA variants.
Peter Chiu [Thu, 12 Mar 2026 09:57:21 +0000 (17:57 +0800)]
wifi: mt76: mt7996: update WFSYS reset flow for MT7990 chipsets
Skip WFSYS reset during bootup for MT7990 chipsets; only reset if L0.5
recovery is triggered.
Without this fix, the following kernel error may occur:
Internal error: synchronous external abort.
Felix Fietkau [Mon, 9 Mar 2026 06:07:30 +0000 (06:07 +0000)]
wifi: mt76: add per-link beacon monitoring for MLO
With chanctx drivers using hardware scan or remain-on-channel,
mac80211 does not know when the radio goes off-channel, which breaks
its software beacon loss detection.
Implement per-link beacon monitoring in the driver. Track the last
beacon timestamp per link and check for beacon loss periodically from
the mac_work handler.
Beacon monitoring is initialized on association and on late link
activation, and cleared on disassociation. The beacon_mon_last
timestamp is reset when returning from offchannel and after channel
switches to prevent false beacon loss detection.
Felix Fietkau [Mon, 9 Mar 2026 06:07:29 +0000 (06:07 +0000)]
wifi: mt76: wait for firmware TX completion of mgmt frames before channel switch
After flushing software-pending frames to DMA, mt76_has_tx_pending()
only checks DMA ring q->queued. For token-based drivers, q->queued is
decremented at DMA consumption, but firmware may not have transmitted
the frame yet. Waiting for all tokens is not feasible because data
frames may be stuck in firmware powersave/aggregation queues.
Track PSD queue tokens (firmware ALTX) per phy using an atomic counter.
These frames are sent by firmware immediately without PS buffering, so
the counter reliably reaches zero after transmission.
Increment the counter in mt76_token_consume() and decrement it in
mt76_token_release(), only for PSD queue tokens. Include the counter
in mt76_has_tx_pending() so channel switch waits for firmware TX
completion of management and nullfunc frames.
mt7615 (uses mt76_token_get/put) and non-token drivers are unaffected
as they never call mt76_token_consume/release.
Felix Fietkau [Mon, 9 Mar 2026 06:07:28 +0000 (06:07 +0000)]
wifi: mt76: route nullfunc frames to PSD/ALTX queue
ieee80211_is_data() returns true for nullfunc/QoS-nullfunc frames, so
they bypass the PSD queue routing and go through the regular VO data
queue. This means firmware processes them through the normal TID queue
instead of the ALTX queue, which doesn't guarantee immediate
transmission.
Use ieee80211_is_data_present() instead, which returns false for both
management frames and nullfunc/QoS-nullfunc (no payload), routing them
to MT_TXQ_PSD. Firmware maps PSD to the ALTX queue, which transmits
immediately without PS buffering.
This only affects frames from the mt76_tx() pending path. Regular
mac80211 TXQ scheduling is unchanged.
Felix Fietkau [Mon, 9 Mar 2026 06:07:27 +0000 (06:07 +0000)]
wifi: mt76: flush pending TX before channel switch
mt76_tx() queues frames on wcid->tx_pending for async processing by
tx_worker. In __mt76_set_channel(), the worker gets disabled before it
may have run, and the subsequent wait only checks DMA ring queues, not
the software pending list. This means frames like nullfunc PS frames
from mt76_offchannel_notify() may never be transmitted on the correct
channel.
Fix this by running mt76_txq_schedule_pending() synchronously after
disabling the tx_worker but before setting MT76_RESET, which would
otherwise cause mt76_txq_schedule_pending_wcid() to bail out.
Felix Fietkau [Mon, 9 Mar 2026 06:07:26 +0000 (06:07 +0000)]
wifi: mt76: send nullfunc PS frames on offchannel transitions
Since mt76 uses chanctx, mac80211 does not send nullfunc power save
notifications when the driver goes offchannel for scan or ROC.
Add mt76_offchannel_notify() to send nullfunc PM=1 before going
offchannel and PM=0 after returning, so that the AP can buffer
frames during the absence.
For MLO, iterate all vif links on the phy and set
IEEE80211_TX_CTRL_MLO_LINK so that the driver's tx_prepare_skb
resolves the correct per-link wcid.
Felix Fietkau [Mon, 9 Mar 2026 06:07:25 +0000 (06:07 +0000)]
wifi: mt76: optimize ROC for same-channel case
mt76_remain_on_channel() always creates an HT20 chandef and goes
offchannel, even when the ROC channel matches the operating channel.
This unnecessarily narrows bandwidth and triggers beacon stop/restart.
When the ROC channel matches the current operating channel, preserve
the full chandef and skip the offchannel transition, matching the
optimization already present in the scan code.
Extract the shared same-channel detection into mt76_offchannel_chandef()
and use it in both ROC and scan paths.
Felix Fietkau [Mon, 9 Mar 2026 06:07:24 +0000 (06:07 +0000)]
wifi: mt76: abort ROC on chanctx changes
mt76_change_chanctx() calls mt76_phy_update_channel() which switches
the hardware channel. If ROC is active on the same phy, this switches
away from the ROC channel and clears offchannel, but leaves ROC state
intact. Mac80211 still thinks the phy is on the ROC channel.
Abort any active ROC before proceeding, matching the pattern already
used in add, remove, assign, unassign, and switch chanctx functions.
Felix Fietkau [Mon, 9 Mar 2026 06:07:23 +0000 (06:07 +0000)]
wifi: mt76: check chanctx before restoring channel after ROC
mt76_remove_chanctx() sets phy->chanctx to NULL but does not clear
phy->main_chandef. If ROC is later performed on that phy, completion
tries to restore the stale main_chandef channel, programming the
hardware to sit on a channel with no active context.
Add a chanctx check to avoid restoring a channel when no context is
active.
Felix Fietkau [Mon, 9 Mar 2026 06:07:22 +0000 (06:07 +0000)]
wifi: mt76: add offchannel check to mt76_roc_complete
mt76_roc_complete() unconditionally calls __mt76_set_channel() to
restore the operating channel. The scan equivalent mt76_scan_complete()
checks phy->offchannel first, skipping the restore if the phy is
already back on-channel.
Without this check, ROC completion performs a redundant full hardware
channel switch when something has already moved the phy back.
Chad Monroe [Mon, 9 Mar 2026 06:07:21 +0000 (06:07 +0000)]
wifi: mt76: support upgrading passive scans to active
On channels with NO_IR or RADAR flags, wait for beacon before sending
probe requests. Allows active scanning and WPS on restricted channels
if another AP is already present.
wifi: mt76: mt7996: Remove link pointer dependency in mt7996_mac_sta_remove_links()
Remove link pointer dependency in mt7996_mac_sta_remove_links routine to
get the mt7996_phy pointer since the link can be already offchannel
running mt7996_mac_sta_remove_links(). Rely on __mt7996_phy routine
instead.
Enable missing CHANCTX_STA_CSA property required for MLO.
Fixes: f5160304d57c ("wifi: mt76: mt7996: Enable MLO support for client interfaces") Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org> Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com> Link: https://patch.msgid.link/20250928-mt7996_chanctx_sta_csa-v1-1-82e455185990@kernel.org Signed-off-by: Felix Fietkau <nbd@nbd.name>
Quan Zhou [Wed, 25 Feb 2026 09:47:22 +0000 (17:47 +0800)]
wifi: mt76: mt7925: fix incorrect TLV length in CLC command
The previous implementation of __mt7925_mcu_set_clc() set the TLV length
field (.len) incorrectly during CLC command construction. The length was
initialized as sizeof(req) - 4, regardless of the actual segment length.
This could cause the WiFi firmware to misinterpret the command payload,
resulting in command execution errors.
This patch moves the TLV length assignment to after the segment is
selected, and sets .len to sizeof(req) + seg->len - 4, matching the
actual command content. This ensures the firmware receives the
correct TLV length and parses the command properly.
Ziyi Guo [Sat, 31 Jan 2026 03:52:10 +0000 (03:52 +0000)]
wifi: mt76: add missing lock protection in mt76_sta_state for sta_event callback
mt76_sta_state() calls the sta_event callback without holding dev->mutex.
However, mt7915_mac_sta_event() (MT7915 implementation of this callback)
calls mt7915_mac_twt_teardown_flow() which has
lockdep_assert_held(&dev->mt76.mutex) indicating that callers must
hold this lock.
The locking pattern in mt76_sta_state() is inconsistent:
- mt76_sta_add() acquires dev->mutex before calling dev->drv->sta_add
- mt76_sta_remove() acquires dev->mutex before calling __mt76_sta_remove
- But sta_event callback is called without acquiring the lock
Add mutex_lock()/mutex_unlock() around the mt7915_mac_twt_teardown_flow
invocation to fix the missing lock protection and maintain consistency
with the existing locking pattern.
Michael Lo [Wed, 11 Feb 2026 09:50:25 +0000 (17:50 +0800)]
wifi: mt76: mt7921: fix 6GHz regulatory update on connection
Call mt7921_regd_update() instead of mt7921_mcu_set_clc() when setting
the 6GHz power type after connection, so that regulatory limits and SAR
power are also applied.
Duoming Zhou [Sat, 31 Jan 2026 02:47:31 +0000 (10:47 +0800)]
wifi: mt76: mt7996: fix use-after-free bugs in mt7996_mac_dump_work()
When the mt7996 pci chip is detaching, the mt7996_crash_data is
released in mt7996_coredump_unregister(). However, the work item
dump_work may still be running or pending, leading to UAF bugs
when the already freed crash_data is dereferenced again in
mt7996_mac_dump_work().
Fix this by ensuring dump_work is properly canceled before
the crash_data is deallocated. Add cancel_work_sync() in
mt7996_unregister_device() to synchronize with any pending
or executing dump work.
Duoming Zhou [Fri, 30 Jan 2026 14:57:59 +0000 (22:57 +0800)]
wifi: mt76: mt7915: fix use-after-free bugs in mt7915_mac_dump_work()
When the mt7915 pci chip is detaching, the mt7915_crash_data is
released in mt7915_coredump_unregister(). However, the work item
dump_work may still be running or pending, leading to UAF bugs
when the already freed crash_data is dereferenced again in
mt7915_mac_dump_work().
Fix this by ensuring dump_work is properly canceled before
the crash_data is deallocated. Add cancel_work_sync() in
mt7915_unregister_device() to synchronize with any pending
or executing dump work.
David Bauer [Thu, 29 Jan 2026 23:23:20 +0000 (00:23 +0100)]
wifi: mt76: don't return TXQ when exceeding max non-AQL packets
mt76_txq_send_burst does check if the number of non-AQL frames exceeds
the maximum. In this case the queue is returned to ieee80211_return_txq
when iterating over the scheduled TXQs in mt76_txq_schedule_list.
This has the effect of inserting said TXQ at the head of the list. This
means the loop will get the same TXQ again, which will terminate the
scheduling round. TXQs following in the list thus never get scheduled
for transmission.
This can manifest in high latency low throughput or broken connections
for said STAs.
Check if the non-AQL packet count exceeds the limit and not return the
TXQ in this case.
Schedule all TXQs for the STA in case the non-AQL limit can be satisfied
again.
StanleyYP Wang [Tue, 3 Feb 2026 15:55:32 +0000 (23:55 +0800)]
wifi: mt76: mt7996: fix queue pause after scan due to wrong channel switch reason
Previously, we used the IEEE80211_CONF_IDLE flag to avoid setting the
parking channel with the CH_SWITCH_NORMAL reason, which could trigger TX
emission before bootup CAC.
However, we found that this flag can be set after triggering scanning on a
connected station interface, and the reason CH_SWITCH_SCAN_BYPASS_DPD will
be used when switching back to the operating channel, which makes the
firmware failed to resume paused AC queues.
Seems that we should avoid relying on this flag after switching to single
multi-radio architecture. Instead, use the existence of chanctx as the
condition.
StanleyYP Wang [Tue, 3 Feb 2026 15:55:31 +0000 (23:55 +0800)]
wifi: mt76: avoid to set ACK for MCU command if wait_resp is not set
When wait_resp is not set but the ACK option is enabled in the MCU TXD,
the ACK event is enqueued to the MCU event queue without being dequeued
by the original MCU command request.
Any orphaned ACK events will only be removed from the queue when another
MCU command requests a response. Due to sequence index mismatches, these
events are discarded one by one until a matching sequence index is found.
However, if several MCU commands that do not require a response continue
to fill up the event queue, there is a risk that when an MCU command with
wait_resp enabled is issued, it may dequeue the wrong event skb,
especially if the queue contains events with all possible sequence
indices.
Sean Wang [Thu, 19 Feb 2026 00:40:02 +0000 (18:40 -0600)]
wifi: mt76: mt792x: add PSE handling barrier for the large MCU cmd
Add a dummy register read in mt76_connac_mcu_rate_txpower_band() to act as
a PSE barrier. This would release PSE pages and prevents buffer underflow
issues when handling MCU commands with larger payloads without the response
in mt76_connac_mcu_set_rate_txpower().
This is a prerequisite patch before enabling MT7902 PCIe and SDIO support.
Co-developed-by: Xiong Huang <xiong.huang@mediatek.com> Signed-off-by: Xiong Huang <xiong.huang@mediatek.com> Signed-off-by: Sean Wang <sean.wang@mediatek.com> Link: https://patch.msgid.link/20260219004007.19733-6-sean.wang@kernel.org Signed-off-by: Felix Fietkau <nbd@nbd.name>
projects / thirdparty / linux.git / log
