wifi: mt76: fix list corruption in mt76_wcid_cleanup

mt76_wcid_cleanup() was not removing wcid entries from sta_poll_list
before mt76_reset_device() reinitializes the master list. This leaves
stale pointers in wcid->poll_list, causing list corruption when
mt76_wcid_add_poll() later checks list_empty() and tries to add the
entry back.

The fix adds proper cleanup of poll_list in mt76_wcid_cleanup(),
matching how tx_list is already handled. This is similar to what
mt7996_mac_sta_deinit_link() already does correctly.

Fixes list corruption warnings like:
  list_add corruption. prev->next should be next (ffffffff...)

Signed-off-by: Zac Bowling <zac@zacbowling.com>
Link: https://patch.msgid.link/20260120201043.38225-3-zac@zacbowling.com
Signed-off-by: Felix Fietkau <nbd@nbd.name>

diff --git a/drivers/net/wireless/mediatek/mt76/mac80211.c b/drivers/net/wireless/mediatek/mt76/mac80211.c
index 75772979f438ead7e4e8059351eb97451393fd8e..d0c522909e980aeb3244a06ceb6ee9d3b46e2c5d 100644 (file)
--- a/drivers/net/wireless/mediatek/mt76/mac80211.c
+++ b/drivers/net/wireless/mediatek/mt76/mac80211.c
@@ -1716,6 +1716,16 @@ void mt76_wcid_cleanup(struct mt76_dev *dev, struct mt76_wcid *wcid)
 
        idr_destroy(&wcid->pktid);
 
+       /* Remove from sta_poll_list to prevent list corruption after reset.
+        * Without this, mt76_reset_device() reinitializes sta_poll_list but
+        * leaves wcid->poll_list with stale pointers, causing list corruption
+        * when mt76_wcid_add_poll() checks list_empty().
+        */
+       spin_lock_bh(&dev->sta_poll_lock);
+       if (!list_empty(&wcid->poll_list))
+               list_del_init(&wcid->poll_list);
+       spin_unlock_bh(&dev->sta_poll_lock);
+
        spin_lock_bh(&phy->tx_lock);
 
        if (!list_empty(&wcid->tx_list))