]> git.ipfire.org Git - thirdparty/linux.git/commitdiff
projects / thirdparty / linux.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 8c7e196)
wifi: mt76: mt7925: fix potential deadlock in mt7925_roc_abort_sync
authorSean Wang <sean.wang@mediatek.com>
Tue, 16 Dec 2025 01:38:49 +0000 (19:38 -0600)
committerFelix Fietkau <nbd@nbd.name>
Mon, 23 Mar 2026 09:23:01 +0000 (09:23 +0000)
roc_abort_sync() can deadlock with roc_work(). roc_work() holds
dev->mt76.mutex, while cancel_work_sync() waits for roc_work()
to finish. If the caller already owns the same mutex, both
sides block and no progress is possible.

This deadlock can occur during station removal when
mt76_sta_state() -> mt76_sta_remove() ->
mt7925_mac_sta_remove_link() -> mt7925_mac_link_sta_remove() ->
mt7925_roc_abort_sync() invokes cancel_work_sync() while
roc_work() is still running and holding dev->mt76.mutex.

This avoids the mutex deadlock and preserves exactly-once
work ownership.

Fixes: 45064d19fd3a ("wifi: mt76: mt7925: fix a potential association failure upon resuming")
Co-developed-by: Quan Zhou <quan.zhou@mediatek.com>
Signed-off-by: Quan Zhou <quan.zhou@mediatek.com>
Signed-off-by: Sean Wang <sean.wang@mediatek.com>
Link: https://patch.msgid.link/20251216013849.17976-1-sean.wang@kernel.org
Signed-off-by: Felix Fietkau <nbd@nbd.name>
drivers/net/wireless/mediatek/mt76/mt7925/main.c patch | blob | blame | history

diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/main.c b/drivers/net/wireless/mediatek/mt76/mt7925/main.c
index 4220db3f721603e9526dd224f8df9d9a2166d71a..afcc0fa4aa35523e3edd9aba81433a01566f7a82 100644 (file)
--- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c
@@ -461,12 +461,16 @@ void mt7925_roc_abort_sync(struct mt792x_dev *dev)
 {
        struct mt792x_phy *phy = &dev->phy;
 
+       if (!test_and_clear_bit(MT76_STATE_ROC, &phy->mt76->state))
+               return;
+
        timer_delete_sync(&phy->roc_timer);
-       cancel_work_sync(&phy->roc_work);
-       if (test_and_clear_bit(MT76_STATE_ROC, &phy->mt76->state))
-               ieee80211_iterate_interfaces(mt76_hw(dev),
-                                            IEEE80211_IFACE_ITER_RESUME_ALL,
-                                            mt7925_roc_iter, (void *)phy);
+
+       cancel_work(&phy->roc_work);
+
+       ieee80211_iterate_interfaces(mt76_hw(dev),
+                                    IEEE80211_IFACE_ITER_RESUME_ALL,
+                                    mt7925_roc_iter, (void *)phy);
 }
 EXPORT_SYMBOL_GPL(mt7925_roc_abort_sync);
 
A mirror of Linus' kernel repository