wifi: mt76: add missing lock protection in mt76_sta_state for sta_event callback

mt76_sta_state() calls the sta_event callback without holding dev->mutex.
However, mt7915_mac_sta_event() (MT7915 implementation of this callback)
calls mt7915_mac_twt_teardown_flow() which has
lockdep_assert_held(&dev->mt76.mutex) indicating that callers must
hold this lock.

The locking pattern in mt76_sta_state() is inconsistent:
- mt76_sta_add() acquires dev->mutex before calling dev->drv->sta_add
- mt76_sta_remove() acquires dev->mutex before calling __mt76_sta_remove
- But sta_event callback is called without acquiring the lock

Add mutex_lock()/mutex_unlock() around the mt7915_mac_twt_teardown_flow
invocation to fix the missing lock protection and maintain consistency
with the existing locking pattern.

Signed-off-by: Ziyi Guo <n7l8m4@u.northwestern.edu>
Link: https://patch.msgid.link/20260131035210.2198259-1-n7l8m4@u.northwestern.edu
Signed-off-by: Felix Fietkau <nbd@nbd.name>

diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/main.c b/drivers/net/wireless/mediatek/mt76/mt7915/main.c
index 0892291616ead6b943823cb0034e40c23cfc4601..e1d83052aa6ddf71765fa0fcd00787f650a988ad 100644 (file)
--- a/drivers/net/wireless/mediatek/mt76/mt7915/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7915/main.c
@@ -852,8 +852,10 @@ int mt7915_mac_sta_event(struct mt76_dev *mdev, struct ieee80211_vif *vif,
                return mt7915_mcu_add_sta(dev, vif, sta, CONN_STATE_PORT_SECURE, false);
 
        case MT76_STA_EVENT_DISASSOC:
+               mutex_lock(&dev->mt76.mutex);
                for (i = 0; i < ARRAY_SIZE(msta->twt.flow); i++)
                        mt7915_mac_twt_teardown_flow(dev, msta, i);
+               mutex_unlock(&dev->mt76.mutex);
 
                mt7915_mcu_add_sta(dev, vif, sta, CONN_STATE_DISCONNECT, false);
                msta->wcid.sta_disabled = 1;