| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251025160905.3857885-2-sashal@kernel.org>
Date: Sat, 25 Oct 2025 11:53:53 -0400
From: Sasha Levin <sashal@...nel.org>
To: patches@...ts.linux.dev,
stable@...r.kernel.org
Cc: Felix Fietkau <nbd@....name>,
Sasha Levin <sashal@...nel.org>,
lorenzo@...nel.org,
ryder.lee@...iatek.com,
matthias.bgg@...il.com,
angelogioacchino.delregno@...labora.com,
linux-wireless@...r.kernel.org,
linux-kernel@...r.kernel.org,
linux-arm-kernel@...ts.infradead.org,
linux-mediatek@...ts.infradead.org
Subject: [PATCH AUTOSEL 6.17] wifi: mt76: improve phy reset on hw restart
From: Felix Fietkau <nbd@....name>
[ Upstream commit 3f34cced88a429872d1eefc393686f9a48ec01d9 ]
- fix number of station accounting for scanning code.
- reset channel context
Link: https://patch.msgid.link/20250915075910.47558-14-nbd@nbd.name
Signed-off-by: Felix Fietkau <nbd@....name>
Signed-off-by: Sasha Levin <sashal@...nel.org>
---
LLM Generated explanations, may be completely bogus:
## Final Backport Recommendation
**Answer: YES**
This commit should be backported to stable kernel trees.
## Comprehensive Analysis
### Overview of the Fix
This commit adds two critical state resets to the `mt76_reset_phy()`
function in mac80211.c:lines 827-828:
1. **`phy->num_sta = 0;`** - Resets the station counter to zero
2. **`phy->chanctx = NULL;`** - Clears the channel context pointer
### Technical Analysis
#### What the Bug Fixes
**Bug 1: Incorrect Station Accounting**
The `num_sta` field tracks the number of connected stations for each
physical radio. This counter is used by the scanning code in scan.c:97:
```c
if (dev->scan.chan && phy->num_sta) {
dev->scan.chan = NULL;
mt76_set_channel(phy, &phy->main_chandef, false);
goto out;
}
```
**Without the fix:** During hardware restart, `mt76_reset_device()`
cleans up all WCIDs (wireless connection IDs) by calling
`mt76_wcid_cleanup()` and setting them to NULL, but it never resets the
`num_sta` counter. This means:
- All stations are removed from the hardware
- But `num_sta` still contains the old count (e.g., 2 stations)
- When scanning attempts to run, it checks `phy->num_sta` and
incorrectly thinks stations are still connected
- The scan logic then skips scanning channels or returns to the main
channel prematurely
- Result: Scanning doesn't work properly or produces incomplete results
after a hardware restart
**With the fix:** The station counter is properly reset to 0, allowing
scanning to work correctly after hardware restart.
**Bug 2: Dangling Channel Context Pointer**
The `chanctx` field (mt76_phy structure, line 855 of mt76.h) points to
the current channel context. During hardware restart, the channel
context may be invalidated or freed by the upper layers (mac80211).
**Without the fix:** The `chanctx` pointer continues pointing to
potentially stale/freed memory, which could lead to:
- Use-after-free bugs
- Crashes when dereferencing the pointer
- Undefined behavior during channel operations
**With the fix:** The pointer is safely set to NULL. The code already
handles NULL `chanctx` correctly (verified in channel.c:48, 73, 212,
223), so this is a safe operation that prevents potential crashes.
### Context and Related Commits
This fix is part of a series addressing hardware restart issues in the
mt76 driver:
1. **August 27, 2025 - commit 065c79df595af** ("wifi: mt76: mt7915: fix
list corruption after hardware restart")
- Introduced the `mt76_reset_device()` function
- Fixed list corruption bugs during hw restart
- **This commit is a DEPENDENCY** - must be backported first
2. **September 15, 2025 - commit 3f34cced88a42** (THIS COMMIT)
- Adds `num_sta` and `chanctx` reset
- Fixes scanning and channel context issues
3. **September 15, 2025 - commit b36d55610215a** ("wifi: mt76: abort
scan/roc on hw restart")
- Completes the hw restart fixes
- Adds scan/roc abort functionality
- **Should be backported together** for complete fix
### Evidence of Real-World Impact
The search-specialist agent found evidence of real issues affecting
users:
- **GitHub Issue #444**: Users experiencing repeated "Hardware restart
was requested" messages making WiFi unusable
- **Debian Bug #990127**: mt76x0 crashes repeatedly affecting daily
usage
- **Multiple forum reports**: Scanning failures after firmware crashes
requiring system reboot
- **OpenWrt Forums**: Production environments affected by unreliable
wireless after MCU timeouts
The pattern is clear:
1. Firmware crash or MCU timeout occurs
2. Hardware restart attempts
3. Scanning stops working due to incorrect state
4. WiFi becomes unusable until system reboot
### Risk Assessment
**Risk Level: VERY LOW**
1. **Code Change Size**: Only 2 lines of code added
2. **Operation Type**: Simple field resets (counter to 0, pointer to
NULL)
3. **Code Safety**:
- Setting a counter to 0 during reset is inherently safe
- NULL assignment is safe; code already checks for NULL chanctx
4. **Scope**: Confined to hardware restart path only
5. **No New Features**: Pure bug fix, no architectural changes
6. **Well-Tested**: Part of mainline kernel since September 2025
### Regression Risk
**Extremely Low:**
- Resetting a counter to 0 cannot cause regressions
- Setting pointer to NULL is safe (NULL checks already exist)
- Only affects hardware restart code path
- Does not change normal operation behavior
### Stable Kernel Backporting Criteria
This commit meets all stable kernel backporting criteria:
✅ **Fixes Important Bugs**: Resolves scanning failures and potential
crashes after hardware restart
✅ **Small and Contained**: Only 2 lines changed in a single function
✅ **No New Features**: Pure bug fix with no feature additions
✅ **Minimal Risk**: Very low regression risk
✅ **Clear Impact**: Fixes real user-reported issues
✅ **Self-Contained**: Changes are localized to one function
✅ **No API Changes**: No changes to external interfaces
### Dependencies and Backporting Strategy
**Required Dependencies:**
1. Commit 065c79df595af ("wifi: mt76: mt7915: fix list corruption after
hardware restart") - Introduces `mt76_reset_device()`
**Recommended Together:**
1. Commit b36d55610215a ("wifi: mt76: abort scan/roc on hw restart") -
Completes the hw restart fixes
**Backporting Order:**
1. First: 065c79df595af (introduces mt76_reset_device)
2. Second: 3f34cced88a42 (this commit - adds num_sta/chanctx reset)
3. Third: b36d55610215a (adds scan/roc abort)
### Code Quality
The fix demonstrates good engineering:
- Follows the principle of complete state reset during recovery
- Addresses root cause of the problem
- Uses safe operations (reset to initial state)
- Maintains consistency with existing code patterns
### Conclusion
**This commit SHOULD be backported** because:
1. **Real User Impact**: Fixes actual bugs affecting mt76 wireless
driver users across multiple distributions
2. **Low Risk**: Minimal code change with virtually no regression risk
3. **Important Fix**: Addresses broken scanning after hardware restart
4. **Stable Criteria**: Meets all stable kernel backporting requirements
5. **Safety**: Prevents potential use-after-free via dangling chanctx
pointer
6. **Part of Series**: Completes hardware restart reliability
improvements
The fix is small, safe, and addresses real problems that make WiFi
unusable after firmware crashes - a common occurrence with MediaTek mt76
chipsets. Users experiencing hardware restart issues will benefit from
this backport.
**Recommendation: Approve for backport to all applicable stable kernel
trees where mt76 drivers are present and the mt76_reset_device()
function exists.**
drivers/net/wireless/mediatek/mt76/mac80211.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/wireless/mediatek/mt76/mac80211.c b/drivers/net/wireless/mediatek/mt76/mac80211.c
index 59adf33126170..4fa045e87a81f 100644
--- a/drivers/net/wireless/mediatek/mt76/mac80211.c
+++ b/drivers/net/wireless/mediatek/mt76/mac80211.c
@@ -824,6 +824,8 @@ static void mt76_reset_phy(struct mt76_phy *phy)
return;
INIT_LIST_HEAD(&phy->tx_list);
+ phy->num_sta = 0;
+ phy->chanctx = NULL;
}
void mt76_reset_device(struct mt76_dev *dev)
--
2.51.0
Powered by blists - more mailing lists