Message-ID: <20260116010519.37001-1-zac@zacbowling.com>
Date: Thu, 15 Jan 2026 17:04:58 -0800
From: Zac <zac@...bowling.com>
To: sean.wang@...nel.org
Cc: deren.wu@...iatek.com,
	kvalo@...nel.org,
	linux-kernel@...r.kernel.org,
	linux-mediatek@...ts.infradead.org,
	linux-wireless@...r.kernel.org,
	lorenzo@...nel.org,
	nbd@....name,
	linux@...me.work,
	ryder.lee@...iatek.com,
	sean.wang@...iatek.com,
	Zac <zac@...bowling.com>
Subject: [PATCH v4 00/21] wifi: mt76: mt7925/mt7921: stability and MLO fixes

This series addresses stability issues in the mt7925 (WiFi 7) and mt7921
drivers, focusing on NULL pointer dereferences, mutex protection, and
MLO (Multi-Link Operation) handling.

Changes since v3:
- Added mt7921 driver fixes (patches 18-19) to address mutex handling
  issues that also affected the older driver
- Fixed mutex deadlocks in mt7921 suspend paths - the mutex was being
  acquired inside functions that were already called with mutex held
- Added mt76 core fix for list corruption in mt76_wcid_cleanup (patch 20)
  that caused crashes during suspend/resume cycles
- Added fix for BA session teardown during beacon loss (patch 21) which
  was causing mac80211 WARN in __ieee80211_stop_tx_ba_session - reported
  by Sean Wang

The mt7921 mutex fixes (patches 18-19) correct improper mutex nesting
where mt7921_roc_abort_sync() and mt7921_set_runtime_pm() were acquiring
the mutex internally, but were called from paths that already held it
(e.g., mt7921_mac_sta_remove via mt76_sta_remove, suspend handlers).

The list corruption fix (patch 20) addresses a bug where mt76_wcid_cleanup()
wasn't removing wcid entries from sta_poll_list before mt76_reset_device()
reinitialized the master list, leaving stale pointers.

The BA session fix (patch 21) makes the ieee80211_stop_tx_ba_cb_irqsafe()
callback unconditional in IEEE80211_AMPDU_TX_STOP_CONT handling - the MCU
command may fail during beacon loss but mac80211 must still be notified
to complete the session teardown.

More notes in https://github.com/zbowling/mt7925

Tested on MT7925 (RZ616) with kernel 6.18.5.

Zac Bowling (21):
  wifi: mt76: mt7921: fix missing mutex protection in multiple paths
  wifi: mt76: mt7921: fix mutex deadlocks in multiple paths
  wifi: mt76: fix list corruption in mt76_wcid_cleanup
  wifi: mt76: mt7925: fix BA session teardown during beacon loss
  wifi: mt76: mt7925: fix NULL pointer dereference in vif iteration
  wifi: mt76: mt7925: fix missing mutex protection in reset and ROC
    abort
  wifi: mt76: mt7925: fix missing mutex protection in runtime PM and MLO
    PM
  wifi: mt76: mt7925: add NULL checks in MCU STA TLV functions
  wifi: mt76: mt7925: add NULL checks for link_conf and mlink in main.c
  wifi: mt76: mt7925: add error handling for AMPDU MCU commands
  wifi: mt76: mt7925: add error handling for BSS info MCU command in
    sta_add
  wifi: mt76: mt7925: add error handling for BSS info in key setup
  wifi: mt76: mt7925: add NULL checks in MLO link and chanctx functions
  wifi: mt76: mt792x: fix NULL pointer dereference in TX path
  wifi: mt76: mt7925: add lockdep assertions for mutex verification
  wifi: mt76: mt7925: fix key removal failure during MLO roaming
  wifi: mt76: mt7925: fix kernel warning in MLO ROC setup
  wifi: mt76: mt7925: add NULL checks for MLO link pointers in MCU
    functions
  wifi: mt76: mt792x: fix firmware reload failure after previous load
    crash
  wifi: mt76: mt7925: add mutex protection in resume path
  wifi: mt76: mt7925: add NULL checks in link station and TX queue setup

 drivers/net/wireless/mediatek/mt76/mac80211.c |  10 ++
 .../net/wireless/mediatek/mt76/mt7921/mac.c   |   2 +
 .../net/wireless/mediatek/mt76/mt7921/main.c  |   8 ++
 .../net/wireless/mediatek/mt76/mt7921/pci.c   |   2 +
 .../net/wireless/mediatek/mt76/mt7921/sdio.c  |   2 +
 .../net/wireless/mediatek/mt76/mt7925/mac.c   |   8 ++
 .../net/wireless/mediatek/mt76/mt7925/main.c  | 125 ++++++++++++++----
 .../net/wireless/mediatek/mt76/mt7925/mcu.c   |  48 +++++--
 .../net/wireless/mediatek/mt76/mt7925/pci.c   |   4 +
 .../net/wireless/mediatek/mt76/mt792x_core.c  |  27 +++-
 10 files changed, 203 insertions(+), 33 deletions(-)

-- 
2.52.0
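
The list corruption described for patch 20 above can be reproduced in a userspace model. This is an added example, not code from the patch series or the mt76 driver; `struct station`, `cleanup_then_reset()` and the list helpers are hypothetical stand-ins for the per-wcid poll entries and the master list.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model of the kernel's circular doubly linked list. */
struct list_head { struct list_head *next, *prev; };

static void list_init(struct list_head *h) { h->next = h->prev = h; }

static void list_add_tail(struct list_head *n, struct list_head *h)
{
    n->prev = h->prev; n->next = h;
    h->prev->next = n; h->prev = n;
}

static void list_del_init(struct list_head *e)
{
    e->prev->next = e->next; e->next->prev = e->prev;
    list_init(e);
}

/* Neighbour invariant that CONFIG_DEBUG_LIST verifies before an unlink. */
static bool entry_linked_ok(const struct list_head *e)
{
    return e->prev->next == e && e->next->prev == e;
}

/* Hypothetical stand-in for a station entry that sits on a poll list. */
struct station { struct list_head poll; };

/* Models cleanup followed by a reset that reinitializes the master list.
 * unlink_first selects the fixed ordering. Returns true when every entry
 * is still consistent with its neighbours afterwards. */
bool cleanup_then_reset(bool unlink_first)
{
    struct list_head master;
    struct station sta[2];

    list_init(&master);
    for (int i = 0; i < 2; i++)
        list_add_tail(&sta[i].poll, &master);
    if (unlink_first)
        for (int i = 0; i < 2; i++)
            list_del_init(&sta[i].poll);
    list_init(&master);   /* the reset: head forgets its entries */
    return entry_linked_ok(&sta[0].poll) && entry_linked_ok(&sta[1].poll);
}

int main(void)
{
    printf("reset without unlink: consistent=%d\n", cleanup_then_reset(false));
    printf("unlink before reset:  consistent=%d\n", cleanup_then_reset(true));
}
```

In the unfixed ordering the entries still point at the reinitialized head and at each other, so a later unlink of either one writes through stale neighbours; with list debugging enabled the kernel reports this as list_del corruption.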

