| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20260116010519.37001-19-zac@zacbowling.com>
Date: Thu, 15 Jan 2026 17:05:16 -0800
From: Zac <zac@...bowling.com>
To: sean.wang@...nel.org
Cc: deren.wu@...iatek.com,
kvalo@...nel.org,
linux-kernel@...r.kernel.org,
linux-mediatek@...ts.infradead.org,
linux-wireless@...r.kernel.org,
lorenzo@...nel.org,
nbd@....name,
linux@...me.work,
ryder.lee@...iatek.com,
sean.wang@...iatek.com,
Zac <zac@...bowling.com>
Subject: [PATCH v4 18/21] wifi: mt76: mt7921: fix missing mutex protection in multiple paths
Add mt792x_mutex_acquire/release around ieee80211_iterate_*() calls in
MT7921 driver to prevent race conditions:
- mt7921_roc_abort_sync(): protect ROC abort iteration
- mt7921_set_runtime_pm(): protect runtime PM iteration
- mt7921_regd_set_6ghz_power_type(): protect 6GHz power type iteration
- mt7921_mac_reset_work(): protect vif reconnect iteration after reset
These paths were missing the mutex protection that is required when
calling ieee80211_iterate_* functions with ITER_RESUME_ALL flag.
Signed-off-by: Zac Bowling <zac@...bowling.com>
---
drivers/net/wireless/mediatek/mt76/mt7921/mac.c | 2 ++
drivers/net/wireless/mediatek/mt76/mt7921/main.c | 9 ++++++++-
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/mac.c b/drivers/net/wireless/mediatek/mt76/mt7921/mac.c
index 03b4960db7..f5c882e45b 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7921/mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7921/mac.c
@@ -693,9 +693,11 @@ void mt7921_mac_reset_work(struct work_struct *work)
clear_bit(MT76_RESET, &dev->mphy.state);
pm->suspended = false;
ieee80211_wake_queues(hw);
+ mt792x_mutex_acquire(dev);
ieee80211_iterate_active_interfaces(hw,
IEEE80211_IFACE_ITER_RESUME_ALL,
mt7921_vif_connect_iter, NULL);
+ mt792x_mutex_release(dev);
mt76_connac_power_save_sched(&dev->mt76.phy, pm);
}
diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/main.c b/drivers/net/wireless/mediatek/mt76/mt7921/main.c
index 5fae9a6e27..8fc3770d1b 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7921/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7921/main.c
@@ -373,10 +373,13 @@ void mt7921_roc_abort_sync(struct mt792x_dev *dev)
timer_delete_sync(&phy->roc_timer);
cancel_work_sync(&phy->roc_work);
- if (test_and_clear_bit(MT76_STATE_ROC, &phy->mt76->state))
+ if (test_and_clear_bit(MT76_STATE_ROC, &phy->mt76->state)) {
+ mt792x_mutex_acquire(dev);
ieee80211_iterate_interfaces(mt76_hw(dev),
IEEE80211_IFACE_ITER_RESUME_ALL,
mt7921_roc_iter, (void *)phy);
+ mt792x_mutex_release(dev);
+ }
}
EXPORT_SYMBOL_GPL(mt7921_roc_abort_sync);
@@ -619,9 +622,11 @@ void mt7921_set_runtime_pm(struct mt792x_dev *dev)
bool monitor = !!(hw->conf.flags & IEEE80211_CONF_MONITOR);
pm->enable = pm->enable_user && !monitor;
+ mt792x_mutex_acquire(dev);
ieee80211_iterate_active_interfaces(hw,
IEEE80211_IFACE_ITER_RESUME_ALL,
mt7921_pm_interface_iter, dev);
+ mt792x_mutex_release(dev);
pm->ds_enable = pm->ds_enable_user && !monitor;
mt76_connac_mcu_set_deep_sleep(&dev->mt76, pm->ds_enable);
}
@@ -765,9 +770,11 @@ mt7921_regd_set_6ghz_power_type(struct ieee80211_vif *vif, bool is_add)
struct mt792x_dev *dev = phy->dev;
u32 valid_vif_num = 0;
+ mt792x_mutex_acquire(dev);
ieee80211_iterate_active_interfaces(mt76_hw(dev),
IEEE80211_IFACE_ITER_RESUME_ALL,
mt7921_calc_vif_num, &valid_vif_num);
+ mt792x_mutex_release(dev);
if (valid_vif_num > 1) {
phy->power_type = MT_AP_DEFAULT;
--
2.52.0
Powered by blists - more mailing lists