Message-ID: <20260120062854.126501-1-zac@zacbowling.com>
Date: Mon, 19 Jan 2026 22:28:43 -0800
From: Zac <zac@...bowling.com>
To: sean.wang@...nel.org
Cc: deren.wu@...iatek.com,
	kvalo@...nel.org,
	linux-kernel@...r.kernel.org,
	linux-mediatek@...ts.infradead.org,
	linux-wireless@...r.kernel.org,
	lorenzo@...nel.org,
	nbd@....name,
	ryder.lee@...iatek.com,
	sean.wang@...iatek.com,
	stable@...r.kernel.org,
	linux@...me.work,
	zbowling@...il.com,
	Zac Bowling <zac@...bowling.com>
Subject: [PATCH v5 00/11] wifi: mt76: mt7925/mt7921 stability fixes

From: Zac Bowling <zac@...bowling.com>

This series addresses stability issues in the mt7925 (WiFi 7) and mt7921
drivers, focusing on NULL pointer dereferences, mutex protection, MLO
(Multi-Link Operation) handling, and ROC (Remain-On-Channel) state machine
fixes.

Changes since v4:
- Reorganized 27 patches into 11 cleaner, logically-grouped patches for
  easier review. Patches are now ordered by subsystem dependency:
  mt76 core -> mt792x shared -> mt7921 -> mt7925

- Consolidated ROC-related fixes (previously patches 22-27) into a single
  comprehensive patch (11/11) that addresses the interconnected deadlock
  and race condition issues discovered through extended testing

- New issues fixed since v4:
  * ROC deadlock in sta removal path - cancel_work_sync() was waiting for
    roc_work which needed the mutex already held by sta_remove
  * ROC timer race during suspend - timer could fire after suspend started
    but before ROC was properly aborted
  * Async ROC abort race condition - double-free when async abort raced
    with normal ROC completion
  * Added ROC rate limiting with exponential backoff to mitigate MLO
    authentication failures caused by rapid ROC requests overwhelming
    the MT7925 firmware
  * Fixed spurious ieee80211_remain_on_channel_expired() callback when
    ROC wasn't actually active (found via code review)

- Added corresponding mt7921 fixes (patches 3-4) since the older driver
  shares similar code paths and exhibited the same deadlock patterns

- Firmware reload fix (patch 2) addresses crashes when the device needs
  recovery after a failed firmware load - the semaphore wasn't being
  released, causing subsequent loads to hang

Investigation and Testing:
  All issues were discovered through real-world testing on Framework 16
  laptops with the MT7925 (RZ616) WiFi module. Crash dumps, dmesg logs,
  and detailed analysis are available in the repository below.

  A DKMS version with extensive debug logging is available for community
  testing. This has been instrumental in tracking down the more subtle
  race conditions and deadlocks that only manifest under specific timing
  conditions.

  Repository: https://github.com/zbowling/mt7925
    - kernels/    - Pre-built patches for 6.17, 6.18, 6.19-rc, nbd168
    - dkms/       - DKMS module with extra debug logging
    - crashes/    - Crash investigation logs and analysis

Acknowledgments:
  Thank you to the community members who tested the DKMS version and
  provided crash reports, dmesg dumps, and helped track down the more
  elusive deadlocks. Your patience and detailed bug reports made these
  fixes possible.

Tested on MT7925 (RZ616) with kernels 6.17.13, 6.18.5, and 6.19-rc5.

Zac Bowling (11):
  wifi: mt76: fix list corruption in mt76_wcid_cleanup
  wifi: mt76: mt792x: fix NULL pointer and firmware reload issues
  wifi: mt76: mt7921: add mutex protection in critical paths
  wifi: mt76: mt7921: fix deadlock in sta removal and suspend ROC abort
  wifi: mt76: mt7925: add comprehensive NULL pointer protection for MLO
  wifi: mt76: mt7925: add mutex protection in critical paths
  wifi: mt76: mt7925: add MCU command error handling
  wifi: mt76: mt7925: add lockdep assertions for mutex verification
  wifi: mt76: mt7925: fix MLO roaming and ROC setup issues
  wifi: mt76: mt7925: fix BA session teardown during beacon loss
  wifi: mt76: mt7925: fix ROC deadlocks and race conditions

 drivers/net/wireless/mediatek/mt76/mac80211.c    |   8 +
 drivers/net/wireless/mediatek/mt76/mt76.h        |   1 +
 drivers/net/wireless/mediatek/mt76/mt7921/mac.c  |   2 +
 drivers/net/wireless/mediatek/mt76/mt7921/main.c |  37 ++-
 drivers/net/wireless/mediatek/mt76/mt7921/pci.c  |   2 -
 drivers/net/wireless/mediatek/mt76/mt7921/sdio.c |   2 -
 drivers/net/wireless/mediatek/mt76/mt7925/mac.c  |   8 +
 drivers/net/wireless/mediatek/mt76/mt7925/main.c | 257 +++++++++++++--
 drivers/net/wireless/mediatek/mt76/mt7925/mcu.c  |  46 ++-
 drivers/net/wireless/mediatek/mt76/mt7925/pci.c  |   4 +
 drivers/net/wireless/mediatek/mt76/mt792x.h      |   7 +
 drivers/net/wireless/mediatek/mt76/mt792x_core.c |  17 +-
 12 files changed, 340 insertions(+), 51 deletions(-)

--
2.52.0
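
Added example, not part of the original message or the patch series: a userspace C model of the sta-removal deadlock listed under "New issues fixed since v4". `dev_mutex`, `roc_work()` and `sta_remove()` are hypothetical stand-ins, `pthread_join()` models cancel_work_sync(), and the wait-before-lock ordering is an assumed way to break the cycle, not necessarily what patch 11/11 does.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pthread.h>
#include <time.h>

/* Constructed userspace model: dev_mutex stands in for the driver mutex,
 * roc_work() for the ROC work item, pthread_join() for cancel_work_sync(). */
static pthread_mutex_t dev_mutex = PTHREAD_MUTEX_INITIALIZER;

/* The work item needs dev_mutex. A 200 ms timed lock stands in for
 * "blocks forever", so the model reports the cycle instead of hanging. */
static void *roc_work(void *arg)
{
    int *stuck = arg;
    struct timespec deadline;

    clock_gettime(CLOCK_REALTIME, &deadline);
    deadline.tv_nsec += 200L * 1000 * 1000;
    if (deadline.tv_nsec >= 1000000000L) {
        deadline.tv_sec++;
        deadline.tv_nsec -= 1000000000L;
    }
    if (pthread_mutex_timedlock(&dev_mutex, &deadline) != 0) {
        *stuck = 1;                     /* the waiter holds the lock we need */
        return NULL;
    }
    pthread_mutex_unlock(&dev_mutex);   /* ROC completion would run here */
    return NULL;
}

/* Returns 1 if the work item never got the mutex (a hang in the kernel),
 * 0 if it completed, -1 if the thread could not be started.
 * sync_under_lock=1 is the ordering described in the cover letter;
 * sync_under_lock=0 is the assumed alternative: wait first, then lock. */
int sta_remove(int sync_under_lock)
{
    pthread_t work;
    int stuck = 0;

    if (sync_under_lock)
        pthread_mutex_lock(&dev_mutex);
    if (pthread_create(&work, NULL, roc_work, &stuck) != 0) {
        if (sync_under_lock)
            pthread_mutex_unlock(&dev_mutex);
        return -1;
    }
    pthread_join(work, NULL);           /* models cancel_work_sync() */
    if (!sync_under_lock)
        pthread_mutex_lock(&dev_mutex);
    pthread_mutex_unlock(&dev_mutex);   /* station teardown precedes this */
    return stuck;
}
```

In the kernel the same cycle is what lockdep reports when a work item's lock dependency meets a synchronous cancel issued under that lock.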

