[PATCH ath-current] wifi: ath12k: prepare REO update element only for primary link

Thorsten Leemhuis linux at leemhuis.info
Wed Apr 22 02:30:10 PDT 2026


Lo! Top-posting on purpose to make this easy to process.

Jeff, what happened to below patch? It was supposed to fix the
regression linked below, but unless I'm missing something (which might
very well be the case!) it seems it never got any further than this thread.

Ciao, Thorsten

P.S.: Adding a stable tag might be good to ensure this fix is backported.

On 2/10/26 04:07, Baochen Qiang wrote:
> Commit [1] introduces dp->reo_cmd_update_rx_queue_list for the purpose
> of tracking all pending REO queue flush commands. The helper
> ath12k_dp_prepare_reo_update_elem() allocates an element and populates
> it with REO queue information, then adds it to the list. The element would
> be helpful during clean up stage to finally unmap/free the corresponding
> REO queue buffer.
> 
> In MLO scenarios with more than one link, for non dp_primary_link_only
> chips like WCN7850, that helper is called for each link peer. This
> results in multiple elements added to the list but all of them pointing
> to the same REO queue buffer. Consequently the same buffer gets
> unmapped/freed multiple times:
> 
> BUG kmalloc-2k (Tainted: G    B   W  O       ): Object already free
> -----------------------------------------------------------------------------
> Allocated in ath12k_wifi7_dp_rx_assign_reoq+0xce/0x280 [ath12k_wifi7] age=7436 cpu=10 pid=16130
>  __kmalloc_noprof
>  ath12k_wifi7_dp_rx_assign_reoq
>  ath12k_dp_rx_peer_tid_setup
>  ath12k_dp_peer_setup
>  ath12k_mac_station_add
>  ath12k_mac_op_sta_state
>  [...]
> Freed in ath12k_dp_rx_tid_cleanup.part.0+0x25/0x40 [ath12k] age=1 cpu=27 pid=16137
>  kfree
>  ath12k_dp_rx_tid_cleanup.part.0
>  ath12k_dp_rx_reo_cmd_list_cleanup
>  ath12k_dp_cmn_device_deinit
>  ath12k_core_stop
>  ath12k_core_hw_group_cleanup
>  ath12k_pci_remove
> 
> Fix this by allowing list addition for primary link only. Note
> dp_primary_link_only chips like QCN9274 are not affected by this change,
> because that's what they were doing in the first place.
> 
> Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00302-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.115823.3
> 
> Fixes: 3bf2e57e7d6c ("wifi: ath12k: Add Retry Mechanism for REO RX Queue Update Failures") # [1]
> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221011
> Signed-off-by: Baochen Qiang <baochen.qiang at oss.qualcomm.com>
> ---
>  drivers/net/wireless/ath/ath12k/dp_rx.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/net/wireless/ath/ath12k/dp_rx.c b/drivers/net/wireless/ath/ath12k/dp_rx.c
> index a32ee9f8061a..6995de7761df 100644
> --- a/drivers/net/wireless/ath/ath12k/dp_rx.c
> +++ b/drivers/net/wireless/ath/ath12k/dp_rx.c
> @@ -565,6 +565,9 @@ static int ath12k_dp_prepare_reo_update_elem(struct ath12k_dp *dp,
>  
>  	lockdep_assert_held(&dp->dp_lock);
>  
> +	if (!peer->primary_link)
> +		return 0;
> +
>  	elem = kzalloc(sizeof(*elem), GFP_ATOMIC);
>  	if (!elem)
>  		return -ENOMEM;
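
Review bot: the new `if (!peer->primary_link)` early exit has no comment, and its `return 0` makes a skipped link peer indistinguishable to the caller from one whose element was queued. Add a short comment above the check stating that the link peers of an MLO peer share one REO queue buffer, so only the primary link adds it to dp->reo_cmd_update_rx_queue_list. It is also worth confirming in the commit message that primary_link is set for non-MLO peers, since with this check a peer that never has it set queues no element and its buffer is not unmapped/freed at cleanup.
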
> 
> ---
> base-commit: d9a2be2d72d4f9035f0334e0ff49180fe9df6e52
> change-id: 20260128-ath12k-rxtid-double-free-289100bb5163
> 
> Best regards,



