[PATCH ath-next 2/2] wifi: ath12k: fix MLO peer delete race
Baochen Qiang
baochen.qiang at oss.qualcomm.com
Wed Jun 17 02:28:20 PDT 2026
ath12k_peer_mlo_link_peers_delete() sends WMI peer_delete for every
link before waiting for any peer_unmap / peer_delete_resp event. The
shared per-radio completion ar->peer_delete_done could not
disambiguate which peer a response was for: every call to
ath12k_peer_delete_send() did
reinit_completion(&ar->peer_delete_done), so when an event for the
first link arrived between two sends it raised the count to 1 and
the second send promptly cleared it; the wait for the second link
then timed out with
Timeout in receiving peer delete response
Replace the shared completion with a per-radio waiter list, with
each pending ath12k_peer_delete() caller queueing an
ath12k_peer_delete_wait carrying its (vdev_id, addr) and a private
struct completion. ath12k_peer_delete_resp_event() matches the
response against the list under ar->data_lock and signals the
matching waiter.
Also correct the endian conversion in ath12k_peer_delete_resp_event()
logging, and add the missing \n in some logging.
Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c7-00108-QCAHMTSWPL_V1.0_V2.0_SILICONZ_UPSTREAM-3
Fixes: 8e6f8bc28603 ("wifi: ath12k: Add MLO station state change handling")
Signed-off-by: Baochen Qiang <baochen.qiang at oss.qualcomm.com>
---
drivers/net/wireless/ath/ath12k/core.c | 2 +-
drivers/net/wireless/ath/ath12k/core.h | 5 +-
drivers/net/wireless/ath/ath12k/mac.c | 2 +-
drivers/net/wireless/ath/ath12k/peer.c | 130 ++++++++++++++++++++++++++-------
drivers/net/wireless/ath/ath12k/peer.h | 19 ++++-
drivers/net/wireless/ath/ath12k/wmi.c | 16 ++--
6 files changed, 136 insertions(+), 38 deletions(-)
diff --git a/drivers/net/wireless/ath/ath12k/core.c b/drivers/net/wireless/ath/ath12k/core.c
index 742d4fd1b598..f71650039292 100644
--- a/drivers/net/wireless/ath/ath12k/core.c
+++ b/drivers/net/wireless/ath/ath12k/core.c
@@ -1524,7 +1524,7 @@ static void ath12k_core_pre_reconfigure_recovery(struct ath12k_base *ab)
complete_all(&ar->scan.completed);
complete(&ar->scan.on_channel);
complete(&ar->peer_assoc_done);
- complete(&ar->peer_delete_done);
+ ath12k_peer_delete_wait_flush(ar);
complete(&ar->install_key_done);
complete(&ar->vdev_setup_done);
complete(&ar->vdev_delete_done);
diff --git a/drivers/net/wireless/ath/ath12k/core.h b/drivers/net/wireless/ath/ath12k/core.h
index fc5127b5c1a3..1436ff4316e7 100644
--- a/drivers/net/wireless/ath/ath12k/core.h
+++ b/drivers/net/wireless/ath/ath12k/core.h
@@ -665,7 +665,8 @@ struct ath12k {
/* protects the radio specific data like debug stats, ppdu_stats_info stats,
* vdev_stop_status info, scan data, ath12k_sta info, ath12k_link_vif info,
- * channel context data, survey info, test mode data, regd_channel_update_queue.
+ * channel context data, survey info, test mode data, regd_channel_update_queue,
+ * peer_delete_waits.
*/
spinlock_t data_lock;
@@ -687,7 +688,7 @@ struct ath12k {
u8 radio_idx;
struct completion peer_assoc_done;
- struct completion peer_delete_done;
+ struct list_head peer_delete_waits;
int install_key_status;
struct completion install_key_done;
diff --git a/drivers/net/wireless/ath/ath12k/mac.c b/drivers/net/wireless/ath/ath12k/mac.c
index 2e5a075191ae..4c86a8eb5841 100644
--- a/drivers/net/wireless/ath/ath12k/mac.c
+++ b/drivers/net/wireless/ath/ath12k/mac.c
@@ -15040,11 +15040,11 @@ static void ath12k_mac_setup(struct ath12k *ar)
spin_lock_init(&ar->dp.ppdu_list_lock);
INIT_LIST_HEAD(&ar->arvifs);
INIT_LIST_HEAD(&ar->dp.ppdu_stats_info);
+ INIT_LIST_HEAD(&ar->peer_delete_waits);
init_completion(&ar->vdev_setup_done);
init_completion(&ar->vdev_delete_done);
init_completion(&ar->peer_assoc_done);
- init_completion(&ar->peer_delete_done);
init_completion(&ar->install_key_done);
init_completion(&ar->bss_survey_done);
init_completion(&ar->scan.started);
diff --git a/drivers/net/wireless/ath/ath12k/peer.c b/drivers/net/wireless/ath/ath12k/peer.c
index c222bdaa333c..98509c63c580 100644
--- a/drivers/net/wireless/ath/ath12k/peer.c
+++ b/drivers/net/wireless/ath/ath12k/peer.c
@@ -9,6 +9,55 @@
#include "debug.h"
#include "debugfs.h"
+void ath12k_peer_delete_wait_register(struct ath12k *ar,
+ struct ath12k_peer_delete_wait *wait,
+ u32 vdev_id, const u8 *addr)
+{
+ wait->vdev_id = vdev_id;
+ ether_addr_copy(wait->addr, addr);
+ init_completion(&wait->done);
+
+ spin_lock_bh(&ar->data_lock);
+ list_add(&wait->list, &ar->peer_delete_waits);
+ spin_unlock_bh(&ar->data_lock);
+}
+
+void ath12k_peer_delete_wait_unregister(struct ath12k *ar,
+ struct ath12k_peer_delete_wait *wait)
+{
+ spin_lock_bh(&ar->data_lock);
+ list_del(&wait->list);
+ spin_unlock_bh(&ar->data_lock);
+}
+
+void ath12k_peer_delete_resp_signal(struct ath12k *ar, u32 vdev_id, const u8 *addr)
+{
+ struct ath12k_peer_delete_wait *wait;
+
+ guard(spinlock_bh)(&ar->data_lock);
+
+ list_for_each_entry(wait, &ar->peer_delete_waits, list) {
+ if (wait->vdev_id == vdev_id &&
+ ether_addr_equal(wait->addr, addr)) {
+ complete(&wait->done);
+ return;
+ }
+ }
+
+ ath12k_warn(ar->ab, "failed to find link peer with vdev id %u addr %pM\n",
+ vdev_id, addr);
+}
+
+void ath12k_peer_delete_wait_flush(struct ath12k *ar)
+{
+ struct ath12k_peer_delete_wait *wait;
+
+ spin_lock_bh(&ar->data_lock);
+ list_for_each_entry(wait, &ar->peer_delete_waits, list)
+ complete(&wait->done);
+ spin_unlock_bh(&ar->data_lock);
+}
+
static int ath12k_wait_for_dp_link_peer_common(struct ath12k_base *ab, int vdev_id,
const u8 *addr, bool expect_mapped)
{
@@ -62,20 +111,19 @@ static int ath12k_wait_for_peer_deleted(struct ath12k *ar, int vdev_id, const u8
return ath12k_wait_for_dp_link_peer_common(ar->ab, vdev_id, addr, false);
}
-int ath12k_wait_for_peer_delete_done(struct ath12k *ar, u32 vdev_id,
- const u8 *addr)
+int ath12k_wait_for_peer_delete_done(struct ath12k *ar,
+ struct ath12k_peer_delete_wait *wait)
{
- int ret;
unsigned long time_left;
+ int ret;
- ret = ath12k_wait_for_peer_deleted(ar, vdev_id, addr);
+ ret = ath12k_wait_for_peer_deleted(ar, wait->vdev_id, wait->addr);
if (ret) {
- ath12k_warn(ar->ab, "failed wait for peer deleted");
+ ath12k_warn(ar->ab, "failed wait for peer deleted\n");
return ret;
}
- time_left = wait_for_completion_timeout(&ar->peer_delete_done,
- 3 * HZ);
+ time_left = wait_for_completion_timeout(&wait->done, 3 * HZ);
if (time_left == 0) {
ath12k_warn(ar->ab, "Timeout in receiving peer delete response\n");
return -ETIMEDOUT;
@@ -91,8 +139,6 @@ static int ath12k_peer_delete_send(struct ath12k *ar, u32 vdev_id, const u8 *add
lockdep_assert_wiphy(ath12k_ar_to_hw(ar)->wiphy);
- reinit_completion(&ar->peer_delete_done);
-
ret = ath12k_wmi_send_peer_delete_cmd(ar, addr, vdev_id);
if (ret) {
ath12k_warn(ab,
@@ -106,6 +152,7 @@ static int ath12k_peer_delete_send(struct ath12k *ar, u32 vdev_id, const u8 *add
int ath12k_peer_delete(struct ath12k *ar, u32 vdev_id, u8 *addr)
{
+ struct ath12k_peer_delete_wait wait;
int ret;
lockdep_assert_wiphy(ath12k_ar_to_hw(ar)->wiphy);
@@ -114,17 +161,25 @@ int ath12k_peer_delete(struct ath12k *ar, u32 vdev_id, u8 *addr)
&(ath12k_ar_to_ah(ar)->dp_hw), vdev_id,
addr, ar->hw_link_id);
+ /*
+ * Register the stack waiter before sending so the resp_event for
+ * this peer cannot arrive while no waiter is queued.
+ */
+ ath12k_peer_delete_wait_register(ar, &wait, vdev_id, addr);
+
ret = ath12k_peer_delete_send(ar, vdev_id, addr);
if (ret)
- return ret;
+ goto out;
- ret = ath12k_wait_for_peer_delete_done(ar, vdev_id, addr);
+ ret = ath12k_wait_for_peer_delete_done(ar, &wait);
if (ret)
- return ret;
+ goto out;
ar->num_peers--;
- return 0;
+out:
+ ath12k_peer_delete_wait_unregister(ar, &wait);
+ return ret;
}
static int ath12k_wait_for_peer_created(struct ath12k *ar, int vdev_id, const u8 *addr)
@@ -184,22 +239,26 @@ int ath12k_peer_create(struct ath12k *ar, struct ath12k_link_vif *arvif,
peer = ath12k_dp_link_peer_find_by_vdev_and_addr(dp, arg->vdev_id,
arg->peer_addr);
if (!peer) {
+ struct ath12k_peer_delete_wait wait;
+
spin_unlock_bh(&dp->dp_lock);
ath12k_warn(ar->ab, "failed to find peer %pM on vdev %i after creation\n",
arg->peer_addr, arg->vdev_id);
- reinit_completion(&ar->peer_delete_done);
+ ath12k_peer_delete_wait_register(ar, &wait, arg->vdev_id,
+ arg->peer_addr);
ret = ath12k_wmi_send_peer_delete_cmd(ar, arg->peer_addr,
arg->vdev_id);
if (ret) {
ath12k_warn(ar->ab, "failed to delete peer vdev_id %d addr %pM\n",
arg->vdev_id, arg->peer_addr);
+ ath12k_peer_delete_wait_unregister(ar, &wait);
return ret;
}
- ret = ath12k_wait_for_peer_delete_done(ar, arg->vdev_id,
- arg->peer_addr);
+ ret = ath12k_wait_for_peer_delete_done(ar, &wait);
+ ath12k_peer_delete_wait_unregister(ar, &wait);
if (ret)
return ret;
@@ -283,13 +342,14 @@ u16 ath12k_peer_ml_alloc(struct ath12k_hw *ah)
int ath12k_peer_mlo_link_peers_delete(struct ath12k_vif *ahvif, struct ath12k_sta *ahsta)
{
+ DECLARE_BITMAP(registered, IEEE80211_MLD_MAX_NUM_LINKS);
struct ieee80211_sta *sta = ath12k_ahsta_to_sta(ahsta);
struct ath12k_hw *ah = ahvif->ah;
struct ath12k_link_vif *arvif;
struct ath12k_link_sta *arsta;
+ int ret, err_ret = 0;
unsigned long links;
struct ath12k *ar;
- int ret, err_ret = 0;
u8 link_id;
lockdep_assert_wiphy(ah->hw->wiphy);
@@ -297,8 +357,19 @@ int ath12k_peer_mlo_link_peers_delete(struct ath12k_vif *ahvif, struct ath12k_st
if (!sta->mlo)
return -EINVAL;
- /* FW expects delete of all link peers at once before waiting for reception
- * of peer unmap or delete responses
+ struct ath12k_peer_delete_wait *waits __free(kfree) =
+ kzalloc_objs(*waits, IEEE80211_MLD_MAX_NUM_LINKS);
+ if (!waits)
+ return -ENOMEM;
+
+ bitmap_zero(registered, IEEE80211_MLD_MAX_NUM_LINKS);
+
+ /*
+ * Firmware expects delete of all link peers at once before waiting
+ * for reception of peer unmap or delete responses. Phase 1 registers
+ * a per-link stack waiter and sends WMI peer delete for every
+ * link; the resp_event handler matches each response to its
+ * (vdev_id, addr) waiter on ar->peer_delete_waits.
*/
links = ahsta->links_map;
for_each_set_bit(link_id, &links, IEEE80211_MLD_MAX_NUM_LINKS) {
@@ -318,29 +389,36 @@ int ath12k_peer_mlo_link_peers_delete(struct ath12k_vif *ahvif, struct ath12k_st
arvif->vdev_id, arsta->addr,
ar->hw_link_id);
+ ath12k_peer_delete_wait_register(ar, &waits[link_id],
+ arvif->vdev_id, arsta->addr);
+
ret = ath12k_peer_delete_send(ar, arvif->vdev_id, arsta->addr);
if (ret) {
ath12k_warn(ar->ab,
"failed to delete peer vdev_id %d addr %pM ret %d\n",
arvif->vdev_id, arsta->addr, ret);
err_ret = ret;
+ ath12k_peer_delete_wait_unregister(ar, &waits[link_id]);
continue;
}
+
+ set_bit(link_id, registered);
}
- /* Ensure all link peers are deleted and unmapped */
+ /*
+ * Phase 2: wait for unmap + delete_resp on each registered link
+ * and tear down the waiter.
+ */
links = ahsta->links_map;
for_each_set_bit(link_id, &links, IEEE80211_MLD_MAX_NUM_LINKS) {
- arvif = wiphy_dereference(ah->hw->wiphy, ahvif->link[link_id]);
- arsta = wiphy_dereference(ah->hw->wiphy, ahsta->link[link_id]);
- if (!arvif || !arsta)
+ if (!test_bit(link_id, registered))
continue;
+ arvif = wiphy_dereference(ah->hw->wiphy, ahvif->link[link_id]);
ar = arvif->ar;
- if (!ar)
- continue;
- ret = ath12k_wait_for_peer_delete_done(ar, arvif->vdev_id, arsta->addr);
+ ret = ath12k_wait_for_peer_delete_done(ar, &waits[link_id]);
+ ath12k_peer_delete_wait_unregister(ar, &waits[link_id]);
if (ret) {
err_ret = ret;
continue;
diff --git a/drivers/net/wireless/ath/ath12k/peer.h b/drivers/net/wireless/ath/ath12k/peer.h
index 49d89796bc46..3dc720a3dc12 100644
--- a/drivers/net/wireless/ath/ath12k/peer.h
+++ b/drivers/net/wireless/ath/ath12k/peer.h
@@ -9,13 +9,28 @@
#include "dp_peer.h"
+struct ath12k_peer_delete_wait {
+ struct list_head list;
+ u32 vdev_id;
+ u8 addr[ETH_ALEN];
+ struct completion done;
+};
+
+void ath12k_peer_delete_wait_register(struct ath12k *ar,
+ struct ath12k_peer_delete_wait *wait,
+ u32 vdev_id, const u8 *addr);
+void ath12k_peer_delete_wait_unregister(struct ath12k *ar,
+ struct ath12k_peer_delete_wait *wait);
+void ath12k_peer_delete_resp_signal(struct ath12k *ar, u32 vdev_id, const u8 *addr);
+void ath12k_peer_delete_wait_flush(struct ath12k *ar);
+
void ath12k_peer_cleanup(struct ath12k *ar, u32 vdev_id);
int ath12k_peer_delete(struct ath12k *ar, u32 vdev_id, u8 *addr);
int ath12k_peer_create(struct ath12k *ar, struct ath12k_link_vif *arvif,
struct ieee80211_sta *sta,
struct ath12k_wmi_peer_create_arg *arg);
-int ath12k_wait_for_peer_delete_done(struct ath12k *ar, u32 vdev_id,
- const u8 *addr);
+int ath12k_wait_for_peer_delete_done(struct ath12k *ar,
+ struct ath12k_peer_delete_wait *wait);
int ath12k_peer_mlo_link_peers_delete(struct ath12k_vif *ahvif, struct ath12k_sta *ahsta);
struct ath12k_ml_peer *ath12k_peer_ml_find(struct ath12k_hw *ah,
const u8 *addr);
diff --git a/drivers/net/wireless/ath/ath12k/wmi.c b/drivers/net/wireless/ath/ath12k/wmi.c
index 84a31b953db8..6066ca8d9fc4 100644
--- a/drivers/net/wireless/ath/ath12k/wmi.c
+++ b/drivers/net/wireless/ath/ath12k/wmi.c
@@ -7072,25 +7072,29 @@ static void ath12k_peer_delete_resp_event(struct ath12k_base *ab, struct sk_buff
{
struct wmi_peer_delete_resp_event peer_del_resp;
struct ath12k *ar;
+ u32 vdev_id;
if (ath12k_pull_peer_del_resp_ev(ab, skb, &peer_del_resp) != 0) {
- ath12k_warn(ab, "failed to extract peer delete resp");
+ ath12k_warn(ab, "failed to extract peer delete resp\n");
return;
}
+ vdev_id = le32_to_cpu(peer_del_resp.vdev_id);
+
rcu_read_lock();
- ar = ath12k_mac_get_ar_by_vdev_id(ab, le32_to_cpu(peer_del_resp.vdev_id));
+ ar = ath12k_mac_get_ar_by_vdev_id(ab, vdev_id);
if (!ar) {
- ath12k_warn(ab, "invalid vdev id in peer delete resp ev %d",
- peer_del_resp.vdev_id);
+ ath12k_warn(ab, "invalid vdev id in peer delete resp ev %d\n",
+ vdev_id);
rcu_read_unlock();
return;
}
- complete(&ar->peer_delete_done);
+ ath12k_peer_delete_resp_signal(ar, vdev_id,
+ peer_del_resp.peer_macaddr.addr);
rcu_read_unlock();
ath12k_dbg(ab, ATH12K_DBG_WMI, "peer delete resp for vdev id %d addr %pM\n",
- peer_del_resp.vdev_id, peer_del_resp.peer_macaddr.addr);
+ vdev_id, peer_del_resp.peer_macaddr.addr);
}
static void ath12k_vdev_delete_resp_event(struct ath12k_base *ab,
--
2.25.1
More information about the ath12k
mailing list