[PATCH] wifi: mt76: fix deadlock in remain-on-channel
Chad Monroe
chad at monroe.io
Mon Dec 8 09:41:17 PST 2025
On Monday, December 8th, 2025 at 6:19 AM, Lorenzo Bianconi <lorenzo at kernel.org> wrote:
>
> > mt76_remain_on_channel() and mt76_roc_complete() call mt76_set_channel()
> > while already holding dev->mutex. Since mt76_set_channel() also acquires
> > dev->mutex, this results in a deadlock.
> >
> > Use __mt76_set_channel() instead of mt76_set_channel().
> > Add cancel_delayed_work_sync() for mac_work before acquiring the mutex
> > in mt76_remain_on_channel() to prevent a secondary deadlock with the
> > mac_work workqueue.
>
> I think we need a Fixes tag here.
>
> Regards,
> Lorenzo
>
Good call.. added and submitted v2. Thank you,
-Chad
> > Signed-off-by: Chad Monroe chad at monroe.io
> > ---
> > drivers/net/wireless/mediatek/mt76/channel.c | 13 +++++++++++--
> > 1 file changed, 11 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/net/wireless/mediatek/mt76/channel.c b/drivers/net/wireless/mediatek/mt76/channel.c
> > index 2b705bdb7993..d9f8529db7ed 100644
> > --- a/drivers/net/wireless/mediatek/mt76/channel.c
> > +++ b/drivers/net/wireless/mediatek/mt76/channel.c
> > @@ -326,7 +326,7 @@ void mt76_roc_complete(struct mt76_phy *phy)
> > mlink->mvif->roc_phy = NULL;
> > if (phy->main_chandef.chan &&
> > !test_bit(MT76_MCU_RESET, &dev->phy.state))
> > - mt76_set_channel(phy, &phy->main_chandef, false);
> > + __mt76_set_channel(phy, &phy->main_chandef, false);
> > mt76_put_vif_phy_link(phy, phy->roc_vif, phy->roc_link);
> > phy->roc_vif = NULL;
> > phy->roc_link = NULL;
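Review bot: The return value of __mt76_set_channel() is discarded in mt76_roc_complete(), while the same call in mt76_remain_on_channel() now has its result checked. Since this function returns void, a failure to restore main_chandef goes unnoticed and the ROC state is torn down as if the switch back had succeeded; consider at least logging the error here. Switching to the unlocked variant also makes the function depend on the caller holding dev->mutex, so a lockdep_assert_held(&dev->mutex) at the top of mt76_roc_complete() would document that contract and catch a caller that does not hold it.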
> > @@ -370,6 +370,8 @@ int mt76_remain_on_channel(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
> > if (!phy)
> > return -EINVAL;
> >
> > + cancel_delayed_work_sync(&phy->mac_work);
> > +
> > mutex_lock(&dev->mutex);
> >
> > if (phy->roc_vif || dev->scan.phy == phy ||
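Review bot: cancel_delayed_work_sync(&phy->mac_work) runs before the lock and before the roc_vif/scan check that follows it, so mac_work is stopped even if that condition rejects the request, and nothing in the visible hunks queues it again on either the success or the failure path. If mac_work is expected to keep running after a rejected or completed remain-on-channel, it needs to be re-queued explicitly. The commit message mentions a "secondary deadlock" with mac_work without naming the lock chain; a short comment above the cancel explaining why it must happen outside dev->mutex would help future readers. Note also that the work can be queued again between the cancel and mutex_lock(), so the cancel alone does not guarantee mac_work is idle once the mutex is held.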
> > @@ -388,7 +390,14 @@ int mt76_remain_on_channel(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
> > phy->roc_vif = vif;
> > phy->roc_link = mlink;
> > cfg80211_chandef_create(&chandef, chan, NL80211_CHAN_HT20);
> > - mt76_set_channel(phy, &chandef, true);
> > + ret = __mt76_set_channel(phy, &chandef, true);
> > + if (ret) {
> > + mlink->mvif->roc_phy = NULL;
> > + phy->roc_vif = NULL;
> > + phy->roc_link = NULL;
> > + mt76_put_vif_phy_link(phy, vif, mlink);
> > + goto out;
> > + }
> > ieee80211_ready_on_channel(hw);
> > ieee80211_queue_delayed_work(phy->hw, &phy->roc_work,
> > msecs_to_jiffies(duration));
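Review bot: The new error branch after __mt76_set_channel() open-codes the same teardown that mt76_roc_complete() performs (clearing mlink->mvif->roc_phy, phy->roc_vif and phy->roc_link, then mt76_put_vif_phy_link()), so the two copies can drift apart. Consider factoring this into a small helper used by both. The branch also leaves the phy on whatever channel the failed switch left it on, with no attempt to return to phy->main_chandef, and the mac_work cancelled earlier in this function is not restarted before "goto out"; please confirm both are intended, or handle them in the unwind.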
> > --
> > 2.47.3