mt76_sta_state() calls the sta_event callback without holding dev->mutex. However, mt7915_mac_sta_event() (MT7915 implementation of this callback) calls mt7915_mac_twt_teardown_flow() which has lockdep_assert_held(&dev->mt76.mutex) indicating that callers must hold this lock. The locking pattern in mt76_sta_state() is inconsistent: - mt76_sta_add() acquires dev->mutex before calling dev->drv->sta_add - mt76_sta_remove() acquires dev->mutex before calling __mt76_sta_remove - But sta_event callback is called without acquiring the lock Add mutex_lock()/mutex_unlock() around the mt7915_mac_twt_teardown_flow invocation to fix the missing lock protection and maintain consistency with the existing locking pattern. Signed-off-by: Ziyi Guo --- v2: - Move the locking to MT7915 driver to avoid deadlock in other drivers drivers/net/wireless/mediatek/mt76/mt7915/main.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/main.c b/drivers/net/wireless/mediatek/mt76/mt7915/main.c index 90d5e79fbf74..e212e964fda0 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7915/main.c +++ b/drivers/net/wireless/mediatek/mt76/mt7915/main.c @@ -851,8 +851,10 @@ int mt7915_mac_sta_event(struct mt76_dev *mdev, struct ieee80211_vif *vif, return mt7915_mcu_add_sta(dev, vif, sta, CONN_STATE_PORT_SECURE, false); case MT76_STA_EVENT_DISASSOC: + mutex_lock(&dev->mt76.mutex); for (i = 0; i < ARRAY_SIZE(msta->twt.flow); i++) mt7915_mac_twt_teardown_flow(dev, msta, i); + mutex_unlock(&dev->mt76.mutex); mt7915_mcu_add_sta(dev, vif, sta, CONN_STATE_DISCONNECT, false); msta->wcid.sta_disabled = 1; -- 2.34.1