From: Ming Yen Hsieh The updates to state->cc_* (cc_busy, cc_tx, etc.) lack synchronization, risking race conditions and inconsistent statistics. Add cc_lock protection to ensure atomic updates. Signed-off-by: Ming Yen Hsieh --- drivers/net/wireless/mediatek/mt76/mt792x_mac.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/net/wireless/mediatek/mt76/mt792x_mac.c b/drivers/net/wireless/mediatek/mt76/mt792x_mac.c index 3f1d9ba49076..f86e0ac91100 100644 --- a/drivers/net/wireless/mediatek/mt76/mt792x_mac.c +++ b/drivers/net/wireless/mediatek/mt76/mt792x_mac.c @@ -243,10 +243,14 @@ mt792x_phy_update_channel(struct mt76_phy *mphy, int idx) phy->noise += nf - (phy->noise >> 4); state = mphy->chan_state; + + spin_lock_bh(&dev->mt76.cc_lock); state->cc_busy += busy_time; state->cc_tx += tx_time; state->cc_rx += rx_time + obss_time; state->cc_bss_rx += rx_time; + spin_unlock_bh(&dev->mt76.cc_lock); + state->noise = -(phy->noise >> 4); } -- 2.34.1 From: Ming Yen Hsieh Check for a NULL `vif` before accessing `ieee80211_vif_is_mld(vif)` to avoid a potential kernel panic in scenarios where `vif` might not be initialized. Signed-off-by: Ming Yen Hsieh --- drivers/net/wireless/mediatek/mt76/mt7925/mac.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mac.c b/drivers/net/wireless/mediatek/mt76/mt7925/mac.c index 463288a1dcc7..122aa6e9070a 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/mac.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/mac.c @@ -803,8 +803,8 @@ mt7925_mac_write_txwi(struct mt76_dev *dev, __le32 *txwi, txwi[5] = cpu_to_le32(val); val = MT_TXD6_DAS | FIELD_PREP(MT_TXD6_MSDU_CNT, 1); - if (!ieee80211_vif_is_mld(vif) || - (q_idx >= MT_LMAC_ALTX0 && q_idx <= MT_LMAC_BCN0)) + if (vif && (!ieee80211_vif_is_mld(vif) || + (q_idx >= MT_LMAC_ALTX0 && q_idx <= MT_LMAC_BCN0))) val |= MT_TXD6_DIS_MAT; txwi[6] = cpu_to_le32(val); txwi[7] = 0; -- 2.34.1 From: Ming Yen Hsieh Move the NULL check for 'sta' before dereferencing it to prevent a possible crash. Signed-off-by: Ming Yen Hsieh --- drivers/net/wireless/mediatek/mt76/mt7925/mac.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mac.c b/drivers/net/wireless/mediatek/mt76/mt7925/mac.c index 122aa6e9070a..ff9f628ba005 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/mac.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/mac.c @@ -845,11 +845,14 @@ static void mt7925_tx_check_aggr(struct ieee80211_sta *sta, struct sk_buff *skb, bool is_8023; u16 fc, tid; + if (!sta) + return; + link_sta = rcu_dereference(sta->link[wcid->link_id]); if (!link_sta) return; - if (!sta || !(link_sta->ht_cap.ht_supported || link_sta->he_cap.has_he)) + if (!(link_sta->ht_cap.ht_supported || link_sta->he_cap.has_he)) return; tid = skb->priority & IEEE80211_QOS_CTL_TID_MASK; -- 2.34.1 From: Ming Yen Hsieh Read dev->token_count under token_lock to prevent race conditions with concurrent token updates, ensuring accurate power management decisions. Signed-off-by: Ming Yen Hsieh --- drivers/net/wireless/mediatek/mt76/mt76_connac.h | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac.h b/drivers/net/wireless/mediatek/mt76/mt76_connac.h index 93e5d36206e8..756719ce0e48 100644 --- a/drivers/net/wireless/mediatek/mt76/mt76_connac.h +++ b/drivers/net/wireless/mediatek/mt76/mt76_connac.h @@ -383,9 +383,14 @@ static inline bool mt76_connac_skip_fw_pmctrl(struct mt76_phy *phy, struct mt76_connac_pm *pm) { struct mt76_dev *dev = phy->dev; + u16 token_count = 0; bool ret; - if (dev->token_count) + spin_lock_bh(&dev->token_lock); + token_count = dev->token_count; + spin_unlock_bh(&dev->token_lock); + + if (token_count) return true; spin_lock_bh(&pm->wake.lock); -- 2.34.1