[Deepin-Kernel-SIG] [linux 6.6-y] [Upstream] wifi: ath11k: fix sleeping-in-atomic in ath11k_mac_op_set_bitrate_mask()

[opsiff]

stable inclusion
from stable-v6.12.42
category: bugfix
CVE: CVE-2025-39732

[ Upstream commit 65c12b1 ]

ath11k_mac_disable_peer_fixed_rate() is passed as the iterator to ieee80211_iterate_stations_atomic(). Note in this case the iterator is required to be atomic, however ath11k_mac_disable_peer_fixed_rate() does not follow it as it might sleep. Consequently below warning is seen:

BUG: sleeping function called from invalid context at wmi.c:304 Call Trace:

dump_stack_lvl
__might_resched.cold
ath11k_wmi_cmd_send
ath11k_wmi_set_peer_param
ath11k_mac_disable_peer_fixed_rate
ieee80211_iterate_stations_atomic
ath11k_mac_op_set_bitrate_mask.cold

Change to ieee80211_iterate_stations_mtx() to fix this issue.

Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30

Fixes: d5c6515 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
Signed-off-by: Baochen Qiang quic_bqiang@quicinc.com
Link: https://patch.msgid.link/20250603-ath11k-use-non-atomic-iterator-v1-1-d75762068d56@quicinc.com
Signed-off-by: Jeff Johnson jeff.johnson@oss.qualcomm.com
Signed-off-by: Sasha Levin sashal@kernel.org
(cherry picked from commit 9c0e3144924c7db701575a73af341d33184afeaf)
Signed-off-by: Wentao Guan guanwentao@uniontech.com

Conflicts:
drivers/net/wireless/ath/ath11k/mac.c

Summary by Sourcery

Bug Fixes:

• Use non-atomic station iteration in ath11k_mac_op_set_bitrate_mask() to prevent sleeping-in-atomic warnings when disabling peer fixed rates.

[sourcery-ai]

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Replaces atomic station iteration with mutex-based iteration in ath11k_mac_op_set_bitrate_mask() to avoid sleeping-in-atomic-context warnings while disabling peer fixed-rate settings, aligning the iterator type with the potentially sleeping callback.

Sequence diagram for bitrate mask update using mutex-based station iteration

sequenceDiagram
    participant Caller as caller_context
    participant HW as ieee80211_hw
    participant MAC as ath11k_mac_op_set_bitrate_mask
    participant IterMtx as ieee80211_iterate_stations_mtx
    participant Station as ieee80211_sta
    participant DisableRate as ath11k_mac_disable_peer_fixed_rate
    participant WMI as ath11k_wmi

    Caller->>MAC: ath11k_mac_op_set_bitrate_mask(hw, vif, mask)
    MAC->>HW: access ar and arvif from hw/vif
    alt bitrate_mask_requires_disable
        MAC->>IterMtx: ieee80211_iterate_stations_mtx(hw, DisableRate, arvif)
        loop for each station matching vif
            IterMtx->>Station: select station
            IterMtx->>DisableRate: callback(ar, arvif, Station)
            DisableRate->>WMI: ath11k_wmi_set_peer_param(peer, fixed_rate_none)
            WMI-->>DisableRate: completion (may sleep)
        end
    else bitrate_mask_requires_update_with_lock
        MAC->>MAC: mutex_lock(ar->conf_mutex)
        MAC->>IterMtx: ieee80211_iterate_stations_mtx(hw, DisableRate, arvif)
        loop for each station matching vif
            IterMtx->>Station: select station
            IterMtx->>DisableRate: callback(ar, arvif, Station)
            DisableRate->>WMI: ath11k_wmi_set_peer_param(peer, fixed_rate_none)
            WMI-->>DisableRate: completion (may sleep)
        end
        MAC->>MAC: update arvif->bitrate_mask
        MAC->>HW: ieee80211_iterate_stations_atomic(hw, update_new_fixed_rate, arvif)
        MAC->>MAC: mutex_unlock(ar->conf_mutex)
    end
    MAC-->>Caller: return status

Loading

File-Level Changes

Change	Details	Files
Use mutex-based station iteration instead of atomic iteration when disabling peer fixed-rate in ath11k MAC bitrate mask handling to avoid sleeping in atomic context.	Replace ieee80211_iterate_stations_atomic() with ieee80211_iterate_stations_mtx() in ath11k_mac_op_set_bitrate_mask() when clearing fixed-rate configuration on all stations for a vif Ensure the callback ath11k_mac_disable_peer_fixed_rate(), which can sleep, is only invoked from a non-atomic context guarded by mac80211 station list mutexes	drivers/net/wireless/ath/ath11k/mac.c

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[deepin-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from opsiff. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• deepin/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[deepin-ci-robot]

deepin pr auto review

我来对这个代码修改进行审查：

1. 语法逻辑分析：

• 代码将 ieee80211_iterate_stations_atomic 替换为 ieee80211_iterate_stations_mtx
• 这是一个合理的改动，因为函数名从 _atomic 变为 _mtx 暗示了迭代方式的改变，从原子操作改为使用互斥锁的方式

2. 代码质量：

• 改动提高了代码的安全性，因为使用互斥锁可以更好地保护共享资源
• 修改保持了一致的缩进和格式，符合内核代码风格

3. 代码性能：

• 从原子操作改为互斥锁可能会带来轻微的性能开销，因为需要获取锁
• 但是这种改动通常是必要的，因为原子操作在复杂场景下可能不够安全

4. 代码安全：

• 使用互斥锁版本（iterate_stations_mtx）比原子版本（iterate_stations_atomic）更安全
• 原子操作在复杂的回调函数中可能导致死锁或其他并发问题
• 互斥锁版本提供了更好的同步保护，特别是在需要访问共享数据结构时

改进建议：

1. 这个改动是正确的，但建议在代码注释中说明为什么要从原子操作改为互斥锁操作
2. 确保所有调用 ieee80211_iterate_stations_mtx 的地方都已经正确处理了锁的获取和释放
3. 建议检查 ath11k_mac_disable_peer_fixed_rate 回调函数是否可能在持有锁的情况下睡眠，如果是，那么必须使用互斥锁版本

总体来说，这个修改是合理的，提高了代码的安全性和可靠性，虽然可能会有轻微的性能影响，但这种影响是值得的，因为它避免了潜在的并发问题。

[sourcery-ai]

Hey there - I've reviewed your changes and they look great!

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[Copilot]

Pull request overview

This pull request addresses CVE-2025-39732 by fixing a sleeping-in-atomic bug in the ath11k wireless driver. The issue occurs because ath11k_mac_disable_peer_fixed_rate() can sleep (it calls ath11k_wmi_set_peer_param() which may block), but was being passed to ieee80211_iterate_stations_atomic() which requires atomic context. The fix replaces the atomic station iterator with ieee80211_iterate_stations_mtx(), which allows sleeping operations.

Key Changes:

• Replaced two calls to ieee80211_iterate_stations_atomic() with ieee80211_iterate_stations_mtx() when iterating with ath11k_mac_disable_peer_fixed_rate()
• This allows the iterator function to safely call sleeping WMI commands

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Inconsistent mutex handling: ieee80211_iterate_stations_mtx() is called with ar->conf_mutex held here (line 8287), but without it at line 8217-8219. The function ieee80211_iterate_stations_mtx() handles its own internal locking and should be called without holding ar->conf_mutex. Consider moving this call before the mutex_lock() at line 8287 to match the pattern at line 8217 and align with the ath12k driver implementation (see drivers/net/wireless/ath/ath12k/mac.c:6725-6729).