Re: [PATCH ath-current] wifi: ath12k: prepare REO update element only for primary link

From: Jeff Johnson

Date: Thu Mar 19 2026 - 10:20:58 EST


On 3/18/2026 8:46 PM, Vasanthakumar Thiagarajan wrote:
>
>
> On 2/10/2026 8:37 AM, Baochen Qiang wrote:
>> Commit [1] introduces dp->reo_cmd_update_rx_queue_list for the purpose
>> of tracking all pending REO queue flush commands. The helper
>> ath12k_dp_prepare_reo_update_elem() allocates an element and populates
>> it with REO queue information, then adds it to the list. The element would
>> be helpful during the cleanup stage to finally unmap/free the corresponding
>> REO queue buffer.
>>
>> In MLO scenarios with more than one link, for non dp_primary_link_only
>> chips like WCN7850, that helper is called for each link peer. This
>> results in multiple elements added to the list but all of them pointing
>> to the same REO queue buffer. Consequently the same buffer gets
>> unmapped/freed multiple times:
>>
>> BUG kmalloc-2k (Tainted: G B W O ): Object already free
>> -----------------------------------------------------------------------------
>> Allocated in ath12k_wifi7_dp_rx_assign_reoq+0xce/0x280 [ath12k_wifi7] age=7436 cpu=10 pid=16130
>> __kmalloc_noprof
>> ath12k_wifi7_dp_rx_assign_reoq
>> ath12k_dp_rx_peer_tid_setup
>> ath12k_dp_peer_setup
>> ath12k_mac_station_add
>> ath12k_mac_op_sta_state
>> [...]
>> Freed in ath12k_dp_rx_tid_cleanup.part.0+0x25/0x40 [ath12k] age=1 cpu=27 pid=16137
>> kfree
>> ath12k_dp_rx_tid_cleanup.part.0
>> ath12k_dp_rx_reo_cmd_list_cleanup
>> ath12k_dp_cmn_device_deinit
>> ath12k_core_stop
>> ath12k_core_hw_group_cleanup
>> ath12k_pci_remove
>>
>> Fix this by allowing list addition for primary link only. Note
>> dp_primary_link_only chips like QCN9274 are not affected by this change,
>> because that's what they were doing in the first place.
>>
>> Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00302-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.115823.3
>>
>> Fixes: 3bf2e57e7d6c ("wifi: ath12k: Add Retry Mechanism for REO RX Queue Update Failures") # [1]
>> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221011
>> Signed-off-by: Baochen Qiang <baochen.qiang@xxxxxxxxxxxxxxxx>
>
> Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@xxxxxxxxxxxxxxxx>

Was there supposed to be a tag in front of that?
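
The double free described in the quoted commit message, as a simplified model added here; it is not ath12k code and not part of the thread. All struct and function names are hypothetical, and buffer releases are counted rather than performed so the model stays well defined.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
/* Simplified model with hypothetical names; this is not ath12k code. */
struct reo_queue_buf { int release_calls; }; /* one buffer shared by all link peers */
struct link_peer { bool primary_link; };
struct update_elem { struct reo_queue_buf *buf; struct update_elem *next; };

/* Queue one cleanup element per link peer; primary_only models the fix. */
static struct update_elem *queue_elems(struct reo_queue_buf *buf,
        const struct link_peer *peers, size_t n, bool primary_only)
{
    struct update_elem *head = NULL;
    for (size_t i = 0; i < n; i++) {
        if (primary_only && !peers[i].primary_link)
            continue;
        struct update_elem *e = malloc(sizeof(*e));
        if (!e) abort();
        e->buf = buf;
        e->next = head;
        head = e;
    }
    return head;
}

/* Walk the list as cleanup would; releases are counted, never really freed twice. */
static void cleanup(struct update_elem *head)
{
    while (head) {
        struct update_elem *next = head->next;
        head->buf->release_calls++;
        free(head);
        head = next;
    }
}

/* Constructed input: one MLO peer with two links, the first one primary. */
int releases_for_two_link_peer(bool primary_only)
{
    struct reo_queue_buf buf = { 0 };
    const struct link_peer peers[] = { { true }, { false } };
    cleanup(queue_elems(&buf, peers, 2, primary_only));
    return buf.release_calls;
}

int main(void)
{
    printf("per-link: %d, primary-only: %d\n",
           releases_for_two_link_peer(false), releases_for_two_link_peer(true));
    return 0;
}
```

A release count above 1 for the same buffer corresponds to the "Object already free" report in the quoted trace.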