mt76: fix potential deadlock on cancelling workqueues

mutex->lock must not be held while cancelling workqueues, because it is held
by the workqueue items themselves

Signed-off-by: Felix Fietkau <nbd@nbd.name>

mt76x0/main.c

@@ -21,7 +21,6 @@ mt76x0_set_channel(struct mt76x02_dev *dev, struct cfg80211_chan_def *chandef)
 {
 	int ret;
 
-	cancel_delayed_work_sync(&dev->cal_work);
 	if (mt76_is_mmio(dev)) {
 		tasklet_disable(&dev->pre_tbtt_tasklet);
 		tasklet_disable(&dev->dfs_pd.dfs_tasklet);
@@ -51,6 +50,9 @@ int mt76x0_config(struct ieee80211_hw *hw, u32 changed)
 	struct mt76x02_dev *dev = hw->priv;
 	int ret = 0;
 
+	if (changed & IEEE80211_CONF_CHANGE_CHANNEL)
+		cancel_delayed_work_sync(&dev->cal_work);
+
 	mutex_lock(&dev->mt76.mutex);
 
 	if (changed & IEEE80211_CONF_CHANGE_CHANNEL) {

mt76x0/pci.c

@@ -45,6 +45,7 @@ static void mt76x0e_stop_hw(struct mt76x02_dev *dev)
 	cancel_delayed_work_sync(&dev->cal_work);
 	cancel_delayed_work_sync(&dev->mac_work);
 
+	mutex_lock(&dev->mt76.mutex);
 	if (!mt76_poll(dev, MT_WPDMA_GLO_CFG, MT_WPDMA_GLO_CFG_TX_DMA_BUSY,
 		       0, 1000))
 		dev_warn(dev->mt76.dev, "TX DMA did not stop\n");
@@ -56,16 +57,15 @@ static void mt76x0e_stop_hw(struct mt76x02_dev *dev)
 		       0, 1000))
 		dev_warn(dev->mt76.dev, "TX DMA did not stop\n");
 	mt76_clear(dev, MT_WPDMA_GLO_CFG, MT_WPDMA_GLO_CFG_RX_DMA_EN);
+	mutex_unlock(&dev->mt76.mutex);
 }
 
 static void mt76x0e_stop(struct ieee80211_hw *hw)
 {
 	struct mt76x02_dev *dev = hw->priv;
 
-	mutex_lock(&dev->mt76.mutex);
 	clear_bit(MT76_STATE_RUNNING, &dev->mt76.state);
 	mt76x0e_stop_hw(dev);
-	mutex_unlock(&dev->mt76.mutex);
 }
 
 static void

mt76x0/usb.c

@@ -91,6 +91,7 @@ static void mt76x0u_mac_stop(struct mt76x02_dev *dev)
 	if (test_bit(MT76_REMOVED, &dev->mt76.state))
 		return;
 
+	mutex_lock(&dev->mt76.mutex);
 	mt76_clear(dev, MT_BEACON_TIME_CFG, MT_BEACON_TIME_CFG_TIMER_EN |
 		   MT_BEACON_TIME_CFG_SYNC_MODE | MT_BEACON_TIME_CFG_TBTT_EN |
 		   MT_BEACON_TIME_CFG_BEACON_TX);
@@ -102,6 +103,7 @@ static void mt76x0u_mac_stop(struct mt76x02_dev *dev)
 
 	if (!mt76_poll(dev, MT_USB_DMA_CFG, MT_USB_DMA_CFG_RX_BUSY, 0, 1000))
 		dev_warn(dev->mt76.dev, "RX DMA did not stop\n");
+	mutex_unlock(&dev->mt76.mutex);
 }
 
 static int mt76x0u_start(struct ieee80211_hw *hw)
@@ -131,9 +133,7 @@ static void mt76x0u_stop(struct ieee80211_hw *hw)
 {
 	struct mt76x02_dev *dev = hw->priv;
 
-	mutex_lock(&dev->mt76.mutex);
 	mt76x0u_mac_stop(dev);
-	mutex_unlock(&dev->mt76.mutex);
 }
 
 static const struct ieee80211_ops mt76x0u_ops = {

mt76x2/pci_main.c

@@ -49,19 +49,15 @@ mt76x2_stop(struct ieee80211_hw *hw)
 {
 	struct mt76x02_dev *dev = hw->priv;
 
-	mutex_lock(&dev->mt76.mutex);
 	clear_bit(MT76_STATE_RUNNING, &dev->mt76.state);
 	mt76x2_stop_hardware(dev);
-	mutex_unlock(&dev->mt76.mutex);
 }
 
 static int
 mt76x2_set_channel(struct mt76x02_dev *dev, struct cfg80211_chan_def *chandef)
 {
 	int ret;
 
-	cancel_delayed_work_sync(&dev->cal_work);
-
 	set_bit(MT76_RESET, &dev->mt76.state);
 
 	mt76_set_channel(&dev->mt76);
@@ -95,6 +91,9 @@ mt76x2_config(struct ieee80211_hw *hw, u32 changed)
 	struct mt76x02_dev *dev = hw->priv;
 	int ret = 0;
 
+	if (changed & IEEE80211_CONF_CHANGE_CHANNEL)
+		cancel_delayed_work_sync(&dev->cal_work);
+
 	mutex_lock(&dev->mt76.mutex);
 
 	if (changed & IEEE80211_CONF_CHANGE_MONITOR) {

mt76x2/usb_main.c

@@ -52,7 +52,6 @@ mt76x2u_set_channel(struct mt76x02_dev *dev,
 {
 	int err;
 
-	cancel_delayed_work_sync(&dev->cal_work);
 	set_bit(MT76_RESET, &dev->mt76.state);
 
 	mt76_set_channel(&dev->mt76);
@@ -76,6 +75,9 @@ mt76x2u_config(struct ieee80211_hw *hw, u32 changed)
 	struct mt76x02_dev *dev = hw->priv;
 	int err = 0;
 
+	if (changed & IEEE80211_CONF_CHANGE_CHANNEL)
+		cancel_delayed_work_sync(&dev->cal_work);
+
 	mutex_lock(&dev->mt76.mutex);
 
 	if (changed & IEEE80211_CONF_CHANGE_MONITOR) {