git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
wifi: mac80211: fix channel switching code
author Johannes Berg <johannes.berg@intel.com>
Fri, 21 Nov 2025 10:37:34 +0000 (11:37 +0100)
committer Johannes Berg <johannes.berg@intel.com>
Mon, 24 Nov 2025 12:05:11 +0000 (13:05 +0100)
My prior commit here introduced a bug due to copy/paste,
it was iterating the links assigned to 'ctx->replace_ctx'
and I replaced it by iterating links assigned to 'ctx' by
accident, then modified it for the iteration later.

Fix it to iterate the users of the correct chanctx, i.e.
'ctx->replace_ctx'.

Ultimately, this issue led to a crash in a hwsim test
(multi_ap_wps_shared_apdev_csa) because it would actually
do the switch (rather than refuse here) and then later
have a double-free of the original chanctx, because it
was still in use by another interface yet freed as part
of the switching.

Fixes: a1dc648aa76d ("wifi: mac80211: remove chanctx to link back-references")
Link: https://patch.msgid.link/20251121113733.7710a58d45eb.Ie9ec010b52b1baed93dbe44f968c2119b6b5d98d@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
net/mac80211/chan.c

index 6aa305839f534ff8369133128ff68268d71fef62..c8aba4183c9a2a0b758669c1661639a30bb818c6 100644 (file)
@@ -1715,7 +1715,7 @@ static int ieee80211_vif_use_reserved_switch(struct ieee80211_local *local)
                n_reserved = 0;
                n_ready = 0;
 
-               for_each_chanctx_user_assigned(local, ctx, &iter) {
+               for_each_chanctx_user_assigned(local, ctx->replace_ctx, &iter) {
                        n_assigned++;
                        if (iter.link->reserved_chanctx) {
                                n_reserved++;
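
Review bot: In the for_each_chanctx_user_assigned() line of ieee80211_vif_use_reserved_switch(), the only thing separating the correct iteration from the buggy one is the second macro argument (ctx versus ctx->replace_ctx), which is exactly what the copy/paste slip described in the commit message got wrong. A one-line comment above the loop stating that n_assigned and n_reserved count the users of the context being replaced, or a named local for ctx->replace_ctx, would make a repeat of that slip harder to miss in review. The visible context also does not show whether ctx->replace_ctx is known to be non-NULL at this point; that is worth confirming, since it is now passed straight into the iterator.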