From: Johannes Berg Date: Fri, 21 Nov 2025 10:37:34 +0000 (+0100) Subject: wifi: mac80211: fix channel switching code X-Git-Tag: v6.19-rc1~170^2~33^2~9 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=de3c5142349c6cd67fbd20afc5b3ae320df436b7;p=thirdparty%2Fkernel%2Flinux.git wifi: mac80211: fix channel switching code My prior commit here introduced a bug due to copy/paste, it was iterating the links assigned to 'ctx->replace_ctx' and I replaced it by iterating links assigned to 'ctx' by accident, then modified it for the iteration later. Fix it to iterate the users of the correct chanctx, i.e. 'ctx->replace_ctx'. Ultimately, this issue led to a crash in a hwsim test (multi_ap_wps_shared_apdev_csa) because it would actually do the switch (rather than refuse here) and then later have a double-free of the original chanctx, because it was still in use by another interface yet freed as part of the switching. Fixes: a1dc648aa76d ("wifi: mac80211: remove chanctx to link back-references") Link: https://patch.msgid.link/20251121113733.7710a58d45eb.Ie9ec010b52b1baed93dbe44f968c2119b6b5d98d@changeid Signed-off-by: Johannes Berg --- diff --git a/net/mac80211/chan.c b/net/mac80211/chan.c index 6aa305839f534..c8aba4183c9a2 100644 --- a/net/mac80211/chan.c +++ b/net/mac80211/chan.c @@ -1715,7 +1715,7 @@ static int ieee80211_vif_use_reserved_switch(struct ieee80211_local *local) n_reserved = 0; n_ready = 0; - for_each_chanctx_user_assigned(local, ctx, &iter) { + for_each_chanctx_user_assigned(local, ctx->replace_ctx, &iter) { n_assigned++; if (iter.link->reserved_chanctx) { n_reserved++;
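Review bot: the changed `for_each_chanctx_user_assigned(local, ctx->replace_ctx, &iter)` line in `ieee80211_vif_use_reserved_switch()` differs from the buggy version by a single argument, and nothing in the surrounding context lines says which chanctx's users are meant to be counted. A one-line comment above the loop would help, stating that `n_assigned` and `n_reserved` count the users of the old context being replaced (`ctx->replace_ctx`), not of `ctx`. The commit message ties the wrong argument to a switch that should have been refused and a later double-free of the original chanctx, so the intent deserves to be written next to the code. The hunk also does not show whether `ctx->replace_ctx` is known to be non-NULL when the loop is reached. Please confirm that an earlier check in the function guarantees this, since the pointer is now passed straight into the iterator.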