]> git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
projects / thirdparty / kernel / linux.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 1cac389)
wifi: iwlwifi: mld: cancel mlo_scan_start_wk
authorMiri Korenblit <miriam.rachel.korenblit@intel.com>
Thu, 29 Jan 2026 19:27:09 +0000 (21:27 +0200)
committerMiri Korenblit <miriam.rachel.korenblit@intel.com>
Tue, 3 Feb 2026 13:02:05 +0000 (15:02 +0200)
mlo_scan_start_wk is not canceled on disconnection. In fact, it is not
canceled anywhere except in the restart cleanup, where we don't really
have to.

This can cause an init-after-queue issue: if, for example, the work was
queued and then drv_change_interface got executed.

This can also cause use-after-free: if the work is executed after the
vif is freed.

Fixes: 9748ad82a9d9 ("wifi: iwlwifi: defer MLO scan after link activation")
Reviewed-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20260129212650.a36482a60719.I5bf64a108ca39dacb5ca0dcd8b7258a3ce8db74c@changeid
drivers/net/wireless/intel/iwlwifi/mld/iface.c patch | blob | blame | history
drivers/net/wireless/intel/iwlwifi/mld/mac80211.c patch | blob | blame | history

diff --git a/drivers/net/wireless/intel/iwlwifi/mld/iface.c b/drivers/net/wireless/intel/iwlwifi/mld/iface.c
index a5ececfc13e449e2ed54cd27aab2661c0a47f056..f15d1f5d1bf593839fa3c0c15daae55c7f8ca0f4 100644 (file)
--- a/drivers/net/wireless/intel/iwlwifi/mld/iface.c
+++ b/drivers/net/wireless/intel/iwlwifi/mld/iface.c
@@ -55,8 +55,6 @@ void iwl_mld_cleanup_vif(void *data, u8 *mac, struct ieee80211_vif *vif)
 
        ieee80211_iter_keys(mld->hw, vif, iwl_mld_cleanup_keys_iter, NULL);
 
-       wiphy_delayed_work_cancel(mld->wiphy, &mld_vif->mlo_scan_start_wk);
-
        CLEANUP_STRUCT(mld_vif);
 }
 
diff --git a/drivers/net/wireless/intel/iwlwifi/mld/mac80211.c b/drivers/net/wireless/intel/iwlwifi/mld/mac80211.c
index 55b484c162807f216e83d55b0ca281d87e93bec2..cd0dce8de85690df01f645a33439e326aaf14e31 100644 (file)
--- a/drivers/net/wireless/intel/iwlwifi/mld/mac80211.c
+++ b/drivers/net/wireless/intel/iwlwifi/mld/mac80211.c
@@ -1759,6 +1759,8 @@ static int iwl_mld_move_sta_state_down(struct iwl_mld *mld,
                        wiphy_work_cancel(mld->wiphy, &mld_vif->emlsr.unblock_tpt_wk);
                        wiphy_delayed_work_cancel(mld->wiphy,
                                                  &mld_vif->emlsr.check_tpt_wk);
+                       wiphy_delayed_work_cancel(mld->wiphy,
+                                                 &mld_vif->mlo_scan_start_wk);
 
                        iwl_mld_reset_cca_40mhz_workaround(mld, vif);
                        iwl_mld_smps_workaround(mld, vif, true);
A mirror of Linus' kernel repository