wifi: mac80211: use safe list iteration in radar detect work

The call to ieee80211_dfs_cac_cancel can cause the iterated chanctx to
be freed and removed from the list. Guard against this to avoid a
slab-use-after-free error.

Cc: stable@vger.kernel.org
Fixes: bca8bc0399ac ("wifi: mac80211: handle ieee80211_radar_detected() for MLO")
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Link: https://patch.msgid.link/20260505151539.236d63a1b736.I35dbb9e96a2d4a480be208770fdd99ba3b817b79@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index b093bc203c815939257bd9285836be82767163bf..2529b01e2cd55c1dbf690acdc52bb0694cfdd041 100644 (file)
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -3700,11 +3700,11 @@ void ieee80211_dfs_radar_detected_work(struct wiphy *wiphy,
        struct ieee80211_local *local =
                container_of(work, struct ieee80211_local, radar_detected_work);
        struct cfg80211_chan_def chandef;
-       struct ieee80211_chanctx *ctx;
+       struct ieee80211_chanctx *ctx, *tmp;
 
        lockdep_assert_wiphy(local->hw.wiphy);
 
-       list_for_each_entry(ctx, &local->chanctx_list, list) {
+       list_for_each_entry_safe(ctx, tmp, &local->chanctx_list, list) {
                if (ctx->replace_state == IEEE80211_CHANCTX_REPLACES_OTHER)
                        continue;