From: Johannes Berg <johannes.berg@intel.com>
Date: Tue, 5 May 2026 13:17:31 +0000 (+0200)
Subject: wifi: mac80211: check stations are removed before MLD change
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ae6691b8c1fde1a21579386664fa971c76504f2b;p=thirdparty%2Fkernel%2Flinux.git

wifi: mac80211: check stations are removed before MLD change

If an interface changes to/from MLD, then all stations related
to it must have been removed first. This is just natural since
we go from having links to not (or vice versa), but not doing
so also causes crashes in debugfs since vif changing to/from
MLD removes the entire debugfs for the vif, including stations.

Delete all stations but warn in this case, other code should
be handling it, in effect fail fast rather than doing a double
free or use-after-free in debugfs.

Link: https://patch.msgid.link/20260505151731.3d7cbb8b952c.I4ce7b536e8af26d7b115e82fd733734446cc56a4@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---

diff --git a/net/mac80211/link.c b/net/mac80211/link.c
index 93e290dd783f2..e81dd02de12e0 100644
--- a/net/mac80211/link.c
+++ b/net/mac80211/link.c
@@ -2,7 +2,7 @@
 /*
  * MLO link handling
  *
- * Copyright (C) 2022-2025 Intel Corporation
+ * Copyright (C) 2022-2026 Intel Corporation
  */
 #include <linux/slab.h>
 #include <linux/kernel.h>
@@ -307,6 +307,9 @@ static int ieee80211_vif_update_links(struct ieee80211_sub_if_data *sdata,
 	if (old_links == new_links && dormant_links == sdata->vif.dormant_links)
 		return 0;
 
+	if (!old_links || !new_links)
+		WARN_ON(sta_info_flush(sdata, -1) > 0);
+
 	/* if there were no old links, need to clear the pointers to deflink */
 	if (!old_links)
 		rem |= BIT(0);