AP MLD: Fix radar event processing

When a radar event is received in an AP MLD operating on a DFS channel,
nl80211_radar_event() iterates over all the BSSs available in drv to
find a link matching the frequency of the event. If a link match is
found, the radar handler function tries to switch to a new channel with
the same bandwidth. In case no valid channels are available it disables
and re-enables the interface, reallocating the drv BSSs. However, the
loop in nl80211_radar_event() function continues to access the old
deallocated BSSs' address in the next iteration, causing a crash.

Since the radar handler function handles the event for all BSSs in an
interface, there is no need to call it again once a link match is found.
Hence, fix this issue by exiting the loop after calling the handler if a
link match is found for the radar event.

Also, since the loop already checks all the BSSs, remove the handler
present before the loop.

Fixes: bfc89d757b72 ("nl80211: Handle radar event properly during MLO")
Signed-off-by: Mohan Kumar G <quic_mkumarg@quicinc.com>

diff --git a/src/drivers/driver_nl80211_event.c b/src/drivers/driver_nl80211_event.c
index e50a81483c420200db570081428a75b2b76db8e5..f04ac64a1f8aa8f188ba699ce6793de9249ddbf8 100644 (file)
--- a/src/drivers/driver_nl80211_event.c
+++ b/src/drivers/driver_nl80211_event.c
@@ -2596,19 +2596,6 @@ static void nl80211_radar_event(struct i802_bss *bss, struct nlattr **tb)
        if (tb[NL80211_ATTR_CENTER_FREQ2])
                data.dfs_event.cf2 = nla_get_u32(tb[NL80211_ATTR_CENTER_FREQ2]);
 
-       /* Find a link match based on the frequency. If NL80211_DRV_LINK_ID_NA
-        * is returned, either a match was not found or the BSS could be
-        * operating as a non-MLO. */
-       data.dfs_event.link_id = nl80211_get_link_id_by_freq(
-               bss, data.dfs_event.freq);
-       if (data.dfs_event.link_id == NL80211_DRV_LINK_ID_NA) {
-               /* For non-MLO operation, frequency should still match */
-               if (!bss->valid_links &&
-                   bss->links[0].freq == data.dfs_event.freq)
-                       return nl80211_process_radar_event(bss, &data,
-                                                          event_type);
-       }
-
        wpa_printf(MSG_DEBUG,
                   "nl80211: Checking suitable BSS for the DFS event");
 
@@ -2616,8 +2603,16 @@ static void nl80211_radar_event(struct i802_bss *bss, struct nlattr **tb)
         * with NL80211_RADAR_NOP_FINISHED and NL80211_RADAR_PRE_CAC_EXPIRED.
         * Hence need to check on all BSSs. */
        for (bss_iter = drv->first_bss; bss_iter; bss_iter = bss_iter->next) {
+               /* Find a link match based on the frequency. If
+                * NL80211_DRV_LINK_ID_NA is returned, either a match was not
+                * found or the BSS could be operating as a non-MLO. */
                data.dfs_event.link_id = nl80211_get_link_id_by_freq(
                        bss_iter, data.dfs_event.freq);
+               /* If a link match is found, exit the loop after the handler is
+                * called */
+               if (data.dfs_event.link_id != NL80211_DRV_LINK_ID_NA)
+                       return nl80211_process_radar_event(bss_iter, &data,
+                                                          event_type);
                if (data.dfs_event.link_id == NL80211_DRV_LINK_ID_NA) {
                        /* For non-MLO operation, frequency should still match
                         */