git.ipfire.org Git - thirdparty/hostap.git/commitdiff
nl80211: Fix crash by cancelling scan timeout before a BSS is removed
author: Dhanavandhana Kannan <dhanavandhana.kannan@oss.qualcomm.com>
Fri, 22 Aug 2025 11:02:42 +0000 (16:32 +0530)
committer: Jouni Malinen <j@w1.fi>
Tue, 26 Aug 2025 09:39:32 +0000 (12:39 +0300)
In wpa_driver_nl80211_deinit(), eloop_cancel_timeout() is called to
cancel any pending scan timeouts. However, the scan is typically
initiated using the first BSS context, while the timeout cancellation is
attempted using the last BSS being removed. This mismatch causes the
scan timeout to remain active.

The crash occurs after deinit, when the pending scan_timeout callback is
triggered and attempts to access the BSS context that has already been
freed.

Fix by ensuring that eloop_cancel_timeout() is called before any BSS
links are removed, so the correct context is still valid during
cancellation. Also, reset scan_link to NULL if the link being removed
matches the one used for scanning, preventing access to freed memory.

Signed-off-by: Dhanavandhana Kannan <dhanavandhana.kannan@oss.qualcomm.com>
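The failure mode described in the commit message, a timeout cancelled with the wrong key so the callback later fires against a torn-down context, can be reproduced with a small stand-in for an eloop-style timer registry. The following is an added example written for this page, not hostap's own eloop or driver code; the registry, the `bss_ctx`/`drv` structures and `simulate_deinit()` are constructed here, and instead of really freeing the contexts it marks them with a `freed` flag so the stale callback is counted rather than becoming a use-after-free.

```c
#include <stdlib.h>
#include <stdio.h>

/* Minimal constructed stand-in for an eloop timeout registry. Entries are
 * keyed on the same triple that eloop_cancel_timeout() matches on:
 * (handler, eloop_data, user_data). Not hostap's eloop. */
typedef void (*timeout_handler)(void *eloop_data, void *user_data);

struct timeout {
    timeout_handler handler;
    void *eloop_data;
    void *user_data;
    struct timeout *next;
};

static struct timeout *timeouts;

/* Register a pending timeout; returns 0 on success, -1 on allocation failure. */
static int register_timeout(timeout_handler h, void *eloop_data, void *user_data)
{
    struct timeout *t = calloc(1, sizeof(*t));
    if (!t)
        return -1;
    t->handler = h;
    t->eloop_data = eloop_data;
    t->user_data = user_data;
    t->next = timeouts;
    timeouts = t;
    return 0;
}

/* Remove every pending entry whose key triple matches; returns how many. */
static int cancel_timeout(timeout_handler h, void *eloop_data, void *user_data)
{
    int removed = 0;
    struct timeout **pp = &timeouts;
    while (*pp) {
        struct timeout *t = *pp;
        if (t->handler == h && t->eloop_data == eloop_data &&
            t->user_data == user_data) {
            *pp = t->next;
            free(t);
            removed++;
        } else {
            pp = &t->next;
        }
    }
    return removed;
}

/* Run and discard every pending timeout, as the event loop would later. */
static int fire_pending(void)
{
    int fired = 0;
    while (timeouts) {
        struct timeout *t = timeouts;
        timeouts = t->next;
        t->handler(t->eloop_data, t->user_data);
        free(t);
        fired++;
    }
    return fired;
}

/* Hypothetical per-BSS context and driver state (constructed). */
struct bss_ctx { int freed; int scan_callbacks; };
struct drv { struct bss_ctx *scan_ctx; };

static int stale_callbacks; /* handler runs that hit an already torn-down ctx */

/* Stand-in for the scan timeout handler. In real code the 'freed' check
 * does not exist: touching ctx here would be a use-after-free. */
static void scan_timeout(void *eloop_data, void *user_data)
{
    struct bss_ctx *ctx = user_data;
    (void)eloop_data;
    if (ctx->freed)
        stale_callbacks++;
    else
        ctx->scan_callbacks++;
}

/* Simulate deinit with two BSS contexts where the scan was started on the
 * first one. With cancel_with_scan_ctx == 0 the cancel uses the last BSS's
 * context (the mismatch the commit describes); with 1 it uses the context
 * the scan was registered with. Returns the number of stale callbacks. */
int simulate_deinit(int cancel_with_scan_ctx)
{
    struct bss_ctx ctx[2] = { { 0, 0 }, { 0, 0 } };
    struct drv d = { &ctx[0] };
    stale_callbacks = 0;

    register_timeout(scan_timeout, &d, &ctx[0]);   /* scan started on first BSS */
    cancel_timeout(scan_timeout, &d,
                   cancel_with_scan_ctx ? d.scan_ctx : &ctx[1]);
    ctx[0].freed = ctx[1].freed = 1;               /* contexts torn down */
    fire_pending();                                /* loop runs what is left */
    return stale_callbacks;
}

int main(void)
{
    printf("cancel with wrong ctx: %d stale callback(s)\n", simulate_deinit(0));
    printf("cancel with scan ctx:  %d stale callback(s)\n", simulate_deinit(1));
    return 0;
}
```

The point the example makes is that cancellation only works when the key matches what was registered, so the cancel has to run while the context that was used at registration time is still the one in hand, which is what moving the call ahead of the link teardown achieves.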
src/drivers/driver_nl80211.c

index eb279cda88575d86b8a02d93c40ba22b8a4d0dbc..693d846fe3f6eb3dfd61bfc599a51cb4f1284866 100644 (file)
@@ -9754,10 +9754,15 @@ int nl80211_remove_link(struct i802_bss *bss, int link_id)
 
        /* First remove the link locally */
        os_memset(link->addr, 0, ETH_ALEN);
+
+       eloop_cancel_timeout(wpa_driver_nl80211_scan_timeout, drv, bss->ctx);
        /* Clear the active links and set the flink */
        nl80211_update_active_links(bss, link_id);
        bss->valid_links &= ~BIT(link_id);
 
+       if (bss->scan_link == link)
+               bss->scan_link = NULL;
+
        /* If this was the last link, reset default link */
        if (!bss->valid_links) {
                /* TODO: Does keeping freq/bandwidth make sense? */
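Review bot: the new eloop_cancel_timeout() call runs on every link removal, not only when the link being removed is the one used for scanning, so removing an unrelated link while a scan is pending on another link silently drops that scan's timeout; the scan_link reset a few lines below is guarded with `if (bss->scan_link == link)`, so either apply the same guard to the cancel call or add a comment explaining why unconditional cancellation is intended here. Minor: a blank line or a short comment between the cancel call and `/* Clear the active links and set the flink */` would keep the two steps from reading as one.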