From: Dhanavandhana Kannan Date: Fri, 22 Aug 2025 11:02:42 +0000 (+0530) Subject: nl80211: Fix crash by cancelling scan timeout before a BSS is removed X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5ce1d41803866782bbd96d575f53d43358a20a2e;p=thirdparty%2Fhostap.git nl80211: Fix crash by cancelling scan timeout before a BSS is removed In wpa_driver_nl80211_deinit(), eloop_cancel_timeout() is called to cancel any pending scan timeouts. However, the scan is typically initiated using the first BSS context, while the timeout cancellation is attempted using the last BSS being removed. This mismatch causes the scan timeout to remain active. The crash occurs after deinit, when the pending scan_timeout callback is triggered and attempts to access the BSS context that has already been freed. Fix by ensuring that eloop_cancel_timeout() is called before any BSS links are removed, so the correct context is still valid during cancellation. Also, reset scan_link to NULL if the link being removed matches the one used for scanning, preventing access to freed memory. Signed-off-by: Dhanavandhana Kannan --- diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c index eb279cda8..693d846fe 100644 --- a/src/drivers/driver_nl80211.c +++ b/src/drivers/driver_nl80211.c @@ -9754,10 +9754,15 @@ int nl80211_remove_link(struct i802_bss *bss, int link_id) /* First remove the link locally */ os_memset(link->addr, 0, ETH_ALEN); + + eloop_cancel_timeout(wpa_driver_nl80211_scan_timeout, drv, bss->ctx); /* Clear the active links and set the flink */ nl80211_update_active_links(bss, link_id); bss->valid_links &= ~BIT(link_id); + if (bss->scan_link == link) + bss->scan_link = NULL; + /* If this was the last link, reset default link */ if (!bss->valid_links) { /* TODO: Does keeping freq/bandwidth make sense? */
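Review bot: The eloop_cancel_timeout() added right after os_memset(link->addr, 0, ETH_ALEN) runs unconditionally on every link removal, but the timeout is keyed only on drv and bss->ctx, which are shared by all links of this BSS, so removing a link that is not the scanning one still drops a pending scan timeout for a scan started on another, still valid, link and that scan would then never be completed by the timeout path. Consider guarding the cancellation with the same condition the hunk adds a few lines later, i.e. move it inside the `if (bss->scan_link == link)` block so that the timeout is cancelled exactly when the scan link is the one being torn down:

	if (bss->scan_link == link) {
		eloop_cancel_timeout(wpa_driver_nl80211_scan_timeout, drv, bss->ctx);
		bss->scan_link = NULL;
	}

If the unconditional cancellation is intentional (for example because a scan on a link that is being reconfigured should be abandoned in all cases), that deserves a comment at the call site, and the commit message should also say that the fix lands in nl80211_remove_link() rather than only describing the wpa_driver_nl80211_deinit() path, since the ordering argument in the message ("before any BSS links are removed") is what this hunk actually implements.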