From: Yuvarani V
Date: Fri, 19 Sep 2025 07:21:54 +0000 (+0530)
Subject: AP MLD: Fix context for ML PMKSA cache in link disabling cases
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=bcd271bf872cdea826eeedc39acd8f52a7fa0df4;p=thirdparty%2Fhostap.git

AP MLD: Fix context for ML PMKSA cache in link disabling cases

When the primary_auth link is disabled, its context remains assigned to the MLD-level PMKSA cache via pmksa_cache_auth_init(). This results in an invalid pointer being retained, which causes hostapd to crash when the disabled link is enabled. Fix this issue by updating the PMKSA cache context to point to the next valid primary authenticator using pmksa_cache_auth_set_ctx() when the primary_auth link is disabled.

Fixes: 799cc8eca9ef ("AP MLD: Define a new MLD-level PMKSA cache shared by all links")
Signed-off-by: Yuvarani V
---

diff --git a/src/ap/pmksa_cache_auth.c b/src/ap/pmksa_cache_auth.c
index 07155402f..a5394f744 100644
--- a/src/ap/pmksa_cache_auth.c
+++ b/src/ap/pmksa_cache_auth.c
@@ -470,6 +470,17 @@ void pmksa_cache_auth_deinit(struct rsn_pmksa_cache *pmksa)
 }


+/**
+ * pmksa_cache_auth_set_ctx - Set the context for PMKSA cache
+ * @cache: Pointer to the PMKSA cache structure
+ * @ctx: Context pointer to be stored in the cache
+ */
+void pmksa_cache_auth_set_ctx(struct rsn_pmksa_cache *cache, void *ctx)
+{
+ cache->ctx = ctx;
+}
+
+
 /**
  * pmksa_cache_auth_get - Fetch a PMKSA cache entry
  * @pmksa: Pointer to PMKSA cache data from pmksa_cache_auth_init()
diff --git a/src/ap/pmksa_cache_auth.h b/src/ap/pmksa_cache_auth.h
index c653b0306..8b4a4b30e 100644
--- a/src/ap/pmksa_cache_auth.h
+++ b/src/ap/pmksa_cache_auth.h
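Review bot: pmksa_cache_auth_set_ctx() in src/ap/pmksa_cache_auth.c dereferences `cache` unconditionally, so the new call in wpa_deinit() (the src/ap/wpa_auth.c hunk) would crash hostapd if `next_pa->ml_pmksa` were ever NULL on that path. A guard such as `if (cache) cache->ctx = ctx;` keeps the setter safe, unless callers outside this diff already guarantee a non-NULL cache. The kernel-doc comment should also state the lifetime rule the fix depends on: the stored ctx is presumably what gets passed to the free_cb registered in pmksa_cache_auth_init(), so it has to stay valid until the cache is deinitialized or the context is replaced again.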
@@ -46,6 +46,7 @@ struct rsn_pmksa_cache *
 pmksa_cache_auth_init(void (*free_cb)(struct rsn_pmksa_cache_entry *entry,
 void *ctx), void *ctx);
 void pmksa_cache_auth_deinit(struct rsn_pmksa_cache *pmksa);
+void pmksa_cache_auth_set_ctx(struct rsn_pmksa_cache *cache, void *ctx);
 struct rsn_pmksa_cache_entry *
 pmksa_cache_auth_get(struct rsn_pmksa_cache *pmksa,
 const u8 *spa, const u8 *pmkid);
diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
index 5e51ce809..bc711f53d 100644
--- a/src/ap/wpa_auth.c
+++ b/src/ap/wpa_auth.c
@@ -947,6 +947,7 @@ void wpa_deinit(struct wpa_authenticator *wpa_auth)
 * authenticator and start rekey timer.
 */
 next_pa->primary_auth = true;
+ pmksa_cache_auth_set_ctx(next_pa->ml_pmksa, next_pa);
 if (next_pa->conf.wpa_group_rekey)
 eloop_register_timeout(
 next_pa->conf.wpa_group_rekey,
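Review bot: The comment above this block in wpa_deinit() (src/ap/wpa_auth.c) still only mentions promoting the next authenticator and starting the rekey timer, so the reason for the added `pmksa_cache_auth_set_ctx()` call is not recorded next to it. Going by the commit message, the MLD-level cache otherwise keeps a pointer to the authenticator being torn down, which dangles once that authenticator is freed. I would add a line such as `/* Re-point the shared ML PMKSA cache at the new primary; the old ctx goes away with this authenticator. */` before the call. The enclosing block starts and ends outside the hunk, so whether the path without a next primary authenticator releases the cache cannot be checked from here.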