]> git.ipfire.org Git - thirdparty/kernel/stable.git/commitdiff
projects / thirdparty / kernel / stable.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 5a2b4b0)
wifi: iwlwifi: mld: cancel mlo_scan_start_wk
authorMiri Korenblit <miriam.rachel.korenblit@intel.com>
Thu, 29 Jan 2026 19:27:09 +0000 (21:27 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 11 Feb 2026 12:41:57 +0000 (13:41 +0100)
[ Upstream commit 5ff641011ab7fb63ea101251087745d9826e8ef5 ]

mlo_scan_start_wk is not canceled on disconnection. In fact, it is not
canceled anywhere except in the restart cleanup, where we don't really
have to.

This can cause an init-after-queue issue: if, for example, the work was
queued and then drv_change_interface got executed.

This can also cause use-after-free: if the work is executed after the
vif is freed.

Fixes: 9748ad82a9d9 ("wifi: iwlwifi: defer MLO scan after link activation")
Reviewed-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20260129212650.a36482a60719.I5bf64a108ca39dacb5ca0dcd8b7258a3ce8db74c@changeid
Signed-off-by: Sasha Levin <sashal@kernel.org>
drivers/net/wireless/intel/iwlwifi/mld/iface.c patch | blob | blame | history
drivers/net/wireless/intel/iwlwifi/mld/mac80211.c patch | blob | blame | history

diff --git a/drivers/net/wireless/intel/iwlwifi/mld/iface.c b/drivers/net/wireless/intel/iwlwifi/mld/iface.c
index ed379825a923610abaccbaeca03ad00edb6abb27..240ce19996b347b63054f4f104e35622eb1e9437 100644 (file)
--- a/drivers/net/wireless/intel/iwlwifi/mld/iface.c
+++ b/drivers/net/wireless/intel/iwlwifi/mld/iface.c
@@ -55,8 +55,6 @@ void iwl_mld_cleanup_vif(void *data, u8 *mac, struct ieee80211_vif *vif)
 
        ieee80211_iter_keys(mld->hw, vif, iwl_mld_cleanup_keys_iter, NULL);
 
-       wiphy_delayed_work_cancel(mld->wiphy, &mld_vif->mlo_scan_start_wk);
-
        CLEANUP_STRUCT(mld_vif);
 }
 
diff --git a/drivers/net/wireless/intel/iwlwifi/mld/mac80211.c b/drivers/net/wireless/intel/iwlwifi/mld/mac80211.c
index 5725104a53bf0376eddf4f44e2e8ce35dcdad7ae..2a7e7417d7d84fdf9a6208a04fe1c9ac16236045 100644 (file)
--- a/drivers/net/wireless/intel/iwlwifi/mld/mac80211.c
+++ b/drivers/net/wireless/intel/iwlwifi/mld/mac80211.c
@@ -1755,6 +1755,8 @@ static int iwl_mld_move_sta_state_down(struct iwl_mld *mld,
                        wiphy_work_cancel(mld->wiphy, &mld_vif->emlsr.unblock_tpt_wk);
                        wiphy_delayed_work_cancel(mld->wiphy,
                                                  &mld_vif->emlsr.check_tpt_wk);
+                       wiphy_delayed_work_cancel(mld->wiphy,
+                                                 &mld_vif->mlo_scan_start_wk);
 
                        iwl_mld_reset_cca_40mhz_workaround(mld, vif);
                        iwl_mld_smps_workaround(mld, vif, true);
Mirror https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git