diff options
| author | Peddolla Harshavardhan Reddy <peddolla.reddy@oss.qualcomm.com> | 2026-03-05 21:36:59 +0530 |
|---|---|---|
| committer | Johannes Berg <johannes.berg@intel.com> | 2026-03-06 12:41:59 +0100 |
| commit | 6dccbc9f3e1d38565dff7730d2b7d1e8b16c9b09 (patch) | |
| tree | 876ddba2e5a6b4eecf964bab8c4c86a30b11f784 /net | |
| parent | b94ae8e0d5fe1bdbbfdc3854ff6ce98f6876a828 (diff) | |
wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down
When the nl80211 socket that originated a PMSR request is
closed, cfg80211_release_pmsr() sets the request's nl_portid
to zero and schedules pmsr_free_wk to process the abort
asynchronously. If the interface is concurrently torn down
before that work runs, cfg80211_pmsr_wdev_down() calls
cfg80211_pmsr_process_abort() directly. However, the already-
scheduled pmsr_free_wk work item remains pending and may run
after the interface has been removed from the driver. This
could cause the driver's abort_pmsr callback to operate on a
torn-down interface, leading to undefined behavior and
potential crashes.
Cancel pmsr_free_wk synchronously in cfg80211_pmsr_wdev_down()
before calling cfg80211_pmsr_process_abort(). This ensures any
pending or in-progress work is drained before interface teardown
proceeds, preventing the work from invoking the driver abort
callback after the interface is gone.
Fixes: 9bb7e0f24e7e ("cfg80211: add peer measurement with FTM initiator API")
Signed-off-by: Peddolla Harshavardhan Reddy <peddolla.reddy@oss.qualcomm.com>
Link: https://patch.msgid.link/20260305160712.1263829-3-peddolla.reddy@oss.qualcomm.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Diffstat (limited to 'net')
| -rw-r--r-- | net/wireless/pmsr.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/net/wireless/pmsr.c b/net/wireless/pmsr.c index 44bd88c9ea66..50e8e19aa366 100644 --- a/net/wireless/pmsr.c +++ b/net/wireless/pmsr.c @@ -664,6 +664,7 @@ void cfg80211_pmsr_wdev_down(struct wireless_dev *wdev) } spin_unlock_bh(&wdev->pmsr_lock); + cancel_work_sync(&wdev->pmsr_free_wk); if (found) cfg80211_pmsr_process_abort(wdev); |