wifi: mac80211: fix channel switching code

My prior commit here introduced a bug due to copy/paste, it was iterating the links assigned to 'ctx->replace_ctx' and I replaced it by iterating links assigned to 'ctx' by accident, then modified it for the iteration later. Fix it to iterate the users of the correct chanctx, i.e. 'ctx->replace_ctx'. Ultimately, this issue led to a crash in a hwsim test (multi_ap_wps_shared_apdev_csa) because it would actually do the switch (rather than refuse here) and then later have a double-free of the original chanctx, because it was still in use by another interface yet freed as part of the switching. Fixes: a1dc648aa7 ("wifi: mac80211: remove chanctx to link back-references") Link: https://patch.msgid.link/20251121113733.7710a58d45eb.Ie9ec010b52b1baed93dbe44f968c2119b6b5d98d@changeid Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2025-12-07 20:06:24 +00:00 · 2025-11-21 11:37:34 +01:00
parent 49a9feaf30
commit de3c514234
1 changed files with 1 additions and 1 deletions
--- a/net/mac80211/chan.c
+++ b/net/mac80211/chan.c
@@ -1715,7 +1715,7 @@ static int ieee80211_vif_use_reserved_switch(struct ieee80211_local *local)
 		n_reserved = 0;
 		n_ready = 0;

-		for_each_chanctx_user_assigned(local, ctx, &iter) {
+		for_each_chanctx_user_assigned(local, ctx->replace_ctx, &iter) {
 			n_assigned++;
 			if (iter.link->reserved_chanctx) {
 				n_reserved++;