Commit 5ff64101 authored Jan 29, 2026 by Miri Korenblit

wifi: iwlwifi: mld: cancel mlo_scan_start_wk



mlo_scan_start_wk is not canceled on disconnection. In fact, it is not
canceled anywhere except in the restart cleanup, where we don't really
have to.

This can cause an init-after-queue issue: if, for example, the work was
queued and then drv_change_interface got executed.

This can also cause use-after-free: if the work is executed after the
vif is freed.

Fixes: 9748ad82 ("wifi: iwlwifi: defer MLO scan after link activation")
Reviewed-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20260129212650.a36482a60719.I5bf64a108ca39dacb5ca0dcd8b7258a3ce8db74c@changeid

parent 1cac3891

drivers/net/wireless/intel/iwlwifi/mld/iface.c

+0 −2

Original line number	Diff line number	Diff line
		@@ -55,8 +55,6 @@ void iwl_mld_cleanup_vif(void data, u8 mac, struct ieee80211_vif *vif)

		ieee80211_iter_keys(mld->hw, vif, iwl_mld_cleanup_keys_iter, NULL);

		wiphy_delayed_work_cancel(mld->wiphy, &mld_vif->mlo_scan_start_wk);

		CLEANUP_STRUCT(mld_vif);
		}

drivers/net/wireless/intel/iwlwifi/mld/mac80211.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -1759,6 +1759,8 @@ static int iwl_mld_move_sta_state_down(struct iwl_mld *mld,
		wiphy_work_cancel(mld->wiphy, &mld_vif->emlsr.unblock_tpt_wk);
		wiphy_delayed_work_cancel(mld->wiphy,
		&mld_vif->emlsr.check_tpt_wk);
		wiphy_delayed_work_cancel(mld->wiphy,
		&mld_vif->mlo_scan_start_wk);

		iwl_mld_reset_cca_40mhz_workaround(mld, vif);
		iwl_mld_smps_workaround(mld, vif, true);