Commit ac8eb3e1 authored May 05, 2026 by Benjamin Berg Committed by Johannes Berg May 05, 2026

wifi: mac80211: use safe list iteration in radar detect work



The call to ieee80211_dfs_cac_cancel can cause the iterated chanctx to
be freed and removed from the list. Guard against this to avoid a
slab-use-after-free error.

Cc: stable@vger.kernel.org
Fixes: bca8bc03 ("wifi: mac80211: handle ieee80211_radar_detected() for MLO")
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Link: https://patch.msgid.link/20260505151539.236d63a1b736.I35dbb9e96a2d4a480be208770fdd99ba3b817b79@changeid


Signed-off-by: Johannes Berg <johannes.berg@intel.com>

parent 714ae274

net/mac80211/util.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -3700,11 +3700,11 @@ void ieee80211_dfs_radar_detected_work(struct wiphy *wiphy,
		struct ieee80211_local *local =
		container_of(work, struct ieee80211_local, radar_detected_work);
		struct cfg80211_chan_def chandef;
		struct ieee80211_chanctx *ctx;
		struct ieee80211_chanctx ctx, tmp;

		lockdep_assert_wiphy(local->hw.wiphy);

		list_for_each_entry(ctx, &local->chanctx_list, list) {
		list_for_each_entry_safe(ctx, tmp, &local->chanctx_list, list) {
		if (ctx->replace_state == IEEE80211_CHANCTX_REPLACES_OTHER)
		continue;