Commit de3c5142 authored Nov 21, 2025 by Johannes Berg

wifi: mac80211: fix channel switching code

My prior commit here introduced a bug due to copy/paste,
it was iterating the links assigned to 'ctx->replace_ctx'
and I replaced it by iterating links assigned to 'ctx' by
accident, then modified it for the iteration later.

Fix it to iterate the users of the correct chanctx, i.e.
'ctx->replace_ctx'.

Ultimately, this issue led to a crash in a hwsim test
(multi_ap_wps_shared_apdev_csa) because it would actually
do the switch (rather than refuse here) and then later
have a double-free of the original chanctx, because it
was still in use by another interface yet freed as part
of the switching.

Fixes: a1dc648a ("wifi: mac80211: remove chanctx to link back-references")
Link: https://patch.msgid.link/20251121113733.7710a58d45eb.Ie9ec010b52b1baed93dbe44f968c2119b6b5d98d@changeid


Signed-off-by: Johannes Berg <johannes.berg@intel.com>

parent 49a9feaf

net/mac80211/chan.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -1715,7 +1715,7 @@ static int ieee80211_vif_use_reserved_switch(struct ieee80211_local *local)
		n_reserved = 0;
		n_ready = 0;

		for_each_chanctx_user_assigned(local, ctx, &iter) {
		for_each_chanctx_user_assigned(local, ctx->replace_ctx, &iter) {
		n_assigned++;
		if (iter.link->reserved_chanctx) {
		n_reserved++;