Commit 4f7a0779 authored by Miri Korenblit's avatar Miri Korenblit Committed by Johannes Berg
Browse files

wifi: iwlwifi: mld: properly handle async notification in op mode start 



From the moment that we have ALIVE, we can receive notification that
are handled asynchronously.

Some notifications (for example iwl_rfi_support_notif) requires an
operational FW. So we need to make sure that they were handled in
iwl_op_mode_mld_start before we stop the FW. Flush the async_handlers_wk
there to achieve that.

Also, if loading the FW in op mode start failed, we need to cancel
these notifications, as they are from a dead FW.

More than that, not doing so can cause us to access freed memory
if async_handlers_wk is executed after ieee80211_free_hw is called.

Fix this by canceling all async notifications if a failure occurred in
init (after ALIVE).

Fixes: d1e879ec ("wifi: iwlwifi: add iwlmld sub-driver")
Signed-off-by: default avatarMiri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20250420095642.1a8579662437.Ifd77d9c1a29fdd278b0a7bfc2709dd5d5e5efdb1@changeid


Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
parent 64dc5d5e

drivers/net/wireless/intel/iwlwifi/mld/fw.c

+10 −3
Original line number Diff line number Diff line
@@ -333,19 +333,22 @@ int iwl_mld_load_fw(struct iwl_mld *mld) 


	ret = iwl_trans_start_hw(mld->trans);

	if (ret)

		return ret;

		goto err;



	ret = iwl_mld_run_fw_init_sequence(mld);

	if (ret)

		return ret;

		goto err;



	ret = iwl_mld_init_mcc(mld);

	if (ret)

		return ret;

		goto err;



	mld->fw_status.running = true;



	return 0;

err:

	iwl_mld_stop_fw(mld);

	return ret;

}



void iwl_mld_stop_fw(struct iwl_mld *mld)
@@ -358,6 +361,10 @@ void iwl_mld_stop_fw(struct iwl_mld *mld) 


	iwl_trans_stop_device(mld->trans);



	wiphy_work_cancel(mld->wiphy, &mld->async_handlers_wk);



	iwl_mld_purge_async_handlers_list(mld);



	mld->fw_status.running = false;

}

drivers/net/wireless/intel/iwlwifi/mld/mld.c

+5 −0
Original line number Diff line number Diff line
@@ -417,6 +417,11 @@ iwl_op_mode_mld_start(struct iwl_trans *trans, const struct iwl_cfg *cfg, 
		goto free_hw;

	}



	/* We are about to stop the FW. Notifications may require an

	 * operational FW, so handle them all here before we stop.

	 */

	wiphy_work_flush(mld->wiphy, &mld->async_handlers_wk);



	iwl_mld_stop_fw(mld);



	wiphy_unlock(mld->wiphy);

drivers/net/wireless/intel/iwlwifi/mld/mld.h

+0 −5
Original line number Diff line number Diff line
@@ -298,11 +298,6 @@ iwl_cleanup_mld(struct iwl_mld *mld) 
#endif



	iwl_mld_low_latency_restart_cleanup(mld);



	/* Empty the list of async notification handlers so we won't process

	 * notifications from the dead fw after the reconfig flow.

	 */

	iwl_mld_purge_async_handlers_list(mld);

}



enum iwl_power_scheme {