wifi: iwlwifi: trans: cancel restart work on op mode leave
If the restart work happens to run after the opmode left
(i.e. called iwl_trans_op_mode_leave), then the opmode memory (including
its mutex) is likely to be freed already, and trans->opmode is NULL.

Although the hw is stopped in that stage, which means that this restart
got aborted (i.e. STATUS_RESET_PENDING will be cleared),
it still can access trans->opmode (NULL pointer dereference)
or the opmode's memory (which is freed).

Fix this by canceling the restart wk in iwl_trans_op_mode_leave.
Also make sure that the restart wk is really aborted.

Fixes: 7391b2a ("wifi: iwlwifi: rework firmware error handling")
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Reviewed-by: Johannes Berg <johannes.berg@intel.com>
Link: https://patch.msgid.link/20250306122425.801301ba1b8b.I6f6143f550b6335b699920c5d4b2b78449607a96@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Miri Korenblit authored and Johannes Berg committed Mar 7, 2025
1 parent b8c8a03 commit 1801a94
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions drivers/net/wireless/intel/iwlwifi/iwl-trans.c
Expand Up @@ -403,6 +403,8 @@ void iwl_trans_op_mode_leave(struct iwl_trans *trans)

iwl_trans_pcie_op_mode_leave(trans);

cancel_work_sync(&trans->restart.wk);

trans->op_mode = NULL;

trans->state = IWL_TRANS_NO_FW;
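
Review bot: The added cancel_work_sync(&trans->restart.wk) call, placed between iwl_trans_pcie_op_mode_leave(trans) and trans->op_mode = NULL, depends on that ordering but carries no comment saying so. As placed, it runs after the PCIe leave call, which per the commit message is the point where the hardware is stopped and a pending restart is aborted, and before op_mode is cleared, so a worker that is already running finishes while the op mode pointer is still set. A short comment above the call stating both constraints would keep a later reordering from reintroducing the NULL dereference or use of freed memory that the commit message describes. Two further points are worth confirming: cancel_work_sync() waits for a running worker, so callers of iwl_trans_op_mode_leave() must not hold a lock that the restart worker takes; and the commit message says the restart work is also made to really abort, but this two-line change shows only the cancel, so the message should say where that abort is guaranteed.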