wifi: mac80211: use safe list iteration in radar detect work

The call to ieee80211_dfs_cac_cancel can cause the iterated chanctx to be freed and removed from the list. Guard against this to avoid a slab-use-after-free error. Cc: stable@vger.kernel.org Fixes: bca8bc0399ac ("wifi: mac80211: handle ieee80211_radar_detected() for MLO") Signed-off-by: Benjamin Berg <benjamin.berg@intel.com> Link: https://patch.msgid.link/20260505151539.236d63a1b736.I35dbb9e96a2d4a480be208770fdd99ba3b817b79@changeid Signed-off-by: Johannes Berg <johannes.berg@intel.com>
author: Benjamin Berg <benjamin.berg@intel.com> 2026-05-05 16:15:40 +0300
committer: Johannes Berg <johannes.berg@intel.com> 2026-05-05 19:07:39 +0300
commit: ac8eb3e18f41e2cc8492cc1d358bcb786c850270 (patch)
tree: 3b83de288d8a62b4cb361011ff0cdfe13a08fb5d
parent: 714ae274e869e197fef21c037156fe6e37ce9e7a (diff)
download: linux-ac8eb3e18f41e2cc8492cc1d358bcb786c850270.tar.xz
1 files changed, 2 insertions, 2 deletions
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index b093bc203c81..2529b01e2cd5 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -3700,11 +3700,11 @@ void ieee80211_dfs_radar_detected_work(struct wiphy *wiphy,
 	struct ieee80211_local *local =
 		container_of(work, struct ieee80211_local, radar_detected_work);
 	struct cfg80211_chan_def chandef;
-	struct ieee80211_chanctx *ctx;
+	struct ieee80211_chanctx *ctx, *tmp;
 
 	lockdep_assert_wiphy(local->hw.wiphy);
 
-	list_for_each_entry(ctx, &local->chanctx_list, list) {
+	list_for_each_entry_safe(ctx, tmp, &local->chanctx_list, list) {
 		if (ctx->replace_state == IEEE80211_CHANCTX_REPLACES_OTHER)
 			continue;
author	Benjamin Berg <benjamin.berg@intel.com>	2026-05-05 16:15:40 +0300
committer	Johannes Berg <johannes.berg@intel.com>	2026-05-05 19:07:39 +0300
commit	ac8eb3e18f41e2cc8492cc1d358bcb786c850270 (patch)
tree	3b83de288d8a62b4cb361011ff0cdfe13a08fb5d
parent	714ae274e869e197fef21c037156fe6e37ce9e7a (diff)
download	linux-ac8eb3e18f41e2cc8492cc1d358bcb786c850270.tar.xz