[PATCH 1/1] Fix NAN USD state machine stall seen with listen failure.

[Jouni Malinen]

On Tue, Apr 29, 2025 at 01:48:41PM +0530, Ajay Davanageri wrote:
> If driver returns -EBUSY for remain_on_channel operation, NAN USD state-machine gets stuck and no further listen is configured from supplicant.
> This patch clears the states and re-triggers the nan_de_timer to restart the listen operation.

> diff --git a/src/common/nan_de.c b/src/common/nan_de.c
> @@ -165,7 +165,6 @@ void nan_de_flush(struct nan_de *de)
>  	nan_de_clear_pending(de);
>  }
>  
> -
>  static void nan_de_pause_state(struct nan_de_service *srv, const u8 *peer_addr,

Please do not include these unrelated whitespace changes in nan_de.c.

> diff --git a/wpa_supplicant/nan_usd.c b/wpa_supplicant/nan_usd.c

> +static void wpas_nan_usd_remain_on_channel_timeout(void *eloop_ctx, void *timeout_ctx)
> +{
> +	struct wpa_supplicant *wpa_s = (struct wpa_supplicant *)eloop_ctx;
> +	struct wpas_nan_usd_listen_work *lwork = (struct wpas_nan_usd_listen_work *)timeout_ctx;
> +
> +	wpas_nan_usd_cancel_remain_on_channel_cb(wpa_s, lwork->freq);
> +	return;
> +}

No need for those explicit typecasts from void pointers or that
"return;" at the end of the function.

> @@ -209,6 +218,9 @@ static void wpas_nan_usd_start_listen_cb(struct wpa_radio_work *work,
>  		wpas_nan_usd_listen_work_done(wpa_s);
> +                eloop_cancel_timeout(wpas_nan_usd_remain_on_channel_timeout, wpa_s, NULL);
> +		/* restart the listen state after a delay */
> +		eloop_register_timeout(0, 500, wpas_nan_usd_remain_on_channel_timeout, wpa_s, lwork)

wpas_nan_usd_listen_work_done() frees lwork. That would seem to result
in the callback function dereferencing freed memory (lwork->freq).

-- 
Jouni Malinen                                            PGP id EFC895FA