[PATCH] wpa_supplicant: events: stop processing scan results when aborting

Wed May 13 04:50:14 PDT 2026

A problem was seen on NXP boards with an offloaded Wi-Fi stack where
the CPU could get stuck processing scan results over and over again
in cases where the scan is aborted.

This is reproducable on the target stack by starting a connection
to a non-existent SSID (thereby starting a scan) and then performing
a "Wi-Fi disconnect" command. That results in the thread getting stuck
processing the scan results over and over.

uart:~$ wifi connect -s nonexistent -p testtesttest -k 10
Connection requested
uart:~$ kernel sleep 1000
uart:~$ wifi disconnect

This one-line patch solves the issue by stopping scan processing early
without triggering follow-up events when the scan is aborted.

Platform: NXP RW610 running hostap on Zephyr v4.3

The issue has not been tested on other platforms, but it is submitted 
upsteam
as it seems to be a valuable sanity check.

This is what my AI has to say about it:

Overall Assessment: APPROVE
This is a well-targeted bugfix that addresses an infinite loop issue when
    aborting scan operations.

ISSUE ANALYSIS:
* Problem: When connecting to a non-existent Wi-Fi network and then calling
  wifi disconnect, the stack gets stuck in an infinite loop continually
  processing the same scan results.
* Root Cause: The function _wpa_supplicant_event_scan_results() was not 
checking
  if the scan was aborted before proceeding with scan result processing.
  This allowed the code to continue processing results from an aborted scan,
  leading to the infinite loop.

CODE CHANGE REVIEW:
* Correctness: The fix is correct. By checking data->scan_info.aborted, the
    function now exits early when processing aborted scan results, 
preventing
    further processing that would lead to the loop.
* Defensive Programming: The check includes proper null-pointer 
protection (data &&)
    before accessing data->scan_info.aborted.
* Minimal Impact: The fix is minimal and surgical - only one line changed,
    reducing risk of introducing new bugs.
* Return Value: Returns 1, which per the function documentation (lines 
2414-2421)
    means "scan results may be shared with other virtual interfaces but 
may not
    trigger any operations" - appropriate for aborted scans.

Signed-off-by: Frederik Van Bogaert <frederik.vanbogaert at mind.be>
---
wpa_supplicant/events.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c
index 0684ada71..b84e956d5 100644
--- a/wpa_supplicant/events.c
+++ b/wpa_supplicant/events.c
@@ -2582,7 +2582,7 @@ static int 
_wpa_supplicant_event_scan_results(struct wpa_supplicant *wpa_s,
wpa_s->last_scan_num_ssids = 0;
}

-if (update_only) {
+if (update_only || (data && data->scan_info.aborted)) {
ret = 1;
goto scan_work_done;
}
-- 
2.47.3



