[PATCH] nl80211: fix crash when stopping non first BSS during ACS

Jouni Malinen j at w1.fi
Thu Mar 19 10:03:35 PDT 2026


On Wed, Mar 04, 2026 at 06:41:40PM +0100, Nicolas Escande wrote:
> When a non MLD interface is stopped during ACS while this BSS isn't the first
> of the DRV on a MLO capable phy, we end up deleting the BSS without calling
> wpa_driver_nl80211_deinit() which does not cancel the pending scan_timeout.
> The problem was mitigated for MLD by cancelling the scan timeout in the
> nl80211_remove_link() by 5ce1d4180386 ("nl80211: Fix crash by cancelling scan
> timeout before a BSS is removed") but for non MLD it will still trigger a
> use after free & a crash like below.
> 
> For lack of a better place, let's cancel the timeout when we remove the underlying
> wlan interface. At that point it's clear we do not care about handling this
> timeout anyway.

Thanks, applied.
 
-- 
Jouni Malinen                                            PGP id EFC895FA
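
The failure mode described in the quoted commit message, as an added example that is not part of the original message or of hostapd's code: a toy timeout table (a stand-in for an event loop, with hypothetical names throughout) shows that freeing a BSS without first cancelling its scan timeout leaves a pending callback pointing at freed memory.

```c
#include <stdio.h>
#include <stdlib.h>
/* Toy timeout table: a stand-in for an event loop, not hostapd's eloop. */
typedef void (*timeout_cb)(void *ctx);
struct timeout { timeout_cb cb; void *ctx; int active; };
#define MAX_TIMEOUTS 8
static struct timeout timeouts[MAX_TIMEOUTS];
static int timeout_register(timeout_cb cb, void *ctx) {
    for (int i = 0; i < MAX_TIMEOUTS; i++) {
        if (timeouts[i].active) continue;
        timeouts[i] = (struct timeout){ cb, ctx, 1 };
        return 0;
    }
    return -1; /* table full */
}

/* Count pending timeouts bound to ctx; with cancel set, also drop them. */
static int timeout_scan(void *ctx, int cancel) {
    int n = 0;
    for (int i = 0; i < MAX_TIMEOUTS; i++)
        if (timeouts[i].active && timeouts[i].ctx == ctx) {
            n++;
            if (cancel) timeouts[i].active = 0;
        }
    return n;
}
struct bss { int scan_in_progress; }; /* hypothetical per-BSS state */
/* Would write through ctx when fired: a use after free if bss is gone. */
static void scan_timeout(void *ctx) { ((struct bss *)ctx)->scan_in_progress = 0; }
static struct bss *bss_start_scan(void) {
    struct bss *bss = calloc(1, sizeof(*bss));
    if (!bss) return NULL;
    bss->scan_in_progress = 1;
    if (timeout_register(scan_timeout, bss) < 0) { free(bss); return NULL; }
    return bss;
}

/* Free a BSS; returns how many pending timeouts still point at it. */
static int bss_remove(struct bss *bss, int cancel_first) {
    if (cancel_first) timeout_scan(bss, 1);
    int dangling = timeout_scan(bss, 0); /* counted before free() */
    free(bss);
    return dangling;
}
int main(void) {
    printf("cancel first: %d dangling\n", bss_remove(bss_start_scan(), 1));
    printf("no cancel:    %d dangling\n", bss_remove(bss_start_scan(), 0));
    return 0;
}
```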


