From: Johannes Berg My prior commit here introduced a bug due to copy/paste, it was iterating the links assigned to 'ctx->replace_ctx' and I replaced it by iterating links assigned to 'ctx' by accident, then modified it for the iteration later. Fix it to iterate the users of the correct chanctx, i.e. 'ctx->replace_ctx'. Ultimately, this issue led to a crash in a hwsim test (multi_ap_wps_shared_apdev_csa) because it would actually do the switch (rather than refuse here) and then later have a double-free of the original chanctx, because it was still in use by another interface yet freed as part of the switching. Fixes: a1dc648aa76d ("wifi: mac80211: remove chanctx to link back-references") Signed-off-by: Johannes Berg --- net/mac80211/chan.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/mac80211/chan.c b/net/mac80211/chan.c index 6aa305839f53..c8aba4183c9a 100644 --- a/net/mac80211/chan.c +++ b/net/mac80211/chan.c @@ -1715,7 +1715,7 @@ static int ieee80211_vif_use_reserved_switch(struct ieee80211_local *local) n_reserved = 0; n_ready = 0; - for_each_chanctx_user_assigned(local, ctx, &iter) { + for_each_chanctx_user_assigned(local, ctx->replace_ctx, &iter) { n_assigned++; if (iter.link->reserved_chanctx) { n_reserved++; -- 2.51.1