Re: [PATCH 6.1.y] wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work

From: Arend van Spriel

Date: Sat Mar 28 2026 - 06:56:33 EST


On 12/03/2026 04:14, Robert Garcia wrote:
From: Duoming Zhou <duoming@xxxxxxxxxx>

[ Upstream commit 9cb83d4be0b9b697eae93d321e0da999f9cdfcfc ]

The brcmf_btcoex_detach() only shuts down the btcoex timer, if the
flag timer_on is false. However, the brcmf_btcoex_timerfunc(), which
runs as timer handler, sets timer_on to false. This creates critical
race conditions:

[...]

To resolve the race conditions, drop the conditional check and call
timer_shutdown_sync() directly. It can deactivate the timer reliably,
regardless of its current state. Once stopped, the timer_on state is
then set to false.

Fixes: 61730d4dfffc ("brcmfmac: support critical protocol API for DHCP")
Acked-by: Arend van Spriel <arend.vanspriel@xxxxxxxxxxxx>
Signed-off-by: Duoming Zhou <duoming@xxxxxxxxxx>
Link: https://patch.msgid.link/20250822050839.4413-1-duoming@xxxxxxxxxx
Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx>
[ Keep del_timer_sync() instead of timer_shutdown_sync() here. ]
Signed-off-by: Robert Garcia <rob_garcia@xxxxxxx>

What tree should this go to? This looks like a stable patch, so probably it should have been CCed to stable@xxxxxxxxxxxxxxx?

Regards,
Arend