On Tue, Apr 29, 2025 at 01:48:41PM +0530, Ajay Davanageri wrote:
> If the driver returns -EBUSY for the remain_on_channel operation, the NAN USD state machine gets stuck and no further listen is configured from the supplicant.
> This patch clears the states and re-triggers the nan_de_timer to restart the listen operation.

> diff --git a/src/common/nan_de.c b/src/common/nan_de.c
> @@ -165,7 +165,6 @@ void nan_de_flush(struct nan_de *de)
> nan_de_clear_pending(de);
> }
>
> -
> static void nan_de_pause_state(struct nan_de_service *srv, const u8 *peer_addr,

Please do not include these unrelated whitespace changes in nan_de.c.

> diff --git a/wpa_supplicant/nan_usd.c b/wpa_supplicant/nan_usd.c

> +static void wpas_nan_usd_remain_on_channel_timeout(void *eloop_ctx, void *timeout_ctx)
> +{
> + struct wpa_supplicant *wpa_s = (struct wpa_supplicant *)eloop_ctx;
> + struct wpas_nan_usd_listen_work *lwork = (struct wpas_nan_usd_listen_work *)timeout_ctx;
> +
> + wpas_nan_usd_cancel_remain_on_channel_cb(wpa_s, lwork->freq);
> + return;
> +}

No need for those explicit typecasts from void pointers or that "return;" at the end of the function.

> @@ -209,6 +218,9 @@ static void wpas_nan_usd_start_listen_cb(struct wpa_radio_work *work,
> wpas_nan_usd_listen_work_done(wpa_s);
> + eloop_cancel_timeout(wpas_nan_usd_remain_on_channel_timeout, wpa_s, NULL);
> + /* restart the listen state after a delay */
> + eloop_register_timeout(0, 500, wpas_nan_usd_remain_on_channel_timeout, wpa_s, lwork)

wpas_nan_usd_listen_work_done() frees lwork. That would seem to result in the callback function dereferencing freed memory (lwork->freq).

--
Jouni Malinen
PGP id EFC895FA

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
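Review bot: the nan_de.c hunk (@@ -165,7 +165,6 @@) only removes a blank line ahead of nan_de_pause_state() and has no connection to the -EBUSY handling the commit message describes; drop it so the patch contains the functional change alone and stays easy to bisect.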
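Review bot: in the new wpas_nan_usd_remain_on_channel_timeout() the only thing taken from lwork is lwork->freq, yet the whole struct pointer is carried as the timeout context, which ties the timer's validity to the lifetime of the listen work; storing the frequency by value (for example in a wpa_s field) before the work is released removes that coupling and the need to cast timeout_ctx at all. On the style side, void * converts implicitly in C, so both casts can go, and the closing "return;" is dead text.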
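Review bot: in the @@ -209,6 +218,9 @@ hunk, lwork is freed by wpas_nan_usd_listen_work_done() on the line immediately above the eloop_register_timeout() call that hands it to the timer, so the callback later reads freed memory; copy the frequency out before the work is done and register the timeout with that copy instead. Two further problems on the same lines: eloop_cancel_timeout() is given NULL as the user context while the register call uses lwork, and eloop matches contexts exactly unless ELOOP_ALL_CTX is passed, so a pending timeout would not be cancelled; and the eloop_register_timeout() line has no terminating semicolon. Also note the second argument of eloop_register_timeout() is microseconds, so "0, 500" is 500 µs, not the half-second delay the comment appears to intend.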