On Fri, 2025-03-14 at 12:04 +0100, Remi Pommarel wrote: > After ieee80211_do_stop() SKB from vif's txq could still be processed. > Indeed another concurrent vif schedule_and_wake_txq call could cause > those packets to be dequeued (see ieee80211_handle_wake_tx_queue()) > without checking the sdata current state. > > Because vif.drv_priv is now cleared in this function, this could lead to > driver crash. > > For example in ath12k, ahvif is store in vif.drv_priv. Thus if > ath12k_mac_op_tx() is called after ieee80211_do_stop(), ahvif->ah can be > NULL, leading the ath12k_warn(ahvif->ah,...) call in this function to > trigger the NULL deref below. > > Unable to handle kernel paging request at virtual address dfffffc000000001 > Also here, can you find a Fixes: tag? johannes
