Some notifications (for example iwl_rfi_support_notif) requires an
operational FW. So we need to make sure that they were handled in
iwl_op_mode_mld_start before we stop the FW. Flush the async_handlers_wk
there to achieve that.
Also, if loading the FW in op mode start failed, we need to cancel
these notifications, as they are from a dead FW.
More than that, not doing so can cause us to access freed memory
if async_handlers_wk is executed after ieee80211_free_hw is called.
Fix this by canceling all async notifications if a failure occurred in
init (after ALIVE).
Fixes: d1e879ec600f ("wifi: iwlwifi: add iwlmld sub-driver")
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@xxxxxxxxx>
---
drivers/net/wireless/intel/iwlwifi/mld/fw.c | 13 ++++++++++---
drivers/net/wireless/intel/iwlwifi/mld/mld.c | 5 +++++
drivers/net/wireless/intel/iwlwifi/mld/mld.h | 5 -----
3 files changed, 15 insertions(+), 8 deletions(-)
diff --git a/drivers/net/wireless/intel/iwlwifi/mld/fw.c b/drivers/net/wireless/intel/iwlwifi/mld/fw.c
index 62da137e1024..4b083d447ee2 100644
--- a/drivers/net/wireless/intel/iwlwifi/mld/fw.c
+++ b/drivers/net/wireless/intel/iwlwifi/mld/fw.c
@@ -333,19 +333,22 @@ int iwl_mld_load_fw(struct iwl_mld *mld)
ret = iwl_trans_start_hw(mld->trans);
if (ret)
- return ret;
+ goto err;
ret = iwl_mld_run_fw_init_sequence(mld);
if (ret)
- return ret;
+ goto err;
ret = iwl_mld_init_mcc(mld);
if (ret)
- return ret;
+ goto err;
mld->fw_status.running = true;
return 0;
+err:
+ iwl_mld_stop_fw(mld);
+ return ret;
}
void iwl_mld_stop_fw(struct iwl_mld *mld)
@@ -358,6 +361,10 @@ void iwl_mld_stop_fw(struct iwl_mld *mld)
iwl_trans_stop_device(mld->trans);
+ wiphy_work_cancel(mld->wiphy, &mld->async_handlers_wk);
+
+ iwl_mld_purge_async_handlers_list(mld);
+
mld->fw_status.running = false;
}
diff --git a/drivers/net/wireless/intel/iwlwifi/mld/mld.c b/drivers/net/wireless/intel/iwlwifi/mld/mld.c
index d4a99ae64074..cfdf52b43c68 100644
--- a/drivers/net/wireless/intel/iwlwifi/mld/mld.c
+++ b/drivers/net/wireless/intel/iwlwifi/mld/mld.c
@@ -417,6 +417,11 @@ iwl_op_mode_mld_start(struct iwl_trans *trans, const struct iwl_cfg *cfg,
goto free_hw;
}
+ /* We are about to stop the FW. Notifications may require an
+ * operational FW, so handle them all here before we stop.
+ */
+ wiphy_work_flush(mld->wiphy, &mld->async_handlers_wk);
+
iwl_mld_stop_fw(mld);
wiphy_unlock(mld->wiphy);
diff --git a/drivers/net/wireless/intel/iwlwifi/mld/mld.h b/drivers/net/wireless/intel/iwlwifi/mld/mld.h
index 5eceaaf7696d..a4a16da6ebf3 100644
--- a/drivers/net/wireless/intel/iwlwifi/mld/mld.h
+++ b/drivers/net/wireless/intel/iwlwifi/mld/mld.h
@@ -298,11 +298,6 @@ iwl_cleanup_mld(struct iwl_mld *mld)
#endif
iwl_mld_low_latency_restart_cleanup(mld);
-
- /* Empty the list of async notification handlers so we won't process
- * notifications from the dead fw after the reconfig flow.
- */
- iwl_mld_purge_async_handlers_list(mld);
}
enum iwl_power_scheme {
--
2.34.1
