ng freed. In order to fix the issue cancel the
corresponding work before destroying rfkill in cfg80211_dev_free().

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Fixes: 1f87f7d3a3b4 ("cfg80211: add rfkill support")
Cc: stable@vger.kernel.org
Signed-off-by: Daniil Dulov <d.dulov@aladdin.ru>
---
 net/wireless/core.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/wireless/core.c b/net/wireless/core.c
index 54a34d8d356e..e94f69205f50 100644
--- a/net/wireless/core.c
+++ b/net/wireless/core.c
@@ -1226,6 +1226,7 @@ void cfg80211_dev_free(struct cfg80211_registered_device *rdev)
 	spin_unlock_irqrestore(&rdev->wiphy_work_lock, flags);
 	cancel_work_sync(&rdev->wiphy_work);
 
+	cancel_work_sync(&rdev->rfkill_block);
 	rfkill_destroy(rdev->wiphy.rfkill);
 	list_for_each_entry_safe(reg, treg, &rdev->beacon_registrations, list) {
 		list_del(&reg->list);
-- 
2.34.1[PATCH] wifi: cfg80211: Fix use-after-free in cfg80211_shutdown_all_interfacesDaniil Dulov <d.dulov@aladdin.ru> undefinedJohannes Berg <johannes@sipsolutions.net> undefined undefined undefined undefined undefined undefined�,��G