wifi: iwlwifi: trans: cancel restart work on op mode leave

JIRA: https://issues.redhat.com/browse/RHEL-79791

commit 1801a94
Author: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Date:   Thu Mar 6 12:25:48 2025 +0200

    wifi: iwlwifi: trans: cancel restart work on op mode leave
    
    If the restart work happens to run after the opmode left
    (i.e. called iwl_trans_op_mode_leave), then the opmode memory (including
    its mutex) is likely to be freed already, and trans->opmode is NULL.
    
    Although the hw is stopped in that stage, which means that this restart
    got aborted (i.e. STATUS_RESET_PENDING will be cleared),
    it still can access trans->opmode (NULL pointer dereference)
    or the opmodes memory (which is freed).
    
    Fix this by canceling the restart wk in iwl_trans_op_mode_leave.
    Also make sure that the restart wk is really aborted.
    
    Fixes: 7391b2a ("wifi: iwlwifi: rework firmware error handling")
    Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
    Reviewed-by: Johannes Berg <johannes.berg@intel.com>
    Link: https://patch.msgid.link/20250306122425.801301ba1b8b.I6f6143f550b6335b699920c5d4b2b78449607a96@changeid
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>

Signed-off-by: Jose Ignacio Tornos Martinez <jtornosm@redhat.com>

Author: jtornosm

drivers/net/wireless/intel/iwlwifi/iwl-trans.c

@@ -403,6 +403,8 @@ void iwl_trans_op_mode_leave(struct iwl_trans *trans)
 
 	iwl_trans_pcie_op_mode_leave(trans);
 
+	cancel_work_sync(&trans->restart.wk);
+
 	trans->op_mode = NULL;
 
 	trans->state = IWL_TRANS_NO_FW;