On 12/03/2026 04:14, Robert Garcia wrote:

From: Duoming Zhou <redacted>

[ Upstream commit 9cb83d4be0b9b697eae93d321e0da999f9cdfcfc ]

The brcmf_btcoex_detach() only shuts down the btcoex timer, if the
flag timer_on is false. However, the brcmf_btcoex_timerfunc(), which
runs as timer handler, sets timer_on to false. This creates critical
race conditions:

[...]

To resolve the race conditions, drop the conditional check and call
timer_shutdown_sync() directly. It can deactivate the timer reliably,
regardless of its current state. Once stopped, the timer_on state is
then set to false.

Fixes: 61730d4dfffc ("brcmfmac: support critical protocol API for DHCP")
Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Duoming Zhou <redacted>
Link: https://patch.msgid.link/20250822050839.4413-1-duoming@zju.edu.cn
Signed-off-by: Johannes Berg <redacted>
[ Keep del_timer_sync() instead of timer_shutdown_sync() here. ]
Signed-off-by: Robert Garcia <redacted>

What tree should this go to. This looks like a stable patch so probably 
it should have been CCed to stable@vger.kernel.org?

Regards,
Arend