
Commit 4b4b8229 authored by Alan Cox's avatar Alan Cox Committed by Johannes Berg

mac80211: fix use after free



roc is destroyed then roc->started is referenced. Keep a local cache.

Signed-off-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
parent ae33bd81
+4 −2
@@ -324,6 +324,7 @@ void ieee80211_sw_roc_work(struct work_struct *work)
		container_of(work, struct ieee80211_roc_work, work.work);
	struct ieee80211_sub_if_data *sdata = roc->sdata;
	struct ieee80211_local *local = sdata->local;
	bool started;

	mutex_lock(&local->mtx);

@@ -366,9 +367,10 @@ void ieee80211_sw_roc_work(struct work_struct *work)
		/* finish this ROC */
 finish:
		list_del(&roc->list);
		started = roc->started;
		ieee80211_roc_notify_destroy(roc);

		if (roc->started) {
		if (started) {
			drv_flush(local, false);

			local->tmp_channel = NULL;
@@ -379,7 +381,7 @@ void ieee80211_sw_roc_work(struct work_struct *work)

		ieee80211_recalc_idle(local);

		if (roc->started)
		if (started)
			ieee80211_start_next_roc(local);
	}
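Review bot: Nothing at the `finish:` label records why `started` is copied before `ieee80211_roc_notify_destroy(roc)`, so a later cleanup could fold it back into `roc->started` and reintroduce the use after free. A comment above the assignment, for example `/* roc is freed by ieee80211_roc_notify_destroy(); cache started first */`, would make the ordering visibly intentional. `roc` also remains in scope as a stale pointer for the rest of the block; if nothing later relies on its value, `roc = NULL;` right after the destroy call would turn an accidental dereference into an immediate fault instead of a read of freed memory. The lines between the second and third hunks are not shown, so it is worth confirming that no other `roc->` access remains there; the function body starts and ends outside the hunks.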