Commit 4b4b8229 authored by Alan Cox's avatar Alan Cox Committed by Johannes Berg

mac80211: fix use after free

roc is destroyed and then roc->started is referenced. Keep a local cache of the flag.
Signed-off-by: default avatarAlan Cox <alan@linux.intel.com>
Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
parent ae33bd81
...@@ -324,6 +324,7 @@ void ieee80211_sw_roc_work(struct work_struct *work) ...@@ -324,6 +324,7 @@ void ieee80211_sw_roc_work(struct work_struct *work)
container_of(work, struct ieee80211_roc_work, work.work); container_of(work, struct ieee80211_roc_work, work.work);
struct ieee80211_sub_if_data *sdata = roc->sdata; struct ieee80211_sub_if_data *sdata = roc->sdata;
struct ieee80211_local *local = sdata->local; struct ieee80211_local *local = sdata->local;
bool started;
mutex_lock(&local->mtx); mutex_lock(&local->mtx);
...@@ -366,9 +367,10 @@ void ieee80211_sw_roc_work(struct work_struct *work) ...@@ -366,9 +367,10 @@ void ieee80211_sw_roc_work(struct work_struct *work)
/* finish this ROC */ /* finish this ROC */
finish: finish:
list_del(&roc->list); list_del(&roc->list);
started = roc->started;
ieee80211_roc_notify_destroy(roc); ieee80211_roc_notify_destroy(roc);
if (roc->started) { if (started) {
drv_flush(local, false); drv_flush(local, false);
local->tmp_channel = NULL; local->tmp_channel = NULL;
...@@ -379,7 +381,7 @@ void ieee80211_sw_roc_work(struct work_struct *work) ...@@ -379,7 +381,7 @@ void ieee80211_sw_roc_work(struct work_struct *work)
ieee80211_recalc_idle(local); ieee80211_recalc_idle(local);
if (roc->started) if (started)
ieee80211_start_next_roc(local); ieee80211_start_next_roc(local);
} }