mt76: mt7615: Use after free in mt7615_mcu_set_bcn()

We dereference "skb" when we assign: req.pkt_len = cpu_to_le16(MT_TXD_SIZE + skb->len); ^^^^^^^^ So this patch just moves the dev_kfree_skb() down a bit to avoid the use after free. Fixes: 04b8e659 ("mt76: add mac80211 driver for MT7615 PCIe-based chipsets") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Acked-by: Lorenzo Bianconi <lorenzo@kernel.org> Signed-off-by: Felix Fietkau <nbd@nbd.name>

mt76: mt7615: Use after free in mt7615_mcu_set_bcn()
We dereference "skb" when we assign: req.pkt_len = cpu_to_le16(MT_TXD_SIZE + skb->len); ^^^^^^^^ So this patch just moves the dev_kfree_skb() down a bit to avoid the use after free. Fixes: 04b8e659 ("mt76: add mac80211 driver for MT7615 PCIe-based chipsets") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Acked-by: Lorenzo Bianconi <lorenzo@kernel.org> Signed-off-by: Felix Fietkau <nbd@nbd.name>
9db1aec0 · Dan Carpenter · Felix Fietkau · b1571a0e · 9db1aec0
Commit 9db1aec0 authored May 03, 2019 by Dan Carpenter Committed by Felix Fietkau Jun 25, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

drivers/net/wireless/mediatek/mt76/mt7615/mcu.c drivers/net/wireless/mediatek/mt76/mt7615/mcu.c +1 -1

No files found.
--- a/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c
@@ -1270,7 +1270,6 @@ int mt7615_mcu_set_bcn(struct mt7615_dev *dev, struct ieee80211_vif *vif,
 	mt7615_mac_write_txwi(dev, (__le32 *)(req.pkt), skb, wcid, NULL,
 			      0, NULL);
 	memcpy(req.pkt + MT_TXD_SIZE, skb->data, skb->len);
-	dev_kfree_skb(skb);

 	req.omac_idx = mvif->omac_idx;
 	req.enable = en;
@@ -1281,6 +1280,7 @@ int mt7615_mcu_set_bcn(struct mt7615_dev *dev, struct ieee80211_vif *vif,
 	req.pkt_len = cpu_to_le16(MT_TXD_SIZE + skb->len);
 	req.tim_ie_pos = cpu_to_le16(MT_TXD_SIZE + tim_off);

+	dev_kfree_skb(skb);
 	skb = mt7615_mcu_msg_alloc(&req, sizeof(req));

 	return mt7615_mcu_msg_send(dev, skb, MCU_EXT_CMD_BCN_OFFLOAD,