aboutsummaryrefslogtreecommitdiffstats
path: root/net/mac80211/offchannel.c
diff options
context:
space:
mode:
authorAlan Cox <alan@linux.intel.com>2012-07-13 10:14:45 -0400
committerJohannes Berg <johannes.berg@intel.com>2012-07-13 10:15:54 -0400
commit4b4b8229aeff4ca09b4aee921d383c596146eca0 (patch)
tree49646d515eb82d83e10197df2ac2d2e833b7cae1 /net/mac80211/offchannel.c
parentae33bd817a10f39174453b754e9b548132acae4a (diff)
mac80211: fix use after free
roc is destroyed then roc->started is referenced. Keep a local cache. Signed-off-by: Alan Cox <alan@linux.intel.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Diffstat (limited to 'net/mac80211/offchannel.c')
-rw-r--r--net/mac80211/offchannel.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/net/mac80211/offchannel.c b/net/mac80211/offchannel.c
index 8c047fc8b325..635c3250c668 100644
--- a/net/mac80211/offchannel.c
+++ b/net/mac80211/offchannel.c
@@ -324,6 +324,7 @@ void ieee80211_sw_roc_work(struct work_struct *work)
324 container_of(work, struct ieee80211_roc_work, work.work); 324 container_of(work, struct ieee80211_roc_work, work.work);
325 struct ieee80211_sub_if_data *sdata = roc->sdata; 325 struct ieee80211_sub_if_data *sdata = roc->sdata;
326 struct ieee80211_local *local = sdata->local; 326 struct ieee80211_local *local = sdata->local;
327 bool started;
327 328
328 mutex_lock(&local->mtx); 329 mutex_lock(&local->mtx);
329 330
@@ -366,9 +367,10 @@ void ieee80211_sw_roc_work(struct work_struct *work)
366 /* finish this ROC */ 367 /* finish this ROC */
367 finish: 368 finish:
368 list_del(&roc->list); 369 list_del(&roc->list);
370 started = roc->started;
369 ieee80211_roc_notify_destroy(roc); 371 ieee80211_roc_notify_destroy(roc);
370 372
371 if (roc->started) { 373 if (started) {
372 drv_flush(local, false); 374 drv_flush(local, false);
373 375
374 local->tmp_channel = NULL; 376 local->tmp_channel = NULL;
@@ -379,7 +381,7 @@ void ieee80211_sw_roc_work(struct work_struct *work)
379 381
380 ieee80211_recalc_idle(local); 382 ieee80211_recalc_idle(local);
381 383
382 if (roc->started) 384 if (started)
383 ieee80211_start_next_roc(local); 385 ieee80211_start_next_roc(local);
384 } 386 }
385 387