mac80211: fix use after free

roc is destroyed then roc->started is referenced. Keep a local cache. Signed-off-by: Alan Cox <alan@linux.intel.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
author: Alan Cox <alan@linux.intel.com> 2012-07-13 10:14:45 -0400
committer: Johannes Berg <johannes.berg@intel.com> 2012-07-13 10:15:54 -0400
commit: 4b4b8229aeff4ca09b4aee921d383c596146eca0 (patch)
tree: 49646d515eb82d83e10197df2ac2d2e833b7cae1 /net/mac80211
parent: ae33bd817a10f39174453b754e9b548132acae4a (diff)
1 files changed, 4 insertions, 2 deletions
diff --git a/net/mac80211/offchannel.c b/net/mac80211/offchannel.c
index 8c047fc8b325..635c3250c668 100644
--- a/net/mac80211/offchannel.c
+++ b/net/mac80211/offchannel.c
@@ -324,6 +324,7 @@ void ieee80211_sw_roc_work(struct work_struct *work)
                container_of(work, struct ieee80211_roc_work, work.work);
        struct ieee80211_sub_if_data *sdata = roc->sdata;
        struct ieee80211_local *local = sdata->local;
+        bool started;
        mutex_lock(&local->mtx);
@@ -366,9 +367,10 @@ void ieee80211_sw_roc_work(struct work_struct *work)
                /* finish this ROC */
 finish:
                list_del(&roc->list);
+                started = roc->started;
                ieee80211_roc_notify_destroy(roc);
-                if (roc->started) {
+                if (started) {
                        drv_flush(local, false);
                        local->tmp_channel = NULL;
@@ -379,7 +381,7 @@ void ieee80211_sw_roc_work(struct work_struct *work)
                ieee80211_recalc_idle(local);
-                if (roc->started)
+                if (started)
                        ieee80211_start_next_roc(local);
        }
author	Alan Cox <alan@linux.intel.com>	2012-07-13 10:14:45 -0400
committer	Johannes Berg <johannes.berg@intel.com>	2012-07-13 10:15:54 -0400
commit	4b4b8229aeff4ca09b4aee921d383c596146eca0 (patch)
tree	49646d515eb82d83e10197df2ac2d2e833b7cae1 /net/mac80211
parent	ae33bd817a10f39174453b754e9b548132acae4a (diff)