diff options
author | Alan Cox <alan@linux.intel.com> | 2012-07-13 16:14:45 +0200 |
---|---|---|
committer | Johannes Berg <johannes.berg@intel.com> | 2012-07-13 16:15:54 +0200 |
commit | 4b4b8229aeff4ca09b4aee921d383c596146eca0 (patch) | |
tree | 49646d515eb82d83e10197df2ac2d2e833b7cae1 | |
parent | ae33bd817a10f39174453b754e9b548132acae4a (diff) |
mac80211: fix use after free
roc is destroyed then roc->started is referenced. Keep a local cache.
Signed-off-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
-rw-r--r-- | net/mac80211/offchannel.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/net/mac80211/offchannel.c b/net/mac80211/offchannel.c index 8c047fc8b32..635c3250c66 100644 --- a/net/mac80211/offchannel.c +++ b/net/mac80211/offchannel.c @@ -324,6 +324,7 @@ void ieee80211_sw_roc_work(struct work_struct *work) container_of(work, struct ieee80211_roc_work, work.work); struct ieee80211_sub_if_data *sdata = roc->sdata; struct ieee80211_local *local = sdata->local; + bool started; mutex_lock(&local->mtx); @@ -366,9 +367,10 @@ void ieee80211_sw_roc_work(struct work_struct *work) /* finish this ROC */ finish: list_del(&roc->list); + started = roc->started; ieee80211_roc_notify_destroy(roc); - if (roc->started) { + if (started) { drv_flush(local, false); local->tmp_channel = NULL; @@ -379,7 +381,7 @@ void ieee80211_sw_roc_work(struct work_struct *work) ieee80211_recalc_idle(local); - if (roc->started) + if (started) ieee80211_start_next_roc(local); } |