authorAlan Cox <alan@linux.intel.com>2012-07-13 16:14:45 +0200
committerJohannes Berg <johannes.berg@intel.com>2012-07-13 16:15:54 +0200
commit4b4b8229aeff4ca09b4aee921d383c596146eca0 (patch)
tree49646d515eb82d83e10197df2ac2d2e833b7cae1 /net/mac80211
parentae33bd817a10f39174453b754e9b548132acae4a (diff)
mac80211: fix use after free
roc is destroyed then roc->started is referenced. Keep a local cache. Signed-off-by: Alan Cox <alan@linux.intel.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Diffstat (limited to 'net/mac80211')
-rw-r--r--net/mac80211/offchannel.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/net/mac80211/offchannel.c b/net/mac80211/offchannel.c
index 8c047fc8b325..635c3250c668 100644
--- a/net/mac80211/offchannel.c
+++ b/net/mac80211/offchannel.c
@@ -324,6 +324,7 @@ void ieee80211_sw_roc_work(struct work_struct *work)
container_of(work, struct ieee80211_roc_work, work.work);
struct ieee80211_sub_if_data *sdata = roc->sdata;
struct ieee80211_local *local = sdata->local;
+ bool started;
mutex_lock(&local->mtx);
@@ -366,9 +367,10 @@ void ieee80211_sw_roc_work(struct work_struct *work)
/* finish this ROC */
finish:
list_del(&roc->list);
+ started = roc->started;
ieee80211_roc_notify_destroy(roc);
- if (roc->started) {
+ if (started) {
drv_flush(local, false);
local->tmp_channel = NULL;
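Review bot: The snapshot `started = roc->started;` taken just before `ieee80211_roc_notify_destroy(roc);` carries no comment saying that roc must not be dereferenced after that call, so a later edit could easily reintroduce the use after free this commit removes. I would add `/* roc is gone after ieee80211_roc_notify_destroy(); copy what is still needed first */` above the assignment. Consider also `roc = NULL;` right after the destroy call, so that any future read through the pointer faults immediately instead of silently reading freed memory. `started` is declared without an initializer in the first hunk and is assigned only under `finish:`. Both reads (here and in the third hunk) follow that assignment, but the rest of ieee80211_sw_roc_work lies outside the hunks, so it is worth confirming that no other path reaches them.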
@@ -379,7 +381,7 @@ void ieee80211_sw_roc_work(struct work_struct *work)
ieee80211_recalc_idle(local);
- if (roc->started)
+ if (started)
ieee80211_start_next_roc(local);
}