Home Explore Help
Register Sign In
phyus
/
linux-vybrid_public
8
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

mac80211: fix use after free

roc is destroyed then roc->started is referenced. Keep a local cache.

Signed-off-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Alan Cox 13 years ago
parent
ae33bd817a
commit
4b4b8229ae
1 changed files with 4 additions and 2 deletions
Split View Show Diff Stats
  1. 4 2
      net/mac80211/offchannel.c

+ 4 - 2
net/mac80211/offchannel.c
View File 

@@ -324,6 +324,7 @@ void ieee80211_sw_roc_work(struct work_struct *work)
 
 		container_of(work, struct ieee80211_roc_work, work.work);
 
 	struct ieee80211_sub_if_data *sdata = roc->sdata;
 
 	struct ieee80211_local *local = sdata->local;
 
+	bool started;
 
 
 	mutex_lock(&local->mtx);
 
 
@@ -366,9 +367,10 @@ void ieee80211_sw_roc_work(struct work_struct *work)
 
 		/* finish this ROC */
 
  finish:
 
 		list_del(&roc->list);
 
+		started = roc->started;
 
 		ieee80211_roc_notify_destroy(roc);
 
 
-		if (roc->started) {
 
+		if (started) {
 
 			drv_flush(local, false);
 
 
 			local->tmp_channel = NULL;
 
@@ -379,7 +381,7 @@ void ieee80211_sw_roc_work(struct work_struct *work)
 
 
 		ieee80211_recalc_idle(local);
 
 
-		if (roc->started)
 
+		if (started)
 
 			ieee80211_start_next_roc(local);
 
 	}