projects / linux.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: e0c7ee3)
wifi: iwlwifi: mvm: free probe_resp_data later
authorJohannes Berg <johannes.berg@intel.com>
Wed, 29 Mar 2023 07:05:38 +0000 (10:05 +0300)
committerJohannes Berg <johannes.berg@intel.com>
Thu, 30 Mar 2023 10:08:44 +0000 (12:08 +0200)
In the MLD code, we free probe_resp_data before we remove
the MAC from the firmware, so we might receive another one
from the device after freeing, and thus might leak it. Fix
that by moving the free later.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20230329100040.152b1715fc13.Ibd37fed1b24cd25012923ad9170d1fe33ab35c5c@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c patch | blob | history

diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c
index 4d56b2fc5f33b6e54bd88e78028b58c676822898..203f2513e7ea59685cfd25ceab3588a3bc42532e 100644 (file)
--- a/drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c
@@ -159,12 +159,6 @@ static void iwl_mvm_mld_mac_remove_interface(struct ieee80211_hw *hw,
                mvm->csme_vif = NULL;
        }
 
-       probe_data = rcu_dereference_protected(mvmvif->deflink.probe_resp_data,
-                                              lockdep_is_held(&mvm->mutex));
-       RCU_INIT_POINTER(mvmvif->deflink.probe_resp_data, NULL);
-       if (probe_data)
-               kfree_rcu(probe_data, rcu_head);
-
        if (mvm->bf_allowed_vif == mvmvif) {
                mvm->bf_allowed_vif = NULL;
                vif->driver_flags &= ~(IEEE80211_VIF_BEACON_FILTER |
@@ -207,6 +201,12 @@ static void iwl_mvm_mld_mac_remove_interface(struct ieee80211_hw *hw,
 
        RCU_INIT_POINTER(mvm->vif_id_to_mac[mvmvif->id], NULL);
 
+       probe_data = rcu_dereference_protected(mvmvif->deflink.probe_resp_data,
+                                              lockdep_is_held(&mvm->mutex));
+       RCU_INIT_POINTER(mvmvif->deflink.probe_resp_data, NULL);
+       if (probe_data)
+               kfree_rcu(probe_data, rcu_head);
+
        if (vif->type == NL80211_IFTYPE_MONITOR) {
                mvm->monitor_on = false;
                __clear_bit(IEEE80211_HW_RX_INCLUDES_FCS, mvm->hw->flags);
ep93xx device tree rework repo: git://git.maquefel.me/linux.git