From: Johannes Berg Date: Wed, 29 Mar 2023 07:05:38 +0000 (+0300) Subject: wifi: iwlwifi: mvm: free probe_resp_data later X-Git-Url: http://git.maquefel.me/?a=commitdiff_plain;h=8ca86d61798f04c98fc2c303d52e552247dc433b;p=linux.git wifi: iwlwifi: mvm: free probe_resp_data later In the MLD code, we free probe_resp_data before we remove the MAC from the firmware, so we might receive another one from the device after freeing, and thus might leak it. Fix that by moving the free later. Signed-off-by: Johannes Berg Signed-off-by: Gregory Greenman Link: https://lore.kernel.org/r/20230329100040.152b1715fc13.Ibd37fed1b24cd25012923ad9170d1fe33ab35c5c@changeid Signed-off-by: Johannes Berg --- diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c index 4d56b2fc5f33b..203f2513e7ea5 100644 --- a/drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c +++ b/drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c @@ -159,12 +159,6 @@ static void iwl_mvm_mld_mac_remove_interface(struct ieee80211_hw *hw, mvm->csme_vif = NULL; } - probe_data = rcu_dereference_protected(mvmvif->deflink.probe_resp_data, - lockdep_is_held(&mvm->mutex)); - RCU_INIT_POINTER(mvmvif->deflink.probe_resp_data, NULL); - if (probe_data) - kfree_rcu(probe_data, rcu_head); - if (mvm->bf_allowed_vif == mvmvif) { mvm->bf_allowed_vif = NULL; vif->driver_flags &= ~(IEEE80211_VIF_BEACON_FILTER | @@ -207,6 +201,12 @@ static void iwl_mvm_mld_mac_remove_interface(struct ieee80211_hw *hw, RCU_INIT_POINTER(mvm->vif_id_to_mac[mvmvif->id], NULL); + probe_data = rcu_dereference_protected(mvmvif->deflink.probe_resp_data, + lockdep_is_held(&mvm->mutex)); + RCU_INIT_POINTER(mvmvif->deflink.probe_resp_data, NULL); + if (probe_data) + kfree_rcu(probe_data, rcu_head); + if (vif->type == NL80211_IFTYPE_MONITOR) { mvm->monitor_on = false; __clear_bit(IEEE80211_HW_RX_INCLUDES_FCS, mvm->hw->flags);