Commit 8ca86d61 authored by Johannes Berg's avatar Johannes Berg
Browse files

wifi: iwlwifi: mvm: free probe_resp_data later 



In the MLD code, we free probe_resp_data before we remove
the MAC from the firmware, so we might receive another one
from the device after freeing, and thus might leak it. Fix
that by moving the free later.

Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
Signed-off-by: default avatarGregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20230329100040.152b1715fc13.Ibd37fed1b24cd25012923ad9170d1fe33ab35c5c@changeid


Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
parent e0c7ee3a

drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c

+6 −6
Original line number Diff line number Diff line
@@ -159,12 +159,6 @@ static void iwl_mvm_mld_mac_remove_interface(struct ieee80211_hw *hw, 
		mvm->csme_vif = NULL;

	}



	probe_data = rcu_dereference_protected(mvmvif->deflink.probe_resp_data,

					       lockdep_is_held(&mvm->mutex));

	RCU_INIT_POINTER(mvmvif->deflink.probe_resp_data, NULL);

	if (probe_data)

		kfree_rcu(probe_data, rcu_head);



	if (mvm->bf_allowed_vif == mvmvif) {

		mvm->bf_allowed_vif = NULL;

		vif->driver_flags &= ~(IEEE80211_VIF_BEACON_FILTER |
@@ -207,6 +201,12 @@ static void iwl_mvm_mld_mac_remove_interface(struct ieee80211_hw *hw, 


	RCU_INIT_POINTER(mvm->vif_id_to_mac[mvmvif->id], NULL);



	probe_data = rcu_dereference_protected(mvmvif->deflink.probe_resp_data,

					       lockdep_is_held(&mvm->mutex));

	RCU_INIT_POINTER(mvmvif->deflink.probe_resp_data, NULL);

	if (probe_data)

		kfree_rcu(probe_data, rcu_head);



	if (vif->type == NL80211_IFTYPE_MONITOR) {

		mvm->monitor_on = false;

		__clear_bit(IEEE80211_HW_RX_INCLUDES_FCS, mvm->hw->flags);