projects / openwrt / staging / blogic.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: a500e46)
iwlwifi: mvm: avoid use-after-free on iwl_mvm_d0i3_enable_tx()
authorEliad Peller <[email protected]>
Tue, 14 Apr 2015 08:36:23 +0000 (11:36 +0300)
committerEmmanuel Grumbach <[email protected]>
Thu, 21 May 2015 19:36:46 +0000 (22:36 +0300)
qos_seq points (to a struct) inside the command response data.

Make sure to free the response only after qos_seq is not
needed anymore.

Reported-by: Heng Luo <[email protected]>
Signed-off-by: Eliad Peller <[email protected]>
Signed-off-by: Emmanuel Grumbach <[email protected]>
drivers/net/wireless/iwlwifi/mvm/ops.c patch | blob | history

diff --git a/drivers/net/wireless/iwlwifi/mvm/ops.c b/drivers/net/wireless/iwlwifi/mvm/ops.c
index 1c66297d82c0a80dd0bb66c7148ea8ef42c5e099..2ea01238754eb8d1c2470156f0293a2e15988fd6 100644 (file)
--- a/drivers/net/wireless/iwlwifi/mvm/ops.c
+++ b/drivers/net/wireless/iwlwifi/mvm/ops.c
@@ -1263,11 +1263,13 @@ static void iwl_mvm_d0i3_exit_work(struct work_struct *wk)
                ieee80211_iterate_active_interfaces(
                        mvm->hw, IEEE80211_IFACE_ITER_NORMAL,
                        iwl_mvm_d0i3_disconnect_iter, mvm);
-
-       iwl_free_resp(&get_status_cmd);
 out:
        iwl_mvm_d0i3_enable_tx(mvm, qos_seq);
 
+       /* qos_seq might point inside resp_pkt, so free it only now */
+       if (get_status_cmd.resp_pkt)
+               iwl_free_resp(&get_status_cmd);
+
        /* the FW might have updated the regdomain */
        iwl_mvm_update_changed_regdom(mvm);
 
John Crispins staging tree