From fa28981b35128132aeb69a0a2ea2ff1c49bea6d9 Mon Sep 17 00:00:00 2001
From: Johannes Berg
Date: Fri, 22 Jul 2022 11:15:20 +0200
Subject: wifi: mac80211: fix link data leak

During the code reshuffling, I accidentally set this to NULL before using it, fix that to fix the link data leak.
Fixes: d3e2439b0f33 ("wifi: mac80211: fix link manipulation")
Signed-off-by: Johannes Berg
---
 net/mac80211/iface.c | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
 (limited to 'net/mac80211')
diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
index e544621ead0e..95b58c5cac07 100644
--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -514,18 +514,18 @@ static int ieee80211_vif_update_links(struct ieee80211_sub_if_data *sdata,

 /* grab old links to free later */
 for_each_set_bit(link_id, &rem, IEEE80211_MLD_MAX_NUM_LINKS) {
+ if (rcu_access_pointer(sdata->link[link_id]) != &sdata->deflink) {
+ /*
+ * we must have allocated the data through this path so
+ * we know we can free both at the same time
+ */
+ to_free[link_id] = container_of(rcu_access_pointer(sdata->link[link_id]),
+ typeof(*links[link_id]),
+ data);
+ }
+
 RCU_INIT_POINTER(sdata->link[link_id], NULL);
 RCU_INIT_POINTER(sdata->vif.link_conf[link_id], NULL);
-
- if (rcu_access_pointer(sdata->link[link_id]) == &sdata->deflink)
- continue;
- /*
- * we must have allocated the data through this path so
- * we know we can free both at the same time
- */
- to_free[link_id] = container_of(rcu_access_pointer(sdata->link[link_id]),
- typeof(*links[link_id]),
- data);
 }

 /* link them into data structures */
-- cgit v1.2.3-73-gaa49b
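Review bot: The ordering dependency this fix restores is still implicit in the new `if` block at the top of the `for_each_set_bit` loop: `to_free[link_id]` is only correct when `sdata->link[link_id]` is read before the `RCU_INIT_POINTER(sdata->link[link_id], NULL)` that follows, and nothing in the code says so. A one-line comment such as `/* read sdata->link[link_id] before it is cleared below */` would guard against the same reshuffle recurring. The block also calls `rcu_access_pointer(sdata->link[link_id])` twice; reading it once into a local and using that for both the `&sdata->deflink` comparison and `container_of()` would make the dependency a single visible load. The function starts and ends outside the hunk, so how `to_free[]` is initialised and when its entries are freed (presumably after an RCU grace period) cannot be checked from here.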