mac80211: fix use after free roc is destroyed then roc->started is referenced. Keep a local cache. Signed-off-by: Alan Cox <alan@linux.intel.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>

commit: 4b4b8229aeff4ca09b4aee921d383c596146eca0 [log] [tgz]
author: Alan Cox <alan@linux.intel.com> Fri Jul 13 16:14:45 2012 +0200
committer: Johannes Berg <johannes.berg@intel.com> Fri Jul 13 16:15:54 2012 +0200
tree: 49646d515eb82d83e10197df2ac2d2e833b7cae1
parent: ae33bd817a10f39174453b754e9b548132acae4a [diff] [blame]
diff --git a/net/mac80211/offchannel.c b/net/mac80211/offchannel.c
index 8c047fc..635c325 100644
--- a/net/mac80211/offchannel.c
+++ b/net/mac80211/offchannel.c

@@ -324,6 +324,7 @@
 		container_of(work, struct ieee80211_roc_work, work.work);
 	struct ieee80211_sub_if_data *sdata = roc->sdata;
 	struct ieee80211_local *local = sdata->local;
+	bool started;
 
 	mutex_lock(&local->mtx);
 
@@ -366,9 +367,10 @@
 		/* finish this ROC */
  finish:
 		list_del(&roc->list);
+		started = roc->started;
 		ieee80211_roc_notify_destroy(roc);
 
-		if (roc->started) {
+		if (started) {
 			drv_flush(local, false);
 
 			local->tmp_channel = NULL;
@@ -379,7 +381,7 @@
 
 		ieee80211_recalc_idle(local);
 
-		if (roc->started)
+		if (started)
 			ieee80211_start_next_roc(local);
 	}
commit	4b4b8229aeff4ca09b4aee921d383c596146eca0	[log] [tgz]
author	Alan Cox <alan@linux.intel.com>	Fri Jul 13 16:14:45 2012 +0200
committer	Johannes Berg <johannes.berg@intel.com>	Fri Jul 13 16:15:54 2012 +0200
tree	49646d515eb82d83e10197df2ac2d2e833b7cae1
parent	ae33bd817a10f39174453b754e9b548132acae4a [diff] [blame]