Message ID | iwlwifi.20210907143156.e80e52167d93.Ie2247f43f8acb2cee6dff5b07a3947c79a772835@changeid |
---|---|
State | New |
Series | iwlwifi: mvm: Fix possible NULL dereference |
On Tue, 2021-09-07 at 14:32 +0300, Luca Coelho wrote:
> From: Ilan Peer <ilan.peer@intel.com>
>
> In __iwl_mvm_remove_time_event() check that 'te_data->vif' is NULL
> before dereferencing it.
>
> Fixes: 7b3954a1d69a ("iwlwifi: mvm: Explicitly stop session protection before unbinding")
> Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
> Signed-off-by: Ilan Peer <ilan.peer@intel.com>
> Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
> ---

Kalle,

I assigned this to you. Can you please take it directly to
wireless-drivers for v5.15?

Thanks!

--
Cheers,
Luca.

Luca Coelho <luca@coelho.fi> wrote:
> From: Ilan Peer <ilan.peer@intel.com>
>
> In __iwl_mvm_remove_time_event() check that 'te_data->vif' is NULL
> before dereferencing it.
>
> Fixes: 7b3954a1d69a ("iwlwifi: mvm: Explicitly stop session protection before unbinding")
> Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
> Signed-off-by: Ilan Peer <ilan.peer@intel.com>
> Signed-off-by: Luca Coelho <luciano.coelho@intel.com>

Patch applied to wireless-drivers.git, thanks.

24d5f16e407b iwlwifi: mvm: Fix possible NULL dereference

--
https://patchwork.kernel.org/project/linux-wireless/patch/iwlwifi.20210907143156.e80e52167d93.Ie2247f43f8acb2cee6dff5b07a3947c79a772835@changeid/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches

diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c b/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c index 25af88a3edce..e91f8e889df7 100644 --- a/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c +++ b/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c @@ -662,12 +662,13 @@ static bool __iwl_mvm_remove_time_event(struct iwl_mvm *mvm, u32 *uid) { u32 id; - struct iwl_mvm_vif *mvmvif = iwl_mvm_vif_from_mac80211(te_data->vif); + struct iwl_mvm_vif *mvmvif; enum nl80211_iftype iftype; if (!te_data->vif) return false; + mvmvif = iwl_mvm_vif_from_mac80211(te_data->vif); iftype = te_data->vif->type; /*
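
Review bot: The commit message says to check that 'te_data->vif' is NULL before dereferencing it, but the guard that stays at the top of __iwl_mvm_remove_time_event(), `if (!te_data->vif) return false;`, bails out when the pointer is NULL, so the message should read "is not NULL" to match the code. In the same hunk, te_data->vif is read three times back to back (the guard, the moved `mvmvif = iwl_mvm_vif_from_mac80211(te_data->vif);`, and `iftype = te_data->vif->type;`), and the visible context does not show what keeps the field from changing between those reads; if a lock protects te_data at this point, a lockdep assertion or a one-line comment naming it would make the guarantee behind the guard explicit.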