[32/34] wifi: iwlwifi: mvm: free probe_resp_data later

Message ID	20230329100040.152b1715fc13.Ibd37fed1b24cd25012923ad9170d1fe33ab35c5c@changeid (mailing list archive)
State	Accepted
Delegated to:	Johannes Berg
Headers	show Return-Path: <linux-wireless-owner@vger.kernel.org> From: gregory.greenman@intel.com To: johannes@sipsolutions.net Cc: linux-wireless@vger.kernel.org, Johannes Berg <johannes.berg@intel.com>, Gregory Greenman <gregory.greenman@intel.com> Subject: [PATCH 32/34] wifi: iwlwifi: mvm: free probe_resp_data later Date: Wed, 29 Mar 2023 10:05:38 +0300 Message-Id: <20230329100040.152b1715fc13.Ibd37fed1b24cd25012923ad9170d1fe33ab35c5c@changeid> In-Reply-To: <20230329070540.2739372-1-gregory.greenman@intel.com> References: <20230329070540.2739372-1-gregory.greenman@intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	wifi: iwlwifi: updates intended for v6.4 2023-03-29 \| expand [00/34] wifi: iwlwifi: updates intended for v6.4 2023-03-29 [01/34] wifi: iwlwifi: mvm: make some HW flags conditional [02/34] wifi: iwlwifi: mvm: fix narrow RU check for MLO [03/34] wifi: iwlwifi: mvm: skip MEI update for MLO [04/34] wifi: iwlwifi: mvm: use STA link address [05/34] wifi: iwlwifi: mvm: rs-fw: don't crash on missing channel [06/34] wifi: iwlwifi: mvm: coex: start handling multiple links [07/34] wifi: iwlwifi: mvm: make a few warnings only trigger once [08/34] wifi: iwlwifi: mvm: adjust iwl_mvm_sec_key_remove_ap to MLO [09/34] wifi: iwlwifi: mvm: adjust radar detection to MLO [10/34] wifi: iwlwifi: mvm: adjust rs init to MLO [11/34] wifi: iwlwifi: mvm: use the link sta address [12/34] wifi: iwlwifi: mvm: implement mac80211 callback change_sta_links [13/34] wifi: iwlwifi: mvm: translate management frame address [14/34] wifi: iwlwifi: mvm: use bcast/mcast link station id [15/34] wifi: iwlwifi: mvm: rxmq: report link ID to mac80211 [16/34] wifi: iwlwifi: mvm: adjust iwl_mvm_scan_respect_p2p_go_iter() for MLO [17/34] wifi: iwlwifi: mvm: skip inactive links [18/34] wifi: iwlwifi: mvm: remove only link-specific AP keys [19/34] wifi: iwlwifi: mvm: avoid sending MAC context for idle [20/34] wifi: iwlwifi: mvm: remove chanctx WARN_ON [21/34] wifi: iwlwifi: mvm: use the new lockdep-checking macros [22/34] wifi: iwlwifi: mvm: use appropriate link for rate selection [23/34] wifi: iwlwifi: mvm: initialize max_rc_amsdu_len per-link [24/34] wifi: iwlwifi: mvm: fix station link data leak [25/34] wifi: iwlwifi: mvm: clean up mac_id vs. link_id in MLD sta [26/34] wifi: iwlwifi: mvm: use the correct link queue [27/34] wifi: iwlwifi: mvm: update mac config when assigning chanctx [28/34] wifi: iwlwifi: mvm: rework active links counting [29/34] wifi: iwlwifi: mvm: send full STA during HW restart [30/34] wifi: iwlwifi: mvm: move max_agg_bufsize into host TLC lq_sta [31/34] wifi: iwlwifi: bump FW API to 75 for AX devices [32/34] wifi: iwlwifi: mvm: free probe_resp_data later [33/34] wifi: iwlwifi: separate AP link management queues [34/34] wifi: iwlwifi: mvm: correctly use link in iwl_mvm_sta_del()

Message ID

20230329100040.152b1715fc13.Ibd37fed1b24cd25012923ad9170d1fe33ab35c5c@changeid (mailing list archive)

State

Accepted

Delegated to:

Johannes Berg

Headers

From: gregory.greenman@intel.com
To: johannes@sipsolutions.net
Cc: linux-wireless@vger.kernel.org,
        Johannes Berg <johannes.berg@intel.com>,
        Gregory Greenman <gregory.greenman@intel.com>
Subject: [PATCH 32/34] wifi: iwlwifi: mvm: free probe_resp_data later
Date: Wed, 29 Mar 2023 10:05:38 +0300
Message-Id: 
 <20230329100040.152b1715fc13.Ibd37fed1b24cd25012923ad9170d1fe33ab35c5c@changeid>
In-Reply-To: <20230329070540.2739372-1-gregory.greenman@intel.com>
References: <20230329070540.2739372-1-gregory.greenman@intel.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

wifi: iwlwifi: updates intended for v6.4 2023-03-29 | expand

Commit Message

Greenman, Gregory March 29, 2023, 7:05 a.m. UTC

From: Johannes Berg <johannes.berg@intel.com>

In the MLD code, we free probe_resp_data before we remove
the MAC from the firmware, so we might receive another one
from the device after freeing, and thus might leak it. Fix
that by moving the free later.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
---
 .../net/wireless/intel/iwlwifi/mvm/mld-mac80211.c    | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c
index 4d56b2fc5f33..203f2513e7ea 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c
@@ -159,12 +159,6 @@  static void iwl_mvm_mld_mac_remove_interface(struct ieee80211_hw *hw,
 		mvm->csme_vif = NULL;
 	}
 
-	probe_data = rcu_dereference_protected(mvmvif->deflink.probe_resp_data,
-					       lockdep_is_held(&mvm->mutex));
-	RCU_INIT_POINTER(mvmvif->deflink.probe_resp_data, NULL);
-	if (probe_data)
-		kfree_rcu(probe_data, rcu_head);
-
 	if (mvm->bf_allowed_vif == mvmvif) {
 		mvm->bf_allowed_vif = NULL;
 		vif->driver_flags &= ~(IEEE80211_VIF_BEACON_FILTER |
@@ -207,6 +201,12 @@  static void iwl_mvm_mld_mac_remove_interface(struct ieee80211_hw *hw,
 
 	RCU_INIT_POINTER(mvm->vif_id_to_mac[mvmvif->id], NULL);
 
+	probe_data = rcu_dereference_protected(mvmvif->deflink.probe_resp_data,
+					       lockdep_is_held(&mvm->mutex));
+	RCU_INIT_POINTER(mvmvif->deflink.probe_resp_data, NULL);
+	if (probe_data)
+		kfree_rcu(probe_data, rcu_head);
+
 	if (vif->type == NL80211_IFTYPE_MONITOR) {
 		mvm->monitor_on = false;
 		__clear_bit(IEEE80211_HW_RX_INCLUDES_FCS, mvm->hw->flags);

[32/34] wifi: iwlwifi: mvm: free probe_resp_data later

Commit Message

Patch