The sk_buff is only set to NULL when initialize, sometimes it will goto label "begin" after ieee80211_free_txskb(), then it points to a sk_buff which is already freed. If it run into the "goto out" after arrived to label "begin", then it will return a sk_buff which is freed, it is a risk for use-after-free. Fixes: ded4698b58cb ("mac80211: run late dequeue late tx handlers without holding fq->lock") Signed-off-by: Wen Gong <quic_wgong@xxxxxxxxxxx> --- net/mac80211/tx.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c index 2171cd1ca807..0b23cc9ab9c7 100644 --- a/net/mac80211/tx.c +++ b/net/mac80211/tx.c @@ -3776,7 +3776,7 @@ struct sk_buff *ieee80211_tx_dequeue(struct ieee80211_hw *hw, struct ieee80211_local *local = hw_to_local(hw); struct txq_info *txqi = container_of(txq, struct txq_info, txq); struct ieee80211_hdr *hdr; - struct sk_buff *skb = NULL; + struct sk_buff *skb; struct fq *fq = &local->fq; struct fq_tin *tin = &txqi->tin; struct ieee80211_tx_info *info; @@ -3790,6 +3790,8 @@ struct sk_buff *ieee80211_tx_dequeue(struct ieee80211_hw *hw, return NULL; begin: + skb = NULL; + spin_lock_bh(&fq->lock); if (test_bit(IEEE80211_TXQ_STOP, &txqi->flags) || base-commit: 922932ca02191a390f7f52fb6e21c44b50e14025 -- 2.31.1
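Review bot: dropping the initializer from `struct sk_buff *skb;` in the first hunk makes the value returned at `out` depend entirely on every path reaching `begin:` first; the early `return NULL;` visible just before `begin:` does not touch skb, so that holds today, but a compiler or static checker may now flag skb as possibly uninitialized if a future path to `out` skips `begin:`. Suggest either keeping `struct sk_buff *skb = NULL;` at the declaration alongside the reset at `begin:` (harmless, and it keeps the function robust to later edits), or adding a one-line comment at the declaration stating that `begin:` is the single initialization point so the invariant is documented where the next reader will look.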
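Review bot: the `skb = NULL;` added at `begin:` in the second hunk does clear the pointer left dangling by `ieee80211_free_txskb()` on the retry path described in the commit message, but it repairs the state at the loop head rather than at the point of free, so any new `goto out` inserted between a free and the jump back to `begin` would reintroduce the same use-after-free. Consider also nulling the pointer immediately after each `ieee80211_free_txskb(skb)` that precedes a `goto begin`, so a freed pointer is never live across the jump, and add a short comment above `skb = NULL;` explaining that `goto begin` may arrive with skb already freed; the blank line separating the new assignment from `spin_lock_bh(&fq->lock);` is fine as is.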