* [PATCH iwlwifi-fixes] wifi: iwlwifi: mld: Fix dereference of link before NULL check.
@ 2026-01-07 2:32 Rory Little
0 siblings, 0 replies; only message in thread
From: Rory Little @ 2026-01-07 2:32 UTC (permalink / raw)
To: Miri Korenblit; +Cc: linux-wireless
Move dereference to retrieve fw_id member of the link to after the link
is NULL checked.
Fixes: 77e67d5daaf1 ("wifi: iwlwifi: fix potential use after free in iwl_mld_remove_link()")
Signed-off-by: Rory Little <rory@candelatech.com>
---
drivers/net/wireless/intel/iwlwifi/mld/link.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/intel/iwlwifi/mld/link.c b/drivers/net/wireless/intel/iwlwifi/mld/link.c
index d89840a1152b..13102753b36c 100644
--- a/drivers/net/wireless/intel/iwlwifi/mld/link.c
+++ b/drivers/net/wireless/intel/iwlwifi/mld/link.c
@@ -504,11 +504,13 @@ void iwl_mld_remove_link(struct iwl_mld *mld,
struct iwl_mld_vif *mld_vif = iwl_mld_vif_from_mac80211(bss_conf->vif);
struct iwl_mld_link *link = iwl_mld_link_from_mac80211(bss_conf);
bool is_deflink = link == &mld_vif->deflink;
- u8 fw_id = link->fw_id;
+ u8 fw_id;
if (WARN_ON(!link || link->active))
return;
+ fw_id = link->fw_id;
+
iwl_mld_rm_link_from_fw(mld, bss_conf);
/* Continue cleanup on failure */
--
2.49.0
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2026-01-07 2:32 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-01-07 2:32 [PATCH iwlwifi-fixes] wifi: iwlwifi: mld: Fix dereference of link before NULL check Rory Little
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox