From b4d85942e6e922930f4ddb8c2ab676efb399947c Mon Sep 17 00:00:00 2001
From: Andrew Zaborowski
Date: Tue, 21 Jul 2020 02:45:37 +0200
Subject: [PATCH] frame-xchg: Don't call frame_xchg_destroy directly

frame_xchg_destroy is passed as the wiphy radio work's destroy callback to wiphy.c. If it's also called directly in frame_xchg_exit, there's going to be a use-after-free when it's called again from wiphy_exit, so instead use wiphy_radio_work_done which will call frame_xchg_destroy and forget the frame_xchg record.
---
 src/frame-xchg.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/frame-xchg.c b/src/frame-xchg.c
index 1ba2d907..f07a4d8d 100644
--- a/src/frame-xchg.c
+++ b/src/frame-xchg.c
@@ -1337,7 +1337,7 @@ static void destroy_xchg_data(void *user_data)
 {
 struct frame_xchg_data *fx = user_data;
 
- frame_xchg_destroy(&fx->work);
+ wiphy_radio_work_done(wiphy_find_by_wdev(fx->wdev_id), fx->work.id);
 }
 
 static void frame_xchg_exit(void)
@@ -1359,3 +1359,4 @@ static void frame_xchg_exit(void)
 }
 
 IWD_MODULE(frame_xchg, frame_xchg_init, frame_xchg_exit);
+IWD_MODULE_DEPENDS(frame_xchg, wiphy)
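Review bot: In destroy_xchg_data the result of `wiphy_find_by_wdev(fx->wdev_id)` is handed straight to `wiphy_radio_work_done` with no NULL check. Whether the lookup can fail for a record whose wiphy has already been removed is not visible in this hunk and should be confirmed against wiphy.c; if it can, the shutdown path trades the use-after-free for a NULL dereference. Consider `struct wiphy *wiphy = wiphy_find_by_wdev(fx->wdev_id);` followed by `if (wiphy) wiphy_radio_work_done(wiphy, fx->work.id);`, and decide explicitly who frees the record when the lookup fails so it is neither leaked nor freed twice. A one-line comment above the call, e.g. `/* wiphy.c owns the work item; completing it runs frame_xchg_destroy exactly once */`, would keep a later edit from reintroducing the direct call.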
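Review bot: The added `IWD_MODULE_DEPENDS(frame_xchg, wiphy)` at the end of the file has no trailing `;`, while the `IWD_MODULE(...)` line directly above it does. The macro definition is outside this patch, so unless it is known to supply its own terminator, write `IWD_MODULE_DEPENDS(frame_xchg, wiphy);` for consistency. This line also appears to carry the ordering guarantee the fix relies on: presumably it makes frame_xchg_exit run before wiphy_exit, so the wiphy lookup in destroy_xchg_data still resolves. The commit message does not mention it, so a comment such as `/* frame_xchg_exit must run before wiphy_exit: it completes radio work through the wiphy */` would record why the dependency must not be dropped.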