mt76: mt7615: Use after free in mt7615_mcu_set_bcn()

We dereference "skb" when we assign:

	req.pkt_len = cpu_to_le16(MT_TXD_SIZE + skb->len);
                                                ^^^^^^^^
So this patch just moves the dev_kfree_skb() down a bit to avoid the
use after free.

Fixes: 09301c7b1225 ("mt76: add mac80211 driver for MT7615 PCIe-based chipsets")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>

diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c
index ea67c6022fe6ff5894fa3cf066dfeddb1ab0d16a..dc1301effa242fe29bcae0eaa719725be437c977 100644 (file)
--- a/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c
@@ -1270,7 +1270,6 @@ int mt7615_mcu_set_bcn(struct mt7615_dev *dev, struct ieee80211_vif *vif,
        mt7615_mac_write_txwi(dev, (__le32 *)(req.pkt), skb, wcid, NULL,
                              0, NULL);
        memcpy(req.pkt + MT_TXD_SIZE, skb->data, skb->len);
-       dev_kfree_skb(skb);
 
        req.omac_idx = mvif->omac_idx;
        req.enable = en;
@@ -1281,6 +1280,7 @@ int mt7615_mcu_set_bcn(struct mt7615_dev *dev, struct ieee80211_vif *vif,
        req.pkt_len = cpu_to_le16(MT_TXD_SIZE + skb->len);
        req.tim_ie_pos = cpu_to_le16(MT_TXD_SIZE + tim_off);
 
+       dev_kfree_skb(skb);
        skb = mt7615_mcu_msg_alloc(&req, sizeof(req));
 
        return mt7615_mcu_msg_send(dev, skb, MCU_EXT_CMD_BCN_OFFLOAD,