From 58d618c7b56935530febfd28cd32078c18bf2359 Mon Sep 17 00:00:00 2001
From: Jianmin Zhu
Date: Tue, 24 Jul 2018 22:11:09 +0800
Subject: [PATCH] cfg80211: Fix use after free when process wdev events

"bssid" is only initialized out of the while loop, in case of two events with same type: EVENT_CONNECT_RESULT, but one has zero ether addr, the other is non-zero, the bssid pointer will be referenced twice, which lead to use-after-free issue

Change-Id: Ie8a24275f7ec5c2f936ef0a802a42e5f63be9c71
CRs-Fixed: 2254305
Signed-off-by: Zhu Jianmin
---
 net/wireless/util.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/net/wireless/util.c b/net/wireless/util.c
index a20e420b2fc2..cd28aaceb438 100644
--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -739,8 +739,7 @@ void cfg80211_process_wdev_events(struct wireless_dev *wdev)
 wdev_lock(wdev);
 switch (ev->type) {
 case EVENT_CONNECT_RESULT:
- if (!is_zero_ether_addr(ev->cr.bssid))
- bssid = ev->cr.bssid;
+ bssid = ev->cr.bssid;
 __cfg80211_connect_result(
 wdev->netdev, bssid,
 ev->cr.req_ie, ev->cr.req_ie_len,