| author | Johannes Berg <johannes.berg@intel.com> | 2024-10-22 16:17:42 +0200 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2024-11-08 16:30:54 +0100 |
| commit | 64e4c45d23cd7f6167f69cc2d2877bc7f54292e5 (patch) | |
| tree | 02d3fec053cd42746ec165d13911819699be1152 /net/wireless | |
| parent | 2f6f1e26ac6d2b38e2198a71f81f0ade14d6b07b (diff) | |
wifi: cfg80211: clear wdev->cqm_config pointer on free
commit d5fee261dfd9e17b08b1df8471ac5d5736070917 upstream.
When we free wdev->cqm_config when unregistering, we also
need to clear out the pointer since the same wdev/netdev
may get re-registered in another network namespace, then
destroyed later, running this code again, which results in
a double-free.
Reported-by: syzbot+36218cddfd84b5cc263e@syzkaller.appspotmail.com
Fixes: 37c20b2effe9 ("wifi: cfg80211: fix cqm_config access race")
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20241022161742.7c34b2037726.I121b9cdb7eb180802eafc90b493522950d57ee18@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'net/wireless')
| -rw-r--r-- | net/wireless/core.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/net/wireless/core.c b/net/wireless/core.c index 4d5d351bd0b5..c9ebf9449fcc 100644 --- a/net/wireless/core.c +++ b/net/wireless/core.c @@ -1236,6 +1236,7 @@ static void _cfg80211_unregister_wdev(struct wireless_dev *wdev, /* deleted from the list, so can't be found from nl80211 any more */ cqm_config = rcu_access_pointer(wdev->cqm_config); kfree_rcu(cqm_config, rcu_head); + RCU_INIT_POINTER(wdev->cqm_config, NULL); /* * Ensure that all events have been processed and |
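Review bot: In _cfg80211_unregister_wdev(), the added RCU_INIT_POINTER(wdev->cqm_config, NULL) comes after kfree_rcu(cqm_config, rcu_head), so the pointer is still published at the moment the free is queued; the usual RCU order is to unpublish first and queue the free second. The existing comment ("deleted from the list, so can't be found from nl80211 any more") is what makes the current order safe here, so either move the clear above the kfree_rcu() call or extend that comment to say that the reset exists because the same wdev can go through this function again after being re-registered in another network namespace, which is not evident from the code alone.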
