diff options
| author | Johannes Berg <johannes.berg@intel.com> | 2024-10-22 16:17:42 +0200 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2024-11-08 16:28:23 +0100 |
| commit | 6c44abb2d4c3262737d5d67832daebc8cf48b8c9 (patch) | |
| tree | 0efe116fa9be29105d3889b24e60dd8077d134c5 /net | |
| parent | 5f5a939759c79e7385946c85e62feca51a18d816 (diff) | |
| download | linux-6c44abb2d4c3262737d5d67832daebc8cf48b8c9.tar.gz linux-6c44abb2d4c3262737d5d67832daebc8cf48b8c9.tar.bz2 linux-6c44abb2d4c3262737d5d67832daebc8cf48b8c9.zip | |
wifi: cfg80211: clear wdev->cqm_config pointer on free
commit d5fee261dfd9e17b08b1df8471ac5d5736070917 upstream.
When we free wdev->cqm_config when unregistering, we also
need to clear out the pointer since the same wdev/netdev
may get re-registered in another network namespace, then
destroyed later, running this code again, which results in
a double-free.
Reported-by: syzbot+36218cddfd84b5cc263e@syzkaller.appspotmail.com
Fixes: 37c20b2effe9 ("wifi: cfg80211: fix cqm_config access race")
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20241022161742.7c34b2037726.I121b9cdb7eb180802eafc90b493522950d57ee18@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'net')
| -rw-r--r-- | net/wireless/core.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/net/wireless/core.c b/net/wireless/core.c index 68aa8f0d7014..3c1247933ae9 100644 --- a/net/wireless/core.c +++ b/net/wireless/core.c @@ -1233,6 +1233,7 @@ static void _cfg80211_unregister_wdev(struct wireless_dev *wdev, /* deleted from the list, so can't be found from nl80211 any more */ cqm_config = rcu_access_pointer(wdev->cqm_config); kfree_rcu(cqm_config, rcu_head); + RCU_INIT_POINTER(wdev->cqm_config, NULL); /* * Ensure that all events have been processed and |