github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-05-30 01:53:29 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph

wifi: cfg80211: fix double free for link_sinfo in nl80211_station_dump()

Browse Source 
Currently, the link_sinfo structure is being freed twice in
nl80211_dump_station(), once after the send_station() call and again
in the error handling path. This results in a double free of both
link_sinfo and link_sinfo->pertid, which might lead to undefined
behavior or kernel crashes.

Hence, fix by ensuring cfg80211_sinfo_release_content() is only
invoked once during execution of nl80211_station_dump().

Fixes: 49e47223ec ("wifi: cfg80211: allocate memory for link_station info structure")
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Closes: https://lore.kernel.org/all/81f30515-a83d-4b05-a9d1-e349969df9e9@sabinyo.mountain/
Reported-by: syzbot+4ba6272678aa468132c8@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/68655325.a70a0220.5d25f.0316.GAE@google.com
Signed-off-by: Sarika Sharma <quic_sarishar@quicinc.com>
Link: https://patch.msgid.link/20250714084405.178066-1-quic_sarishar@quicinc.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
This commit is contained in:
Sarika Sharma 2025-07-14 14:14:05 +05:30 committed by Johannes Berg
parent e9a896d498
commit 9a44b5e36c
1 changed files with 9 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
net/wireless/nl80211.c
View File

@ -7451,6 +7451,7 @@ static int nl80211_dump_station(struct sk_buff *skb,
struct wireless_dev *wdev;
u8 mac_addr[ETH_ALEN];
int sta_idx = cb->args[2];
bool sinfo_alloc = false;
int err, i;
err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
@ -7479,6 +7480,7 @@ static int nl80211_dump_station(struct sk_buff *skb,
err = -ENOMEM;
goto out_err;
}
sinfo_alloc = true;
}
err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
@ -7491,6 +7493,11 @@ static int nl80211_dump_station(struct sk_buff *skb,
if (sinfo.valid_links)
cfg80211_sta_set_mld_sinfo(&sinfo);
/* reset the sinfo_alloc flag as nl80211_send_station()
* always releases sinfo
*/
sinfo_alloc = false;
if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
NETLINK_CB(cb->skb).portid,
cb->nlh->nlmsg_seq, NLM_F_MULTI,
@ -7505,7 +7512,8 @@ static int nl80211_dump_station(struct sk_buff *skb,
cb->args[2] = sta_idx;
err = skb->len;
out_err:
cfg80211_sinfo_release_content(&sinfo);
if (sinfo_alloc)
cfg80211_sinfo_release_content(&sinfo);
wiphy_unlock(&rdev->wiphy);
return err;