| From 1f8fd7c44eb5be7adaa94db19cc4d48bf779f4bd Mon Sep 17 00:00:00 2001 |
| From: =?UTF-8?q?Stefan=20B=C3=BChler?= <source@stbuehler.de> |
| Date: Tue, 26 Nov 2019 11:05:44 +0100 |
| Subject: [PATCH] cfg80211: fix double-free after changing network namespace |
| MIME-Version: 1.0 |
| Content-Type: text/plain; charset=UTF-8 |
| Content-Transfer-Encoding: 8bit |
| |
| commit 56cb31e185adb61f930743a9b70e700a43625386 upstream. |
| |
| If wdev->wext.keys was initialized it didn't get reset to NULL on |
| unregister (and it doesn't get set in cfg80211_init_wdev either), but |
| wdev is reused if unregister was triggered through |
| cfg80211_switch_netns. |
| |
| The next unregister (for whatever reason) will try to free |
| wdev->wext.keys again. |
| |
| Signed-off-by: Stefan Bühler <source@stbuehler.de> |
| Link: https://lore.kernel.org/r/20191126100543.782023-1-stefan.buehler@tik.uni-stuttgart.de |
| Signed-off-by: Johannes Berg <johannes.berg@intel.com> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/net/wireless/core.c b/net/wireless/core.c |
| index ed24a0b071c3..fa6353b9ca1e 100644 |
| --- a/net/wireless/core.c |
| +++ b/net/wireless/core.c |
| @@ -1093,6 +1093,7 @@ static void __cfg80211_unregister_wdev(struct wireless_dev *wdev, bool sync) |
| |
| #ifdef CONFIG_CFG80211_WEXT |
| kzfree(wdev->wext.keys); |
| + wdev->wext.keys = NULL; |
| #endif |
| /* only initialized if we have a netdev */ |
| if (wdev->netdev) |
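Review bot: The added `wdev->wext.keys = NULL;` directly after `kzfree(wdev->wext.keys);` has no comment explaining why the reset is needed, and a bare NULL store after a free is easy to drop in a later cleanup. A one-line comment that wdev is reused when unregister is triggered through cfg80211_switch_netns would keep the reason next to the code. The commit message also says the field is not set in cfg80211_init_wdev; is it worth clearing it there as well, so the re-register path does not depend on every unregister path having reset it? The trailers carry no Fixes: tag, so the commit that introduced the stale pointer cannot be identified from this patch alone.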
| -- |
| 2.7.4 |
| |