releases/4.19.160/mac80211-free-sta-in-sta_info_insert_finish-on-errors.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 7bc40aedf24d31d8bea80e1161e996ef4299fb10 Mon Sep 17 00:00:00 2001
 From: Johannes Berg <johannes.berg@intel.com>
 Date: Thu, 12 Nov 2020 11:22:04 +0100
 Subject: mac80211: free sta in sta_info_insert_finish() on errors

 From: Johannes Berg <johannes.berg@intel.com>

 commit 7bc40aedf24d31d8bea80e1161e996ef4299fb10 upstream.

 If sta_info_insert_finish() fails, we currently keep the station
 around and free it only in the caller, but there's only one such
 caller and it always frees it immediately.

 As syzbot found, another consequence of this split is that we can
 put things that sleep only into __cleanup_single_sta() and not in
 sta_info_free(), but this is the only place that requires such of
 sta_info_free() now.

 Change this to free the station in sta_info_insert_finish(), in
 which case we can still sleep. This will also let us unify the
 cleanup code later.

 Cc: stable@vger.kernel.org
 Fixes: dcd479e10a05 ("mac80211: always wind down STA state")
 Reported-by: syzbot+32c6c38c4812d22f2f0b@syzkaller.appspotmail.com
 Reported-by: syzbot+4c81fe92e372d26c4246@syzkaller.appspotmail.com
 Reported-by: syzbot+6a7fe9faf0d1d61bc24a@syzkaller.appspotmail.com
 Reported-by: syzbot+abed06851c5ffe010921@syzkaller.appspotmail.com
 Reported-by: syzbot+b7aeb9318541a1c709f1@syzkaller.appspotmail.com
 Reported-by: syzbot+d5a9416c6cafe53b5dd0@syzkaller.appspotmail.com
 Link: https://lore.kernel.org/r/20201112112201.ee6b397b9453.I9c31d667a0ea2151441cc64ed6613d36c18a48e0@changeid
 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 ---
  net/mac80211/sta_info.c |   14 ++++----------
  1 file changed, 4 insertions(+), 10 deletions(-)

 --- a/net/mac80211/sta_info.c
 +++ b/net/mac80211/sta_info.c
 @@ -634,7 +634,7 @@ static int sta_info_insert_finish(struct
   out_drop_sta:
  	local->num_sta--;
  	synchronize_net();
 -	__cleanup_single_sta(sta);
 +	cleanup_single_sta(sta);
   out_err:
  	mutex_unlock(&local->sta_mtx);
  	kfree(sinfo);
 @@ -653,19 +653,13 @@ int sta_info_insert_rcu(struct sta_info

  	err = sta_info_insert_check(sta);
  	if (err) {
 +		sta_info_free(local, sta);
  		mutex_unlock(&local->sta_mtx);
  		rcu_read_lock();
 -		goto out_free;
 +		return err;
  	}

 -	err = sta_info_insert_finish(sta);
 -	if (err)
 -		goto out_free;
 -
 -	return 0;
 - out_free:
 -	sta_info_free(local, sta);
 -	return err;
 +	return sta_info_insert_finish(sta);
  }

  int sta_info_insert(struct sta_info *sta)
	From 7bc40aedf24d31d8bea80e1161e996ef4299fb10 Mon Sep 17 00:00:00 2001
	From: Johannes Berg <johannes.berg@intel.com>
	Date: Thu, 12 Nov 2020 11:22:04 +0100
	Subject: mac80211: free sta in sta_info_insert_finish() on errors

	From: Johannes Berg <johannes.berg@intel.com>

	commit 7bc40aedf24d31d8bea80e1161e996ef4299fb10 upstream.

	If sta_info_insert_finish() fails, we currently keep the station
	around and free it only in the caller, but there's only one such
	caller and it always frees it immediately.

	As syzbot found, another consequence of this split is that we can
	put things that sleep only into __cleanup_single_sta() and not in
	sta_info_free(), but this is the only place that requires such of
	sta_info_free() now.

	Change this to free the station in sta_info_insert_finish(), in
	which case we can still sleep. This will also let us unify the
	cleanup code later.

	Cc: stable@vger.kernel.org
	Fixes: dcd479e10a05 ("mac80211: always wind down STA state")
	Reported-by: syzbot+32c6c38c4812d22f2f0b@syzkaller.appspotmail.com
	Reported-by: syzbot+4c81fe92e372d26c4246@syzkaller.appspotmail.com
	Reported-by: syzbot+6a7fe9faf0d1d61bc24a@syzkaller.appspotmail.com
	Reported-by: syzbot+abed06851c5ffe010921@syzkaller.appspotmail.com
	Reported-by: syzbot+b7aeb9318541a1c709f1@syzkaller.appspotmail.com
	Reported-by: syzbot+d5a9416c6cafe53b5dd0@syzkaller.appspotmail.com
	Link: https://lore.kernel.org/r/20201112112201.ee6b397b9453.I9c31d667a0ea2151441cc64ed6613d36c18a48e0@changeid
	Signed-off-by: Johannes Berg <johannes.berg@intel.com>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

	---
	net/mac80211/sta_info.c \| 14 ++++----------
	1 file changed, 4 insertions(+), 10 deletions(-)

	--- a/net/mac80211/sta_info.c
	+++ b/net/mac80211/sta_info.c
	@@ -634,7 +634,7 @@ static int sta_info_insert_finish(struct
	out_drop_sta:
	local->num_sta--;
	synchronize_net();
	- __cleanup_single_sta(sta);
	+ cleanup_single_sta(sta);
	out_err:
	mutex_unlock(&local->sta_mtx);
	kfree(sinfo);
	@@ -653,19 +653,13 @@ int sta_info_insert_rcu(struct sta_info

	err = sta_info_insert_check(sta);
	if (err) {
	+ sta_info_free(local, sta);
	mutex_unlock(&local->sta_mtx);
	rcu_read_lock();
	- goto out_free;
	+ return err;
	}

	- err = sta_info_insert_finish(sta);
	- if (err)
	- goto out_free;
	-
	- return 0;
	- out_free:
	- sta_info_free(local, sta);
	- return err;
	+ return sta_info_insert_finish(sta);
	}

	int sta_info_insert(struct sta_info *sta)