| From 2965c4cdf7ad9ce0796fac5e57debb9519ea721e Mon Sep 17 00:00:00 2001 |
| From: Johannes Berg <johannes.berg@intel.com> |
| Date: Wed, 1 Jun 2022 09:19:36 +0200 |
| Subject: wifi: mac80211: fix use-after-free in chanctx code |
| |
| From: Johannes Berg <johannes.berg@intel.com> |
| |
| commit 2965c4cdf7ad9ce0796fac5e57debb9519ea721e upstream. |
| |
| In ieee80211_vif_use_reserved_context(), when we have an |
| old context and the new context's replace_state is set to |
| IEEE80211_CHANCTX_REPLACE_NONE, we free the old context |
| in ieee80211_vif_use_reserved_reassign(). Therefore, we |
| cannot check the old_ctx anymore, so we should set it to |
| NULL after this point. |
| |
| However, since the new_ctx replace state is clearly not |
| IEEE80211_CHANCTX_REPLACES_OTHER, we're not going to do |
| anything else in this function and can just return to |
| avoid accessing the freed old_ctx. |
| |
| Cc: stable@vger.kernel.org |
| Fixes: 5bcae31d9cb1 ("mac80211: implement multi-vif in-place reservations") |
| Signed-off-by: Johannes Berg <johannes.berg@intel.com> |
| Signed-off-by: Kalle Valo <kvalo@kernel.org> |
| Link: https://lore.kernel.org/r/20220601091926.df419d91b165.I17a9b3894ff0b8323ce2afdb153b101124c821e5@changeid |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| net/mac80211/chan.c | 7 ++----- |
| 1 file changed, 2 insertions(+), 5 deletions(-) |
| |
| --- a/net/mac80211/chan.c |
| +++ b/net/mac80211/chan.c |
| @@ -1640,12 +1640,9 @@ int ieee80211_vif_use_reserved_context(s |
| |
| if (new_ctx->replace_state == IEEE80211_CHANCTX_REPLACE_NONE) { |
| if (old_ctx) |
| - err = ieee80211_vif_use_reserved_reassign(sdata); |
| - else |
| - err = ieee80211_vif_use_reserved_assign(sdata); |
| + return ieee80211_vif_use_reserved_reassign(sdata); |
| |
| - if (err) |
| - return err; |
| + return ieee80211_vif_use_reserved_assign(sdata); |
| } |
| |
| /* |
