nl80211 requires NL80211_CMD_ABORT_SCAN to have a wdev or netdev attribute present and checks that if netdev is provided it is UP. However, mac80211 does not check that an ongoing scan actually belongs to the netdev/wdev provided by the user. In other words, it is possible for an application to cancel scans on an interface it doesn't manage.
Signed-off-by: Denis Kenzior denkenz@gmail.com Cc: stable@vger.kernel.org --- net/mac80211/cfg.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c index 70739e746c13..ece344f9e9ca 100644 --- a/net/mac80211/cfg.c +++ b/net/mac80211/cfg.c @@ -2333,7 +2333,13 @@ static int ieee80211_scan(struct wiphy *wiphy,
static void ieee80211_abort_scan(struct wiphy *wiphy, struct wireless_dev *wdev) { - ieee80211_scan_cancel(wiphy_priv(wiphy)); + struct ieee80211_local *local = wiphy_priv(wiphy); + struct ieee80211_sub_if_data *sdata = + IEEE80211_WDEV_TO_SUB_IF(wdev); + bool cancel_scan = rcu_access_pointer(local->scan_sdata) == sdata; + + if (cancel_scan) + ieee80211_scan_cancel(local); }
static int