From: Johannes Berg johannes.berg@intel.com
When we free wdev->cqm_config when unregistering, we also need to clear out the pointer since the same wdev/netdev may get re-registered in another network namespace, then destroyed later, running this code again, which results in a double-free.
Reported-by: syzbot+36218cddfd84b5cc263e@syzkaller.appspotmail.com
Fixes: 37c20b2effe9 ("wifi: cfg80211: fix cqm_config access race")
Cc: stable@vger.kernel.org # 6.6+
Signed-off-by: Johannes Berg johannes.berg@intel.com
---
net/wireless/core.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/wireless/core.c b/net/wireless/core.c index 4c8d8f167409..d3c7b7978f00 100644 --- a/net/wireless/core.c +++ b/net/wireless/core.c @@ -1280,6 +1280,7 @@ static void _cfg80211_unregister_wdev(struct wireless_dev *wdev, /* deleted from the list, so can't be found from nl80211 any more */ cqm_config = rcu_access_pointer(wdev->cqm_config); kfree_rcu(cqm_config, rcu_head); + RCU_INIT_POINTER(wdev->cqm_config, NULL);
/* * Ensure that all events have been processed and
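Review bot: The new RCU_INIT_POINTER(wdev->cqm_config, NULL) after kfree_rcu() correctly removes the dangling pointer that the commit message says is reused on re-registration, but its use of RCU_INIT_POINTER rather than rcu_assign_pointer() relies entirely on the preceding comment ("deleted from the list, so can't be found from nl80211 any more") guaranteeing there are no concurrent readers; a one-line comment on the added line stating that the wdev is already unreachable would stop a later reader from "correcting" it to rcu_assign_pointer(). It is also worth stating in the commit message, or checking in the re-registration path, that clearing the pointer here is sufficient for the re-register-then-destroy sequence described, since the fix depends on the second _cfg80211_unregister_wdev() call observing NULL (and kfree_rcu() then having nothing to free) rather than on the registration code re-initialising the field.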