From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
syzbot+93976391bf299d425f44@syzkaller.appspotmail.com,
Markus Theil <markus.theil@tu-ilmenau.de>,
Johannes Berg <johannes.berg@intel.com>
Subject: [PATCH 4.4 33/33] mac80211: fix double free in ibss_leave
Date: Mon, 29 Mar 2021 09:58:18 +0200
Message-ID: <20210329075606.323271418@linuxfoundation.org>
In-Reply-To: <20210329075605.290845195@linuxfoundation.org>
From: Markus Theil <markus.theil@tu-ilmenau.de>
commit 3bd801b14e0c5d29eeddc7336558beb3344efaa3 upstream.
Clear beacon ie pointer and ie length after free
in order to prevent double free.
==================================================================
BUG: KASAN: double-free or invalid-free \
in ieee80211_ibss_leave+0x83/0xe0 net/mac80211/ibss.c:1876
CPU: 0 PID: 8472 Comm: syz-executor100 Not tainted 5.11.0-rc6-syzkaller #0
Call Trace:
__dump_stack lib/dump_stack.c:79 [inline]
dump_stack+0x107/0x163 lib/dump_stack.c:120
print_address_description.constprop.0.cold+0x5b/0x2c6 mm/kasan/report.c:230
kasan_report_invalid_free+0x51/0x80 mm/kasan/report.c:355
____kasan_slab_free+0xcc/0xe0 mm/kasan/common.c:341
kasan_slab_free include/linux/kasan.h:192 [inline]
__cache_free mm/slab.c:3424 [inline]
kfree+0xed/0x270 mm/slab.c:3760
ieee80211_ibss_leave+0x83/0xe0 net/mac80211/ibss.c:1876
rdev_leave_ibss net/wireless/rdev-ops.h:545 [inline]
__cfg80211_leave_ibss+0x19a/0x4c0 net/wireless/ibss.c:212
__cfg80211_leave+0x327/0x430 net/wireless/core.c:1172
cfg80211_leave net/wireless/core.c:1221 [inline]
cfg80211_netdev_notifier_call+0x9e8/0x12c0 net/wireless/core.c:1335
notifier_call_chain+0xb5/0x200 kernel/notifier.c:83
call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:2040
call_netdevice_notifiers_extack net/core/dev.c:2052 [inline]
call_netdevice_notifiers net/core/dev.c:2066 [inline]
__dev_close_many+0xee/0x2e0 net/core/dev.c:1586
__dev_close net/core/dev.c:1624 [inline]
__dev_change_flags+0x2cb/0x730 net/core/dev.c:8476
dev_change_flags+0x8a/0x160 net/core/dev.c:8549
dev_ifsioc+0x210/0xa70 net/core/dev_ioctl.c:265
dev_ioctl+0x1b1/0xc40 net/core/dev_ioctl.c:511
sock_do_ioctl+0x148/0x2d0 net/socket.c:1060
sock_ioctl+0x477/0x6a0 net/socket.c:1177
vfs_ioctl fs/ioctl.c:48 [inline]
__do_sys_ioctl fs/ioctl.c:753 [inline]
__se_sys_ioctl fs/ioctl.c:739 [inline]
__x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Reported-by: syzbot+93976391bf299d425f44@syzkaller.appspotmail.com
Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
Link: https://lore.kernel.org/r/20210213133653.367130-1-markus.theil@tu-ilmenau.de
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mac80211/ibss.c | 2 ++
1 file changed, 2 insertions(+)
--- a/net/mac80211/ibss.c
+++ b/net/mac80211/ibss.c
@@ -1860,6 +1860,8 @@ int ieee80211_ibss_leave(struct ieee8021
/* remove beacon */
kfree(sdata->u.ibss.ie);
+ sdata->u.ibss.ie = NULL;
+ sdata->u.ibss.ie_len = 0;
/* on the next join, re-program HT parameters */
memset(&ifibss->ht_capa, 0, sizeof(ifibss->ht_capa));
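Review bot: the two added lines reach the field through sdata->u.ibss, while the memset() on the very next context line uses ifibss->ht_capa; if ifibss is the local alias of &sdata->u.ibss, as that memset suggests, writing `ifibss->ie = NULL;` and `ifibss->ie_len = 0;` would read consistently with the surrounding code. Resetting both fields together is the right call: clearing only the pointer would leave a stale ie_len that a later reader could trust, and the KASAN trace shows the second leave arriving through cfg80211_netdev_notifier_call on interface close, so ieee80211_ibss_leave() has to be safe to run after an earlier leave already freed the buffer.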
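The ownership rule the patch restores, as an added user-space model written for this page (it is not kernel code and not from the patch or its author; the struct and the ibss_join/ibss_leave/ibss_has_ie names are hypothetical): leave() must be idempotent because the netdev-close notifier can call it after an explicit leave, so the free is followed by resetting the pointer and the length together.

```c
/* Added example: model of the beacon-ie ownership fixed by this patch.
 * join() copies the ies, leave() releases them; a second leave() (the
 * netdev-close path in the KASAN report) must be harmless. */
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

struct ibss_state {              /* hypothetical stand-in for u.ibss */
    unsigned char *ie;           /* owned buffer, NULL when absent */
    size_t ie_len;               /* must be 0 whenever ie is NULL */
};

/* Copies the ies into the state; 0 on success, -1 on allocation failure. */
int ibss_join(struct ibss_state *st, const unsigned char *ies, size_t len)
{
    unsigned char *copy = malloc(len ? len : 1);
    if (!copy)
        return -1;
    memcpy(copy, ies, len);
    free(st->ie);                /* drop a previous beacon, if any */
    st->ie = copy;
    st->ie_len = len;
    return 0;
}

/* Releases the ies. Returns 1 if a buffer was freed, 0 if the state was
 * already clear. free(NULL) is a no-op, and the reset of pointer AND
 * length is what makes the second call safe, as the patched kfree() path. */
int ibss_leave(struct ibss_state *st)
{
    int freed = st->ie != NULL;
    free(st->ie);
    st->ie = NULL;               /* the patch's addition: no dangling pointer */
    st->ie_len = 0;              /* keep the length consistent with the pointer */
    return freed;
}

/* A reader that trusts ie_len: walks 802.11 TLVs (id, len, body) and
 * reports whether element `tag` is present. With a stale ie_len and a
 * NULL ie it would dereference NULL, hence both fields are reset together. */
int ibss_has_ie(const struct ibss_state *st, unsigned char tag)
{
    size_t i = 0;
    while (i + 2 <= st->ie_len) {
        unsigned char len = st->ie[i + 1];
        if (st->ie[i] == tag)
            return 1;
        i += 2 + len;
    }
    return 0;
}
```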
Thread: [PATCH 4.4 00/33] 4.4.264-rc1 review (Greg Kroah-Hartman, 2021-03-29 7:57)