From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Markus Theil <markus.theil@tu-ilmenau.de>,
	syzbot+93976391bf299d425f44@syzkaller.appspotmail.com,
	Johannes Berg <johannes.berg@intel.com>,
	Sasha Levin <sashal@kernel.org>,
	linux-wireless@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.19 06/15] mac80211: fix double free in ibss_leave
Date: Mon, 29 Mar 2021 18:23:17 -0400	[thread overview]
Message-ID: <20210329222327.2383533-6-sashal@kernel.org> (raw)
In-Reply-To: <20210329222327.2383533-1-sashal@kernel.org>

From: Markus Theil <markus.theil@tu-ilmenau.de>

[ Upstream commit 3bd801b14e0c5d29eeddc7336558beb3344efaa3 ]

Clear beacon ie pointer and ie length after free
in order to prevent double free.

==================================================================
BUG: KASAN: double-free or invalid-free \
in ieee80211_ibss_leave+0x83/0xe0 net/mac80211/ibss.c:1876

CPU: 0 PID: 8472 Comm: syz-executor100 Not tainted 5.11.0-rc6-syzkaller #0
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:120
 print_address_description.constprop.0.cold+0x5b/0x2c6 mm/kasan/report.c:230
 kasan_report_invalid_free+0x51/0x80 mm/kasan/report.c:355
 ____kasan_slab_free+0xcc/0xe0 mm/kasan/common.c:341
 kasan_slab_free include/linux/kasan.h:192 [inline]
 __cache_free mm/slab.c:3424 [inline]
 kfree+0xed/0x270 mm/slab.c:3760
 ieee80211_ibss_leave+0x83/0xe0 net/mac80211/ibss.c:1876
 rdev_leave_ibss net/wireless/rdev-ops.h:545 [inline]
 __cfg80211_leave_ibss+0x19a/0x4c0 net/wireless/ibss.c:212
 __cfg80211_leave+0x327/0x430 net/wireless/core.c:1172
 cfg80211_leave net/wireless/core.c:1221 [inline]
 cfg80211_netdev_notifier_call+0x9e8/0x12c0 net/wireless/core.c:1335
 notifier_call_chain+0xb5/0x200 kernel/notifier.c:83
 call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:2040
 call_netdevice_notifiers_extack net/core/dev.c:2052 [inline]
 call_netdevice_notifiers net/core/dev.c:2066 [inline]
 __dev_close_many+0xee/0x2e0 net/core/dev.c:1586
 __dev_close net/core/dev.c:1624 [inline]
 __dev_change_flags+0x2cb/0x730 net/core/dev.c:8476
 dev_change_flags+0x8a/0x160 net/core/dev.c:8549
 dev_ifsioc+0x210/0xa70 net/core/dev_ioctl.c:265
 dev_ioctl+0x1b1/0xc40 net/core/dev_ioctl.c:511
 sock_do_ioctl+0x148/0x2d0 net/socket.c:1060
 sock_ioctl+0x477/0x6a0 net/socket.c:1177
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl fs/ioctl.c:739 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Reported-by: syzbot+93976391bf299d425f44@syzkaller.appspotmail.com
Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
Link: https://lore.kernel.org/r/20210213133653.367130-1-markus.theil@tu-ilmenau.de
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/mac80211/ibss.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
index f0f5fedb8caa..fa13eef25f2c 100644
--- a/net/mac80211/ibss.c
+++ b/net/mac80211/ibss.c
@@ -1861,6 +1861,8 @@ int ieee80211_ibss_leave(struct ieee80211_sub_if_data *sdata)
 
 	/* remove beacon */
 	kfree(sdata->u.ibss.ie);
+	sdata->u.ibss.ie = NULL;
+	sdata->u.ibss.ie_len = 0;
 
 	/* on the next join, re-program HT parameters */
 	memset(&ifibss->ht_capa, 0, sizeof(ifibss->ht_capa));
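Review bot: the two added lines are the right fix, but for consistency with the surrounding code they could use the local alias that the very next statement already uses (`ifibss->ht_capa`), i.e. `ifibss->ie = NULL;` and `ifibss->ie_len = 0;` rather than spelling out `sdata->u.ibss.` twice. On the logic: clearing only the pointer would already make a repeated call to ieee80211_ibss_leave() safe, since kfree(NULL) is a no-op, but resetting `ie_len` alongside it is what keeps the (ie, ie_len) pair self-consistent for any reader that trusts the length without checking the pointer, so both lines belong together.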
-- 
2.30.1

