
Commit 9a44b5e

Sarika Sharma authored and jmberg-intel committed
wifi: cfg80211: fix double free for link_sinfo in nl80211_station_dump()

Currently, the link_sinfo structure is being freed twice in nl80211_dump_station(), once after the send_station() call and again in the error handling path. This results in a double free of both link_sinfo and link_sinfo->pertid, which might lead to undefined behavior or kernel crashes. Hence, fix by ensuring cfg80211_sinfo_release_content() is only invoked once during execution of nl80211_station_dump().

Fixes: 49e4722 ("wifi: cfg80211: allocate memory for link_station info structure")
Reported-by: Dan Carpenter <[email protected]>
Closes: https://lore.kernel.org/all/[email protected]/
Reported-by: [email protected]
Closes: https://lore.kernel.org/all/[email protected]
Signed-off-by: Sarika Sharma <[email protected]>
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Johannes Berg <[email protected]>
1 parent e9a896d commit 9a44b5e

File tree

1 file changed

+9
-1
lines changed


net/wireless/nl80211.c

Lines changed: 9 additions & 1 deletion
@@ -7451,6 +7451,7 @@ static int nl80211_dump_station(struct sk_buff *skb,
74517451
struct wireless_dev *wdev;
74527452
u8 mac_addr[ETH_ALEN];
74537453
int sta_idx = cb->args[2];
7454+
bool sinfo_alloc = false;
74547455
int err, i;
74557456

74567457
err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
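Review bot: the new `sinfo_alloc` flag is initialised to `false` at its declaration, which is required here because any error path that jumps to `out_err` before the allocation block is reached (the `nl80211_prepare_wdev_dump()` call directly below is the first candidate) would otherwise test an indeterminate value in the guarded release. A short comment on the declaration, e.g. `/* sinfo holds allocated content not yet handed to nl80211_send_station() */`, would state the ownership rule where readers first meet the flag instead of leaving it to be inferred from the later hunks.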
@@ -7479,6 +7480,7 @@ static int nl80211_dump_station(struct sk_buff *skb,
74797480
err = -ENOMEM;
74807481
goto out_err;
74817482
}
7483+
sinfo_alloc = true;
74827484
}
74837485

74847486
err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
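Review bot: `sinfo_alloc = true` is set only on the success side of the `-ENOMEM` check, so a failed allocation leaves the flag clear and `out_err` skips the release, which is the intended behaviour for nothing-allocated. If the block that this closing `}` belongs to allocates more than one object (the commit message names both `link_sinfo` and `link_sinfo->pertid`), please confirm that a failure of a later allocation frees what the earlier ones already obtained before the `goto out_err`, since the flag does not cover that partially populated state and the guarded release would not run.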
@@ -7491,6 +7493,11 @@ static int nl80211_dump_station(struct sk_buff *skb,
74917493
if (sinfo.valid_links)
74927494
cfg80211_sta_set_mld_sinfo(&sinfo);
74937495

7496+
/* reset the sinfo_alloc flag as nl80211_send_station()
7497+
* always releases sinfo
7498+
*/
7499+
sinfo_alloc = false;
7500+
74947501
if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
74957502
NETLINK_CB(cb->skb).portid,
74967503
cb->nlh->nlmsg_seq, NLM_F_MULTI,
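Review bot: the flag is cleared before `nl80211_send_station()` is called rather than after it returns, so the fix is correct only if that function releases `sinfo` on every return path, error returns included; the added comment says "always releases sinfo", and it would be worth making that explicit as "on both success and error returns" so that a future early-return added to the send path is recognised as a leak rather than assumed to be covered by `out_err`. Clearing the flag up front is the right choice given that contract, because clearing it after the call would leave a window where an error return re-enters `out_err` with the flag still set and reintroduces the double free.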
@@ -7505,7 +7512,8 @@ static int nl80211_dump_station(struct sk_buff *skb,
75057512
cb->args[2] = sta_idx;
75067513
err = skb->len;
75077514
out_err:
7508-
cfg80211_sinfo_release_content(&sinfo);
7515+
if (sinfo_alloc)
7516+
cfg80211_sinfo_release_content(&sinfo);
75097517
wiphy_unlock(&rdev->wiphy);
75107518

75117519
return err;
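Review bot: the `if (sinfo_alloc)` guard at `out_err` is the change that removes the double free; together with the reset before `nl80211_send_station()`, the label now releases only content that was allocated but never passed to the send function, and the normal fall-through after `err = skb->len` releases nothing. An alternative worth considering, since the same pattern may exist in other callers, is having `cfg80211_sinfo_release_content()` NULL the pointers it frees so that a second call is harmless and no per-caller flag is needed.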
