wifi: cfg80211: clear wdev->cqm_config pointer on free

When we free wdev->cqm_config when unregistering, we also
need to clear out the pointer since the same wdev/netdev
may get re-registered in another network namespace, then
destroyed later, running this code again, which results in
a double-free.

Reported-by: syzbot+36218cddfd84b5cc263e@syzkaller.appspotmail.com
Fixes: 37c20b2effe9 ("wifi: cfg80211: fix cqm_config access race")
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20241022161742.7c34b2037726.I121b9cdb7eb180802eafc90b493522950d57ee18@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

diff --git a/net/wireless/core.c b/net/wireless/core.c
index 8331064de9dd99824b255f7927b5d4b46084f318..74ca18833df172a1f911a6ef9c62c7685ac36c8a 100644 (file)
--- a/net/wireless/core.c
+++ b/net/wireless/core.c
@@ -1236,6 +1236,7 @@ static void _cfg80211_unregister_wdev(struct wireless_dev *wdev,
        /* deleted from the list, so can't be found from nl80211 any more */
        cqm_config = rcu_access_pointer(wdev->cqm_config);
        kfree_rcu(cqm_config, rcu_head);
+       RCU_INIT_POINTER(wdev->cqm_config, NULL);
 
        /*
         * Ensure that all events have been processed and