From: Johannes Berg Date: Tue, 22 Oct 2024 14:17:42 +0000 (+0200) Subject: wifi: cfg80211: clear wdev->cqm_config pointer on free X-Git-Tag: v6.12-rc6~33^2~6^2~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d5fee261dfd9e17b08b1df8471ac5d5736070917;p=thirdparty%2Fkernel%2Flinux.git wifi: cfg80211: clear wdev->cqm_config pointer on free When we free wdev->cqm_config when unregistering, we also need to clear out the pointer since the same wdev/netdev may get re-registered in another network namespace, then destroyed later, running this code again, which results in a double-free. Reported-by: syzbot+36218cddfd84b5cc263e@syzkaller.appspotmail.com Fixes: 37c20b2effe9 ("wifi: cfg80211: fix cqm_config access race") Cc: stable@vger.kernel.org Link: https://patch.msgid.link/20241022161742.7c34b2037726.I121b9cdb7eb180802eafc90b493522950d57ee18@changeid Signed-off-by: Johannes Berg --- diff --git a/net/wireless/core.c b/net/wireless/core.c index 8331064de9dd9..74ca18833df17 100644 --- a/net/wireless/core.c +++ b/net/wireless/core.c @@ -1236,6 +1236,7 @@ static void _cfg80211_unregister_wdev(struct wireless_dev *wdev, /* deleted from the list, so can't be found from nl80211 any more */ cqm_config = rcu_access_pointer(wdev->cqm_config); kfree_rcu(cqm_config, rcu_head); + RCU_INIT_POINTER(wdev->cqm_config, NULL); /* * Ensure that all events have been processed and
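Review bot: the new `RCU_INIT_POINTER(wdev->cqm_config, NULL);` placed directly after `kfree_rcu(cqm_config, rcu_head);` is the right primitive for this spot, since the comment just above it states the wdev has already been removed from the list and cannot be found from nl80211, so there are no concurrent readers to publish to and a NULL store does not need the rcu_assign_pointer() barrier. Because the fix relies on the second unregister pass (after the wdev is re-registered in another namespace and torn down again, as the commit message describes) reading NULL here and kfree_rcu() having nothing to free, a one-line comment next to the new line explaining why the pointer is cleared would make that dependency visible to the next reader without a trip to the git log.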