git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Johannes Berg <johannes.berg@intel.com>
	Thu, 21 Jan 2021 16:16:22 +0000 (17:16 +0100)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 3 Feb 2021 22:25:56 +0000 (23:25 +0100)
commit	8aba60ebcfc3b55307efc538fc9ee29f0ac63d39
tree	0d83a4d9c586a3d903f8596f1f3e864b265ff0d9	tree \| snapshot
parent	720032d3dc84f26c966cee3dccd5791ab561db93	commit \| diff

wext: fix NULL-ptr-dereference with cfg80211's lack of commit()

commit 5122565188bae59d507d90a9a9fd2fd6107f4439 upstream.

Since cfg80211 doesn't implement commit, we never really cared about
that code there (and it's configured out w/o CONFIG_WIRELESS_EXT).
After all, since it has no commit, it shouldn't return -EIWCOMMIT to
indicate commit is needed.

However, EIWCOMMIT is actually an alias for EINPROGRESS, which _can_
happen if e.g. we try to change the frequency but we're already in
the process of connecting to some network, and drivers could return
that value (or even cfg80211 itself might).

This then causes us to crash because dev->wireless_handlers is NULL
but we try to check dev->wireless_handlers->standard[0].

Fix this by also checking dev->wireless_handlers. Also simplify the
code a little bit.

Cc: stable@vger.kernel.org
Reported-by: syzbot+444248c79e117bc99f46@syzkaller.appspotmail.com
Reported-by: syzbot+8b2a88a09653d4084179@syzkaller.appspotmail.com
Link: https://lore.kernel.org/r/20210121171621.2076e4a37d5a.I5d9c72220fe7bb133fb718751da0180a57ecba4e@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>