Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp1769932ybl; Sat, 11 Jan 2020 02:27:50 -0800 (PST) X-Google-Smtp-Source: APXvYqyCnEva3eM5u8hVN1HlYfymswRAihU9c+W4Ii0TCTOJHyvdgm2pAF9vagVGgJnUJCzTKk5/ X-Received: by 2002:aca:570d:: with SMTP id l13mr5600928oib.146.1578738470362; Sat, 11 Jan 2020 02:27:50 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1578738470; cv=none; d=google.com; s=arc-20160816; b=d275ztdM1d8usCAg0e0+zScl0rZ+yhfVULgxaYfvxGj05pe7TbltNgyOC/K62xt/6w 2HMBypZiR97fRWAvdIkfmlqhFMliC6GJ1olkucAndOBNRxbGt8OvjZ7k8bmzM2FDeOBq kQjGpcgT8iDxzgy9AniWd1HqG91EZtf4iVWzsCJCN/xdlKtXkEXjrmwFy9WtRzgbL/i0 UvpuRl6W+xKpkcalJFqKLJG5bwLZwhLV+5nGxcpISQGZCr6tKaSEXwiSSrvNlo3qbpON TiGLnGqwaET33i/Hpyk5Vkyh9V4h3vKDzFs/htz4UZv47+qsYtZmRpY6NfZAN8h9N7Iv Y2sA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=sTN+vGmOym655rrkCoM06aHARx5FcxIVwIlFCErp7RU=; b=dEqHRAzcjh1I3qvG5NzX+BwawpgIB1eXgcT2oxx6V/RlqR6Hd0RQG/CC2Vcq5obl1Y l6k96H5jfVPSVKidQqXl46X9BYRAI4EELg+PxBcQTI8Xpn+zQf/fGBmZIUpTNBL5y20Q 2dGj9RYsdA6/dL94pohLLuygliXO0zUjnhan8To5uQNBdNjJvuo5aW1VgLf0A0bsCQ9Q Ah5H+rqPWjlEa3/s1s+z4ThqWrU8TdWsJzB74fWUnJGpWlCsz1NIkq1rJRGxYZx4VfHg QNpkJZmEJZJMY2Jo5C2hcHlelKVHVVv+wI5zMY7BhUmDwA49ZpWnCMW4FYeblLMsLYre Igdg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=aecLYT+K; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id q17si4475139otr.219.2020.01.11.02.27.38; Sat, 11 Jan 2020 02:27:50 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=aecLYT+K; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731121AbgAKK0q (ORCPT + 99 others); Sat, 11 Jan 2020 05:26:46 -0500 Received: from mail.kernel.org ([198.145.29.99]:59802 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730771AbgAKK0p (ORCPT ); Sat, 11 Jan 2020 05:26:45 -0500 Received: from localhost (unknown [62.119.166.9]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id F0F762082E; Sat, 11 Jan 2020 10:26:43 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1578738404; bh=wBvesqRv6+JFHdNYD/+gWe4AyEM41kdiYVzP5Y+yzNw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=aecLYT+K9yU/9r/8UTY65TuFeotjhetZvQZqmOKofUOlrS7oLAMC0MMlcaJ/DaJQv xkqFj+uenVgrALYOrCAGLYT5H29MXMQeNvuwwdCALCemAFUUQFY2n+ngGdN89D43xD IbVxkwr1Cn1Ew7k/voD24gUDNKeWM7GJ8Ccmqp4o= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, =?UTF-8?q?Stefan=20B=C3=BChler?= , Johannes Berg , Sasha Levin Subject: [PATCH 5.4 070/165] cfg80211: fix double-free after changing network namespace Date: Sat, 11 Jan 2020 10:49:49 +0100 Message-Id: <20200111094927.003403037@linuxfoundation.org> X-Mailer: git-send-email 2.24.1 In-Reply-To: <20200111094921.347491861@linuxfoundation.org> References: <20200111094921.347491861@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Stefan Bühler [ Upstream commit 56cb31e185adb61f930743a9b70e700a43625386 ] If wdev->wext.keys was initialized it didn't get reset to NULL on unregister (and it doesn't get set in cfg80211_init_wdev either), but wdev is reused if unregister was triggered through cfg80211_switch_netns. The next unregister (for whatever reason) will try to free wdev->wext.keys again. Signed-off-by: Stefan Bühler Link: https://lore.kernel.org/r/20191126100543.782023-1-stefan.buehler@tik.uni-stuttgart.de Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin --- net/wireless/core.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/wireless/core.c b/net/wireless/core.c index 350513744575..3e25229a059d 100644 --- a/net/wireless/core.c +++ b/net/wireless/core.c @@ -1102,6 +1102,7 @@ static void __cfg80211_unregister_wdev(struct wireless_dev *wdev, bool sync) #ifdef CONFIG_CFG80211_WEXT kzfree(wdev->wext.keys); + wdev->wext.keys = NULL; #endif /* only initialized if we have a netdev */ if (wdev->netdev) -- 2.20.1