From: Miri Korenblit
To: johannes@sipsolutions.net
Cc: linux-wireless@vger.kernel.org, Benjamin Berg, Berg@web.codeaurora.org, Johannes
Subject: [PATCH 10/15] wifi: cfg80211: avoid double free if updating BSS fails
Date: Wed, 20 Dec 2023 04:37:58 +0200
Message-Id: <20231220043149.75909b8ca56c.Id09c5145363e990ff5237decd58296302e2d53c8@changeid>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20231220023803.2901117-1-miriam.rachel.korenblit@intel.com>
References: <20231220023803.2901117-1-miriam.rachel.korenblit@intel.com>
Organization: Intel Israel (74) Limited

From: Benjamin Berg

cfg80211_update_known_bss will always consume the passed IEs. As such, cfg80211_update_assoc_bss_entry also needs to always set the pointers to NULL so that no double free can occur.

Note that hitting this would probably require being connected to a hidden BSS which is then doing a channel switch while also switching to be not hidden anymore at the same time.

Signed-off-by: Benjamin Berg
Reviewed-by: Berg, Johannes
Signed-off-by: Miri Korenblit

--- net/wireless/scan.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/net/wireless/scan.c b/net/wireless/scan.c index f7fd7ea0e935..cf2131671eb6 100644 --- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -3194,10 +3194,9 @@ void cfg80211_update_assoc_bss_entry(struct wireless_dev *wdev, if (new) { /* to save time, update IEs for transmitting bss only */ - if (cfg80211_update_known_bss(rdev, cbss, new, false)) { - new->pub.proberesp_ies = NULL; - new->pub.beacon_ies = NULL; - } + cfg80211_update_known_bss(rdev, cbss, new, false); + new->pub.proberesp_ies = NULL; + new->pub.beacon_ies = NULL; list_for_each_entry_safe(nontrans_bss, tmp, &new->pub.nontrans_list, -- 2.34.1
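
Review bot: The now unconditional `new->pub.proberesp_ies = NULL;` and `new->pub.beacon_ies = NULL;` after the `cfg80211_update_known_bss(rdev, cbss, new, false);` call depend on an ownership rule (the callee consumes the IEs whether or not it succeeds) that is stated only in the commit message, while the one comment in the block still reads "to save time, update IEs for transmitting bss only". A short comment above the call saying that the IEs are consumed on both success and failure would keep a later cleanup from restoring the `if (...)` guard and bringing the double free back. The return value is also dropped silently now; if failure needs no handling at this call site, the same comment should say so. As this fixes a memory-safety bug, a Fixes: tag naming the commit that introduced the conditional clearing would help stable backports.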