Received: by 2002:a05:7412:e794:b0:fa:551:50a7 with SMTP id o20csp1757616rdd; Thu, 11 Jan 2024 08:23:26 -0800 (PST) X-Google-Smtp-Source: AGHT+IEONTHVNp3swjcck9Bi4lXVDqdgB8KSmj2IHnxjlStcYvn8SYG9bDfQq4jpWotZNiVy8dPB X-Received: by 2002:aa7:87c2:0:b0:6da:16ec:8afb with SMTP id i2-20020aa787c2000000b006da16ec8afbmr1202199pfo.69.1704990206486; Thu, 11 Jan 2024 08:23:26 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1704990206; cv=none; d=google.com; s=arc-20160816; b=DI0H1IHy50lrSpV76KkeOfbdHU3PfpAmIGwuSuUIEpL1buJtuv3MMJ/L3P4OWu2Zek 7JzbbDCSdggCds4oxh48xz4LViPcCKr2X3j5x4ZRaiOik37rNn7h8endPRMqmTCBtLTY IoyoW6umARVEGKG0/AosowsQ7kADNccfQo4827HZZjQIsxuKlU7XtSP4cd0cbbyU8GrW PJTjfDQnidi1IN37gNr3oBGrdJZ6J115CZio2yaD8Egu3ayw7RsbhpqR+8jpUoEzYyQz 6tOrxdP7FVKwlHBDhuPRzmhxbMrt6h39XS98Ym7UJiRjHO/PD1tj3pkiwRxt1m7/JyAu 0Uyw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:organization:mime-version :list-unsubscribe:list-subscribe:list-id:precedence:references :in-reply-to:message-id:date:subject:cc:to:from:dkim-signature; bh=wEy0dmLOZNaaHXBCMiyGcwtttNi6pkgKOiuh3YpCik4=; fh=W7WWd98FKWwNTG4GfeA8islnbj+61DpxCUk/wDjciL0=; b=Nwwsif2q/LjOOih0F0Xd++UUty8ybQD8Oh6WmMmTO+a+6RMXoRXC8ypYNsfQj1aP9Q o4tAuyB6ZepmsM0H8LUCjBk4NohjNcifKzFyEqIXIfAAilXxjXDCwIi2BKEGYqA1aRbP /k27XFTfSSntNusVgFLK9QNR0i211TO8d3wgTgqO89Lae6MHB0AUI/03V5PalsIdr7H5 4yGTp9VljWFBmnkbf0u0eZiFZ2X4W949AkKNRiod29xDPRpJKgfQ4paJD35YE2vuF4Dz qwqabzX7EvmheVSGcKZdr+37GfuH68pei+KcomOJYg3fTjFwKMLjKreospwyckHBvPRr xP4w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b=GR5dz+4H; spf=pass (google.com: domain of linux-wireless+bounces-1732-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-wireless+bounces-1732-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [147.75.48.161]) by mx.google.com with ESMTPS id fi12-20020a056a00398c00b006cb75e1d713si1336615pfb.193.2024.01.11.08.23.25 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 11 Jan 2024 08:23:26 -0800 (PST) Received-SPF: pass (google.com: domain of linux-wireless+bounces-1732-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) client-ip=147.75.48.161; Authentication-Results: mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b=GR5dz+4H; spf=pass (google.com: domain of linux-wireless+bounces-1732-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-wireless+bounces-1732-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id 227D8B266BC for ; Thu, 11 Jan 2024 16:21:08 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id CD09755C31; Thu, 11 Jan 2024 16:18:42 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b="GR5dz+4H" X-Original-To: linux-wireless@vger.kernel.org Received: from mgamail.intel.com (mgamail.intel.com [134.134.136.31]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5A42E55C2A for ; Thu, 11 Jan 2024 16:18:41 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=intel.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=intel.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1704989921; x=1736525921; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=UOHWsntpoU9zApr29jEX5Dksh8ill5Tk3Aoh3z093A8=; b=GR5dz+4HSQ/uQyrtfr5qHrZ/5K+FukCWSkOewu2YO1EZiHsXe64ICxNx 8ekgFRJ8Q44Le4o2uYS5eNaD6qqWKHxFzv5xpO7OW9IKY1oj/xT2A+gHa 4xEK6MKjXfw26nuRVm45ja+SjJ6qIseywFakIVp1qNYUk+GeIE+JfmwPO 9xO5jN9vwCywTcz2pcyYcDGM4xejFVdsKR294aGPEwO7pwOmATS3BO4Aj xIFvQvr0ngkoG8V/DTt7C+JDJNOwCiFM9NaCyl+S4KJXiJIoV4xbDn5rp JFabWusY7Bx/ByNckm5Z+qwz/7IMLlzKAlfqirwwGru+IlvRw96YyBv+9 Q==; X-IronPort-AV: E=McAfee;i="6600,9927,10950"; a="463182610" X-IronPort-AV: E=Sophos;i="6.04,186,1695711600"; d="scan'208";a="463182610" Received: from fmsmga006.fm.intel.com ([10.253.24.20]) by orsmga104.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 11 Jan 2024 08:18:40 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6600,9927,10950"; a="1029606725" X-IronPort-AV: E=Sophos;i="6.04,186,1695711600"; d="scan'208";a="1029606725" Received: from unknown (HELO WEIS0040.iil.intel.com) ([10.12.217.108]) by fmsmga006-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 11 Jan 2024 08:18:38 -0800 From: Miri Korenblit To: johannes@sipsolutions.net Cc: linux-wireless@vger.kernel.org, Johannes Berg , Ilan Peer Subject: [PATCH 6/8] wifi: mac80211: fix potential sta-link leak Date: Thu, 11 Jan 2024 18:17:44 +0200 Message-Id: <20240111181514.6573998beaf8.I09ac2e1d41c80f82a5a616b8bd1d9d8dd709a6a6@changeid> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240111161746.3978601-1-miriam.rachel.korenblit@intel.com> References: <20240111161746.3978601-1-miriam.rachel.korenblit@intel.com> Precedence: bulk X-Mailing-List: linux-wireless@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Organization: Intel Israel (74) Limited Content-Transfer-Encoding: 8bit From: Johannes Berg When a station is allocated, links are added but not set to valid yet (e.g. during connection to an AP MLD), we might remove the station without ever marking links valid, and leak them. Fix that. Fixes: cb71f1d136a6 ("wifi: mac80211: add sta link addition/removal") Signed-off-by: Johannes Berg Reviewed-by: Ilan Peer Signed-off-by: Miri Korenblit --- net/mac80211/sta_info.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c index bf1adcd96b41..92a7ba7c9c9d 100644 --- a/net/mac80211/sta_info.c +++ b/net/mac80211/sta_info.c @@ -404,7 +404,10 @@ void sta_info_free(struct ieee80211_local *local, struct sta_info *sta) int i; for (i = 0; i < ARRAY_SIZE(sta->link); i++) { - if (!(sta->sta.valid_links & BIT(i))) + struct link_sta_info *link_sta; + + link_sta = rcu_access_pointer(sta->link[i]); + if (!link_sta) continue; sta_remove_link(sta, i, false); -- 2.34.1