mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-09-14 06:35:12 +00:00
Code Issues Releases Wiki Activity
linux-stable/net/mac80211
History
Markus Theil 3bd801b14e mac80211: fix double free in ibss_leave 
Clear beacon ie pointer and ie length after free
in order to prevent double free.

==================================================================
BUG: KASAN: double-free or invalid-free \
in ieee80211_ibss_leave+0x83/0xe0 net/mac80211/ibss.c:1876

CPU: 0 PID: 8472 Comm: syz-executor100 Not tainted 5.11.0-rc6-syzkaller #0
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:120
 print_address_description.constprop.0.cold+0x5b/0x2c6 mm/kasan/report.c:230
 kasan_report_invalid_free+0x51/0x80 mm/kasan/report.c:355
 ____kasan_slab_free+0xcc/0xe0 mm/kasan/common.c:341
 kasan_slab_free include/linux/kasan.h:192 [inline]
 __cache_free mm/slab.c:3424 [inline]
 kfree+0xed/0x270 mm/slab.c:3760
 ieee80211_ibss_leave+0x83/0xe0 net/mac80211/ibss.c:1876
 rdev_leave_ibss net/wireless/rdev-ops.h:545 [inline]
 __cfg80211_leave_ibss+0x19a/0x4c0 net/wireless/ibss.c:212
 __cfg80211_leave+0x327/0x430 net/wireless/core.c:1172
 cfg80211_leave net/wireless/core.c:1221 [inline]
 cfg80211_netdev_notifier_call+0x9e8/0x12c0 net/wireless/core.c:1335
 notifier_call_chain+0xb5/0x200 kernel/notifier.c:83
 call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:2040
 call_netdevice_notifiers_extack net/core/dev.c:2052 [inline]
 call_netdevice_notifiers net/core/dev.c:2066 [inline]
 __dev_close_many+0xee/0x2e0 net/core/dev.c:1586
 __dev_close net/core/dev.c:1624 [inline]
 __dev_change_flags+0x2cb/0x730 net/core/dev.c:8476
 dev_change_flags+0x8a/0x160 net/core/dev.c:8549
 dev_ifsioc+0x210/0xa70 net/core/dev_ioctl.c:265
 dev_ioctl+0x1b1/0xc40 net/core/dev_ioctl.c:511
 sock_do_ioctl+0x148/0x2d0 net/socket.c:1060
 sock_ioctl+0x477/0x6a0 net/socket.c:1177
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl fs/ioctl.c:739 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Reported-by: syzbot+93976391bf299d425f44@syzkaller.appspotmail.com
Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
Link: https://lore.kernel.org/r/20210213133653.367130-1-markus.theil@tu-ilmenau.de
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2021-03-16 21:13:09 +01:00
..
aead_api.c mm, treewide: rename kzfree() to kfree_sensitive() 2020-08-07 11:33:22 -07:00
aead_api.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
aes_ccm.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
aes_cmac.c mac80211: Update BIP to support Beacon frames 2020-02-24 10:36:03 +01:00
aes_cmac.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
aes_gcm.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
aes_gmac.c mm, treewide: rename kzfree() to kfree_sensitive() 2020-08-07 11:33:22 -07:00
aes_gmac.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
agg-rx.c mac80211: use bitfield helpers for BA session action frames 2020-12-11 13:20:05 +01:00
agg-tx.c mac80211: use bitfield helpers for BA session action frames 2020-12-11 13:20:05 +01:00
airtime.c mac80211: add AQL support for VHT160 tx rates 2020-09-18 11:36:03 +02:00
cfg.c mac80211: fix rate mask reset 2021-03-16 21:13:06 +01:00
chan.c mac80211: Update rate control on channel change 2020-12-11 13:20:05 +01:00
debug.h
debugfs.c mac80211: introduce aql_enable node in debugfs 2021-01-22 09:11:37 +01:00
debugfs.h
debugfs_key.c mac80211: remove trailing semicolon in macro definitions 2020-12-11 12:51:55 +01:00
debugfs_key.h mac80211: Support BIGTK configuration for Beacon protection 2020-02-24 10:35:57 +01:00
debugfs_netdev.c mac80211: remove trailing semicolon in macro definitions 2020-12-11 12:51:55 +01:00
debugfs_netdev.h
debugfs_sta.c mac80211: add rx decapsulation offload support 2021-01-21 13:34:49 +01:00
debugfs_sta.h
driver-ops.c mac80211: fix station rate table updates on assoc 2021-02-01 15:07:09 +01:00
driver-ops.h mac80211: add rx decapsulation offload support 2021-01-21 13:34:49 +01:00
ethtool.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 432 2019-06-05 17:37:16 +02:00
fils_aead.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
fils_aead.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
he.c mac80211: reduce peer HE MCS/NSS to own capabilities 2021-01-22 09:11:28 +01:00
ht.c mac80211: Use fallthrough pseudo-keyword 2020-07-31 09:24:23 +02:00
ibss.c mac80211: fix double free in ibss_leave 2021-03-16 21:13:09 +01:00
ieee80211_i.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-01-28 17:09:31 -08:00
iface.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-01-28 17:09:31 -08:00
Kconfig ath9k: fix build error with LEDS_CLASS=m 2021-01-28 09:29:34 +02:00
key.c cfg80211: avoid holding the RTNL when calling the driver 2021-01-26 11:55:50 +01:00
key.h mac80211: Support BIGTK configuration for Beacon protection 2020-02-24 10:35:57 +01:00
led.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
led.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
main.c cfg80211: avoid holding the RTNL when calling the driver 2021-01-26 11:55:50 +01:00
Makefile mac80211: remove legacy minstrel rate control 2021-01-22 09:11:37 +01:00
mesh.c mac80211: save HE oper info in BSS config for mesh 2020-11-06 10:03:21 +01:00
mesh.h mac80211: add HE 6 GHz Band Capability element 2020-05-31 11:26:39 +02:00
mesh_hwmp.c mac80211: fix potential overflow when multiplying to u32 integers 2021-02-12 08:54:42 +01:00
mesh_pathtbl.c mac80211: mesh: fix mesh_pathtbl_init() error path 2020-12-04 17:34:25 -08:00
mesh_plink.c mac80211: fix some more kernel-doc in mesh 2020-09-28 14:36:53 +02:00
mesh_ps.c mac80211: fix some more kernel-doc in mesh 2020-09-28 14:36:53 +02:00
mesh_sync.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
michael.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
michael.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
mlme.c cfg80211/mac80211: Support disabling HE mode 2021-02-12 09:33:34 +01:00
ocb.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
offchannel.c mac80211: Inform AP when returning operating channel 2020-09-28 13:18:53 +02:00
pm.c cfg80211: avoid holding the RTNL when calling the driver 2021-01-26 11:55:50 +01:00
rate.c mac80211: fix station rate table updates on assoc 2021-02-01 15:07:09 +01:00
rate.h mac80211: populate debugfs only after cfg80211 init 2020-04-24 11:30:13 +02:00
rc80211_minstrel_ht.c mac80211: minstrel_ht: remove sample rate switching code for constrained devices 2021-02-12 08:58:22 +01:00
rc80211_minstrel_ht.h mac80211: minstrel_ht: remove sample rate switching code for constrained devices 2021-02-12 08:58:22 +01:00
rc80211_minstrel_ht_debugfs.c mac80211: minstrel_ht: show sampling rates in debugfs 2021-02-12 08:58:11 +01:00
rx.c mac80211: add rx decapsulation offload support 2021-01-21 13:34:49 +01:00
s1g.c mac80211: initialize last_rate for S1G STAs 2020-10-08 10:40:57 +02:00
scan.c mac80211: convert S1G beacon to scan results 2020-09-28 13:53:25 +02:00
spectmgmt.c mac80211: 160MHz with extended NSS BW in CSA 2021-01-21 13:39:11 +01:00
sta_info.c mac80211: free sta in sta_info_insert_finish() on errors 2020-11-13 09:48:32 +01:00
sta_info.h mac80211: add rx decapsulation offload support 2021-01-21 13:34:49 +01:00
status.c mac80211: enable QoS support for nl80211 ctrl port 2021-02-12 08:52:48 +01:00
tdls.c cfg80211: avoid holding the RTNL when calling the driver 2021-01-26 11:55:50 +01:00
tkip.c mac80211: Fix TKIP replay protection immediately after key setup 2020-01-15 09:52:12 +01:00
tkip.h Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2019-07-08 20:57:08 -07:00
trace.c
trace.h mac80211: add rx decapsulation offload support 2021-01-21 13:34:49 +01:00
trace_msg.h mac80211: Increase MAX_MSG_LEN 2019-03-29 11:20:36 +01:00
tx.c mac80211: add STBC encoding to ieee80211_parse_tx_radiotap 2021-02-12 09:04:22 +01:00
util.c cfg80211: avoid holding the RTNL when calling the driver 2021-01-26 11:55:50 +01:00
vht.c mac80211: remove NSS number of 160MHz if not support 160MHz for HE 2021-01-21 13:45:13 +01:00
wep.c mac80211: make ieee80211_wep_init() return void 2020-02-07 12:40:34 +01:00
wep.h mac80211: make ieee80211_wep_init() return void 2020-02-07 12:40:34 +01:00
wme.c mac80211: remove WDS-related code 2020-11-11 08:39:13 +01:00
wme.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
wpa.c mac80211: add IEEE80211_KEY_FLAG_GENERATE_MMIE to ieee80211_key_flags 2019-07-26 16:14:12 +02:00
wpa.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00