linux

iv/linux

History

Markus Theil 92b9e3deff mac80211: fix double free in ibss_leave

commit 3bd801b14e0c5d29eeddc7336558beb3344efaa3 upstream.

Clear beacon ie pointer and ie length after free
in order to prevent double free.

==================================================================
BUG: KASAN: double-free or invalid-free \
in ieee80211_ibss_leave+0x83/0xe0 net/mac80211/ibss.c:1876

CPU: 0 PID: 8472 Comm: syz-executor100 Not tainted 5.11.0-rc6-syzkaller #0
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:120
 print_address_description.constprop.0.cold+0x5b/0x2c6 mm/kasan/report.c:230
 kasan_report_invalid_free+0x51/0x80 mm/kasan/report.c:355
 ____kasan_slab_free+0xcc/0xe0 mm/kasan/common.c:341
 kasan_slab_free include/linux/kasan.h:192 [inline]
 __cache_free mm/slab.c:3424 [inline]
 kfree+0xed/0x270 mm/slab.c:3760
 ieee80211_ibss_leave+0x83/0xe0 net/mac80211/ibss.c:1876
 rdev_leave_ibss net/wireless/rdev-ops.h:545 [inline]
 __cfg80211_leave_ibss+0x19a/0x4c0 net/wireless/ibss.c:212
 __cfg80211_leave+0x327/0x430 net/wireless/core.c:1172
 cfg80211_leave net/wireless/core.c:1221 [inline]
 cfg80211_netdev_notifier_call+0x9e8/0x12c0 net/wireless/core.c:1335
 notifier_call_chain+0xb5/0x200 kernel/notifier.c:83
 call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:2040
 call_netdevice_notifiers_extack net/core/dev.c:2052 [inline]
 call_netdevice_notifiers net/core/dev.c:2066 [inline]
 __dev_close_many+0xee/0x2e0 net/core/dev.c:1586
 __dev_close net/core/dev.c:1624 [inline]
 __dev_change_flags+0x2cb/0x730 net/core/dev.c:8476
 dev_change_flags+0x8a/0x160 net/core/dev.c:8549
 dev_ifsioc+0x210/0xa70 net/core/dev_ioctl.c:265
 dev_ioctl+0x1b1/0xc40 net/core/dev_ioctl.c:511
 sock_do_ioctl+0x148/0x2d0 net/socket.c:1060
 sock_ioctl+0x477/0x6a0 net/socket.c:1177
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl fs/ioctl.c:739 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Reported-by: syzbot+93976391bf299d425f44@syzkaller.appspotmail.com
Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
Link: https://lore.kernel.org/r/20210213133653.367130-1-markus.theil@tu-ilmenau.de
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

2021-03-30 14:35:29 +02:00

aead_api.c

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500

2019-06-19 17:09:55 +02:00

aead_api.h

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500

2019-06-19 17:09:55 +02:00

aes_ccm.h

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500

2019-06-19 17:09:55 +02:00

aes_cmac.c

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500

2019-06-19 17:09:55 +02:00

aes_cmac.h

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500

2019-06-19 17:09:55 +02:00

aes_gcm.h

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500

2019-06-19 17:09:55 +02:00

aes_gmac.c

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500

2019-06-19 17:09:55 +02:00

aes_gmac.h

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500

2019-06-19 17:09:55 +02:00

agg-rx.c

mac80211: add missing null return check from call to ieee80211_get_sband

2019-07-31 10:51:17 +02:00

agg-tx.c

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500

2019-06-19 17:09:55 +02:00

cfg.c

mac80211: fix rate mask reset

2021-03-30 14:35:26 +02:00

chan.c

treewide: Add SPDX license identifier for missed files

2019-05-21 10:50:45 +02:00

debug.h

License cleanup: add SPDX GPL-2.0 license identifier to files with no license

2017-11-02 11:10:55 +01:00

debugfs_key.c

Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

2019-06-22 08:59:24 -04:00

debugfs_key.h

License cleanup: add SPDX GPL-2.0 license identifier to files with no license

2017-11-02 11:10:55 +01:00

debugfs_netdev.c

mac80211: fix txq null pointer dereference

2019-10-01 17:56:19 +02:00

debugfs_netdev.h

License cleanup: add SPDX GPL-2.0 license identifier to files with no license

2017-11-02 11:10:55 +01:00

debugfs_sta.c

mac80211: drop data frames without key on encrypted links

2020-04-01 11:02:01 +02:00

debugfs_sta.h

License cleanup: add SPDX GPL-2.0 license identifier to files with no license

2017-11-02 11:10:55 +01:00

debugfs.c

mac80211: AMPDU handling for rekeys with Extended Key ID

2019-07-26 13:29:10 +02:00

debugfs.h

License cleanup: add SPDX GPL-2.0 license identifier to files with no license

2017-11-02 11:10:55 +01:00

driver-ops.c

mac80211: fix station rate table updates on assoc

2021-02-10 09:25:29 +01:00

driver-ops.h

mac80211: pass the vif to cancel_remain_on_channel

2019-07-26 13:08:28 +02:00

ethtool.c

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 432

2019-06-05 17:37:16 +02:00

fils_aead.c

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500

2019-06-19 17:09:55 +02:00

fils_aead.h

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500

2019-06-19 17:09:55 +02:00

he.c

mac80211: fix possible NULL pointerderef in obss pd code

2019-08-21 10:58:32 +02:00

ht.c

mac80211: add support for the ADDBA extension element

2019-07-29 16:40:22 +02:00

ibss.c

mac80211: fix double free in ibss_leave

2021-03-30 14:35:29 +02:00

ieee80211_i.h

mac80211: pause TX while changing interface type

2021-02-03 23:26:00 +01:00

iface.c

mac80211: pause TX while changing interface type

2021-02-03 23:26:00 +01:00

Kconfig

Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6

2019-07-08 20:57:08 -07:00

key.c

mac80211: drop data frames without key on encrypted links

2020-04-01 11:02:01 +02:00

key.h

mac80211: clear crypto tx tailroom counter upon keys enable

2019-09-11 09:33:28 +02:00

led.c

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500

2019-06-19 17:09:55 +02:00

led.h

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500

2019-06-19 17:09:55 +02:00

main.c

mac80211: populate debugfs only after cfg80211 init

2020-04-29 16:33:18 +02:00

Makefile

mac80211: minstrel: merge with minstrel_ht, always enable VHT support

2018-10-11 16:01:01 +02:00

mesh_hwmp.c

mac80211: fix potential overflow when multiplying to u32 integers

2021-03-04 10:26:17 +01:00

mesh_pathtbl.c

mac80211: mesh: fix mesh_pathtbl_init() error path

2020-12-21 13:27:03 +01:00

mesh_plink.c

mac80211: implement HE support for mesh

2019-07-26 16:14:12 +02:00

mesh_ps.c

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500

2019-06-19 17:09:55 +02:00

mesh_sync.c

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500

2019-06-19 17:09:55 +02:00

mesh.c

mac80211: fix channel switch trigger from unknown mesh peer

2020-05-02 08:48:58 +02:00

mesh.h

mac80211: implement HE support for mesh

2019-07-26 16:14:12 +02:00

michael.c

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500

2019-06-19 17:09:55 +02:00

michael.h

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500

2019-06-19 17:09:55 +02:00

mlme.c

mac80211: add ieee80211_is_any_nullfunc()

2020-05-10 10:31:32 +02:00

ocb.c

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500

2019-06-19 17:09:55 +02:00

offchannel.c

mac80211: pass the vif to cancel_remain_on_channel

2019-07-26 13:08:28 +02:00

pm.c

License cleanup: add SPDX GPL-2.0 license identifier to files with no license

2017-11-02 11:10:55 +01:00

rate.c

mac80211: fix station rate table updates on assoc

2021-02-10 09:25:29 +01:00

rate.h

mac80211: populate debugfs only after cfg80211 init

2020-04-29 16:33:18 +02:00

rc80211_minstrel_debugfs.c

mac80211: rc80211_minstrel: remove variance / stddev calculation

2018-10-11 16:01:05 +02:00

rc80211_minstrel_ht_debugfs.c

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500

2019-06-19 17:09:55 +02:00

rc80211_minstrel_ht.c

mac80211: populate debugfs only after cfg80211 init

2020-04-29 16:33:18 +02:00

rc80211_minstrel_ht.h

mac80211: minstrel_ht: improve rate probing for devices with static fallback

2019-08-21 11:10:13 +02:00

rc80211_minstrel.c

mac80211: minstrel: fix tx status processing corner case

2020-11-24 13:29:23 +01:00

rc80211_minstrel.h

mac80211: minstrel: remove deferred sampling code

2020-11-24 13:29:23 +01:00

rx.c

mac80211: fix fast-rx encryption check

2021-02-07 15:35:48 +01:00

scan.c

mac80211: fix scan when operating on DFS channels in ETSI domains

2019-10-07 22:10:50 +02:00

spectmgmt.c

mac80211: 160MHz with extended NSS BW in CSA

2021-02-13 13:52:55 +01:00

sta_info.c

mac80211: free sta in sta_info_insert_finish() on errors

2020-11-24 13:29:23 +01:00

sta_info.h

mac80211: drop data frames without key on encrypted links

2020-04-01 11:02:01 +02:00

status.c

mac80211: add ieee80211_is_any_nullfunc()

2020-05-10 10:31:32 +02:00

tdls.c

Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

2019-06-17 15:55:34 -07:00

tkip.c

mac80211: Fix TKIP replay protection immediately after key setup

2020-02-05 21:22:46 +00:00

tkip.h

Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6

2019-07-08 20:57:08 -07:00

trace_msg.h

mac80211: Increase MAX_MSG_LEN

2019-03-29 11:20:36 +01:00

trace.c

License cleanup: add SPDX GPL-2.0 license identifier to files with no license

2017-11-02 11:10:55 +01:00

trace.h

mac80211: pass the vif to cancel_remain_on_channel

2019-07-26 13:08:28 +02:00

tx.c

mac80211: check if atf has been disabled in __ieee80211_schedule_txq

2021-01-23 15:58:00 +01:00

util.c

mac80211: fix wrong 160/80+80 MHz setting

2020-03-05 16:43:41 +01:00

vht.c

mac80211: don't set set TDLS STA bandwidth wider than possible

2020-12-30 11:51:25 +01:00

wep.c

Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6

2019-07-08 20:57:08 -07:00

wep.h

Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6

2019-07-08 20:57:08 -07:00

wme.c

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500

2019-06-19 17:09:55 +02:00

wme.h

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500

2019-06-19 17:09:55 +02:00

wpa.c

mac80211: add IEEE80211_KEY_FLAG_GENERATE_MMIE to ieee80211_key_flags

2019-07-26 16:14:12 +02:00

wpa.h

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500

2019-06-19 17:09:55 +02:00