diff options
author | Stefan Bühler <source@stbuehler.de> | 2019-11-26 11:05:44 +0100 |
---|---|---|
committer | Johannes Berg <johannes.berg@intel.com> | 2019-12-13 10:08:09 +0100 |
commit | 56cb31e185adb61f930743a9b70e700a43625386 (patch) | |
tree | 8fd77a423bf357821ccc773baa05770e2bcc07f2 /net/wireless/core.c | |
parent | 753ffad3d6243303994227854d951ff5c70fa9e0 (diff) | |
download | lwn-56cb31e185adb61f930743a9b70e700a43625386.tar.gz lwn-56cb31e185adb61f930743a9b70e700a43625386.zip |
cfg80211: fix double-free after changing network namespace
If wdev->wext.keys was initialized it didn't get reset to NULL on
unregister (and it doesn't get set in cfg80211_init_wdev either), but
wdev is reused if unregister was triggered through
cfg80211_switch_netns.
The next unregister (for whatever reason) will try to free
wdev->wext.keys again.
Signed-off-by: Stefan Bühler <source@stbuehler.de>
Link: https://lore.kernel.org/r/20191126100543.782023-1-stefan.buehler@tik.uni-stuttgart.de
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Diffstat (limited to 'net/wireless/core.c')
-rw-r--r-- | net/wireless/core.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/net/wireless/core.c b/net/wireless/core.c index 350513744575..3e25229a059d 100644 --- a/net/wireless/core.c +++ b/net/wireless/core.c @@ -1102,6 +1102,7 @@ static void __cfg80211_unregister_wdev(struct wireless_dev *wdev, bool sync) #ifdef CONFIG_CFG80211_WEXT kzfree(wdev->wext.keys); + wdev->wext.keys = NULL; #endif /* only initialized if we have a netdev */ if (wdev->netdev) |