author: Stefan Bühler <source@stbuehler.de> 2019-11-26 11:05:44 +0100
committer: Johannes Berg <johannes.berg@intel.com> 2019-12-13 10:08:09 +0100
commit: 56cb31e185adb61f930743a9b70e700a43625386
tree: 8fd77a423bf357821ccc773baa05770e2bcc07f2
parent: mac80211: fix TID field in monitor mode transmit
cfg80211: fix double-free after changing network namespace
If wdev->wext.keys was initialized it didn't get reset to NULL on
unregister (and it doesn't get set in cfg80211_init_wdev either), but
wdev is reused if unregister was triggered through
cfg80211_switch_netns.

The next unregister (for whatever reason) will try to free
wdev->wext.keys again.

Signed-off-by: Stefan Bühler <source@stbuehler.de>
Link: https://lore.kernel.org/r/20191126100543.782023-1-stefan.buehler@tik.uni-stuttgart.de
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
-rw-r--r-- net/wireless/core.c 1
1 files changed, 1 insertions, 0 deletions
diff --git a/net/wireless/core.c b/net/wireless/core.c
index 350513744575..3e25229a059d 100644
--- a/net/wireless/core.c
+++ b/net/wireless/core.c
@@ -1102,6 +1102,7 @@ static void __cfg80211_unregister_wdev(struct wireless_dev *wdev, bool sync)
#ifdef CONFIG_CFG80211_WEXT
kzfree(wdev->wext.keys);
+ wdev->wext.keys = NULL;
#endif
/* only initialized if we have a netdev */
if (wdev->netdev)
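Review bot: The added `wdev->wext.keys = NULL;` directly after `kzfree(wdev->wext.keys);` has no comment explaining why the store is needed, so it reads like a redundant write on a teardown path and is easy to drop in a later cleanup. The commit message gives the reason (wdev is reused when unregister is triggered through cfg80211_switch_netns, and cfg80211_init_wdev does not reset the field); a one-line comment above the assignment stating that would keep the invariant visible in the code. The commit message also carries no Fixes: tag, which would help this double-free fix reach the stable trees that contain the affected code.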