Currently, cfg80211_sinfo_release_content() frees dynamically allocated memory but does not reset the associated pointers. This results in double free issues in nl80211_dump_station(), where both link_sinfo and link_sinfo->pertid are released twice, once after the send_station() call and again in the error handling path. Hence, to fix accidental dereferencing of dangling pointers, explicitly set the freed pointers to NULL. Fixes: 49e47223ecc4 ("wifi: cfg80211: allocate memory for link_station info structure") Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> Closes: https://lore.kernel.org/all/81f30515-a83d-4b05-a9d1-e349969df9e9@sabinyo.mountain/ Reported-by: syzbot+4ba6272678aa468132c8@xxxxxxxxxxxxxxxxxxxxxxxxx Closes: https://lore.kernel.org/all/68655325.a70a0220.5d25f.0316.GAE@xxxxxxxxxx Signed-off-by: Sarika Sharma <quic_sarishar@xxxxxxxxxxx> --- include/net/cfg80211.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h index 4a092da3a9de..27b3e1517aa1 100644 --- a/include/net/cfg80211.h +++ b/include/net/cfg80211.h @@ -8612,11 +8612,13 @@ int cfg80211_link_sinfo_alloc_tid_stats(struct link_station_info *link_sinfo, static inline void cfg80211_sinfo_release_content(struct station_info *sinfo) { kfree(sinfo->pertid); + sinfo->pertid = NULL; for (int link_id = 0; link_id < ARRAY_SIZE(sinfo->links); link_id++) { if (sinfo->links[link_id]) { kfree(sinfo->links[link_id]->pertid); kfree(sinfo->links[link_id]); + sinfo->links[link_id] = NULL; } } } base-commit: 28aa52b6189f1cc409f96910c63fa1b99370b99e -- 2.34.1
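Review bot: the commit message's last sentence says the change is "to fix accidental dereferencing of dangling pointers", but the bug described above it is a double free; since the fix works because kfree(NULL) is a no-op, the message should say that nulling the pointers makes cfg80211_sinfo_release_content() safe to call repeatedly. Also, nl80211_dump_station() is described as releasing link_sinfo and link_sinfo->pertid both after send_station() and again in the error path; the second release now becomes harmless, but the message should state whether that redundant call is intended to stay or will be removed separately, since the header change only masks it. A one-line kernel-doc note on the inline function, e.g. "pointers are reset so the function may be called again on the same sinfo", would document the new guarantee for callers. Not nulling sinfo->links[link_id]->pertid is fine, because the containing link struct is freed and its pointer cleared on the next line.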