cfg80211: fix double-free after changing network namespace

If wdev->wext.keys was initialized it didn't get reset to NULL on unregister (and it doesn't get set in cfg80211_init_wdev either), but wdev is reused if unregister was triggered through cfg80211_switch_netns. The next unregister (for whatever reason) will try to free wdev->wext.keys again. Signed-off-by: Stefan Bühler <source@stbuehler.de> Link: https://lore.kernel.org/r/20191126100543.782023-1-stefan.buehler@tik.uni-stuttgart.deSigned-off-by: Johannes Berg <johannes.berg@intel.com>

cfg80211: fix double-free after changing network namespace
If wdev->wext.keys was initialized it didn't get reset to NULL on unregister (and it doesn't get set in cfg80211_init_wdev either), but wdev is reused if unregister was triggered through cfg80211_switch_netns. The next unregister (for whatever reason) will try to free wdev->wext.keys again. Signed-off-by: Stefan Bühler <source@stbuehler.de> Link: https://lore.kernel.org/r/20191126100543.782023-1-stefan.buehler@tik.uni-stuttgart.deSigned-off-by: Johannes Berg <johannes.berg@intel.com>
56cb31e1 · Stefan Bühler · Johannes Berg · 753ffad3 · 56cb31e1
Commit 56cb31e1 authored Nov 26, 2019 by Stefan Bühler Committed by Johannes Berg Dec 13, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 0 deletions

net/wireless/core.c net/wireless/core.c +1 -0

No files found.
--- a/net/wireless/core.c
+++ b/net/wireless/core.c
@@ -1102,6 +1102,7 @@ static void __cfg80211_unregister_wdev(struct wireless_dev *wdev, bool sync)
 #ifdef CONFIG_CFG80211_WEXT
 	kzfree(wdev->wext.keys);
+	wdev->wext.keys = NULL;
 #endif
 	/* only initialized if we have a netdev */
 	if (wdev->netdev)