www.infradead.org Git - users/jedix/linux-maple.git/commit

author	Miri Korenblit <miriam.rachel.korenblit@intel.com>
	Thu, 2 Jan 2025 14:20:09 +0000 (16:20 +0200)
committer	Johannes Berg <johannes.berg@intel.com>
	Mon, 13 Jan 2025 14:34:10 +0000 (15:34 +0100)
commit	295adaf455bec573fd730b887a072d07861b03c0
tree	1782f8498b53d8ac15991fbe7f734239716df5c7	tree
parent	b9caeea95c41d46d2051595ff4c293ac48f66d6a	commit \| diff

wifi: mac80211: avoid double free in auth/assoc timeout

In case of authentication/association timeout (as detected in
ieee80211_iface_work->ieee80211_sta_work), ieee80211_destroy_auth_data
is called.
At the beginning of it, the pointer to ifmgd::auth_data memory is
copied to a local variable.
If iface_work is queued again during the execution of the current one,
and then the driver is flushing the wiphy_works (for its needs),
ieee80211_destroy_auth_data will run again and free auth_data.
Then when the execution of the original worker continues, the previously
copied pointer will be freed, causing a kernel bug:
kernel BUG at mm/slub.c:553! (double free)

Same for association timeout (just with ieee80211_destroy_assoc_data and
ifmgd::assoc_data)

Fix this by NULLifying auth/assoc data right after we copied
the pointer to it. That way, even in the scenario above, the code will
not handle the same timeout twice.

Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Reviewed-by: Johannes Berg <johannes.berg@intel.com>
Link: https://patch.msgid.link/20250102161730.0c3f7f781096.I2b458fb53291b06717077a815755288a81274756@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>