mirror_ubuntu-kernels/net/mac80211
Linus Lüssing 4a2d4496e1 mac80211: fix potential double free on mesh join
While commit 6a01afcf84 ("mac80211: mesh: Free ie data when leaving
mesh") fixed a memory leak on mesh leave / teardown it introduced a
potential memory corruption caused by a double free when rejoining the
mesh:

  ieee80211_leave_mesh()
  -> kfree(sdata->u.mesh.ie);
  ...
  ieee80211_join_mesh()
  -> copy_mesh_setup()
     -> old_ie = ifmsh->ie;
     -> kfree(old_ie);

This double free / kernel panic can be reproduced by using wpa_supplicant
with an encrypted mesh (if set up without encryption via "iw" then
ifmsh->ie is always NULL, which avoids this issue). And then calling:

  $ iw dev mesh0 mesh leave
  $ iw dev mesh0 mesh join my-mesh

Note that typically these commands are not used / working when using
wpa_supplicant. And it seems that wpa_supplicant or wpa_cli are going
through a NETDEV_DOWN/NETDEV_UP cycle between a mesh leave and mesh join
where the NETDEV_UP resets the mesh.ie to NULL via a memcpy of
default_mesh_setup in cfg80211_netdev_notifier_call, which then avoids
the memory corruption, too.

The issue was first observed in an application which was not using
wpa_supplicant but "Senf" instead, which implements its own calls to
nl80211.

Fixing the issue by removing the kfree()'ing of the mesh IE in the mesh
join function and leaving it solely up to the mesh leave to free the
mesh IE.

Cc: stable@vger.kernel.org
Fixes: 6a01afcf84 ("mac80211: mesh: Free ie data when leaving mesh")
Reported-by: Matthias Kretschmer <mathias.kretschmer@fit.fraunhofer.de>
Signed-off-by: Linus Lüssing <ll@simonwunderlich.de>
Tested-by: Mathias Kretschmer <mathias.kretschmer@fit.fraunhofer.de>
Link: https://lore.kernel.org/r/20220310183513.28589-1-linus.luessing@c0d3.blue
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2022-03-11 11:51:18 +01:00
aead_api.c mac80211: Check crypto_aead_encrypt for errors 2021-03-16 21:20:41 +01:00
aead_api.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
aes_ccm.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
aes_cmac.c mac80211: aes_cmac: check crypto_shash_setkey() return value 2021-04-19 12:01:40 +02:00
aes_cmac.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
aes_gcm.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
aes_gmac.c mac80211: Check crypto_aead_encrypt for errors 2021-03-16 21:20:41 +01:00
aes_gmac.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
agg-rx.c mac80211: parse AddBA request with extended AddBA element 2022-02-16 15:44:37 +01:00
agg-tx.c mac80211: agg-tx: don't schedule_and_wake_txq() under sta->lock 2021-12-14 11:19:43 +01:00
airtime.c mac80211: correct legacy rates check in ieee80211_calc_rx_airtime 2022-03-11 11:45:36 +01:00
cfg.c mac80211: fix potential double free on mesh join 2022-03-11 11:51:18 +01:00
chan.c mac80211: Add initial support for EHT and 320 MHz channels 2022-02-16 15:43:48 +01:00
debug.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
debugfs_key.c mac80211: remove unused macros 2022-02-04 16:26:27 +01:00
debugfs_key.h mac80211: Support BIGTK configuration for Beacon protection 2020-02-24 10:35:57 +01:00
debugfs_netdev.c mac80211: remove unused macros 2022-02-04 16:26:27 +01:00
debugfs_netdev.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
debugfs_sta.c ieee80211: change HE nominal packet padding value defines 2021-11-28 21:53:04 +01:00
debugfs_sta.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
debugfs.c mac80211: remove unused macros 2022-02-04 16:26:27 +01:00
debugfs.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
driver-ops.c mac80211: fix station rate table updates on assoc 2021-02-01 15:07:09 +01:00
driver-ops.h This time we have: 2021-12-21 07:41:52 -08:00
eht.c mac80211: Handle station association response with EHT 2022-02-16 15:44:09 +01:00
ethtool.c ethtool: extend ringparam setting/getting API with rx_buf_len 2021-11-22 12:31:49 +00:00
fils_aead.c mac80211: fils: use cfg80211_find_ext_elem() 2021-10-21 17:01:16 +02:00
fils_aead.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
he.c mac80211: fix NULL ptr dereference during mesh peer connection for non HE devices 2021-06-23 18:06:44 +02:00
ht.c mac80211: allow SMPS requests only in client mode 2021-06-23 11:29:13 +02:00
ibss.c mac80211: fix memory leaks with element parsing 2021-10-21 16:54:04 +02:00
ieee80211_i.h mac80211: Handle station association response with EHT 2022-02-16 15:44:09 +01:00
iface.c mac80211: add support for .ndo_fill_forward_path 2021-11-26 11:47:26 +01:00
Kconfig ath9k: fix build error with LEDS_CLASS=m 2021-01-28 09:29:34 +02:00
key.c mac80211: prevent mixed key and fragment cache attacks 2021-05-11 20:12:51 +02:00
key.h mac80211: prevent mixed key and fragment cache attacks 2021-05-11 20:12:51 +02:00
led.c mac80211: don't open-code LED manipulations 2021-06-23 11:29:12 +02:00
led.h mac80211: fix throughput LED trigger 2021-11-15 10:56:57 +01:00
main.c mac80211: Add EHT capabilities to association/probe request 2022-02-16 15:44:00 +01:00
Makefile mac80211: Handle station association response with EHT 2022-02-16 15:44:09 +01:00
mesh_hwmp.c mac80211: always allocate struct ieee802_11_elems 2021-09-23 16:27:07 +02:00
mesh_pathtbl.c mac80211: mesh: embedd mesh_paths and mpp_paths into ieee80211_if_mesh 2022-01-04 15:11:49 +01:00
mesh_plink.c mac80211: always allocate struct ieee802_11_elems 2021-09-23 16:27:07 +02:00
mesh_ps.c mac80211: mesh: fix potentially unaligned access 2021-09-23 13:25:09 +02:00
mesh_sync.c mac80211: mesh: clean up rx_bcn_presp API 2021-09-23 16:26:33 +02:00
mesh.c mac80211: Use GFP_KERNEL instead of GFP_ATOMIC when possible 2022-03-11 11:42:49 +01:00
mesh.h mac80211: mesh: embedd mesh_paths and mpp_paths into ieee80211_if_mesh 2022-01-04 15:11:49 +01:00
michael.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
michael.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
mlme.c mac80211: Handle station association response with EHT 2022-02-16 15:44:09 +01:00
ocb.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
offchannel.c mac80211: Inform AP when returning operating channel 2020-09-28 13:18:53 +02:00
pm.c mac80211: Prevent AP probing during suspend 2021-10-21 17:27:51 +02:00
rate.c Revert "mac80211: do not use low data rates for data frames with no ack flag" 2021-09-23 12:59:29 +02:00
rate.h mac80211: populate debugfs only after cfg80211 init 2020-04-24 11:30:13 +02:00
rc80211_minstrel_ht_debugfs.c mac80211: minstrel_ht: show sampling rates in debugfs 2021-02-12 08:58:11 +01:00
rc80211_minstrel_ht.c mac80211: remove unused macros 2022-02-04 16:26:27 +01:00
rc80211_minstrel_ht.h mac80211: minstrel_ht: remove sample rate switching code for constrained devices 2021-02-12 08:58:22 +01:00
rx.c cfg80211/mac80211: assume CHECKSUM_COMPLETE includes SNAP 2022-02-04 16:23:19 +01:00
s1g.c mac80211: twt: don't use potentially unaligned pointer 2021-09-27 13:02:51 +02:00
scan.c mac80211: always allocate struct ieee802_11_elems 2021-09-23 16:27:07 +02:00
spectmgmt.c mac80211: 160MHz with extended NSS BW in CSA 2021-01-21 13:39:11 +01:00
sta_info.c mac80211: remove useless ieee80211_vif_is_mesh() check 2022-02-04 16:27:07 +01:00
sta_info.h mac80211: add docs for ssn in struct tid_ampdu_tx 2021-11-29 09:31:17 +01:00
status.c mac80211: fix struct ieee80211_tx_info size 2022-02-04 16:26:53 +01:00
tdls.c mac80211: always allocate struct ieee802_11_elems 2021-09-23 16:27:07 +02:00
tkip.c mac80211: Fix TKIP replay protection immediately after key setup 2020-01-15 09:52:12 +01:00
tkip.h Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2019-07-08 20:57:08 -07:00
trace_msg.h mac80211: Increase MAX_MSG_LEN 2019-03-29 11:20:36 +01:00
trace.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
trace.h mac80211: add support for .ndo_fill_forward_path 2021-11-26 11:47:26 +01:00
tx.c This time we have: 2021-12-21 07:41:52 -08:00
util.c mac80211: Add EHT capabilities to association/probe request 2022-02-16 15:44:00 +01:00
vht.c mac80211: calculate max RX NSS for EHT mode 2022-02-16 15:44:28 +01:00
wep.c mac80211: make ieee80211_wep_init() return void 2020-02-07 12:40:34 +01:00
wep.h mac80211: make ieee80211_wep_init() return void 2020-02-07 12:40:34 +01:00
wme.c mac80211: drop check for DONT_REORDER in __ieee80211_select_queue 2021-11-15 10:55:40 +01:00
wme.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
wpa.c mac80211: Remove unused assignment statements 2021-11-26 11:46:24 +01:00
wpa.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00