mac80211: fix potential double free on mesh join
Linus Lüssing authored
commit 4a2d4496 upstream.

While commit 6a01afcf ("mac80211: mesh: Free ie data when leaving
mesh") fixed a memory leak on mesh leave / teardown it introduced a
potential memory corruption caused by a double free when rejoining the
mesh:

  ieee80211_leave_mesh()
  -> kfree(sdata->u.mesh.ie);
  ...
  ieee80211_join_mesh()
  -> copy_mesh_setup()
     -> old_ie = ifmsh->ie;
     -> kfree(old_ie);

This double free / kernel panics can be reproduced by using wpa_supplicant
with an encrypted mesh (if set up without encryption via "iw" then
ifmsh->ie is always NULL, which avoids this issue). And then calling:

  $ iw dev mesh0 mesh leave
  $ iw dev mesh0 mesh join my-mesh

Note that typically these commands are not used / working when using
wpa_supplicant. And it seems that wpa_supplicant or wpa_cli are going
through a NETDEV_DOWN/NETDEV_UP cycle between a mesh leave and mesh join
where the NETDEV_UP resets the mesh.ie to NULL ...
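The leave/join sequence above boils down to an ownership rule that was broken: the leave path frees `ifmsh->ie` but leaves the pointer dangling, so the next join's `kfree(old_ie)` frees the same buffer again. The following C program is an added illustration, not code from the commit or from mac80211: `struct mesh_state`, `track_alloc()`/`track_free()`, `leave_mesh_buggy()`, `leave_mesh_fixed()`, `join_mesh()` and `replay_rejoin()` are all invented stand-ins, the IE bytes are a constructed placeholder, and the "fixed" variant demonstrates the free-and-clear discipline that closes this class of bug, which is not necessarily the text of the upstream patch (this page does not show the diff). The instrumented allocator never reuses addresses and counts a second free instead of corrupting memory, which lets the replay show the defect and its absence deterministically.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for sdata->u.mesh: only the owned ie buffer and its
 * length matter for the ownership problem described in the commit message. */
struct mesh_state {
	unsigned char *ie;
	size_t ie_len;
};

/* Instrumented allocator. Like kfree(), freeing NULL is a no-op. Unlike the
 * real heap, blocks come from a static arena and addresses are never reused,
 * so a stale pointer is always recognised and a second free is counted
 * rather than corrupting anything. */
#define MAX_BLOCKS 32
#define BLOCK_SIZE 64
static unsigned char arena[MAX_BLOCKS][BLOCK_SIZE];
static int block_live[MAX_BLOCKS];
static int next_block;
static int double_frees;

static void track_reset(void)
{
	memset(block_live, 0, sizeof(block_live));
	next_block = 0;
	double_frees = 0;
}

static void *track_alloc(size_t n)
{
	if (n == 0 || n > BLOCK_SIZE || next_block >= MAX_BLOCKS)
		return NULL;
	block_live[next_block] = 1;
	return arena[next_block++];
}

static void track_free(void *p)
{
	int i;

	if (!p)
		return;	/* kfree(NULL) is a no-op */
	for (i = 0; i < next_block; i++) {
		if ((void *)arena[i] != p)
			continue;
		if (!block_live[i])
			double_frees++;	/* same block freed a second time */
		block_live[i] = 0;
		return;
	}
}

/* Number of blocks still allocated; 0 after the final leave means no leak. */
static int live_blocks(void)
{
	int i, n = 0;

	for (i = 0; i < next_block; i++)
		n += block_live[i];
	return n;
}

/* Leave path as the commit message shows it: the buffer is freed but
 * m->ie keeps pointing at it. */
static void leave_mesh_buggy(struct mesh_state *m)
{
	track_free(m->ie);
}

/* Free-and-clear variant: with the pointer NULLed, the join path's free of
 * the "old" ie becomes a no-op, so the buffer cannot be freed twice. */
static void leave_mesh_fixed(struct mesh_state *m)
{
	track_free(m->ie);
	m->ie = NULL;
	m->ie_len = 0;
}

/* Join path modelled on the copy_mesh_setup() steps quoted above: duplicate
 * the new ie, install it, then free whatever was there before. */
static int join_mesh(struct mesh_state *m, const unsigned char *ie, size_t ie_len)
{
	unsigned char *new_ie = NULL;
	unsigned char *old_ie = m->ie;

	if (ie_len) {
		new_ie = track_alloc(ie_len);
		if (!new_ie)
			return -1;
		memcpy(new_ie, ie, ie_len);
	}
	m->ie = new_ie;
	m->ie_len = ie_len;
	track_free(old_ie);	/* stale after leave_mesh_buggy(): second free */
	return 0;
}

/* Replay join -> leave -> join -> leave with a non-empty ie (the encrypted
 * mesh case, where ie is not NULL). Returns the number of double frees seen. */
static int replay_rejoin(int hardened)
{
	/* constructed placeholder bytes, not a real RSN element */
	static const unsigned char ie[] = { 0x30, 0x04, 0xde, 0xad, 0xbe, 0xef };
	struct mesh_state m = { NULL, 0 };
	void (*leave)(struct mesh_state *) = hardened ? leave_mesh_fixed : leave_mesh_buggy;

	track_reset();
	join_mesh(&m, ie, sizeof(ie));
	leave(&m);
	join_mesh(&m, ie, sizeof(ie));
	leave(&m);
	return double_frees;
}

int main(void)
{
	int buggy = replay_rejoin(0), buggy_live = live_blocks();
	int fixed = replay_rejoin(1), fixed_live = live_blocks();

	printf("buggy:    double frees = %d, live blocks = %d\n", buggy, buggy_live);
	printf("hardened: double frees = %d, live blocks = %d\n", fixed, fixed_live);
	return 0;
}
```

The buggy replay reports exactly one double free (the second join's free of the pointer left dangling by the first leave), while the free-and-clear variant reports none and still ends with no live blocks, i.e. the fix does not reintroduce the leak that commit 6a01afcf closed.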
cfg.c mac80211: fix potential double free on mesh join