diff options
| author | Miri Korenblit <miriam.rachel.korenblit@intel.com> | 2025-01-02 16:20:09 +0200 |
|---|---|---|
| committer | Johannes Berg <johannes.berg@intel.com> | 2025-01-13 15:34:10 +0100 |
| commit | 295adaf455bec573fd730b887a072d07861b03c0 (patch) | |
| tree | 1782f8498b53d8ac15991fbe7f734239716df5c7 /tools/perf/scripts/python/export-to-sqlite.py | |
| parent | b9caeea95c41d46d2051595ff4c293ac48f66d6a (diff) | |
wifi: mac80211: avoid double free in auth/assoc timeout
In case of authentication/association timeout (as detected in
ieee80211_iface_work->ieee80211_sta_work), ieee80211_destroy_auth_data
is called.
At the beginning of it, the pointer to ifmgd::auth_data memory is
copied to a local variable.
If iface_work is queued again during the execution of the current one,
and then the driver is flushing the wiphy_works (for its needs),
ieee80211_destroy_auth_data will run again and free auth_data.
Then when the execution of the original worker continues, the previously
copied pointer will be freed, causing a kernel bug:
kernel BUG at mm/slub.c:553! (double free)
Same for association timeout (just with ieee80211_destroy_assoc_data and
ifmgd::assoc_data)
Fix this by NULLifying auth/assoc data right after we copied
the pointer to it. That way, even in the scenario above, the code will
not handle the same timeout twice.
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Reviewed-by: Johannes Berg <johannes.berg@intel.com>
Link: https://patch.msgid.link/20250102161730.0c3f7f781096.I2b458fb53291b06717077a815755288a81274756@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Diffstat (limited to 'tools/perf/scripts/python/export-to-sqlite.py')
0 files changed, 0 insertions, 0 deletions