wifi: cfg80211: fix double free for link_sinfo in nl80211_station_dump()

jtornosm · jtornosm · commit fd1e716feb28 · 2025-11-13T13:50:20.000+01:00
JIRA: https://issues.redhat.com/browse/RHEL-114891 commit 9a44b5e Author: Sarika Sharma <quic_sarishar@quicinc.com> Date: Mon Jul 14 14:14:05 2025 +0530 wifi: cfg80211: fix double free for link_sinfo in nl80211_station_dump() Currently, the link_sinfo structure is being freed twice in nl80211_dump_station(), once after the send_station() call and again in the error handling path. This results in a double free of both link_sinfo and link_sinfo->pertid, which might lead to undefined behavior or kernel crashes. Hence, fix by ensuring cfg80211_sinfo_release_content() is only invoked once during execution of nl80211_station_dump(). Fixes: 49e4722 ("wifi: cfg80211: allocate memory for link_station info structure") Reported-by: Dan Carpenter <dan.carpenter@linaro.org> Closes: https://lore.kernel.org/all/81f30515-a83d-4b05-a9d1-e349969df9e9@sabinyo.mountain/ Reported-by: syzbot+4ba6272678aa468132c8@syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/68655325.a70a0220.5d25f.0316.GAE@google.com Signed-off-by: Sarika Sharma <quic_sarishar@quicinc.com> Link: https://patch.msgid.link/20250714084405.178066-1-quic_sarishar@quicinc.com Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Jose Ignacio Tornos Martinez <jtornosm@redhat.com>
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
@@ -7456,6 +7456,7 @@ static int nl80211_dump_station(struct sk_buff *skb,
 	struct wireless_dev *wdev;
 	u8 mac_addr[ETH_ALEN];
 	int sta_idx = cb->args[2];
+	bool sinfo_alloc = false;
 	int err, i;
 
 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
@@ -7484,6 +7485,7 @@ static int nl80211_dump_station(struct sk_buff *skb,
 				err = -ENOMEM;
 				goto out_err;
 			}
+			sinfo_alloc = true;
 		}
 
 		err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
@@ -7496,6 +7498,11 @@ static int nl80211_dump_station(struct sk_buff *skb,
 		if (sinfo.valid_links)
 			cfg80211_sta_set_mld_sinfo(&sinfo);
 
+		/* reset the sinfo_alloc flag as nl80211_send_station()
+		 * always releases sinfo
+		 */
+		sinfo_alloc = false;
+
 		if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
 				NETLINK_CB(cb->skb).portid,
 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
@@ -7510,7 +7517,8 @@ static int nl80211_dump_station(struct sk_buff *skb,
 	cb->args[2] = sta_idx;
 	err = skb->len;
  out_err:
-	cfg80211_sinfo_release_content(&sinfo);
+	if (sinfo_alloc)
+		cfg80211_sinfo_release_content(&sinfo);
 	wiphy_unlock(&rdev->wiphy);
 
 	return err;
