From: Stefan Bühler source@stbuehler.de
[ Upstream commit 56cb31e185adb61f930743a9b70e700a43625386 ]
If wdev->wext.keys was initialized it didn't get reset to NULL on unregister (and it doesn't get set in cfg80211_init_wdev either), but wdev is reused if unregister was triggered through cfg80211_switch_netns.
The next unregister (for whatever reason) will try to free wdev->wext.keys again.
Signed-off-by: Stefan Bühler source@stbuehler.de
Link: https://lore.kernel.org/r/20191126100543.782023-1-stefan.buehler@tik.uni-stu...
Signed-off-by: Johannes Berg johannes.berg@intel.com
Signed-off-by: Sasha Levin sashal@kernel.org
---
 net/wireless/core.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/net/wireless/core.c b/net/wireless/core.c index 350513744575..3e25229a059d 100644 --- a/net/wireless/core.c +++ b/net/wireless/core.c @@ -1102,6 +1102,7 @@ static void __cfg80211_unregister_wdev(struct wireless_dev *wdev, bool sync)
#ifdef CONFIG_CFG80211_WEXT kzfree(wdev->wext.keys); + wdev->wext.keys = NULL; #endif /* only initialized if we have a netdev */ if (wdev->netdev)
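Review bot: the added `wdev->wext.keys = NULL;` directly after `kzfree(wdev->wext.keys);` in __cfg80211_unregister_wdev() has no comment explaining why a pointer in a wdev that is being unregistered needs clearing. The reason is only in the commit message: the wdev is reused when unregister is triggered through cfg80211_switch_netns, so the next unregister would free the same pointer again. A one-line comment above the assignment stating that reuse would keep a later cleanup from dropping it as a dead store. The message also says cfg80211_init_wdev does not set the field, so it is worth confirming whether the reset should happen there as well, so that the fix does not depend on this one call site.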