Skip to content
Commit 60deb9f1 authored by Siddh Raman Pant's avatar Siddh Raman Pant Committed by Johannes Berg
Browse files

wifi: mac80211: Fix UAF in ieee80211_scan_rx() 



ieee80211_scan_rx() tries to access scan_req->flags after a
null check, but a UAF is observed when the scan is completed
and __ieee80211_scan_completed() executes, which then calls
cfg80211_scan_done() leading to the freeing of scan_req.

Since scan_req is rcu_dereference()'d, prevent the racing in
__ieee80211_scan_completed() by ensuring that from mac80211's
POV it is no longer accessed from an RCU read critical section
before we call cfg80211_scan_done().

Cc: stable@vger.kernel.org
Link: https://syzkaller.appspot.com/bug?extid=f9acff9bf08a845f225d
Reported-by: default avatar <syzbot+f9acff9bf08a845f225d@syzkaller.appspotmail.com>
Suggested-by: default avatarJohannes Berg <johannes@sipsolutions.net>
Signed-off-by: default avatarSiddh Raman Pant <code@siddh.me>
Link: https://lore.kernel.org/r/20220819200340.34826-1-code@siddh.me
Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
parent 24c7a64e
Hide whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment