diff mbox series

[v4,11/11] netdev: fix invalid read after netdev_free

Message ID 20250328144253.421425-11-prestwoj@gmail.com (mailing list archive)
State Accepted, archived
Series [v4,01/11] station: always add BSS to network blacklist on failure

Checks

Context Check Description
tedd_an/pre-ci_am success Success
prestwoj/iwd-ci-gitlint success GitLint

Commit Message

James Prestwood March 28, 2025, 2:42 p.m. UTC
The netdev frame watches got cleaned up upon the interface going down
which works if the interface is simply being toggled but when IWD
shuts down it first shuts down the interface, then immediately frees
netdev. If a watched frame arrives immediately after that before the
interface shutdown callback it will reference netdev, which has been
freed.

Fix this by clearing out the frame watches in netdev_free.

==147== Invalid read of size 8
==147==    at 0x408ADB: netdev_neighbor_report_frame_event (netdev.c:4772)
==147==    by 0x467C75: frame_watch_unicast_notify (frame-xchg.c:234)
==147==    by 0x4E28F8: __notifylist_notify (notifylist.c:91)
==147==    by 0x4E2D37: l_notifylist_notify_matches (notifylist.c:204)
==147==    by 0x4A1388: process_unicast (genl.c:844)
==147==    by 0x4A1388: received_data (genl.c:972)
==147==    by 0x49D82F: io_callback (io.c:105)
==147==    by 0x49C93C: l_main_iterate (main.c:461)
==147==    by 0x49CA0B: l_main_run (main.c:508)
==147==    by 0x49CA0B: l_main_run (main.c:490)
==147==    by 0x49CC3F: l_main_run_with_signal (main.c:630)
==147==    by 0x4049EC: main (main.c:614)
---
 src/netdev.c | 1 +
 1 file changed, 1 insertion(+)

Patch

diff --git a/src/netdev.c b/src/netdev.c
index 048681f5..b81a475f 100644
--- a/src/netdev.c
+++ b/src/netdev.c
@@ -1109,6 +1109,7 @@  static void netdev_free(void *data)
 		l_timeout_remove(netdev->rssi_poll_timeout);
 
 	scan_wdev_remove(netdev->wdev_id);
+	frame_watch_wdev_remove(netdev->wdev_id);
 
 	watchlist_destroy(&netdev->station_watches);
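
Review bot: The added `frame_watch_wdev_remove(netdev->wdev_id);` in netdev_free() has no comment explaining why it is needed here when, per the commit message, the watches are already dropped when the interface goes down. A one-line comment above the call would help, for example that a watched frame can still be delivered between the free and the interface shutdown callback, so the watches must not outlive netdev. It is also worth confirming that the call is safe when the interface-down path has already removed the watches for this wdev_id, since both paths can now run for the same device.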