Message ID | 20211001125616.GI2283@kili (mailing list archive) |
---|---|
State | Not Applicable |
Delegated to: | Johannes Berg |
Series | nl80211: fix error pointer dereference in error handling |
On Fri, 2021-10-01 at 15:56 +0300, Dan Carpenter wrote: > The error handling calls kfree(params->acl) so if "params->acl" is an > error pointer that will lead to an Oops. > > Fixes: 9e263e193af7 ("nl80211: don't put struct cfg80211_ap_settings on stack") > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > --- > net/wireless/nl80211.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c > index 0b4f29d689d2..962fb169a5fb 100644 > --- a/net/wireless/nl80211.c > +++ b/net/wireless/nl80211.c > @@ -5507,6 +5507,7 @@ static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info) > params->acl = parse_acl_data(&rdev->wiphy, info); > if (IS_ERR(params->acl)) { > err = PTR_ERR(params->acl); > + params->acl = NULL; Yeah. I think I had just applied the exact same patch: commit 05075fe7455a210769b266e62a0040ddc98b2739 Author: Johannes Berg <johannes.berg@intel.com> Date: Mon Sep 27 13:44:03 2021 +0200 nl80211: don't kfree() ERR_PTR() value johannes
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c index 0b4f29d689d2..962fb169a5fb 100644 --- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c @@ -5507,6 +5507,7 @@ static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info) params->acl = parse_acl_data(&rdev->wiphy, info); if (IS_ERR(params->acl)) { err = PTR_ERR(params->acl); + params->acl = NULL; goto out; } }
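Review bot: In the IS_ERR(params->acl) branch of nl80211_start_ap(), the ordering is load-bearing: err = PTR_ERR(params->acl) has to stay ahead of the new params->acl = NULL, otherwise the error code is lost. A one-line comment there saying the field is cleared because the cleanup after "goto out" calls kfree() on it would keep a later tidy-up from reordering or dropping the assignment. A sturdier shape would be to take the parse_acl_data() result in a local variable and store it into params->acl only on success, so the field never holds an error pointer at all. Per the reply in this thread, an identical change is already applied as commit 05075fe7455a ("nl80211: don't kfree() ERR_PTR() value"), so this posting needs no further action.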
The error handling calls kfree(params->acl) so if "params->acl" is an error pointer that will lead to an Oops.

Fixes: 9e263e193af7 ("nl80211: don't put struct cfg80211_ap_settings on stack")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 net/wireless/nl80211.c | 1 +
 1 file changed, 1 insertion(+)