| From: Felix Fietkau <nbd@nbd.name> |
| Date: Sat, 16 Mar 2024 08:37:21 +0100 |
| Subject: [PATCH] wifi: mac80211: check/clear fast rx for non-4addr sta VLAN |
| changes |
| |
| When moving a station out of a VLAN and deleting the VLAN afterwards, the |
| fast_rx entry still holds a pointer to the VLAN's netdev, which can cause |
| use-after-free bugs. Fix this by immediately calling ieee80211_check_fast_rx |
| after the VLAN change. |
| |
| Cc: stable@vger.kernel.org |
| Reported-by: ranygh@riseup.net |
| Signed-off-by: Felix Fietkau <nbd@nbd.name> |
| --- |
| |
| --- a/net/mac80211/cfg.c |
| +++ b/net/mac80211/cfg.c |
| @@ -2184,15 +2184,14 @@ static int ieee80211_change_station(stru |
| } |
| |
| if (sta->sdata->vif.type == NL80211_IFTYPE_AP_VLAN && |
| - sta->sdata->u.vlan.sta) { |
| - ieee80211_clear_fast_rx(sta); |
| + sta->sdata->u.vlan.sta) |
| RCU_INIT_POINTER(sta->sdata->u.vlan.sta, NULL); |
| - } |
| |
| if (test_sta_flag(sta, WLAN_STA_AUTHORIZED)) |
| ieee80211_vif_dec_num_mcast(sta->sdata); |
| |
| sta->sdata = vlansdata; |
| + ieee80211_check_fast_rx(sta); |
| ieee80211_check_fast_xmit(sta); |
| |
| if (test_sta_flag(sta, WLAN_STA_AUTHORIZED)) { |