Message-ID: <20250619080526.899000-1-lizhi.xu@windriver.com>
Date: Thu, 19 Jun 2025 16:05:26 +0800
From: Lizhi Xu <lizhi.xu@...driver.com>
To: <syzbot+189dcafc06865d38178d@...kaller.appspotmail.com>
CC: <davem@...emloft.net>, <edumazet@...gle.com>, <johannes@...solutions.net>,
        <kuba@...nel.org>, <linux-kernel@...r.kernel.org>,
        <linux-wireless@...r.kernel.org>, <netdev@...r.kernel.org>,
        <pabeni@...hat.com>, <syzkaller-bugs@...glegroups.com>
Subject: [PATCH] wifi: cfg80211: Prevent comparison with invalid registered dev scan req

The scan req of a registered device may have been released, so it should
be checked to be valid before comparing it with the current req.

Reported-by: syzbot+189dcafc06865d38178d@...kaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=189dcafc06865d38178d
Signed-off-by: Lizhi Xu <lizhi.xu@...driver.com>
---
 net/wireless/scan.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index e8a4fe44ec2d..bfd40797e608 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -1176,10 +1176,14 @@ void cfg80211_scan_done(struct cfg80211_scan_request *request,
 			struct cfg80211_scan_info *info)
 {
 	struct cfg80211_scan_info old_info = request->info;
+	struct cfg80211_scan_request *rdev_req, *rdev_int_req;
+
+	rdev_req = wiphy_to_rdev(request->wiphy)->scan_req;
+	rdev_int_req = wiphy_to_rdev(request->wiphy)->int_scan_req;
 
 	trace_cfg80211_scan_done(request, info);
-	WARN_ON(request != wiphy_to_rdev(request->wiphy)->scan_req &&
-		request != wiphy_to_rdev(request->wiphy)->int_scan_req);
+	WARN_ON((rdev_req && request != rdev_req) &&
+		(rdev_int_req && request != rdev_int_req));
 
 	request->info = *info;
 
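Review bot: In the rewritten WARN_ON, the outer && requires both rdev_req and rdev_int_req to be non-NULL before anything is reported, so a request that matches neither pointer goes unflagged whenever either one is NULL (for example rdev_req is NULL, rdev_int_req is set, and request differs from it), a case the old condition warned about. The old comparison only compared pointer values and never dereferenced scan_req or int_scan_req, so the added NULL checks do not guard against a released request; they only narrow when the warning fires. If the intent is to tolerate cfg80211_scan_done() being called after the rdev pointers have been cleared, the commit message should name the path that clears them and explain why a late completion is legitimate there, and the condition should be limited to that case rather than to any NULL pointer. As a smaller style point, wiphy_to_rdev(request->wiphy) is evaluated twice in the new assignments; a single local rdev pointer would read better.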
-- 
2.43.0

