nl80211 requires NL80211_CMD_ABORT_SCAN to have a wdev or netdev
attribute present and checks that if netdev is provided it is UP.
However, mac80211 does not check that an ongoing scan actually belongs
to the netdev/wdev provided by the user. In other words, it is possible
for an application to cancel scans on an interface it doesn't manage.
Signed-off-by: Denis Kenzior <denkenz@xxxxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx
---
net/mac80211/cfg.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 70739e746c13..ece344f9e9ca 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -2333,7 +2333,13 @@ static int ieee80211_scan(struct wiphy *wiphy,
static void ieee80211_abort_scan(struct wiphy *wiphy, struct wireless_dev *wdev)
{
- ieee80211_scan_cancel(wiphy_priv(wiphy));
+ struct ieee80211_local *local = wiphy_priv(wiphy);
+ struct ieee80211_sub_if_data *sdata =
+ IEEE80211_WDEV_TO_SUB_IF(wdev);
+ bool cancel_scan = rcu_access_pointer(local->scan_sdata) == sdata;
+
+ if (cancel_scan)
+ ieee80211_scan_cancel(local);
}
static int
--
2.21.0
