On Wed, 2025-01-29 at 21:22 +0530, Roopni Devanathan wrote:

Hello,

> diff --git a/net/wireless/core.c b/net/wireless/core.c > index 70857018f020..3f4c9edc2bc8 100644 > --- a/net/wireless/core.c > +++ b/net/wireless/core.c > @@ -1077,6 +1077,23 @@ int wiphy_register(struct wiphy *wiphy) > return res; > } > > + /* Allocate radio configuration space for multi-radio wiphy. > + */ > + if (wiphy->n_radio) { > + int idx; > + > + wiphy->radio_cfg = kcalloc(wiphy->n_radio, sizeof(*wiphy->radio_cfg), > + GFP_KERNEL); >

wiphy is already registered at this point, so it can be dumped from userland. And your patch 2/5 dereferences rcfg->rts_threshold in wiphy_dump(), so there is a race for a NULL deref (KASAN caught it).

--
Maxime
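
Review bot: the kcalloc() into wiphy->radio_cfg in wiphy_register() sits below the "return res;" error path shown as context at the top of the hunk, so for a wiphy with n_radio set, radio_cfg is still NULL during the window in which, as the reply points out, the wiphy can already be dumped. Move the allocation and its initialisation ahead of the point where the wiphy becomes reachable from userland, so that any reader of radio_cfg sees a fully populated array. The quoted lines end at the kcalloc() call itself, so also confirm that the result is checked for NULL before radio_cfg is indexed. As a style point, the added comment is a single sentence and fits on one line instead of the open "/* ..." followed by a lone "*/".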