On 3/10/2025 10:03 PM, Maxime Bizon wrote:
>
> On Wed, 2025-01-29 at 21:22 +0530, Roopni Devanathan wrote:
>
> Hello,
>
>> diff --git a/net/wireless/core.c b/net/wireless/core.c
>> index 70857018f020..3f4c9edc2bc8 100644
>> --- a/net/wireless/core.c
>> +++ b/net/wireless/core.c
>> @@ -1077,6 +1077,23 @@ int wiphy_register(struct wiphy *wiphy)
>> return res;
>> }
>>
>> + /* Allocate radio configuration space for multi-radio wiphy.
>> + */
>> + if (wiphy->n_radio) {
>> + int idx;
>> +
>> + wiphy->radio_cfg = kcalloc(wiphy->n_radio, sizeof(*wiphy->radio_cfg),
>> + GFP_KERNEL);
>>
>
> wiphy is already registered at this point, so it can be dumped from userland.
>
> And your patch 2/5 dereferences rcfg->rts_threshold in wiphy_dump(), so
> there is a race for a NULL deref (KASAN caught it).
>

In my next version, I'll unregister wiphy when memory is not allocated for wiphy->radio_cfg. I'll have something like:

	if (!wiphy->radio_cfg) {
		rfkill_destroy(rdev->wiphy.rfkill);
		rdev->wiphy.rfkill = NULL;
		wiphy_unregister(&rdev->wiphy);
		return res;
	}

I hope this will resolve the said problems. Thanks for pointing it out.
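Review bot: the kcalloc of wiphy->radio_cfg in this hunk sits after the `return res; }` error exit of the preceding step, i.e. after the wiphy is already registered, so a dump can observe radio_cfg as NULL before the allocation completes; allocate radio_cfg before the wiphy becomes visible, so that a failed allocation can `return -ENOMEM` directly instead of having to unregister a wiphy userspace may already be walking. The quoted part of the hunk also shows no NULL check on the kcalloc result, and the fallback sketched in the follow-up ends in `return res`, which would report the status of the earlier successful step rather than an error. Minor: the comment split over two lines (`/* Allocate ... wiphy.` / `*/`) should be a single-line `/* ... */` per kernel style.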
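The ordering problem Maxime describes (make the wiphy visible first, then allocate what a dump will read) reduced to a small user-space C model. This is an added example, not code from this thread or from cfg80211: struct sim_wiphy, the one-slot `registered` pointer, `sim_kcalloc`, the `observer` hook and the `demo_*` functions are all constructed stand-ins, and the racing dump is modelled as a callback invoked the instant the object becomes visible rather than as a real concurrent reader. It contrasts the hunk's publish-then-allocate order with allocate-then-publish, and shows that with allocate-first a failed allocation returns -ENOMEM with nothing left visible, so no unregister is needed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins for the cfg80211 structures; not the real types. */
struct radio_cfg { unsigned int rts_threshold; };
struct sim_wiphy { unsigned int n_radio; struct radio_cfg *radio_cfg; };

static struct sim_wiphy *registered;	/* one-slot stand-in for the wiphy list */
static int (*observer)(void);		/* racing dump, run once the wiphy is visible */
static int observer_result;
static int fail_next_alloc;		/* deterministic allocation-failure switch */

static void *sim_kcalloc(size_t n, size_t size)
{
	if (fail_next_alloc) {
		fail_next_alloc = 0;
		return NULL;
	}
	return calloc(n, size);
}

/* Make the wiphy visible; the observer models a dump racing with us. */
static void publish(struct sim_wiphy *w)
{
	registered = w;
	if (observer)
		observer_result = observer();
}

/* Dump path: returns -EFAULT where the real code would dereference NULL. */
static int dump_registered(void)
{
	struct sim_wiphy *w = registered;
	if (!w)
		return -ENODEV;
	if (w->n_radio && !w->radio_cfg)
		return -EFAULT;	/* radio_cfg[0].rts_threshold would fault here */
	return w->n_radio ? (int)w->radio_cfg[0].rts_threshold : 0;
}

/* Ordering from the posted hunk: publish first, allocate afterwards. */
static int register_publish_then_alloc(struct sim_wiphy *w)
{
	publish(w);
	if (w->n_radio) {
		w->radio_cfg = sim_kcalloc(w->n_radio, sizeof(*w->radio_cfg));
		if (!w->radio_cfg) {
			registered = NULL;	/* unwind a registration already visible */
			return -ENOMEM;
		}
	}
	return 0;
}

/* Allocate-first ordering: only a complete object ever becomes visible. */
static int register_alloc_then_publish(struct sim_wiphy *w)
{
	if (w->n_radio) {
		w->radio_cfg = sim_kcalloc(w->n_radio, sizeof(*w->radio_cfg));
		if (!w->radio_cfg)
			return -ENOMEM;	/* nothing published, nothing to unwind */
	}
	publish(w);
	return 0;
}

/* Drive one registration order with a dump racing it.  Returns the
 * registration error if it failed (-1 if the failed wiphy stayed visible),
 * otherwise what the racing dump observed. */
static int run(int (*reg)(struct sim_wiphy *), int fail_alloc)
{
	struct sim_wiphy w = { .n_radio = 2 };
	int ret;

	observer = dump_registered;
	observer_result = 0;
	fail_next_alloc = fail_alloc;
	ret = reg(&w);
	if (ret && registered)
		ret = -1;
	registered = NULL;
	free(w.radio_cfg);
	return ret ? ret : observer_result;
}

int demo_publish_then_alloc(void) { return run(register_publish_then_alloc, 0); } /* -EFAULT */
int demo_alloc_then_publish(void) { return run(register_alloc_then_publish, 0); } /* 0 */
int demo_alloc_failure(void) { return run(register_alloc_then_publish, 1); }     /* -ENOMEM */

int main(void)
{
	printf("publish-then-alloc: racing dump saw %d\n", demo_publish_then_alloc());
	printf("alloc-then-publish: racing dump saw %d\n", demo_alloc_then_publish());
	printf("alloc failure with alloc-first order: %d\n", demo_alloc_failure());
	return 0;
}
```

The observer fires synchronously inside publish(), so the window that KASAN had to hit by chance is exercised deterministically: under the hunk's order the dump runs while radio_cfg is still NULL, under allocate-first it only ever sees a complete object, and the failure path never has to tear down something userspace could already be reading.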