Patch "mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add()" has been added to the 4.9-stable tree


 



This is a note to let you know that I've just added the patch titled

    mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add()

to the 4.9-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     mac802154-fix-missing-init_list_head-in-ieee802154_i.patch
and it can be found in the queue-4.9 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 986a2965640389659c866930530abaa28288080b
Author: Wei Yongjun <weiyongjun1@xxxxxxxxxx>
Date:   Wed Nov 30 09:17:05 2022 +0000

    mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add()
    
    [ Upstream commit b3d72d3135d2ef68296c1ee174436efd65386f04 ]
    
    Kernel fault injection test reports null-ptr-deref as follows:
    
    BUG: kernel NULL pointer dereference, address: 0000000000000008
    RIP: 0010:cfg802154_netdev_notifier_call+0x120/0x310 include/linux/list.h:114
    Call Trace:
     <TASK>
     raw_notifier_call_chain+0x6d/0xa0 kernel/notifier.c:87
     call_netdevice_notifiers_info+0x6e/0xc0 net/core/dev.c:1944
     unregister_netdevice_many_notify+0x60d/0xcb0 net/core/dev.c:1982
     unregister_netdevice_queue+0x154/0x1a0 net/core/dev.c:10879
     register_netdevice+0x9a8/0xb90 net/core/dev.c:10083
     ieee802154_if_add+0x6ed/0x7e0 net/mac802154/iface.c:659
     ieee802154_register_hw+0x29c/0x330 net/mac802154/main.c:229
     mcr20a_probe+0xaaa/0xcb1 drivers/net/ieee802154/mcr20a.c:1316
    
    ieee802154_if_add() allocates wpan_dev as netdev's private data, but does
    not init the list in struct wpan_dev. cfg802154_netdev_notifier_call() manages
    the list when device register/unregister, and may lead to null-ptr-deref.
    
    Use INIT_LIST_HEAD() on it to initialize it correctly.
    
    Fixes: fcf39e6e88e9 ("ieee802154: add wpan_dev_list")
    Signed-off-by: Wei Yongjun <weiyongjun1@xxxxxxxxxx>
    Acked-by: Alexander Aring <aahringo@xxxxxxxxxx>
    
    Link: https://lore.kernel.org/r/20221130091705.1831140-1-weiyongjun@xxxxxxxxxxxxxxx
    Signed-off-by: Stefan Schmidt <stefan@xxxxxxxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c
index 06019dba4b10..9f2355cb6701 100644
--- a/net/mac802154/iface.c
+++ b/net/mac802154/iface.c
@@ -670,6 +670,7 @@ ieee802154_if_add(struct ieee802154_local *local, const char *name,
 	sdata->dev = ndev;
 	sdata->wpan_dev.wpan_phy = local->hw.phy;
 	sdata->local = local;
+	INIT_LIST_HEAD(&sdata->wpan_dev.list);
 
 	/* setup type-dependent data */
 	ret = ieee802154_setup_sdata(sdata, type);
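
Review bot: The added INIT_LIST_HEAD(&sdata->wpan_dev.list) line carries no comment explaining that its position is load-bearing. The trace in the commit message shows register_netdevice() failing and going through unregister_netdevice_queue() into cfg802154_netdev_notifier_call(), which touches this list, so the init must stay ahead of ieee802154_setup_sdata() and the later registration call. A one-line comment above it saying the list has to be valid before the netdev notifier can run would keep a later cleanup from moving it below registration and reintroducing the NULL dereference on the error path.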


