wifi: cfg80211: clear wdev->cqm_config pointer on free

[Johannes Berg <johannes.berg@xxxxxxxxx>]

From: Johannes Berg <johannes.berg@xxxxxxxxx>

commit d5fee261dfd9e17b08b1df8471ac5d5736070917 upstream.

When we free wdev->cqm_config when unregistering, we also
need to clear out the pointer since the same wdev/netdev
may get re-registered in another network namespace, then
destroyed later, running this code again, which results in
a double-free.

Reported-by: syzbot+36218cddfd84b5cc263e@xxxxxxxxxxxxxxxxxxxxxxxxx
Fixes: 37c20b2effe9 ("wifi: cfg80211: fix cqm_config access race")
Cc: stable@xxxxxxxxxxxxxxx
Link: https://patch.msgid.link/20241022161742.7c34b2037726.I121b9cdb7eb180802eafc90b493522950d57ee18@changeid
Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 net/wireless/core.c |    1 +
 1 file changed, 1 insertion(+)

--- a/net/wireless/core.c
+++ b/net/wireless/core.c
@@ -1230,6 +1230,7 @@ static void _cfg80211_unregister_wdev(st
 	/* deleted from the list, so can't be found from nl80211 any more */
 	cqm_config = rcu_access_pointer(wdev->cqm_config);
 	kfree_rcu(cqm_config, rcu_head);
+	RCU_INIT_POINTER(wdev->cqm_config, NULL);
 
 	/*
 	 * Ensure that all events have been processed and


Patches currently in stable-queue which might be from johannes.berg@xxxxxxxxx are

queue-6.1/mac80211-mac80211_message_tracing-should-depend-on-t.patch
queue-6.1/wifi-mac80211-skip-non-uploaded-keys-in-ieee80211_it.patch
queue-6.1/wifi-mac80211-do-not-pass-a-stopped-vif-to-the-driver-in-.get_txpower.patch
queue-6.1/wifi-cfg80211-clear-wdev-cqm_config-pointer-on-free.patch
queue-6.1/wifi-iwlwifi-mvm-fix-response-handling-in-iwl_mvm_se.patch
queue-6.1/wifi-iwlwifi-mvm-disconnect-station-vifs-if-recovery.patch