[PATCH] wifi: cfg80211: Prevent comparison with invalid registered dev scan req

Lizhi Xu posted 1 patch 7 months, 3 weeks ago
net/wireless/scan.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
Posted by Lizhi Xu 7 months, 3 weeks ago
The scan req of a registered device may have been released, so it should
be checked to be valid before comparing it with the current req.

Reported-by: syzbot+189dcafc06865d38178d@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=189dcafc06865d38178d
Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
---
 net/wireless/scan.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index e8a4fe44ec2d..bfd40797e608 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -1176,10 +1176,14 @@ void cfg80211_scan_done(struct cfg80211_scan_request *request,
 			struct cfg80211_scan_info *info)
 {
 	struct cfg80211_scan_info old_info = request->info;
+	struct cfg80211_scan_request *rdev_req, *rdev_int_req;
+
+	rdev_req = wiphy_to_rdev(request->wiphy)->scan_req;
+	rdev_int_req = wiphy_to_rdev(request->wiphy)->int_scan_req;
 
 	trace_cfg80211_scan_done(request, info);
-	WARN_ON(request != wiphy_to_rdev(request->wiphy)->scan_req &&
-		request != wiphy_to_rdev(request->wiphy)->int_scan_req);
+	WARN_ON((rdev_req && request != rdev_req) &&
+		(rdev_int_req && request != rdev_int_req));
 
 	request->info = *info;
 
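Review bot: the rewritten condition at `WARN_ON((rdev_req && request != rdev_req) && (rdev_int_req && request != rdev_int_req))` weakens the check instead of fixing what it was catching: once `rdev_req` is NULL the first conjunct is false and the warning can no longer fire for any `request`, including one that matches neither `scan_req` nor `int_scan_req`, which is precisely the case the original `WARN_ON(request != ...scan_req && request != ...int_scan_req)` flagged; the original already handled a NULL rdev pointer, since a NULL pointer simply never equals a non-NULL `request`. If the rdev's scan request has really been released while the driver still completes it, then `request` itself is the stale pointer, and the read of `request->info` in `struct cfg80211_scan_info old_info = request->info;` at the top of the function dereferences it before the WARN_ON is ever reached, so silencing the warning does not address that crash either. Suggest keeping the original condition and instead identifying the caller that completes a request the rdev no longer owns, and naming that caller and the ordering in the commit log. As a style point, if locals are kept, fetch `wiphy_to_rdev(request->wiphy)` once into a `struct cfg80211_registered_device *rdev` rather than calling it twice.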
-- 
2.43.0
Re: [PATCH] wifi: cfg80211: Prevent comparison with invalid registered dev scan req
Posted by Johannes Berg 7 months, 3 weeks ago
On Thu, 2025-06-19 at 16:05 +0800, Lizhi Xu wrote:
> The scan req of a registered device may have been released, so it should
> be checked to be valid before comparing it with the current req.
> 

I don't understand the subject/commit log at all. You're now accepting
scan_done() with a NULL scan request, why does that make sense?

johannes
Re: [PATCH] wifi: cfg80211: Prevent comparison with invalid registered dev scan req
Posted by Lizhi Xu 7 months, 2 weeks ago
On Fri, 20 Jun 2025 13:01:51 +0200, Johannes Berg wrote:
> > The scan req of a registered device may have been released, so it should
> > be checked to be valid before comparing it with the current req.
> >
> 
> I don't understand the subject/commit log at all. You're now accepting
> scan_done() with a NULL scan request, why does that make sense?
It is meaningless to compare the registered device's NULL scan_req with
the current scan request.

Because there is a check for scan_req being NULL in ___cfg80211_scan_done(),
cfg80211_scan_done() is not directly exited when the scan_req of the registered
device is NULL.

Lizhi
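To make the point Johannes raises concrete, here is an added example (not code from the patch, from cfg80211, or from either poster): the WARN_ON predicate before and after the patch, rewritten as plain C functions on a stand-in `struct scan_req`, and an enumeration of every rdev state for a completion of a request the rdev does not own. All three request objects are constructed for the example; only pointer identity matters, exactly as in the kernel condition.

```c
/* Added example, not part of the patch or the thread: the old and new
 * WARN_ON() predicates from cfg80211_scan_done() as user-space functions,
 * so the effect of the change on what gets flagged can be enumerated.
 * struct scan_req stands in for struct cfg80211_scan_request. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct scan_req {
	int id;
};

/* Constructed stand-ins: two requests the rdev might own, one it does not. */
struct scan_req owned_a = { 1 };
struct scan_req owned_b = { 2 };
struct scan_req foreign = { 3 };

/* Predicate as it was before the patch: flag any completion whose request
 * is neither of the rdev's pointers. A NULL rdev pointer never equals a
 * non-NULL request, so NULL needs no special casing. */
bool warn_old(const struct scan_req *request,
	      const struct scan_req *scan_req,
	      const struct scan_req *int_scan_req)
{
	return request != scan_req && request != int_scan_req;
}

/* Predicate as the patch writes it: a mismatch only counts when the rdev
 * pointer it is compared against is non-NULL, so a NULL pointer disables
 * its half of the check. */
bool warn_new(const struct scan_req *request,
	      const struct scan_req *scan_req,
	      const struct scan_req *int_scan_req)
{
	return (scan_req && request != scan_req) &&
	       (int_scan_req && request != int_scan_req);
}

/* Enumerate every combination of rdev state (each pointer NULL or set) for
 * a completion of a request the rdev does not own. Returns how many of
 * those combinations the old predicate flags but the new one lets through. */
int count_silenced_cases(void)
{
	const struct scan_req *scan_req_states[] = { NULL, &owned_a };
	const struct scan_req *int_req_states[] = { NULL, &owned_b };
	int silenced = 0;

	for (size_t i = 0; i < 2; i++) {
		for (size_t j = 0; j < 2; j++) {
			bool flagged_old = warn_old(&foreign, scan_req_states[i],
						    int_req_states[j]);
			bool flagged_new = warn_new(&foreign, scan_req_states[i],
						    int_req_states[j]);

			printf("scan_req=%-4s int_scan_req=%-4s old:%d new:%d\n",
			       scan_req_states[i] ? "set" : "NULL",
			       int_req_states[j] ? "set" : "NULL",
			       flagged_old, flagged_new);
			if (flagged_old && !flagged_new)
				silenced++;
		}
	}
	return silenced;
}

int main(void)
{
	int silenced = count_silenced_cases();

	printf("%d of 4 foreign-request completions no longer warn\n", silenced);
	return 0;
}
```

The enumeration shows the patched predicate only still fires when both rdev pointers are set; with either one NULL, a completion for a request the rdev never registered passes silently, which is the NULL-scan_req acceptance Johannes asks about.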