From: James Kim <james010kim@gmail.com>
To: jjohnson@kernel.org
Cc: quic_srirrama@quicinc.com, quic_ramess@quicinc.com,
	kvalo@kernel.org, stable@vger.kernel.org,
	linux-wireless@vger.kernel.org, ath12k@lists.infradead.org,
	linux-kernel@vger.kernel.org, James Kim <james010kim@gmail.com>
Subject: [PATCH] wifi: ath12k: fix use-after-free of arvif in assign_vif_chanctx()
Date: Tue, 10 Mar 2026 11:43:05 +0900	[thread overview]
Message-ID: <20260310024305.555408-1-james010kim@gmail.com> (raw)

In ath12k_mac_op_assign_vif_chanctx(), arvif is obtained from
ath12k_mac_assign_link_vif() and then passed to
ath12k_mac_assign_vif_to_vdev(). Inside that function, when the
target radio (ar) differs from arvif->ar (multi-radio configuration),
the old arvif is freed via ath12k_mac_unassign_link_vif() -> kfree()
and a new one is allocated internally. However, only the ar pointer
is returned to the caller — the caller's arvif still points to the
freed memory.

The caller then continues to dereference this stale arvif pointer
at multiple locations (arvif->vdev_id, arvif->punct_bitmap,
arvif->is_started, etc.), resulting in a use-after-free.

Fix this by re-fetching arvif from ahvif->link[link_id] after
ath12k_mac_assign_vif_to_vdev() returns, since the link pointer
is always updated when a new arvif is assigned.

Fixes: 477cabfdb776 ("wifi: ath12k: modify link arvif creation and removal for MLO")
Cc: stable@vger.kernel.org
Signed-off-by: James Kim <james010kim@gmail.com>
---
 drivers/net/wireless/ath/ath12k/mac.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/drivers/net/wireless/ath/ath12k/mac.c b/drivers/net/wireless/ath/ath12k/mac.c
index b253d1e3f405..ee44a8b59e9b 100644
--- a/drivers/net/wireless/ath/ath12k/mac.c
+++ b/drivers/net/wireless/ath/ath12k/mac.c
@@ -12069,6 +12069,17 @@ ath12k_mac_op_assign_vif_chanctx(struct ieee80211_hw *hw,
 		return -EINVAL;
 	}
 
+	/* ath12k_mac_assign_vif_to_vdev() may free and reassign arvif
+	 * internally when switching radios (ar != arvif->ar). Refresh
+	 * arvif from ahvif->link[].
+	 */
+	arvif = wiphy_dereference(hw->wiphy, ahvif->link[link_id]);
+	if (!arvif) {
+		ath12k_hw_warn(ah, "failed to get arvif for link %u after vdev assignment",
+			       link_id);
+		return -ENOENT;
+	}
+
 	ab = ar->ab;
 
 	ath12k_dbg(ab, ATH12K_DBG_MAC,
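Review bot: the `return -ENOENT` in the new `if (!arvif)` branch bails out after ath12k_mac_assign_vif_to_vdev() has already done its work, so whatever that call set up stays in place with no unwind on this path. The commit message states that `ahvif->link[link_id]` is always updated when a new arvif is assigned, which makes this branch unreachable in practice; either say so in the comment and treat it as a defensive check (a `WARN_ON_ONCE` would make an unexpected hit visible in logs rather than silently failing the chanctx assignment), or undo the assignment before returning. Also worth confirming in the commit message that the wiphy lock is held here, since `wiphy_dereference(hw->wiphy, ...)` relies on it; the hunk does not show the lockdep assertion that would make that obvious to a reader of the diff.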
-- 
2.43.0


