From d70fbade446972161726bd7a7c315572273378a4 Mon Sep 17 00:00:00 2001 From: James Prestwood Date: Fri, 28 Mar 2025 07:42:53 -0700 Subject: [PATCH] netdev: fix invalid read after netdev_free The netdev frame watches got cleaned up upon the interface going down which works if the interface is simply being toggled but when IWD shuts down it first shuts down the interface, then immediately frees netdev. If a watched frame arrives immediately after that before the interface shutdown callback it will reference netdev, which has been freed. Fix this by clearing out the frame watches in netdev_free. ==147== Invalid read of size 8 ==147== at 0x408ADB: netdev_neighbor_report_frame_event (netdev.c:4772) ==147== by 0x467C75: frame_watch_unicast_notify (frame-xchg.c:234) ==147== by 0x4E28F8: __notifylist_notify (notifylist.c:91) ==147== by 0x4E2D37: l_notifylist_notify_matches (notifylist.c:204) ==147== by 0x4A1388: process_unicast (genl.c:844) ==147== by 0x4A1388: received_data (genl.c:972) ==147== by 0x49D82F: io_callback (io.c:105) ==147== by 0x49C93C: l_main_iterate (main.c:461) ==147== by 0x49CA0B: l_main_run (main.c:508) ==147== by 0x49CA0B: l_main_run (main.c:490) ==147== by 0x49CC3F: l_main_run_with_signal (main.c:630) ==147== by 0x4049EC: main (main.c:614) --- src/netdev.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/netdev.c b/src/netdev.c index 048681f5..b81a475f 100644 --- a/src/netdev.c +++ b/src/netdev.c @@ -1109,6 +1109,7 @@ static void netdev_free(void *data) l_timeout_remove(netdev->rssi_poll_timeout); scan_wdev_remove(netdev->wdev_id); + frame_watch_wdev_remove(netdev->wdev_id); watchlist_destroy(&netdev->station_watches);
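Review bot: the added frame_watch_wdev_remove(netdev->wdev_id) call in netdev_free will also run on the ordinary path where the watches were already cleared when the interface went down, so it should be confirmed, or stated in the commit message, that frame_watch_wdev_remove is a harmless no-op when no watches remain for that wdev_id. The placement is otherwise right: it sits after scan_wdev_remove and before watchlist_destroy(&netdev->station_watches) and the rest of the teardown, so a frame that races the still-pending interface-down callback can no longer reach netdev_neighbor_report_frame_event (netdev.c:4772 in the trace) through a freed netdev. A one-line comment next to the call, noting that it exists for the shutdown ordering described in the message, would keep someone from later dropping it as redundant with the interface-down cleanup.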