From: Benjamin Beichler
Subject: [PATCH] mac80211_hwsim: fixed use-after-free bug in hwsim_exit_net
Date: Wed, 7 Mar 2018 18:11:07 +0100
Message-ID: <20180307171107.2803-1-benjamin.beichler@uni-rostock.de>
X-Mailing-List: linux-kernel@vger.kernel.org

When destroying a net namespace, all hwsim interfaces which are not
created in the default namespace are deleted. But the async deletion of the
interfaces could last longer than the actual destruction of the
namespace, which results in a use-after-free bug. Therefore use
synchronous deletion in this case.

Fixes: 100cb9ff40e0 ("mac80211_hwsim: Allow managing radios from non-initial namespaces")
Reported-by: syzbot+70ce058e01259de7bb1d@syzkaller.appspotmail.com
Signed-off-by: Benjamin Beichler

--- drivers/net/wireless/mac80211_hwsim.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c index 7b6c3640a94f..93a7ae34653e 100644 --- a/drivers/net/wireless/mac80211_hwsim.c +++ b/drivers/net/wireless/mac80211_hwsim.c @@ -3528,8 +3528,12 @@ static void __net_exit hwsim_exit_net(struct net *net) list_del(&data->list); rhashtable_remove_fast(&hwsim_radios_rht, &data->rht, hwsim_rht_params); - INIT_WORK(&data->destroy_work, destroy_radio); - queue_work(hwsim_wq, &data->destroy_work); + hwsim_radios_generation++; + spin_unlock_bh(&hwsim_radio_lock); + mac80211_hwsim_del_radio(data, + wiphy_name(data->hw->wiphy), + NULL); + spin_lock_bh(&hwsim_radio_lock); } spin_unlock_bh(&hwsim_radio_lock); -- 2.16.2
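
Review bot: spin_unlock_bh(&hwsim_radio_lock) and spin_lock_bh(&hwsim_radio_lock) are placed around mac80211_hwsim_del_radio() inside the block that the trailing "}" closes, so if that block is the body of the walk over the radio list, the list is unprotected for the duration of every deletion, and whatever position the walk has saved can be unlinked or freed by another path before the lock is re-taken. A safer shape is to do only the unlinking under the lock (the existing list_del() and rhashtable_remove_fast(), plus hwsim_radios_generation++), collect the entries on a local list, drop the lock once after the loop, and then call mac80211_hwsim_del_radio() for each collected entry. A short comment at the call explaining that deletion has to be synchronous because the namespace is being torn down would help future readers, and the commit message should say whether data->destroy_work still has a user after the INIT_WORK()/queue_work() pair is removed here.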