Received: by 10.192.165.148 with SMTP id m20csp531263imm; Wed, 25 Apr 2018 03:47:03 -0700 (PDT) X-Google-Smtp-Source: AB8JxZrZY91OzIBvNDU2XXfyVQ7dbLOiy6pkUPM8y/145u8BnKWkTN9h5lTlC/qsNspxD5B0l2ir X-Received: by 10.99.65.197 with SMTP id o188mr5662601pga.7.1524653223828; Wed, 25 Apr 2018 03:47:03 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1524653223; cv=none; d=google.com; s=arc-20160816; b=hiPqLa0z8v0RlNlDODswx7tNmiJOlmATacOxkgqVwsXLpXIbA4Y1Q1z9Qlc40iYDoG 8zuBg3IAkBvVowFNQnofN2MK+J7NyOJ6Yc0FoTelpyFZHdDeSa9jVScrbaDEsMxUC+cm g17qLJ3/k9g6FJvNhiTT8EfxgiYmmbUeiWfr+cEWG0T+cYaFlHzrpJQRyHd+xFRJyELB uDMud5kE53DGLcXHOyaf9jmt354tJ80AYCBkIO7YD/xXz14ZpgAfSeKERjX4SoyC8KX7 qzsV9TnsXrNmA00yVNJ4by4ndn90si4o3uXRVjqOvuc73yRBApmmtIijFS72zWc2jGfV svXA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=ICoY/+RjJL3NQgxzCek0F/3ruoQSw6TYV2KCFUzzvaA=; b=hcYdRWVgfkMDPpos7Wn73FF+R3NHsneDBMT1f7uwcqy/PIU74KoYTrK0N367RZ16TV EMrAxJ2XVVpURzsHOpkT2E2fwpr1Wieh/r3xujVLWFe0n1c1hUWv0b46kUHVF1XVvsMb AkGlGZRtyRUvE53m2/3awSZ0kzc9Y8072c/JcdVyjLGiT9o0pip6J10niCXXkRmXNioV /3iacQ00FHobmgwdI12dPe0JWSAcXRjIse+D5j9ug2QFTdS8zJZ1gIFx8TVRucTYMqa7 95rY99PdFQ9VLrW8090t5KoWDON1HUSNnUbNJ5cCgPDJio6l66CeoXZy0jaoq5zQmWgh L4dA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id bi10-v6si11764469plb.49.2018.04.25.03.46.49; Wed, 25 Apr 2018 03:47:03 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754566AbeDYKpg (ORCPT + 99 others); Wed, 25 Apr 2018 06:45:36 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:53564 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754517AbeDYKpU (ORCPT ); Wed, 25 Apr 2018 06:45:20 -0400 Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id DC481272; Wed, 25 Apr 2018 10:45:19 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+70ce058e01259de7bb1d@syzkaller.appspotmail.com, Benjamin Beichler , Johannes Berg Subject: [PATCH 4.14 183/183] mac80211_hwsim: fix use-after-free bug in hwsim_exit_net Date: Wed, 25 Apr 2018 12:36:43 +0200 Message-Id: <20180425103249.853994921@linuxfoundation.org> X-Mailer: git-send-email 2.17.0 In-Reply-To: <20180425103242.532713678@linuxfoundation.org> References: <20180425103242.532713678@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.14-stable review patch. If anyone has any objections, please let me know. ------------------ From: Benjamin Beichler commit 8cfd36a0b53aeb4ec21d81eb79706697b84dfc3d upstream. When destroying a net namespace, all hwsim interfaces, which are not created in default namespace are deleted. But the async deletion of the interfaces could last longer than the actual destruction of the namespace, which results to an use after free bug. Therefore use synchronous deletion in this case. Fixes: 100cb9ff40e0 ("mac80211_hwsim: Allow managing radios from non-initial namespaces") Reported-by: syzbot+70ce058e01259de7bb1d@syzkaller.appspotmail.com Signed-off-by: Benjamin Beichler Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman --- drivers/net/wireless/mac80211_hwsim.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) --- a/drivers/net/wireless/mac80211_hwsim.c +++ b/drivers/net/wireless/mac80211_hwsim.c @@ -3427,8 +3427,11 @@ static void __net_exit hwsim_exit_net(st continue; list_del(&data->list); - INIT_WORK(&data->destroy_work, destroy_radio); - schedule_work(&data->destroy_work); + spin_unlock_bh(&hwsim_radio_lock); + mac80211_hwsim_del_radio(data, wiphy_name(data->hw->wiphy), + NULL); + spin_lock_bh(&hwsim_radio_lock); + } spin_unlock_bh(&hwsim_radio_lock); }