Bug#946143: cfg80211: double-free after changing network namespace
Package: linux-signed-amd64
Version: 4.19.67+2+deb10u1
Tags: patch
Forwarded: https://patchwork.kernel.org/patch/11261855/
Hi,
I already reported this upstream, but didn't get much of a response yet,
see:
https://patchwork.kernel.org/patch/11261855/
We've been running the attached patch on 4.19.67 (rebuilt Debian kernel
source with KASAN and the patch) for about a week now without crashes on
a few boxes.
It would save me a lot of time and effort if this would be included in
Debian :)
cheers,
Stefan
--
Stefan Bühler Mail/xmpp: stefan.buehler@tik.uni-stuttgart.de
Netze und Kommunikationssysteme der Universität Stuttgart (NKS)
https://www.tik.uni-stuttgart.de/ Telefon: +49 711 685 60854
From e34c3d99095cadb7f764cdc497de57a7fc44cf55 Mon Sep 17 00:00:00 2001
From: Stefan Bühler <source@stbuehler.de>
Date: Tue, 26 Nov 2019 10:25:31 +0100
Subject: [PATCH 1/1] cfg80211: fix double-free after changing network
namespace (backport for 4.19.87)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If wdev->wext.keys was initialized it didn't get reset to NULL on
unregister (and it doesn't get set in cfg80211_init_wdev either), but
wdev is reused if unregister was triggered through
cfg80211_switch_netns.
The next unregister (for whatever reason) will try to free
wdev->wext.keys again.
X-Ref: https://patchwork.kernel.org/patch/11261855/
Signed-off-by: Stefan Bühler <source@stbuehler.de>
---
net/wireless/core.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/wireless/core.c b/net/wireless/core.c
index 68660781aa51..e556965220b7 100644
--- a/net/wireless/core.c
+++ b/net/wireless/core.c
@@ -1310,6 +1310,7 @@ static int cfg80211_netdev_notifier_call(struct notifier_block *nb,
cfg80211_mlme_purge_registrations(wdev);
#ifdef CONFIG_CFG80211_WEXT
kzfree(wdev->wext.keys);
+ wdev->wext.keys = NULL;
#endif
flush_work(&wdev->disconnect_wk);
cfg80211_cqm_config_free(wdev);
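Review bot: the NULL reset after kzfree() at the top of this hunk is the right minimal fix, since kzfree(NULL) is a no-op and the wdev object outlives NETDEV_UNREGISTER when the unregister was triggered by cfg80211_switch_netns; but the commit message also says cfg80211_init_wdev never initializes wext.keys, so consider clearing the field there too (or documenting that the unregister path owns the pointer), otherwise any future teardown path that frees the keys without resetting the pointer reintroduces the double-free. Note that wext.keys holds WEP key material, which is why kzfree() rather than kfree() is used here; with the reset, the wdev also no longer carries a stale pointer into scrubbed memory between the unregister and the next SIOCSIWENCODE.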
--
2.24.0
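Added example, not part of the bug report or of the kernel source: a small user-space C model of the lifecycle the commit message describes. The struct, function names (init_wdev, siwencode, netdev_unregister, switch_netns) and the tracking allocator are simplified stand-ins for net/wireless/core.c, chosen for illustration; the point is that the wdev object survives the unregister/register pair inside switch_netns, so a pointer that was freed but not reset is freed again on the final unregister. The buggy and fixed variants are selected by a flag so the two outcomes can be compared side by side.

```c
/* Added example (not the kernel's code): user-space model of the
 * wdev->wext.keys double-free. All names are simplified stand-ins. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct wext_keys { unsigned char wep[4][13]; };   /* WEP key store */

struct wireless_dev {
    struct { struct wext_keys *keys; } wext;       /* like wdev->wext.keys */
    int netns;
};

/* Tiny tracking "allocator": remembers the one outstanding keys block so a
 * second free of the same pointer is counted instead of corrupting the
 * heap (what KASAN flagged on the real kernel). */
static struct wext_keys *live_keys;
static int double_free_count;

static struct wext_keys *keys_alloc(void)
{
    struct wext_keys *k = calloc(1, sizeof *k);
    live_keys = k;
    return k;
}

/* Models kzfree(): scrub the key material, then release the block. */
static void keys_zfree(struct wext_keys *k)
{
    if (!k)
        return;                       /* kzfree(NULL) is a no-op */
    if (k != live_keys) {             /* pointer was already freed */
        double_free_count++;
        return;
    }
    memset(k, 0, sizeof *k);
    free(k);
    live_keys = NULL;
}

/* cfg80211_init_wdev analogue: does not touch wext.keys. */
static void init_wdev(struct wireless_dev *wdev, int netns)
{
    wdev->netns = netns;
}

/* SIOCSIWENCODE analogue: lazily allocate the key store. */
static void siwencode(struct wireless_dev *wdev)
{
    if (!wdev->wext.keys)
        wdev->wext.keys = keys_alloc();
}

/* NETDEV_UNREGISTER handler; reset_ptr selects buggy (0) or fixed (1). */
static void netdev_unregister(struct wireless_dev *wdev, int reset_ptr)
{
    keys_zfree(wdev->wext.keys);
    if (reset_ptr)
        wdev->wext.keys = NULL;       /* the one-line fix from the patch */
}

/* cfg80211_switch_netns analogue: the same wdev object is unregistered
 * and re-initialised, so whatever pointer it still holds survives too. */
static void switch_netns(struct wireless_dev *wdev, int netns, int reset_ptr)
{
    netdev_unregister(wdev, reset_ptr);
    init_wdev(wdev, netns);
}

/* Replay the reported sequence; returns the number of double frees seen. */
int replay(int reset_ptr)
{
    struct wireless_dev wdev = {0};

    double_free_count = 0;
    live_keys = NULL;
    init_wdev(&wdev, 1);
    siwencode(&wdev);                    /* keys allocated in netns 1 */
    switch_netns(&wdev, 2, reset_ptr);   /* first unregister frees them */
    netdev_unregister(&wdev, reset_ptr); /* final teardown */
    return double_free_count;
}

int main(void)
{
    printf("without reset: %d double free(s)\n", replay(0));
    printf("with reset:    %d double free(s)\n", replay(1));
    return 0;
}
```

With reset_ptr=0 the final unregister hands the stale pointer back to keys_zfree() and the tracker counts one double free; with reset_ptr=1 the field is NULL and the call is a no-op. The same stale pointer would also make a later siwencode() skip its allocation and write into freed memory, so the reset closes a use-after-free as well as the double free.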