--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: cfg80211: double-free after changing network namespace
- From: "Stefan Bühler" <stefan.buehler@tik.uni-stuttgart.de>
- Date: Wed, 4 Dec 2019 09:50:56 +0100
- Message-id: <2c7ca6b4-4ed0-6535-2966-8f33ccc8a191@tik.uni-stuttgart.de>
Package: linux-signed-amd64
Version: 4.19.67+2+deb10u1
Tags: patch
Forwarded: https://patchwork.kernel.org/patch/11261855/
Hi,
I already reported this upstream, but didn't get much of a response yet,
see:
https://patchwork.kernel.org/patch/11261855/
We've been running the attached patch on 4.19.67 (rebuilt debian kernel
source with KASAN and the patch) for about a week now without crashes on
a few boxes.
It would save me a lot of time and effort if this would be included in
debian :)
cheers,
Stefan
--
Stefan Bühler Mail/xmpp: stefan.buehler@tik.uni-stuttgart.de
Netze und Kommunikationssysteme der Universität Stuttgart (NKS)
https://www.tik.uni-stuttgart.de/ Telefon: +49 711 685 60854
From e34c3d99095cadb7f764cdc497de57a7fc44cf55 Mon Sep 17 00:00:00 2001
From: Stefan Bühler <source@stbuehler.de>
Date: Tue, 26 Nov 2019 10:25:31 +0100
Subject: [PATCH 1/1] cfg80211: fix double-free after changing network
namespace (backport for 4.19.87)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If wdev->wext.keys was initialized it didn't get reset to NULL on
unregister (and it doesn't get set in cfg80211_init_wdev either), but
wdev is reused if unregister was triggered through
cfg80211_switch_netns.
The next unregister (for whatever reason) will try to free
wdev->wext.keys again.
X-Ref: https://patchwork.kernel.org/patch/11261855/
Signed-off-by: Stefan Bühler <source@stbuehler.de>
---
net/wireless/core.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/wireless/core.c b/net/wireless/core.c
index 68660781aa51..e556965220b7 100644
--- a/net/wireless/core.c
+++ b/net/wireless/core.c
@@ -1310,6 +1310,7 @@ static int cfg80211_netdev_notifier_call(struct notifier_block *nb,
cfg80211_mlme_purge_registrations(wdev);
#ifdef CONFIG_CFG80211_WEXT
kzfree(wdev->wext.keys);
+ wdev->wext.keys = NULL;
#endif
flush_work(&wdev->disconnect_wk);
cfg80211_cqm_config_free(wdev);
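Review bot: the added `wdev->wext.keys = NULL;` directly after `kzfree(wdev->wext.keys);` is the right minimal fix for the scenario in the commit message: the wdev survives an unregister triggered via cfg80211_switch_netns, so leaving the freed pointer in place means the next unregister frees it a second time, and placing the assignment inside the same `#ifdef CONFIG_CFG80211_WEXT` block keeps the build intact when the wext field is not compiled in. Since this path is reached for a wdev that will be reused, review should also confirm that the sibling cleanup on the following lines (`cfg80211_cqm_config_free(wdev);`) leaves its state safe for a second pass, and that this backport matches the upstream change referenced in the X-Ref so it can be dropped once the fixed 5.4.x kernel is packaged.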
--
2.24.0
--- End Message ---
--- Begin Message ---
- To: Stefan Bühler <stefan.buehler@tik.uni-stuttgart.de>, 946143-done@bugs.debian.org
- Subject: Re: Bug#946143: cfg80211: double-free after changing network namespace
- From: Salvatore Bonaccorso <carnil@debian.org>
- Date: Sun, 2 May 2021 14:01:43 +0200
- Message-id: <YI6UpxUGBuAQnFZB@eldamar.lan>
- In-reply-to: <2c7ca6b4-4ed0-6535-2966-8f33ccc8a191@tik.uni-stuttgart.de>
- References: <2c7ca6b4-4ed0-6535-2966-8f33ccc8a191@tik.uni-stuttgart.de>
Source: linux
Source-Version: 5.4.13-1
Hi,
On Wed, Dec 04, 2019 at 09:50:56AM +0100, Stefan Bühler wrote:
> Package: linux-signed-amd64
> Version: 4.19.67+2+deb10u1
> Tags: patch
> Forwarded: https://patchwork.kernel.org/patch/11261855/
>
> Hi,
>
> I already reported this upstream, but didn't get much of a response yet,
> see:
>
> https://patchwork.kernel.org/patch/11261855/
>
> We've been running the attached patch on 4.19.67 (rebuilt debian kernel
> source with KASAN and the patch) for about a week now without crashes on
> a few boxes.
>
> It would save me a lot of time and effort if this would be included in
> debian :)
This appears to have been committed upstream 5.5-rc3 and backported to
5.4.11 as well.
Regards,
Salvatore
--- End Message ---