
Bug#946143: marked as done (cfg80211: double-free after changing network namespace)



Your message dated Sun, 2 May 2021 14:01:43 +0200
with message-id <YI6UpxUGBuAQnFZB@eldamar.lan>
and subject line Re: Bug#946143: cfg80211: double-free after changing network namespace
has caused the Debian Bug report #946143,
regarding cfg80211: double-free after changing network namespace
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
946143: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946143
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: linux-signed-amd64
Version: 4.19.67+2+deb10u1
Tags: patch
Forwarded: https://patchwork.kernel.org/patch/11261855/

Hi,

I already reported this upstream, but didn't get much of a response yet,
see:

https://patchwork.kernel.org/patch/11261855/

We've been running the attached patch on 4.19.67 (rebuilt debian kernel
source with KASAN and the patch) for about a week now without crashes on
a few boxes.

It would save me a lot of time and effort if this would be included in
debian :)

cheers,
Stefan

-- 
Stefan Bühler    Mail/xmpp: stefan.buehler@tik.uni-stuttgart.de
Netze und Kommunikationssysteme der Universität Stuttgart (NKS)
https://www.tik.uni-stuttgart.de/    Telefon: +49 711 685 60854
From e34c3d99095cadb7f764cdc497de57a7fc44cf55 Mon Sep 17 00:00:00 2001
From: Stefan Bühler <source@stbuehler.de>
Date: Tue, 26 Nov 2019 10:25:31 +0100
Subject: [PATCH 1/1] cfg80211: fix double-free after changing network
 namespace (backport for 4.19.87)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If wdev->wext.keys was initialized it didn't get reset to NULL on
unregister (and it doesn't get set in cfg80211_init_wdev either), but
wdev is reused if unregister was triggered through
cfg80211_switch_netns.

The next unregister (for whatever reason) will try to free
wdev->wext.keys again.

X-Ref: https://patchwork.kernel.org/patch/11261855/
Signed-off-by: Stefan Bühler <source@stbuehler.de>
---
 net/wireless/core.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/wireless/core.c b/net/wireless/core.c
index 68660781aa51..e556965220b7 100644
--- a/net/wireless/core.c
+++ b/net/wireless/core.c
@@ -1310,6 +1310,7 @@ static int cfg80211_netdev_notifier_call(struct notifier_block *nb,
 			cfg80211_mlme_purge_registrations(wdev);
 #ifdef CONFIG_CFG80211_WEXT
 			kzfree(wdev->wext.keys);
+			wdev->wext.keys = NULL;
 #endif
 			flush_work(&wdev->disconnect_wk);
 			cfg80211_cqm_config_free(wdev);
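Review bot: the new `wdev->wext.keys = NULL;` line needs a short comment in core.c saying why it is there, because nothing at this call site shows that the wdev outlives the unregister. The reasoning from the commit message (the wdev is reused when unregister is triggered through cfg80211_switch_netns, and cfg80211_init_wdev never resets wext.keys) belongs next to the assignment, otherwise the next person cleaning up the `#ifdef CONFIG_CFG80211_WEXT` block may drop it as redundant. With the pointer cleared, the `kzfree(wdev->wext.keys)` on the following unregister becomes a no-op on NULL, which is the intended behaviour.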
-- 
2.24.0


--- End Message ---
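The double free described in the commit message above, as an added example: a constructed, reduced model of the wireless_dev lifecycle, not kernel code and not the reporter's patch. The names `keys_alloc`, `kzfree_sim`, `unregister_wdev`, `switch_netns` and `simulate` are invented for the model; `simulate(0)` leaves the pointer dangling as the unpatched code did, `simulate(1)` clears it the way the patch does.

```c
#include <stdio.h>
#include <string.h>
/* Constructed, reduced model of the cfg80211 objects involved; not kernel code. */
struct wext_keys { unsigned char data[64]; };
struct wireless_dev { struct wext_keys *wext_keys; };   /* stands in for wdev->wext.keys */

/* One static key block plus a "freed" flag lets the second free be detected
 * without calling free() twice, which would be undefined behaviour. */
static struct wext_keys key_storage;
static int key_freed, double_free_count;
static struct wext_keys *keys_alloc(void) {
    memset(&key_storage, 0xAB, sizeof key_storage);   /* pretend key material */
    key_freed = 0;
    return &key_storage;
}

/* Models kzfree(): NULL is a no-op, otherwise zero the block and release it. */
static void kzfree_sim(struct wext_keys *k) {
    if (!k) return;
    if (key_freed) { double_free_count++; return; }   /* real kernel: heap corruption here */
    memset(k, 0, sizeof *k);
    key_freed = 1;
}
/* Unregister path of cfg80211_netdev_notifier_call(): with fix == 0 the pointer
 * is left dangling after kzfree(), with fix == 1 it is cleared as the patch does. */
static void unregister_wdev(struct wireless_dev *wdev, int fix) {
    kzfree_sim(wdev->wext_keys);
    if (fix) wdev->wext_keys = NULL;
}

/* cfg80211_switch_netns() unregisters and re-registers the same wdev; nothing
 * resets wext.keys in between, since cfg80211_init_wdev() does not touch it. */
static void switch_netns(struct wireless_dev *wdev, int fix) {
    unregister_wdev(wdev, fix);
    /* wdev is reused as-is in the new namespace */
}

/* Number of double frees seen for one namespace switch followed by a final unregister. */
int simulate(int fix) {
    double_free_count = 0;
    struct wireless_dev wdev = { keys_alloc() };
    switch_netns(&wdev, fix);      /* move the interface to another netns */
    unregister_wdev(&wdev, fix);   /* interface removed for good */
    return double_free_count;
}

int main(void) {
    printf("without fix: %d double free(s), with fix: %d\n", simulate(0), simulate(1));
    return 0;
}
```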
--- Begin Message ---
Source: linux
Source-Version: 5.4.13-1

Hi,

On Wed, Dec 04, 2019 at 09:50:56AM +0100, Stefan Bühler wrote:
> Package: linux-signed-amd64
> Version: 4.19.67+2+deb10u1
> Tags: patch
> Forwarded: https://patchwork.kernel.org/patch/11261855/
> 
> Hi,
> 
> I already reported this upstream, but didn't get much of a response yet,
> see:
> 
> https://patchwork.kernel.org/patch/11261855/
> 
> We've been running the attached patch on 4.19.67 (rebuilt debian kernel
> source with KASAN and the patch) for about a week now without crashes on
> a few boxes.
> 
> It would save me a lot of time and effort if this would be included in
> debian :)

This appears to have been committed upstream 5.5-rc3 and backported to
5.4.11 as well.

Regards,
Salvatore

--- End Message ---
