Commit f1c47eb6 authored by Martin Willi's avatar Martin Willi Committed by Johannes Berg

mac80211_hwsim: fix race in radio destruction from netlink notifier

The asynchronous destruction from a work-queue of radios tagged with
destroy-on-close may race with the owning namespace about to exit,
resulting in potential use-after-free of that namespace.

Instead of using a work-queue, move radios about to destroy to a
temporary list, which can be worked on synchronously after releasing
the lock. This should be safe to do from the netlink socket notifier,
as the namespace is guaranteed to not get released.
Signed-off-by: default avatarMartin Willi <martin@strongswan.org>
Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
parent 628980e5
...@@ -520,7 +520,6 @@ struct mac80211_hwsim_data { ...@@ -520,7 +520,6 @@ struct mac80211_hwsim_data {
int channels, idx; int channels, idx;
bool use_chanctx; bool use_chanctx;
bool destroy_on_close; bool destroy_on_close;
struct work_struct destroy_work;
u32 portid; u32 portid;
char alpha2[2]; char alpha2[2];
const struct ieee80211_regdomain *regd; const struct ieee80211_regdomain *regd;
...@@ -3565,30 +3564,27 @@ static struct genl_family hwsim_genl_family __ro_after_init = { ...@@ -3565,30 +3564,27 @@ static struct genl_family hwsim_genl_family __ro_after_init = {
.n_mcgrps = ARRAY_SIZE(hwsim_mcgrps), .n_mcgrps = ARRAY_SIZE(hwsim_mcgrps),
}; };
static void destroy_radio(struct work_struct *work)
{
struct mac80211_hwsim_data *data =
container_of(work, struct mac80211_hwsim_data, destroy_work);
hwsim_radios_generation++;
mac80211_hwsim_del_radio(data, wiphy_name(data->hw->wiphy), NULL);
}
static void remove_user_radios(u32 portid) static void remove_user_radios(u32 portid)
{ {
struct mac80211_hwsim_data *entry, *tmp; struct mac80211_hwsim_data *entry, *tmp;
LIST_HEAD(list);
spin_lock_bh(&hwsim_radio_lock); spin_lock_bh(&hwsim_radio_lock);
list_for_each_entry_safe(entry, tmp, &hwsim_radios, list) { list_for_each_entry_safe(entry, tmp, &hwsim_radios, list) {
if (entry->destroy_on_close && entry->portid == portid) { if (entry->destroy_on_close && entry->portid == portid) {
list_del(&entry->list); list_move(&entry->list, &list);
rhashtable_remove_fast(&hwsim_radios_rht, &entry->rht, rhashtable_remove_fast(&hwsim_radios_rht, &entry->rht,
hwsim_rht_params); hwsim_rht_params);
INIT_WORK(&entry->destroy_work, destroy_radio); hwsim_radios_generation++;
queue_work(hwsim_wq, &entry->destroy_work);
} }
} }
spin_unlock_bh(&hwsim_radio_lock); spin_unlock_bh(&hwsim_radio_lock);
list_for_each_entry_safe(entry, tmp, &list, list) {
list_del(&entry->list);
mac80211_hwsim_del_radio(entry, wiphy_name(entry->hw->wiphy),
NULL);
}
} }
static int mac80211_hwsim_netlink_notify(struct notifier_block *nb, static int mac80211_hwsim_netlink_notify(struct notifier_block *nb,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment