--- /dev/null
+From 8cfd36a0b53aeb4ec21d81eb79706697b84dfc3d Mon Sep 17 00:00:00 2001
+From: Benjamin Beichler <benjamin.beichler@uni-rostock.de>
+Date: Wed, 7 Mar 2018 18:11:07 +0100
+Subject: mac80211_hwsim: fix use-after-free bug in hwsim_exit_net
+
+From: Benjamin Beichler <benjamin.beichler@uni-rostock.de>
+
+commit 8cfd36a0b53aeb4ec21d81eb79706697b84dfc3d upstream.
+
+When destroying a net namespace, all hwsim interfaces, which are not
+created in default namespace are deleted. But the async deletion of the
+interfaces could last longer than the actual destruction of the
+namespace, which results to an use after free bug. Therefore use
+synchronous deletion in this case.
+
+Fixes: 100cb9ff40e0 ("mac80211_hwsim: Allow managing radios from non-initial namespaces")
+Reported-by: syzbot+70ce058e01259de7bb1d@syzkaller.appspotmail.com
+Signed-off-by: Benjamin Beichler <benjamin.beichler@uni-rostock.de>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/mac80211_hwsim.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/mac80211_hwsim.c
++++ b/drivers/net/wireless/mac80211_hwsim.c
+@@ -3427,8 +3427,11 @@ static void __net_exit hwsim_exit_net(st
+ continue;
+
+ list_del(&data->list);
+- INIT_WORK(&data->destroy_work, destroy_radio);
+- schedule_work(&data->destroy_work);
++ spin_unlock_bh(&hwsim_radio_lock);
++ mac80211_hwsim_del_radio(data, wiphy_name(data->hw->wiphy),
++ NULL);
++ spin_lock_bh(&hwsim_radio_lock);
++
+ }
+ spin_unlock_bh(&hwsim_radio_lock);
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
