Re: [PATCH] wifi: mac80211_hwsim: fix destroy-on-close UAF in netlink handlers

Next message: Christian Borntraeger: "Re: [PATCH 1/2] s390: export memory encryption helper functions"
Previous message: Maxime Ripard: "Re: [PATCH] powerpc: Export set_memory_encrypted and set_memory_decrypted"
In reply to: Dominik 'Disconnect3d' Czarnota: "[PATCH] wifi: mac80211_hwsim: fix destroy-on-close UAF in netlink handlers"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Johannes Berg

Date: Tue Jun 09 2026 - 08:39:22 EST

On Tue, 2026-06-09 at 09:32 +0000, Dominik 'Disconnect3d' Czarnota
wrote:
> mac80211_hwsim is a developer testing driver for simulated 802.11
> radios and is not used for normal wireless LAN operation.
>
> Its generic-netlink handlers can look up a radio by MAC address and then
> continue using the returned hwsim data after the rhashtable lookup has
> completed. A destroy_on_close netlink socket can concurrently remove that
> radio from the global table and unregister/free the ieee80211_hw, leaving
> the handler with stale hwsim_data, wdev or PMSR request pointers. This
> can lead to a use-after-free.
>
> Make address lookup take an active radio reference under hwsim_radio_lock.
> Drop that reference at the end of each netlink handler that uses the
> lookup helper. During radio deletion, drop the initial reference and wait
> for active handlers to finish before unregistering and freeing the hw.

The whole refcount here is overblown, could just use RCU, and the patch
doesn't apply either.

johannes