[PATCH] wifi: mac80211_hwsim: remove radios from rhashtable before freeing

From: Cen Zhang

Date: Fri Jun 19 2026 - 12:24:41 EST


mac80211_hwsim_new_radio() publishes each registered radio on the
hwsim_radios list and in hwsim_radios_rht. The generic-netlink and
virtio command paths use the rhashtable to find radios by address.

Most radio removal paths remove the hash entry while holding
hwsim_radio_lock before unregistering and freeing the radio. However,
mac80211_hwsim_free() only removes the list entry. During init error
unwinding after hwsim netlink and virtio registration, this can leave a
freed radio reachable from hwsim_radios_rht until the callback surfaces
are unpublished and the rhashtable is destroyed.

The buggy scenario involves two paths, with each column showing the order
within that path:

init error unwind path:            hwsim command path:
1. create and hash a radio         1. receive a command by address
2. hit a later init failure        2. look up hwsim_radios_rht
3. call mac80211_hwsim_free()      3. get the stale radio pointer
4. free the radio                  4. dereference the freed radio
5. unregister netlink and virtio

Remove each radio from hwsim_radios_rht in mac80211_hwsim_free(),
matching the other radio removal paths, before releasing the lock and
freeing the hw object.

Validation reproduced this kernel report:
BUG: KASAN: slab-use-after-free in memcmp+0x1ab/0x1d0

Call Trace:
<TASK>
dump_stack_lvl+0x66/0xa0
print_report+0xce/0x630
? memcmp+0x1ab/0x1d0
? srso_alias_return_thunk+0x5/0xfbef5
? __virt_addr_valid+0x224/0x430
? memcmp+0x1ab/0x1d0
kasan_report+0xac/0xe0
? memcmp+0x1ab/0x1d0
memcmp+0x1ab/0x1d0
get_hwsim_data_ref_from_addr+0x15b/0x4d0 [mac80211_hwsim]
hwsim_cloned_frame_received_nl+0x1ff/0xce0 [mac80211_hwsim]
? __pfx_hwsim_cloned_frame_received_nl+0x10/0x10 [mac80211_hwsim]
? srso_alias_return_thunk+0x5/0xfbef5
? kasan_save_track+0x14/0x30
? srso_alias_return_thunk+0x5/0xfbef5
? __kasan_kmalloc+0xaa/0xb0
? __nla_parse+0x24/0x30
? srso_alias_return_thunk+0x5/0xfbef5
? genl_family_rcv_msg_attrs_parse.isra.0+0x17f/0x290
genl_family_rcv_msg_doit+0x1e5/0x2c0
? __pfx_genl_family_rcv_msg_doit+0x10/0x10
? srso_alias_return_thunk+0x5/0xfbef5
? srso_alias_return_thunk+0x5/0xfbef5
? kasan_save_stack+0x42/0x60
? kasan_save_stack+0x33/0x60
? kasan_save_track+0x14/0x30
genl_rcv_msg+0x432/0x6f0
? __pfx_genl_rcv_msg+0x10/0x10
? srso_alias_return_thunk+0x5/0xfbef5
? __pfx_hwsim_cloned_frame_received_nl+0x10/0x10 [mac80211_hwsim]
? srso_alias_return_thunk+0x5/0xfbef5
? __lock_acquire+0x466/0x2260
netlink_rcv_skb+0x124/0x350
? __pfx_genl_rcv_msg+0x10/0x10
? __pfx_netlink_rcv_skb+0x10/0x10
? lock_acquire+0x187/0x300
? srso_alias_return_thunk+0x5/0xfbef5
? netlink_deliver_tap+0x150/0xac0
genl_rcv+0x28/0x40
netlink_unicast+0x47c/0x790
? __pfx_netlink_unicast+0x10/0x10
netlink_sendmsg+0x767/0xc30
? __pfx_netlink_sendmsg+0x10/0x10
? lock_release+0xc8/0x290
__sys_sendto+0x34f/0x3a0
? __pfx___sys_sendto+0x10/0x10
? lockdep_hardirqs_on_prepare+0xea/0x1a0
? srso_alias_return_thunk+0x5/0xfbef5
? __x64_sys_poll+0x181/0x3e0
? __pfx___x64_sys_poll+0x10/0x10
__x64_sys_sendto+0xe0/0x1c0
? srso_alias_return_thunk+0x5/0xfbef5
? trace_hardirqs_on+0x1a/0x170
do_syscall_64+0x115/0x6a0
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Allocated by task 444:
kasan_save_stack+0x33/0x60
kasan_save_track+0x14/0x30
__kasan_kmalloc+0xaa/0xb0
__kmalloc_noprof+0x292/0x770
p9_fcall_init+0xe5/0x400
p9_tag_alloc+0x1b8/0x700
p9_client_prepare_req+0x107/0x3e0
p9_client_zc_rpc.constprop.0+0xf1/0x860
p9_client_write+0x36d/0x780
v9fs_issue_write+0xdd/0x170
netfs_unbuffered_write+0x339/0x2680
netfs_unbuffered_write_iter_locked+0x6c4/0x960
netfs_unbuffered_write_iter+0x2d5/0x540
vfs_write+0x5fb/0x1230
ksys_write+0xf9/0x1d0
do_syscall_64+0x115/0x6a0
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 444:
kasan_save_stack+0x33/0x60
kasan_save_track+0x14/0x30
kasan_save_free_info+0x3b/0x60

Fixes: c6509cc3b3e8 ("mac80211_hwsim: add hashtable with mac address keys for faster lookup")
Assisted-by: Codex:gpt-5.5
Signed-off-by: Cen Zhang <zzzccc427@xxxxxxxxx>
---
drivers/net/wireless/virtual/mac80211_hwsim_main.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/drivers/net/wireless/virtual/mac80211_hwsim_main.c b/drivers/net/wireless/virtual/mac80211_hwsim_main.c
index 0dd8a6c85953..8e83ebdf4563 100644
--- a/drivers/net/wireless/virtual/mac80211_hwsim_main.c
+++ b/drivers/net/wireless/virtual/mac80211_hwsim_main.c
@@ -6274,6 +6274,9 @@ static void mac80211_hwsim_free(void)
struct mac80211_hwsim_data,
list))) {
list_del(&data->list);
+ rhashtable_remove_fast(&hwsim_radios_rht, &data->rht,
+ hwsim_rht_params);
+ hwsim_radios_generation++;
spin_unlock_bh(&hwsim_radio_lock);
mac80211_hwsim_del_radio(data, wiphy_name(data->hw->wiphy),
NULL);
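Review bot: the rhashtable_remove_fast() return value is dropped in the added lines, so a radio that was never hashed or was already unhashed passes through silently; the other removal paths the message refers to do the same, but a short comment saying this is intentional would help the next reader, since the new ordering (unhash and bump hwsim_radios_generation while hwsim_radio_lock is still held, then spin_unlock_bh(), then mac80211_hwsim_del_radio()) is exactly what makes the fix correct and should not be "cleaned up" later. On the commit message: the quoted report ends mid-way through "Freed by task 444:" (only kasan_save_free_info is shown) and the "Allocated by task 444:" stack is a 9p allocation (p9_fcall_init), not the hwsim radio, so as quoted the report does not by itself tie the freed object to mac80211_hwsim_free(); please paste the complete KASAN output including the hwsim free stack.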
--
2.43.0