Package: linux-signed-amd64
Version: 4.19.67+2+deb10u1
Tags: patch
Forwarded: https://patchwork.kernel.org/patch/11261855/
Hi,

I already reported this upstream, but didn't get much of a response yet, see: https://patchwork.kernel.org/patch/11261855/

We've been running the attached patch on 4.19.67 (rebuilt Debian kernel source with KASAN and the patch) for about a week now without crashes on a few boxes.

It would save me a lot of time and effort if this were included in Debian :)

cheers,
Stefan

--
Stefan Bühler
Mail/xmpp: stefan.bueh...@tik.uni-stuttgart.de
Netze und Kommunikationssysteme der Universität Stuttgart (NKS)
https://www.tik.uni-stuttgart.de/
Phone: +49 711 685 60854
From e34c3d99095cadb7f764cdc497de57a7fc44cf55 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Stefan=20B=C3=BChler?= <sou...@stbuehler.de> Date: Tue, 26 Nov 2019 10:25:31 +0100 Subject: [PATCH 1/1] cfg80211: fix double-free after changing network namespace (backport for 4.19.87) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If wdev->wext.keys was initialized it didn't get reset to NULL on unregister (and it doesn't get set in cfg80211_init_wdev either), but wdev is reused if unregister was triggered through cfg80211_switch_netns. The next unregister (for whatever reason) will try to free wdev->wext.keys again. X-Ref: https://patchwork.kernel.org/patch/11261855/ Signed-off-by: Stefan Bühler <sou...@stbuehler.de> --- net/wireless/core.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/wireless/core.c b/net/wireless/core.c index 68660781aa51..e556965220b7 100644 --- a/net/wireless/core.c +++ b/net/wireless/core.c @@ -1310,6 +1310,7 @@ static int cfg80211_netdev_notifier_call(struct notifier_block *nb, cfg80211_mlme_purge_registrations(wdev); #ifdef CONFIG_CFG80211_WEXT kzfree(wdev->wext.keys); + wdev->wext.keys = NULL; #endif flush_work(&wdev->disconnect_wk); cfg80211_cqm_config_free(wdev); -- 2.24.0
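Review bot: the one-line reset after kzfree() closes the reuse path through cfg80211_switch_netns, but the commit message itself notes that cfg80211_init_wdev does not initialise wext.keys either; consider also clearing the pointer in the path that re-initialises the reused wdev, so the invariant "wext.keys is NULL whenever it is not allocated" does not rest on this notifier branch alone. The subject line says "backport for 4.19.87" while the report above says the patch was tested on 4.19.67 (Debian 4.19.67+2+deb10u1); please state which stable tree the hunk (@@ -1310,6 +1310,7 @@ in net/wireless/core.c) was generated against so the maintainer can confirm it applies at that offset.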
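To make the lifecycle in the commit message concrete, the following is an added C model written for this page; it is not code from the patch or from the kernel. The structures and functions (fake_wdev, fake_kzfree, fake_init_wdev, fake_switch_netns, run_lifecycle, and so on) are hypothetical stand-ins that keep only the one field the patch touches, and an instrumented free counts repeat releases of the same address instead of freeing twice, so the double free is reported rather than triggered.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the cfg80211 objects: only wdev->wext.keys is
 * modelled. All names here are hypothetical, not kernel identifiers. */
struct fake_keys {
    unsigned char material[32];
};

struct fake_wdev {
    struct {
        struct fake_keys *keys;
    } wext;
    int registered;
};

/* Instrumented stand-in for kzfree(): the first release of a pointer wipes
 * and frees it; a repeat release of the same address is only counted, never
 * freed again, so the demo detects the bug without corrupting the heap. */
#define MAX_TRACKED 8
static void *tracked_ptr[MAX_TRACKED];
static int   tracked_frees[MAX_TRACKED];
static int   ntracked;

static void tracker_reset(void)
{
    memset(tracked_ptr, 0, sizeof tracked_ptr);
    memset(tracked_frees, 0, sizeof tracked_frees);
    ntracked = 0;
}

static void fake_kzfree(void *p, size_t len)
{
    if (!p)                         /* kzfree(NULL) is a no-op, like kfree(NULL) */
        return;
    for (int i = 0; i < ntracked; i++) {
        if (tracked_ptr[i] == p) {  /* already released: double free */
            tracked_frees[i]++;
            return;
        }
    }
    if (ntracked < MAX_TRACKED) {
        tracked_ptr[ntracked] = p;
        tracked_frees[ntracked] = 1;
        ntracked++;
    }
    memset(p, 0, len);              /* kzfree wipes key material first */
    free(p);
}

/* Highest release count seen for any one pointer: 1 is correct, 2 means a
 * double free happened. */
static int tracker_max_frees(void)
{
    int max = 0;
    for (int i = 0; i < ntracked; i++)
        if (tracked_frees[i] > max)
            max = tracked_frees[i];
    return max;
}

/* Mirrors the commit message's point about cfg80211_init_wdev: the wdev is
 * (re)initialised for a namespace, but wext.keys is not touched here. */
static void fake_init_wdev(struct fake_wdev *wdev)
{
    wdev->registered = 1;
}

static void fake_alloc_wext_keys(struct fake_wdev *wdev)
{
    wdev->wext.keys = calloc(1, sizeof *wdev->wext.keys);
}

/* Unregister as before the patch: keys released, pointer left dangling. */
static void fake_unregister_before(struct fake_wdev *wdev)
{
    fake_kzfree(wdev->wext.keys, sizeof *wdev->wext.keys);
    wdev->registered = 0;
}

/* Unregister with the patch's one-line fix applied. */
static void fake_unregister_after(struct fake_wdev *wdev)
{
    fake_kzfree(wdev->wext.keys, sizeof *wdev->wext.keys);
    wdev->wext.keys = NULL;         /* the added line */
    wdev->registered = 0;
}

/* Models cfg80211_switch_netns: the same wdev object is unregistered from the
 * old namespace and initialised again in the new one, so its fields survive. */
static void fake_switch_netns(struct fake_wdev *wdev,
                              void (*unregister)(struct fake_wdev *))
{
    unregister(wdev);
    fake_init_wdev(wdev);
}

/* Register, allocate WEXT keys, move namespace, final teardown.
 * Returns 1 for the fixed path and 2 for the buggy one. */
static int run_lifecycle(void (*unregister)(struct fake_wdev *))
{
    struct fake_wdev wdev;

    tracker_reset();
    memset(&wdev, 0, sizeof wdev);
    fake_init_wdev(&wdev);
    fake_alloc_wext_keys(&wdev);
    fake_switch_netns(&wdev, unregister);   /* first kzfree happens here */
    unregister(&wdev);                      /* later teardown: second kzfree */
    return tracker_max_frees();
}

int main(void)
{
    printf("before patch: max releases of one pointer = %d\n",
           run_lifecycle(fake_unregister_before));
    printf("after patch:  max releases of one pointer = %d\n",
           run_lifecycle(fake_unregister_after));
    return 0;
}
```

The model shows why the fix is placed at the free site: once the object outlives the free, any later teardown that unconditionally calls kzfree() on the stale field becomes a double free, and because kzfree(NULL) is a no-op, resetting the pointer is enough to make repeated unregisters idempotent. KASAN, as used in the report, catches the same condition at run time on a real kernel.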