From: Johannes Berg <johan...@sipsolutions.net> Date: Thu, 7 Apr 2016 09:31:38 +0200
> From: Dmitry Ivanov <dmitrijs.ivan...@ubnt.com> > > All existing users of NETLINK_URELEASE use it to clean up resources that > were previously allocated to a socket via some command. As a result, no > users require getting this notification for unbound sockets. > > Sending it for unbound sockets, however, is a problem because any user > (including unprivileged users) can create a socket that uses the same ID > as an existing socket. Binding this new socket will fail, but if the > NETLINK_URELEASE notification is generated for such sockets, the users > thereof will be tricked into thinking the socket that they allocated the > resources for is closed. > > In the nl80211 case, this will cause destruction of virtual interfaces > that still belong to an existing hostapd process; this is the case that > Dmitry noticed. In the NFC case, it will cause a poll abort. In the case > of netlink log/queue it will cause them to stop reporting events, as if > NFULNL_CFG_CMD_UNBIND/NFQNL_CFG_CMD_UNBIND had been called. > > Fix this problem by checking that the socket is bound before generating > the NETLINK_URELEASE notification. > > Cc: sta...@vger.kernel.org > Signed-off-by: Dmitry Ivanov <d...@ubnt.com> > Signed-off-by: Johannes Berg <johannes.b...@intel.com> Applied and queued up for -stable, thanks everyone.
