From: Johannes Berg <johannes@xxxxxxxxxxxxxxxx> Date: Thu, 7 Apr 2016 09:31:38 +0200 > From: Dmitry Ivanov <dmitrijs.ivanovs@xxxxxxxx> > > All existing users of NETLINK_URELEASE use it to clean up resources that > were previously allocated to a socket via some command. As a result, no > users require getting this notification for unbound sockets. > > Sending it for unbound sockets, however, is a problem because any user > (including unprivileged users) can create a socket that uses the same ID > as an existing socket. Binding this new socket will fail, but if the > NETLINK_URELEASE notification is generated for such sockets, the users > thereof will be tricked into thinking the socket that they allocated the > resources for is closed. > > In the nl80211 case, this will cause destruction of virtual interfaces > that still belong to an existing hostapd process; this is the case that > Dmitry noticed. In the NFC case, it will cause a poll abort. In the case > of netlink log/queue it will cause them to stop reporting events, as if > NFULNL_CFG_CMD_UNBIND/NFQNL_CFG_CMD_UNBIND had been called. > > Fix this problem by checking that the socket is bound before generating > the NETLINK_URELEASE notification. > > Cc: stable@xxxxxxxxxxxxxxx > Signed-off-by: Dmitry Ivanov <dima@xxxxxxxx> > Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx> Applied and queued up for -stable, thanks everyone. -- To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
