[PATCH 1/2] Do not send netlink socket release notification when socket is not bound

[PATCH 1/2] Do not send netlink socket release notification when socket is not bound

[Dmitry Ivanov]

This patch corrects the problem where non-privileged user may create
netlink socket with port_id equal to port_id used by hostapd to create
virtual wireless network interfaces. Call to bind() will fail for such
socket, but release notification sent on close() or process termination
to nl80211 subsystem will destroy virtual network interfaces while
hostapd is still running.

Signed-off-by: Dmitry Ivanov <dima@ubnt.com>
---
 net/netlink/af_netlink.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 215fc08..330ebd6 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -688,7 +688,7 @@ static int netlink_release(struct socket *sock)
 
 	skb_queue_purge(&sk->sk_write_queue);
 
-	if (nlk->portid) {
+	if (nlk->portid && nlk->bound) {
 		struct netlink_notify n = {
 						.net = sock_net(sk),
 						.protocol = sk->sk_protocol,
-- 
2.1.4

Re: [PATCH 1/2] Do not send netlink socket release notification when socket is not bound

[Johannes Berg]

On Wed, 2016-04-06 at 17:22 +0300, Dmitry Ivanov wrote:
> This patch corrects the problem where non-privileged user may create
> netlink socket with port_id equal to port_id used by hostapd to
> create
> virtual wireless network interfaces. Call to bind() will fail for
> such
> socket, but release notification sent on close() or process
> termination
> to nl80211 subsystem will destroy virtual network interfaces while
> hostapd is still running.
> 
Thanks Dmitry.

There are a number of issues with your patch still, such as describing
the problem in too restricted ways (this problem is not specific to
nl80211 nor fixed there). The subject should also have a proper prefix
and you're not sending this patch to the right people.

If you prefer, I can take ownership of these patches.

johannes