Linux wireless drivers development
From: Cen Zhang <zzzccc427@gmail.com>
To: Johannes Berg <johannes@sipsolutions.net>
Cc: linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org,
	baijiaju1990@gmail.com, zzzccc427@gmail.com
Subject: [PATCH] wifi: mac80211_hwsim: remove radios from rhashtable before freeing
Date: Sat, 20 Jun 2026 00:24:19 +0800
Message-ID: <20260619162419.3874564-1-zzzccc427@gmail.com>

mac80211_hwsim_new_radio() publishes each registered radio on the
hwsim_radios list and in hwsim_radios_rht. The generic-netlink and
virtio command paths use the rhashtable to find radios by address.

Most radio removal paths remove the hash entry while holding
hwsim_radio_lock before unregistering and freeing the radio. However,
mac80211_hwsim_free() only removes the list entry. During init error
unwinding after hwsim netlink and virtio registration, this can leave a
freed radio reachable from hwsim_radios_rht until the callback surfaces
are unpublished and the rhashtable is destroyed.

The buggy scenario involves two paths, with each column showing the order
within that path:

init error unwind path:              hwsim command path:
1. create and hash a radio           1. receive a command by address
2. hit a later init failure          2. look up hwsim_radios_rht
3. call mac80211_hwsim_free()        3. get the stale radio pointer
4. free the radio                    4. dereference the freed radio
5. unregister netlink and virtio

Remove each radio from hwsim_radios_rht in mac80211_hwsim_free(),
matching the other radio removal paths, before releasing the lock and
freeing the hw object.

Validation reproduced this kernel report:
BUG: KASAN: slab-use-after-free in memcmp+0x1ab/0x1d0

Call Trace:
 <TASK>
 dump_stack_lvl+0x66/0xa0
 print_report+0xce/0x630
 ? memcmp+0x1ab/0x1d0
 ? srso_alias_return_thunk+0x5/0xfbef5
 ? __virt_addr_valid+0x224/0x430
 ? memcmp+0x1ab/0x1d0
 kasan_report+0xac/0xe0
 ? memcmp+0x1ab/0x1d0
 memcmp+0x1ab/0x1d0
 get_hwsim_data_ref_from_addr+0x15b/0x4d0 [mac80211_hwsim]
 hwsim_cloned_frame_received_nl+0x1ff/0xce0 [mac80211_hwsim]
 ? __pfx_hwsim_cloned_frame_received_nl+0x10/0x10 [mac80211_hwsim]
 ? srso_alias_return_thunk+0x5/0xfbef5
 ? kasan_save_track+0x14/0x30
 ? srso_alias_return_thunk+0x5/0xfbef5
 ? __kasan_kmalloc+0xaa/0xb0
 ? __nla_parse+0x24/0x30
 ? srso_alias_return_thunk+0x5/0xfbef5
 ? genl_family_rcv_msg_attrs_parse.isra.0+0x17f/0x290
 genl_family_rcv_msg_doit+0x1e5/0x2c0
 ? __pfx_genl_family_rcv_msg_doit+0x10/0x10
 ? srso_alias_return_thunk+0x5/0xfbef5
 ? srso_alias_return_thunk+0x5/0xfbef5
 ? kasan_save_stack+0x42/0x60
 ? kasan_save_stack+0x33/0x60
 ? kasan_save_track+0x14/0x30
 genl_rcv_msg+0x432/0x6f0
 ? __pfx_genl_rcv_msg+0x10/0x10
 ? srso_alias_return_thunk+0x5/0xfbef5
 ? __pfx_hwsim_cloned_frame_received_nl+0x10/0x10 [mac80211_hwsim]
 ? srso_alias_return_thunk+0x5/0xfbef5
 ? __lock_acquire+0x466/0x2260
 netlink_rcv_skb+0x124/0x350
 ? __pfx_genl_rcv_msg+0x10/0x10
 ? __pfx_netlink_rcv_skb+0x10/0x10
 ? lock_acquire+0x187/0x300
 ? srso_alias_return_thunk+0x5/0xfbef5
 ? netlink_deliver_tap+0x150/0xac0
 genl_rcv+0x28/0x40
 netlink_unicast+0x47c/0x790
 ? __pfx_netlink_unicast+0x10/0x10
 netlink_sendmsg+0x767/0xc30
 ? __pfx_netlink_sendmsg+0x10/0x10
 ? lock_release+0xc8/0x290
 __sys_sendto+0x34f/0x3a0
 ? __pfx___sys_sendto+0x10/0x10
 ? lockdep_hardirqs_on_prepare+0xea/0x1a0
 ? srso_alias_return_thunk+0x5/0xfbef5
 ? __x64_sys_poll+0x181/0x3e0
 ? __pfx___x64_sys_poll+0x10/0x10
 __x64_sys_sendto+0xe0/0x1c0
 ? srso_alias_return_thunk+0x5/0xfbef5
 ? trace_hardirqs_on+0x1a/0x170
 do_syscall_64+0x115/0x6a0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Allocated by task 444:
 kasan_save_stack+0x33/0x60
 kasan_save_track+0x14/0x30
 __kasan_kmalloc+0xaa/0xb0
 __kmalloc_noprof+0x292/0x770
 p9_fcall_init+0xe5/0x400
 p9_tag_alloc+0x1b8/0x700
 p9_client_prepare_req+0x107/0x3e0
 p9_client_zc_rpc.constprop.0+0xf1/0x860
 p9_client_write+0x36d/0x780
 v9fs_issue_write+0xdd/0x170
 netfs_unbuffered_write+0x339/0x2680
 netfs_unbuffered_write_iter_locked+0x6c4/0x960
 netfs_unbuffered_write_iter+0x2d5/0x540
 vfs_write+0x5fb/0x1230
 ksys_write+0xf9/0x1d0
 do_syscall_64+0x115/0x6a0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 444:
 kasan_save_stack+0x33/0x60
 kasan_save_track+0x14/0x30
 kasan_save_free_info+0x3b/0x60

Fixes: c6509cc3b3e8 ("mac80211_hwsim: add hashtable with mac address keys for faster lookup")
Assisted-by: Codex:gpt-5.5
Signed-off-by: Cen Zhang <zzzccc427@gmail.com>
---
 drivers/net/wireless/virtual/mac80211_hwsim_main.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/net/wireless/virtual/mac80211_hwsim_main.c b/drivers/net/wireless/virtual/mac80211_hwsim_main.c
index 0dd8a6c85953..8e83ebdf4563 100644
--- a/drivers/net/wireless/virtual/mac80211_hwsim_main.c
+++ b/drivers/net/wireless/virtual/mac80211_hwsim_main.c
@@ -6274,6 +6274,9 @@ static void mac80211_hwsim_free(void)
 						struct mac80211_hwsim_data,
 						list))) {
 		list_del(&data->list);
+		rhashtable_remove_fast(&hwsim_radios_rht, &data->rht,
+				       hwsim_rht_params);
+		hwsim_radios_generation++;
 		spin_unlock_bh(&hwsim_radio_lock);
 		mac80211_hwsim_del_radio(data, wiphy_name(data->hw->wiphy),
 					 NULL);
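Review bot: the `hwsim_radios_generation++` bump added after `rhashtable_remove_fast()` is not explained in the changelog, which only describes removing the hash entry in mac80211_hwsim_free(); either add a sentence on why the free path must bump the generation the way the other removal paths do, or drop it if they don't. The return value of `rhashtable_remove_fast()` is also discarded; if the other removal paths ignore it too that is consistent, but a `WARN_ON_ONCE()` on failure would make a radio that was somehow already unhashed during unwind visible rather than silent.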
-- 
2.43.0
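The changelog above describes an object published on two indexes (a list and an address-keyed rhashtable) whose teardown unlinks only one of them. The following is an added example, not the kernel's or this patch's code: a user-space C model of that situation with a buggy and a fixed teardown, plus the invariant check a debug build could assert. The names `radio_new`, `lookup_by_addr`, `radio_free_buggy`, `radio_free_fixed` and `indexes_consistent` are hypothetical and only modelled on the page's `hwsim_radios` list and `hwsim_radios_rht` table; the addresses are constructed, and objects are flagged instead of free()d so the stale lookup can be observed without undefined behaviour.

```c
/* Added example, not kernel code: a user-space model of a radio published
 * on two indexes, a list (like hwsim_radios) and an address-keyed hash table
 * (like hwsim_radios_rht). Objects are flagged instead of free()d so the
 * stale lookup can be observed without undefined behaviour. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define ADDR_LEN 6
#define NBUCKETS 8

struct radio {
	uint8_t addr[ADDR_LEN];
	struct radio *list_next;  /* models the hwsim_radios list link */
	struct radio *hash_next;  /* models the hwsim_radios_rht bucket chain */
	bool freed;               /* constructed stand-in for free() */
};

static struct radio *radio_list;         /* all registered radios */
static struct radio *buckets[NBUCKETS];  /* address -> radio index */

static unsigned bucket_of(const uint8_t *addr)
{
	unsigned h = 0;
	for (int i = 0; i < ADDR_LEN; i++)
		h = h * 31 + addr[i];
	return h % NBUCKETS;
}

/* Publish a radio on both indexes, as mac80211_hwsim_new_radio() does. */
struct radio *radio_new(const uint8_t *addr)
{
	struct radio *r = calloc(1, sizeof(*r));
	if (!r)
		return NULL;
	memcpy(r->addr, addr, ADDR_LEN);
	r->list_next = radio_list;
	radio_list = r;
	r->hash_next = buckets[bucket_of(addr)];
	buckets[bucket_of(addr)] = r;
	return r;
}

/* The command path: resolve an address through the hash table only. */
struct radio *lookup_by_addr(const uint8_t *addr)
{
	for (struct radio *r = buckets[bucket_of(addr)]; r; r = r->hash_next)
		if (!memcmp(r->addr, addr, ADDR_LEN))
			return r;
	return NULL;
}

static void list_unlink(struct radio *r)
{
	for (struct radio **pp = &radio_list; *pp; pp = &(*pp)->list_next)
		if (*pp == r) { *pp = r->list_next; return; }
}

static void hash_unlink(struct radio *r)
{
	for (struct radio **pp = &buckets[bucket_of(r->addr)]; *pp; pp = &(*pp)->hash_next)
		if (*pp == r) { *pp = r->hash_next; return; }
}

/* Buggy teardown: only the list entry is unlinked before the object dies. */
void radio_free_buggy(struct radio *r)
{
	list_unlink(r);
	r->freed = true;
}

/* Fixed teardown: every index that can reach the object is unlinked first. */
void radio_free_fixed(struct radio *r)
{
	list_unlink(r);
	hash_unlink(r);
	r->freed = true;
}

/* Invariant a debug build could assert: no hashed radio is freed or off the list. */
bool indexes_consistent(void)
{
	for (unsigned b = 0; b < NBUCKETS; b++)
		for (struct radio *r = buckets[b]; r; r = r->hash_next) {
			bool on_list = false;
			for (struct radio *l = radio_list; l; l = l->list_next)
				on_list |= (l == r);
			if (r->freed || !on_list)
				return false;
		}
	return true;
}

/* Returns 1 when the buggy path leaves a stale hash entry and the fixed one
 * does not; constructed addresses, one radio per variant. */
int demo(void)
{
	static const uint8_t a1[ADDR_LEN] = {0x02, 0, 0, 0, 0, 1};
	static const uint8_t a2[ADDR_LEN] = {0x02, 0, 0, 0, 0, 2};
	struct radio *r1 = radio_new(a1), *r2 = radio_new(a2);
	if (!r1 || !r2)
		return 0;
	radio_free_buggy(r1);
	bool stale = lookup_by_addr(a1) && lookup_by_addr(a1)->freed && !indexes_consistent();
	hash_unlink(r1);  /* repair by hand so the fixed variant starts consistent */
	radio_free_fixed(r2);
	bool clean = lookup_by_addr(a2) == NULL && indexes_consistent();
	return stale && clean;
}
```

The point the model makes is the one the fix relies on: the unlink must cover every index a concurrent path can use to reach the object, and the check `indexes_consistent()` is the kind of invariant that catches the omission at teardown time rather than leaving it to KASAN to find later through a stale `memcmp()` in the lookup.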