From mboxrd@z Thu Jan 1 00:00:00 1970
From: Johannes Berg
Subject: Re: KASAN: use-after-free Read in mac80211_hwsim_del_radio
Date: Thu, 01 Mar 2018 10:30:38 +0100
Message-ID: <1519896638.2292.7.camel@sipsolutions.net>
References: <001a113ecf342db684056655e097@google.com> (sfid-20180301_094507_144777_9C69AA6F)
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
To: syzbot , kvalo@codeaurora.org, linux-kernel@vger.kernel.org, linux-wireless@vger.kernel.org, netdev@vger.kernel.org, syzkaller-bugs@googlegroups.com, Benjamin Beichler
Return-path:
In-Reply-To: <001a113ecf342db684056655e097@google.com> (sfid-20180301_094507_144777_9C69AA6F)
Sender: linux-kernel-owner@vger.kernel.org
List-Id: netdev.vger.kernel.org

Hi,

> syzbot hit the following crash on upstream commit
> f3afe530d644488a074291da04a69a296ab63046 (Tue Feb 27 22:02:39 2018 +0000)
> Merge branch 'fixes-v4.16-rc4' of
> git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
>
> So far this crash happened 4 times on upstream.
> Unfortunately, I don't have any reproducer for this crash yet.
> Raw console output is attached.

That's ... a pretty complex scenario. Looks like we have a race between
destroying a network namespace, which moves everything back into the
init_ns and may have to rename objects asynchronously (cleanup_net),
with destroying the radio in hwsim that's also asynchronous
(destroy_radio).

Benjamin, would you be able to take a look at this? I'm preparing for a
trip and will leave Saturday for a week so I don't think I'll be able
to really dig into this before mid-March.

johannes