2298120 – (CVE-2022-48784) CVE-2022-48784 kernel: cfg80211: fix race in netlink owner interface destruction

Bug 2298120 (CVE-2022-48784) - CVE-2022-48784 kernel: cfg80211: fix race in netlink owner interface destruction

Summary: CVE-2022-48784 kernel: cfg80211: fix race in netlink owner interface destruction

Keywords:
Status:	NEW
Alias:	CVE-2022-48784
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2024-07-16 12:24 UTC by OSIDB Bzimport
Modified:	2024-10-31 16:06 UTC (History)
CC List:	4 users (show)
Fixed In Version:	kernel 5.15.25, kernel 5.16.11, kernel 5.17
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2024-07-16 12:24:24 UTC

In the Linux kernel, the following vulnerability has been resolved:

cfg80211: fix race in netlink owner interface destruction

My previous fix here to fix the deadlock left a race where
the exact same deadlock (see the original commit referenced
below) can still happen if cfg80211_destroy_ifaces() already
runs while nl80211_netlink_notify() is still marking some
interfaces as nl_owner_dead.

The race happens because we have two loops here - first we
dev_close() all the netdevs, and then we destroy them. If we
also have two netdevs (first one need only be a wdev though)
then we can find one during the first iteration, close it,
and go to the second iteration -- but then find two, and try
to destroy also the one we didn't close yet.

Fix this by only iterating once.

Note You need to log in before you can comment on or make changes to this bug.