Description
In the Linux kernel, the following vulnerability has been resolved: wireguard: device: use exit_rtnl callback instead of manual rtnl_lock in pre_exit wg_netns_pre_exit() manually acquires rtnl_lock() inside the pernet .pre_exit callback. This causes a hung task when another thread holds rtnl_mutex - the cleanup_net workqueue (or the setup_net failure rollback path) blocks indefinitely in wg_netns_pre_exit() waiting to acquire the lock. Convert to .exit_rtnl, introduced in commit 7a60d91c690b ("net: Add ->exit_rtnl() hook to struct pernet_operations."), where the framework already holds RTNL and batches all callbacks under a single rtnl_lock()/rtnl_unlock() pair, eliminating the contention window. The rcu_assign_pointer(wg->creating_net, NULL) is safe to move from .pre_exit to .exit_rtnl (which runs after synchronize_rcu()) because all RCU readers of creating_net either use maybe_get_net() - which returns NULL for a dying namespace with zero refcount - or access net->user_ns which remains valid throughout the entire ops_undo_list sequence. [ Jason: added __net_exit and __read_mostly annotations that were missing. ]
Product status
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 9a9e69155b2091b8297afaf1533b8d68a3096841
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 1c52ef00e391144334f10995985c2f256d4be982
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before a1d0f6cbb962af29586e3e65a4bced1a5e39221f
6.18.24 (semver)
6.19.14 (semver)
7.0.1 (semver)
References
git.kernel.org/...c/9a9e69155b2091b8297afaf1533b8d68a3096841
git.kernel.org/...c/1c52ef00e391144334f10995985c2f256d4be982
git.kernel.org/...c/a1d0f6cbb962af29586e3e65a4bced1a5e39221f