Message-Id: <20240717105849.1208-1-hdanton@sina.com>
Date: Wed, 17 Jul 2024 18:58:49 +0800
From: Hillf Danton <hdanton@...a.com>
To: syzbot <syzbot+d5dc2801166df6d34774@...kaller.appspotmail.com>
Cc: linux-kernel@...r.kernel.org,
	syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [fs?] KASAN: slab-use-after-free Read in lockref_get

On Mon, 15 Jul 2024 19:02:19 -0700
> syzbot found the following issue on:
> 
> HEAD commit:    58f9416d413a Merge branch 'ice-support-to-dump-phy-config-..
> git tree:       net-next
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16ed24b5980000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git  58f9416d413a

--- x/net/mac80211/debugfs_netdev.c
+++ y/net/mac80211/debugfs_netdev.c
@@ -1016,12 +1016,15 @@ static void ieee80211_debugfs_add_netdev
 
 void ieee80211_debugfs_remove_netdev(struct ieee80211_sub_if_data *sdata)
 {
+	mutex_lock(&sdata->debug_mutex);
 	if (!sdata->vif.debugfs_dir)
-		return;
+		goto out;
 
 	debugfs_remove_recursive(sdata->vif.debugfs_dir);
 	sdata->vif.debugfs_dir = NULL;
 	sdata->debugfs.subdir_stations = NULL;
+out:
+	mutex_unlock(&sdata->debug_mutex);
 }
 
 void ieee80211_debugfs_rename_netdev(struct ieee80211_sub_if_data *sdata)
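Review bot: `debug_mutex` is taken only around this teardown, while `ieee80211_debugfs_rename_netdev` (which begins on the last context line) and the add path above the hunk also use `sdata->vif.debugfs_dir` and are not touched by the patch. If those stay unlocked, a rename or add racing with this removal can presumably still reach a dentry that `debugfs_remove_recursive()` has already freed, so the lock would need to cover them as well. `debugfs_remove_recursive()` can also sleep while the mutex is held, waiting for in-flight debugfs file operations. A comment above the `mutex_lock()` such as `/* never take debug_mutex from a debugfs file handler under this dir: removal waits for handlers */` would record that constraint.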
--- x/net/mac80211/debugfs_sta.c
+++ y/net/mac80211/debugfs_sta.c
@@ -1284,8 +1284,13 @@ void ieee80211_sta_debugfs_add(struct st
 
 void ieee80211_sta_debugfs_remove(struct sta_info *sta)
 {
-	debugfs_remove_recursive(sta->debugfs_dir);
+	struct ieee80211_sub_if_data *sdata = sta->sdata;
+
+	mutex_lock(&sdata->debug_mutex);
+	if (sdata->debugfs.subdir_stations != NULL)
+		debugfs_remove_recursive(sta->debugfs_dir);
 	sta->debugfs_dir = NULL;
+	mutex_unlock(&sdata->debug_mutex);
 }
 
 #undef DEBUGFS_ADD
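Review bot: The `subdir_stations != NULL` test stands in for "the parent directory has not been removed yet", but nothing in the hunk says so, and the skip branch still clears `sta->debugfs_dir`. A comment above the test would make the intent reviewable, e.g. `/* netdev teardown already removed the whole tree, including this sta's dir */`. The guard is only sound if `sta->debugfs_dir` was created under the `subdir_stations` of the `sdata` that `sta->sdata` points to now, and if `ieee80211_sta_debugfs_add` (ending just above the hunk) reads `subdir_stations` under the same mutex. Neither is visible here. Kernel style would also write the test as `if (sdata->debugfs.subdir_stations)`.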
--- x/net/mac80211/ieee80211_i.h
+++ y/net/mac80211/ieee80211_i.h
@@ -1172,6 +1172,7 @@ struct ieee80211_sub_if_data {
 	u16 desired_active_links;
 
 	u16 restart_active_links;
+	struct mutex  debug_mutex;
 
 #ifdef CONFIG_MAC80211_DEBUGFS
 	struct {
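Review bot: The new `debug_mutex` field has no comment saying what it protects, and it sits outside the `#ifdef CONFIG_MAC80211_DEBUGFS` block although the only users in this patch are the debugfs removal paths. I would document it at the declaration, e.g. `/* serialises removal of vif.debugfs_dir / debugfs.subdir_stations against per-station debugfs removal */`. Consider moving it inside the `#ifdef` (with the `mutex_init()` in iface.c guarded to match) if no non-debugfs user is planned. The double space in `struct mutex  debug_mutex;` should be a single space.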
--- x/net/mac80211/iface.c
+++ y/net/mac80211/iface.c
@@ -1091,6 +1091,7 @@ static void ieee80211_set_default_queues
 static void ieee80211_sdata_init(struct ieee80211_local *local,
 				 struct ieee80211_sub_if_data *sdata)
 {
+	mutex_init(&sdata->debug_mutex);
 	sdata->local = local;
 
 	/*
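Review bot: The `mutex_init(&sdata->debug_mutex)` added at the top of `ieee80211_sdata_init` has no matching `mutex_destroy()` anywhere in the patch. Adding `mutex_destroy(&sdata->debug_mutex);` on the sdata teardown path would let CONFIG_DEBUG_MUTEXES builds flag any lock attempt after the interface is gone, which is the class of lifetime bug this report is about. The function body continues past the hunk, and the teardown code is not shown, so the right place for it needs to be confirmed against the tree.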
--
