Message-Id: <20240718103953.1323-1-hdanton@sina.com>
Date: Thu, 18 Jul 2024 18:39:53 +0800
From: Hillf Danton <hdanton@...a.com>
To: syzbot <syzbot+d5dc2801166df6d34774@...kaller.appspotmail.com>
Cc: linux-kernel@...r.kernel.org,
	syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [fs?] KASAN: slab-use-after-free Read in lockref_get

On Mon, 15 Jul 2024 19:02:19 -0700
> syzbot found the following issue on:
> 
> HEAD commit:    58f9416d413a Merge branch 'ice-support-to-dump-phy-config-..
> git tree:       net-next
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16ed24b5980000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git  58f9416d413a

--- x/net/mac80211/iface.c
+++ y/net/mac80211/iface.c
@@ -1091,6 +1091,7 @@ static void ieee80211_set_default_queues
 static void ieee80211_sdata_init(struct ieee80211_local *local,
 				 struct ieee80211_sub_if_data *sdata)
 {
+	mutex_init(&sdata->debug_mutex);
 	sdata->local = local;
 
 	/*
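Review bot: The `mutex_init(&sdata->debug_mutex);` added at the top of ieee80211_sdata_init() has no matching `mutex_destroy(&sdata->debug_mutex);` anywhere in this patch. The sdata teardown path is not visible here, so this may be deliberate for a test patch. With mutex debugging enabled, the pairing is what flags a lock that is still held or still used once the interface is freed, which is useful when the bug being chased is a use-after-free. The function body continues outside the hunk.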
--- x/net/mac80211/ieee80211_i.h
+++ y/net/mac80211/ieee80211_i.h
@@ -1172,6 +1172,8 @@ struct ieee80211_sub_if_data {
 	u16 desired_active_links;
 
 	u16 restart_active_links;
+	struct mutex  debug_mutex;
+	u32 dev_seq, sta_seq;
 
 #ifdef CONFIG_MAC80211_DEBUGFS
 	struct {
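Review bot: `debug_mutex`, `dev_seq` and `sta_seq` are added above the `#ifdef CONFIG_MAC80211_DEBUGFS` block and carry no comment saying what the mutex protects or what the two counters mean. Their only users in this patch are in debugfs_netdev.c and debugfs_sta.c, so they presumably belong inside the guarded section; moving them there would also require guarding the `mutex_init()` call in iface.c. A short comment would help the next reader: `/* debug_mutex serialises debugfs dir removal; dev_seq counts netdev dir removals, sta_seq is dev_seq as of the last station add */`. The struct definition starts and ends outside the hunk.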
--- x/net/mac80211/debugfs_netdev.c
+++ y/net/mac80211/debugfs_netdev.c
@@ -1016,12 +1016,16 @@ static void ieee80211_debugfs_add_netdev
 
 void ieee80211_debugfs_remove_netdev(struct ieee80211_sub_if_data *sdata)
 {
+	mutex_lock(&sdata->debug_mutex);
 	if (!sdata->vif.debugfs_dir)
-		return;
+		goto out;
 
 	debugfs_remove_recursive(sdata->vif.debugfs_dir);
 	sdata->vif.debugfs_dir = NULL;
 	sdata->debugfs.subdir_stations = NULL;
+	sdata->dev_seq++;
+out:
+	mutex_unlock(&sdata->debug_mutex);
 }
 
 void ieee80211_debugfs_rename_netdev(struct ieee80211_sub_if_data *sdata)
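Review bot: The `sdata->dev_seq++;` line in ieee80211_debugfs_remove_netdev() is the whole invalidation mechanism, but nothing in the code says so. After `debugfs_remove_recursive(sdata->vif.debugfs_dir)` every `sta->debugfs_dir` below that directory is a dangling pointer, and only the counter comparison in ieee80211_sta_debugfs_remove() keeps it from being used. I would add `/* netdev dir is gone, so all sta->debugfs_dir under it are stale; bump the generation so station removal skips them */` above the increment. It is also worth confirming that no debugfs file handler under this directory can take `debug_mutex`, since the recursive removal now runs with the mutex held.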
--- x/net/mac80211/debugfs_sta.c
+++ y/net/mac80211/debugfs_sta.c
@@ -1280,12 +1280,18 @@ void ieee80211_sta_debugfs_add(struct st
 			   &sta->driver_buffered_tids);
 
 	drv_sta_add_debugfs(local, sdata, &sta->sta, sta->debugfs_dir);
+	sdata->sta_seq = sdata->dev_seq;
 }
 
 void ieee80211_sta_debugfs_remove(struct sta_info *sta)
 {
-	debugfs_remove_recursive(sta->debugfs_dir);
+	struct ieee80211_sub_if_data *sdata = sta->sdata;
+
+	mutex_lock(&sdata->debug_mutex);
+	if (sdata->sta_seq == sdata->dev_seq)
+		debugfs_remove_recursive(sta->debugfs_dir);
 	sta->debugfs_dir = NULL;
+	mutex_unlock(&sdata->debug_mutex);
 }
 
 #undef DEBUGFS_ADD
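Review bot: `sta_seq` is a single per-interface field, yet ieee80211_sta_debugfs_remove() uses it to decide whether each individual station's `sta->debugfs_dir` is still valid, and `sdata->sta_seq = sdata->dev_seq;` in ieee80211_sta_debugfs_add() is written without `debug_mutex` held. If a station is added after the netdev directory was removed (presumably once it has been re-created), the counters become equal again. Removing an older station would then pass the `sdata->sta_seq == sdata->dev_seq` check and call debugfs_remove_recursive() on a dentry that was already freed, which is the use-after-free this patch is trying to avoid. Recording the generation per station under the mutex, e.g. a new `sta->debugfs_seq = sdata->dev_seq;` compared with `sta->debugfs_seq == sdata->dev_seq` on removal, would tie the check to the dentry it protects. ieee80211_sta_debugfs_add() starts outside the hunk.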
--
