| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250724155832.GU2580412@ZenIV>
Date: Thu, 24 Jul 2025 16:58:32 +0100
From: Al Viro <viro@...iv.linux.org.uk>
To: Moon Hee Lee <moonhee.lee.ca@...il.com>
Cc: syzbot+d6ccd49ae046542a0641@...kaller.appspotmail.com,
linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [fs?] [wireless?] general protection fault in
simple_recursive_removal (5)
On Wed, Jul 23, 2025 at 11:40:52PM -0700, Moon Hee Lee wrote:
> #syz test git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next.git main
>
> A NULL pointer dereference may occur in ieee80211_sta_debugfs_remove()
> when debugfs_remove_recursive() is called on a dentry whose inode has
> already been freed. This can happen due to a race between STA teardown
> and debugfs cleanup.
>
> Fix this by checking that both sta->debugfs_dir and its d_inode are
> valid before invoking debugfs_remove_recursive().
> void ieee80211_sta_debugfs_remove(struct sta_info *sta)
> {
> - debugfs_remove_recursive(sta->debugfs_dir);
> + if (sta->debugfs_dir && sta->debugfs_dir->d_inode)
> + debugfs_remove_recursive(sta->debugfs_dir);
> sta->debugfs_dir = NULL;
> }
It might paper over the specific reproducer, but that's not a fix...
I'm not familiar with that code; will check the details, but in
this form it is obviously still racy.
NAK.
Powered by blists - more mailing lists