[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20250731171729.46432-2-moonhee.lee.ca@gmail.com>
Date: Thu, 31 Jul 2025 10:17:29 -0700
From: Moon Hee Lee <moonhee.lee.ca@...il.com>
To: syzbot+d6ccd49ae046542a0641@...kaller.appspotmail.com
Cc: linux-kernel@...r.kernel.org,
syzkaller-bugs@...glegroups.com,
viro@...iv.linux.org.uk,
hdanton@...a.com,
Moon Hee Lee <moonhee.lee.ca@...il.com>
Subject: [syzbot] [fs?] [wireless?] general protection fault in simple_recursive_removal (5)
#syz test git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next.git main
Thanks for the review and valuable feedback.
Upon investigation, I found the crash occurs when the netdev's debugfs
directory is removed while a station still holds a pointer
(sta->debugfs_dir) to a dentry within it. A subsequent call to
ieee80211_sta_debugfs_remove() may then dereference a freed dentry,
triggering a use-after-free.
To address this, I’m preparing a patch that clears sta->debugfs_dir for
all stations associated with the interface before calling
debugfs_remove_recursive(). This ensures any later station removal
becomes a no-op and avoids referencing a stale pointer.
This reply is intended for syz testing and to provide context for
review. A formal patch will follow.
Many thanks to Hillf Danton and Al Viro for their insights.
---
net/mac80211/debugfs_netdev.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/net/mac80211/debugfs_netdev.c b/net/mac80211/debugfs_netdev.c
index 1dac78271045..4d45bb4fe380 100644
--- a/net/mac80211/debugfs_netdev.c
+++ b/net/mac80211/debugfs_netdev.c
@@ -1015,9 +1015,24 @@ static void ieee80211_debugfs_add_netdev(struct ieee80211_sub_if_data *sdata,
void ieee80211_debugfs_remove_netdev(struct ieee80211_sub_if_data *sdata)
{
+ struct sta_info *sta;
+
if (!sdata->vif.debugfs_dir)
return;
+ /*
+ * Before we delete the netdev’s debugfs tree, clear sta->debugfs_dir
+ * for every station on this interface. This ensures any later call to
+ * ieee80211_sta_debugfs_remove() sees NULL and avoids touching a dentry
+ * that we are about to free.
+ */
+ rcu_read_lock();
+ list_for_each_entry_rcu(sta, &sdata->local->sta_list, list) {
+ if (sta->sdata == sdata)
+ sta->debugfs_dir = NULL;
+ }
+ rcu_read_unlock();
+
debugfs_remove_recursive(sdata->vif.debugfs_dir);
sdata->vif.debugfs_dir = NULL;
sdata->debugfs.subdir_stations = NULL;
--
2.43.0
Powered by blists - more mailing lists