lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20250731171729.46432-2-moonhee.lee.ca@gmail.com>
Date: Thu, 31 Jul 2025 10:17:29 -0700
From: Moon Hee Lee <moonhee.lee.ca@...il.com>
To: syzbot+d6ccd49ae046542a0641@...kaller.appspotmail.com
Cc: linux-kernel@...r.kernel.org,
	syzkaller-bugs@...glegroups.com,
	viro@...iv.linux.org.uk,
	hdanton@...a.com,
	Moon Hee Lee <moonhee.lee.ca@...il.com>
Subject: [syzbot] [fs?] [wireless?] general protection fault in simple_recursive_removal (5)

#syz test git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next.git main


Thanks for the review and valuable feedback.

Upon investigation, I found the crash occurs when the netdev's debugfs
directory is removed while a station still holds a pointer
(sta->debugfs_dir) to a dentry within it. A subsequent call to
ieee80211_sta_debugfs_remove() may then dereference a freed dentry,
triggering a use-after-free.

To address this, I’m preparing a patch that clears sta->debugfs_dir for
all stations associated with the interface before calling
debugfs_remove_recursive(). This ensures any later station removal
becomes a no-op and avoids referencing a stale pointer.

This reply is intended for syz testing and to provide context for
review. A formal patch will follow.

Many thanks to Hillf Danton and Al Viro for their insights.

---
 net/mac80211/debugfs_netdev.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/net/mac80211/debugfs_netdev.c b/net/mac80211/debugfs_netdev.c
index 1dac78271045..4d45bb4fe380 100644
--- a/net/mac80211/debugfs_netdev.c
+++ b/net/mac80211/debugfs_netdev.c
@@ -1015,9 +1015,24 @@ static void ieee80211_debugfs_add_netdev(struct ieee80211_sub_if_data *sdata,
 
 void ieee80211_debugfs_remove_netdev(struct ieee80211_sub_if_data *sdata)
 {
+	struct sta_info *sta;
+
 	if (!sdata->vif.debugfs_dir)
 		return;
 
+	/*
+	 * Before we delete the netdev’s debugfs tree, clear sta->debugfs_dir
+	 * for every station on this interface.  This ensures any later call to
+	 * ieee80211_sta_debugfs_remove() sees NULL and avoids touching a dentry
+	 * that we are about to free.
+	 */
+	rcu_read_lock();
+	list_for_each_entry_rcu(sta, &sdata->local->sta_list, list) {
+		if (sta->sdata == sdata)
+			sta->debugfs_dir = NULL;
+	}
+	rcu_read_unlock();
+
 	debugfs_remove_recursive(sdata->vif.debugfs_dir);
 	sdata->vif.debugfs_dir = NULL;
 	sdata->debugfs.subdir_stations = NULL;
-- 
2.43.0


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ