Message-ID: <20250731172852.GQ222315@ZenIV>
Date: Thu, 31 Jul 2025 18:28:52 +0100
From: Al Viro <viro@...iv.linux.org.uk>
To: Moon Hee Lee <moonhee.lee.ca@...il.com>
Cc: syzbot+d6ccd49ae046542a0641@...kaller.appspotmail.com,
linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com,
hdanton@...a.com
Subject: Re: [syzbot] [fs?] [wireless?] general protection fault in simple_recursive_removal (5)
On Thu, Jul 31, 2025 at 10:17:29AM -0700, Moon Hee Lee wrote:
> #syz test git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next.git main
>
>
> Thanks for the review and valuable feedback.
>
> Upon investigation, I found the crash occurs when the netdev's debugfs
> directory is removed while a station still holds a pointer
> (sta->debugfs_dir) to a dentry within it. A subsequent call to
> ieee80211_sta_debugfs_remove() may then dereference a freed dentry,
> triggering a use-after-free.
>
> To address this, I’m preparing a patch that clears sta->debugfs_dir for
> all stations associated with the interface before calling
> debugfs_remove_recursive(). This ensures any later station removal
> becomes a no-op and avoids referencing a stale pointer.
>
> This reply is intended for syz testing and to provide context for
> review. A formal patch will follow.
> + /*
> + * Before we delete the netdev’s debugfs tree, clear sta->debugfs_dir
> + * for every station on this interface. This ensures any later call to
> + * ieee80211_sta_debugfs_remove() sees NULL and avoids touching a dentry
> + * that we are about to free.
> + */
> + rcu_read_lock();
> + list_for_each_entry_rcu(sta, &sdata->local->sta_list, list) {
> + if (sta->sdata == sdata)
> + sta->debugfs_dir = NULL;
> + }
> + rcu_read_unlock();
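Review bot: rcu_read_lock() here only keeps the walk over sdata->local->sta_list safe; it does not exclude a concurrent ieee80211_sta_debugfs_remove() for the same station, which may already have loaded sta->debugfs_dir before this loop stores NULL and will then hand that stale dentry to debugfs_remove_recursive() after the netdev tree is gone, so the loop narrows the window rather than closing it. The store is also a plain write to a field that the removal path reads with no lock or barrier in common, so the comment's claim that a later call "sees NULL" only holds if something orders the two. Either run this loop, and the station-side removal, under whatever serializes station teardown for this sdata, or show that every station of this interface is already flushed before the netdev debugfs directory is removed, in which case the loop is unnecessary.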
Umm... Is there any exclusion between that and ieee80211_sta_debugfs_remove()?
This looks fishy...
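Added example, not from this thread and not mac80211 code: a small user-space model in C of the hand-off Al is asking about. The two sides are "interface teardown", which wants to clear sta->debugfs_dir and then free the netdev subtree, and "station removal", which wants to remove sta->debugfs_dir itself. struct dentry, struct sta_info, take_debugfs_dir() and the two interleaving functions are stand-ins, and the atomic exchange is one illustrative way to make the hand-off exclusive, not the fix the kernel adopted. The first function replays the interleaving the quoted loop does not exclude; the second shows that once exactly one side can take the pointer, the order of the two sides no longer matters.

```c
#include <stdatomic.h>
#include <stddef.h>

/* Stand-in for a debugfs dentry; 'freed' is set when the parent tree goes. */
struct dentry {
	int freed;
};

/* Only the field this thread is about. '_Atomic' belongs to the model, not
 * to the kernel's struct sta_info. */
struct sta_info {
	struct dentry *_Atomic debugfs_dir;
};

/* Model of teardown freeing the netdev's subtree (debugfs_remove_recursive). */
static void teardown_free_tree(struct dentry *d)
{
	d->freed = 1;
}

/*
 * Model of ieee80211_sta_debugfs_remove() acting on a pointer it loaded
 * earlier. Returns 1 if it touched a dentry the other side already freed.
 */
static int sta_debugfs_remove(struct dentry *d)
{
	if (!d)
		return 0;	/* the NULL case the quoted loop hopes for */
	return d->freed;	/* 1 == use after free */
}

/*
 * Exclusive hand-off (assumption, for illustration): take the pointer with
 * an atomic exchange so exactly one caller ever sees the non-NULL dentry.
 */
static struct dentry *take_debugfs_dir(struct sta_info *sta)
{
	return atomic_exchange_explicit(&sta->debugfs_dir, NULL,
					memory_order_acq_rel);
}

/*
 * The interleaving a plain "store NULL under rcu_read_lock" does not exclude:
 *   station removal loads sta->debugfs_dir   (non-NULL)
 *   interface teardown stores NULL           (too late for that load)
 *   interface teardown frees the subtree
 *   station removal uses what it loaded
 * Returns 1: the stale dentry was used after the free.
 */
int racy_interleaving(void)
{
	struct dentry d = { 0 };
	struct sta_info sta;
	atomic_init(&sta.debugfs_dir, &d);

	struct dentry *loaded = atomic_load_explicit(&sta.debugfs_dir,
						     memory_order_relaxed);
	atomic_store_explicit(&sta.debugfs_dir, NULL, memory_order_relaxed);
	teardown_free_tree(&d);
	return sta_debugfs_remove(loaded);
}

/*
 * Same two sides, each taking the pointer with the exchange. Whichever side
 * goes first owns the dentry; the other gets NULL and does nothing. Returns
 * the number of freed dentries touched, i.e. 0 in either order.
 */
int exclusive_interleaving(int teardown_first)
{
	struct dentry d = { 0 };
	struct sta_info sta;
	int bad = 0;
	atomic_init(&sta.debugfs_dir, &d);

	if (teardown_first) {
		/* teardown owns it; removing the tree covers the sta dir */
		(void)take_debugfs_dir(&sta);
		teardown_free_tree(&d);
		bad += sta_debugfs_remove(take_debugfs_dir(&sta));	/* NULL */
	} else {
		/* station removal owns it and removes it before the tree goes */
		bad += sta_debugfs_remove(take_debugfs_dir(&sta));	/* not freed yet */
		(void)take_debugfs_dir(&sta);				/* NULL */
		teardown_free_tree(&d);
	}
	return bad;
}
```

The model only replays one interleaving per function; it is not a stress test. Its point is the one Al raises: a NULL store that nothing orders against the reader's load leaves the reader free to use the value it already loaded, whereas an ownership transfer that both sides go through (the exchange here, or a lock that both sides hold in the kernel) makes the "later removal becomes a no-op" claim actually hold.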