Message-ID: <20250731172852.GQ222315@ZenIV>
Date: Thu, 31 Jul 2025 18:28:52 +0100
From: Al Viro <viro@...iv.linux.org.uk>
To: Moon Hee Lee <moonhee.lee.ca@...il.com>
Cc: syzbot+d6ccd49ae046542a0641@...kaller.appspotmail.com,
	linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com,
	hdanton@...a.com
Subject: Re: [syzbot] [fs?] [wireless?] general protection fault in simple_recursive_removal (5)

On Thu, Jul 31, 2025 at 10:17:29AM -0700, Moon Hee Lee wrote:
> #syz test git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next.git main
> 
> 
> Thanks for the review and valuable feedback.
> 
> Upon investigation, I found the crash occurs when the netdev's debugfs
> directory is removed while a station still holds a pointer
> (sta->debugfs_dir) to a dentry within it. A subsequent call to
> ieee80211_sta_debugfs_remove() may then dereference a freed dentry,
> triggering a use-after-free.
> 
> To address this, I’m preparing a patch that clears sta->debugfs_dir for
> all stations associated with the interface before calling
> debugfs_remove_recursive(). This ensures any later station removal
> becomes a no-op and avoids referencing a stale pointer.
> 
> This reply is intended for syz testing and to provide context for
> review. A formal patch will follow.

> +	/*
> +	 * Before we delete the netdev’s debugfs tree, clear sta->debugfs_dir
> +	 * for every station on this interface.  This ensures any later call to
> +	 * ieee80211_sta_debugfs_remove() sees NULL and avoids touching a dentry
> +	 * that we are about to free.
> +	 */
> +	rcu_read_lock();
> +	list_for_each_entry_rcu(sta, &sdata->local->sta_list, list) {
> +		if (sta->sdata == sdata)
> +			sta->debugfs_dir = NULL;
> +	}
> +	rcu_read_unlock();
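
Review bot: the rcu_read_lock()/list_for_each_entry_rcu() pair here makes the walk over sdata->local->sta_list safe, but it provides no exclusion against a concurrent ieee80211_sta_debugfs_remove() on one of those stations: that path can load sta->debugfs_dir before this loop stores NULL, and then hand the dentry to debugfs_remove_recursive() after the netdev tree below has already been torn down, which is the same stale-dentry dereference the change is meant to fix. The store of NULL and the station-removal path need to run under a common lock (whatever lock serializes station removal in this code base; none is taken in the hunk), or the station's debugfs teardown needs to be ordered before the netdev's rather than relying on an unsynchronized pointer clear. The comment's claim that a later call "sees NULL" only holds under such ordering, so it should say which lock guarantees it.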

Umm... Is there any exclusion between that and ieee80211_sta_debugfs_remove()?
This looks fishy...
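
The exclusion question raised above, worked through in a small C model. This is an added illustration, not mac80211 code: the struct layouts, the two-step "paths" and the function names are assumptions chosen to mirror the thread, and the mutex stands in for whatever lock actually serializes station removal. The model runs the netdev teardown (clear sta->debugfs_dir, then free the tree) against the station removal (read sta->debugfs_dir, then remove it) in a chosen interleaving. With rcu_read_lock() only, nothing stops the station path from reading the pointer before the clearing loop stores NULL, so it later dereferences a freed dentry; with both paths under one mutex the same schedule is forced to complete the station path first; and with teardown ordered strictly before the read, the NULL store does make the later removal a no-op, which is the ordering the hunk's comment silently assumes.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the objects involved; names are assumptions, not mac80211's. */
struct dentry { bool freed; };
struct sta_info { struct dentry *debugfs_dir; };

enum path { TEARDOWN = 1, STATION = 2 };   /* the two concurrent paths */

struct world {
    struct dentry netdev_dir;    /* the netdev's debugfs subtree ... */
    struct dentry sta_dir;       /* ... and the station's directory inside it */
    struct sta_info sta;
    struct dentry *sta_loaded;   /* pointer the station path read from sta->debugfs_dir */
    int lock_owner;              /* 0 = unlocked, else the path holding the mutex */
    int uaf;                     /* dereferences of an already-freed dentry */
};

/* Netdev teardown as in the posted hunk: clear the pointer, then free the tree. */
static void teardown_step(struct world *w, int i)
{
    if (i == 0) {
        w->sta.debugfs_dir = NULL;          /* the clearing loop */
    } else {
        w->netdev_dir.freed = true;         /* debugfs_remove_recursive() on the netdev dir */
        w->sta_dir.freed = true;            /* ... which also tears down the station's dir */
    }
}

/* Station removal: read sta->debugfs_dir, then remove what it points to. */
static void station_step(struct world *w, int i)
{
    if (i == 0) {
        w->sta_loaded = w->sta.debugfs_dir; /* ieee80211_sta_debugfs_remove() reads the pointer */
    } else if (w->sta_loaded) {
        if (w->sta_loaded->freed)
            w->uaf++;                        /* stale dentry: the crash syzbot reported */
        else
            w->sta_loaded->freed = true;     /* normal removal of the station's dir */
        w->sta.debugfs_dir = NULL;
    }
}

static void run_one(struct world *w, enum path p, int *progress, bool serialized)
{
    int i = progress[p];

    if (serialized && i == 0)
        w->lock_owner = p;                   /* mutex taken before the path's first step */
    if (p == TEARDOWN)
        teardown_step(w, i);
    else
        station_step(w, i);
    progress[p] = i + 1;
    if (serialized && progress[p] == 2)
        w->lock_owner = 0;                   /* ... and dropped after its last step */
}

/* Run both two-step paths in the requested interleaving. With `serialized`, a
 * path that finds the mutex held is deferred and the holder runs instead;
 * without it (rcu_read_lock() only) every interleaving is possible.
 * Returns the number of freed-dentry dereferences. */
static int simulate(const enum path *order, int n, bool serialized)
{
    struct world w;
    int progress[3] = { 0, 0, 0 };

    memset(&w, 0, sizeof w);
    w.sta.debugfs_dir = &w.sta_dir;

    for (int k = 0; k < n; k++) {
        enum path p = order[k];
        enum path other = (p == TEARDOWN) ? STATION : TEARDOWN;

        if (progress[p] == 2)
            p = other;                       /* requested path already finished */
        if (progress[p] == 2)
            break;                           /* both finished */
        if (serialized && w.lock_owner && w.lock_owner != (int)p)
            p = other;                       /* blocked on the mutex; holder proceeds */
        run_one(&w, p, progress, serialized);
    }
    return w.uaf;
}

/* Station path reads the pointer before teardown clears it; no exclusion. */
int race_rcu_only(void)
{
    static const enum path order[] = { STATION, TEARDOWN, TEARDOWN, STATION };
    return simulate(order, 4, false);        /* 1: stale dentry dereferenced */
}

/* Same schedule, both paths under one mutex. */
int race_serialized(void)
{
    static const enum path order[] = { STATION, TEARDOWN, TEARDOWN, STATION };
    return simulate(order, 4, true);         /* 0: station path completes under the lock first */
}

/* Teardown strictly before the read: the NULL store alone suffices here. */
int teardown_first(void)
{
    static const enum path order[] = { TEARDOWN, TEARDOWN, STATION, STATION };
    return simulate(order, 4, false);        /* 0: removal sees NULL and is a no-op */
}

int main(void)
{
    printf("rcu only, sta reads first: %d stale use(s)\n", race_rcu_only());
    printf("serialized, same schedule: %d stale use(s)\n", race_serialized());
    printf("teardown first, no lock:   %d stale use(s)\n", teardown_first());
    return 0;
}
```

The model deliberately leaves out what RCU does guarantee (a stable list walk); the point is only that a reader-side critical section does not delay the other path, so a pointer cleared inside it can still be observed non-NULL by that path a moment earlier.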
