From: Al Viro <viro@zeniv.linux.org.uk>
To: Moon Hee Lee <moonhee.lee.ca@gmail.com>
Cc: syzbot+d6ccd49ae046542a0641@syzkaller.appspotmail.com,
	linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [fs?] [wireless?] general protection fault in simple_recursive_removal (5)
Date: Thu, 24 Jul 2025 16:58:32 +0100	[thread overview]
Message-ID: <20250724155832.GU2580412@ZenIV> (raw)
In-Reply-To: <20250724064051.431879-2-moonhee.lee.ca@gmail.com>

On Wed, Jul 23, 2025 at 11:40:52PM -0700, Moon Hee Lee wrote:
> #syz test git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next.git main
> 
> A NULL pointer dereference may occur in ieee80211_sta_debugfs_remove()
> when debugfs_remove_recursive() is called on a dentry whose inode has
> already been freed. This can happen due to a race between STA teardown
> and debugfs cleanup.
> 
> Fix this by checking that both sta->debugfs_dir and its d_inode are
> valid before invoking debugfs_remove_recursive().

>  void ieee80211_sta_debugfs_remove(struct sta_info *sta)
>  {
> -	debugfs_remove_recursive(sta->debugfs_dir);
> +	if (sta->debugfs_dir && sta->debugfs_dir->d_inode)
> +		debugfs_remove_recursive(sta->debugfs_dir);
>  	sta->debugfs_dir = NULL;
>  }
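Review bot: the added `if (sta->debugfs_dir && sta->debugfs_dir->d_inode)` test is a check-then-use with no serialisation against the concurrent teardown the commit message describes, so the window it is meant to close remains: the inode can be freed after the `d_inode` test and before `debugfs_remove_recursive()` runs, and the dereference of `sta->debugfs_dir->d_inode` itself touches a dentry whose inode may already be gone. A fix needs to order STA teardown against debugfs cleanup (removal performed once, under whatever lock serialises the two paths) rather than guard the call with a non-atomic pre-check; as written the hunk narrows the race but does not remove it.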

It might paper over the specific reproducer, but that's not a fix...
I'm not familiar with that code; will check the details, but in
this form it is obviously still racy.

NAK.
