From: Moon Hee Lee <moonhee.lee.ca@gmail.com>
To: syzbot+d6ccd49ae046542a0641@syzkaller.appspotmail.com
Cc: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com,
	viro@zeniv.linux.org.uk, hdanton@sina.com,
	Moon Hee Lee <moonhee.lee.ca@gmail.com>
Subject: [syzbot] [fs?] [wireless?] general protection fault in simple_recursive_removal (5)
Date: Thu, 31 Jul 2025 10:17:29 -0700	[thread overview]
Message-ID: <20250731171729.46432-2-moonhee.lee.ca@gmail.com> (raw)

#syz test git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next.git main


Thanks for the review and valuable feedback.

Upon investigation, I found the crash occurs when the netdev's debugfs
directory is removed while a station still holds a pointer
(sta->debugfs_dir) to a dentry within it. A subsequent call to
ieee80211_sta_debugfs_remove() may then dereference a freed dentry,
triggering a use-after-free.

To address this, I’m preparing a patch that clears sta->debugfs_dir for
all stations associated with the interface before calling
debugfs_remove_recursive(). This ensures any later station removal
becomes a no-op and avoids referencing a stale pointer.

This reply is intended for syz testing and to provide context for
review. A formal patch will follow.

Many thanks to Hillf Danton and Al Viro for their insights.

---
 net/mac80211/debugfs_netdev.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/net/mac80211/debugfs_netdev.c b/net/mac80211/debugfs_netdev.c
index 1dac78271045..4d45bb4fe380 100644
--- a/net/mac80211/debugfs_netdev.c
+++ b/net/mac80211/debugfs_netdev.c
@@ -1015,9 +1015,24 @@ static void ieee80211_debugfs_add_netdev(struct ieee80211_sub_if_data *sdata,
 
 void ieee80211_debugfs_remove_netdev(struct ieee80211_sub_if_data *sdata)
 {
+	struct sta_info *sta;
+
 	if (!sdata->vif.debugfs_dir)
 		return;
 
+	/*
+	 * Before we delete the netdev’s debugfs tree, clear sta->debugfs_dir
+	 * for every station on this interface.  This ensures any later call to
+	 * ieee80211_sta_debugfs_remove() sees NULL and avoids touching a dentry
+	 * that we are about to free.
+	 */
+	rcu_read_lock();
+	list_for_each_entry_rcu(sta, &sdata->local->sta_list, list) {
+		if (sta->sdata == sdata)
+			sta->debugfs_dir = NULL;
+	}
+	rcu_read_unlock();
+
 	debugfs_remove_recursive(sdata->vif.debugfs_dir);
 	sdata->vif.debugfs_dir = NULL;
 	sdata->debugfs.subdir_stations = NULL;
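Review bot: rcu_read_lock() around the list_for_each_entry_rcu() walk only keeps the sta_list entries alive while they are iterated; it does not order the `sta->debugfs_dir = NULL` store against a station removal running concurrently on another CPU, which may already have loaded the old dentry pointer and will then use it after the debugfs_remove_recursive() call that follows. The cover letter's claim that "any later station removal becomes a no-op" therefore only holds if both this function and ieee80211_sta_debugfs_remove() run under the same lock that protects sta_list; please either take that lock here instead of RCU, or state in the comment and commit message which lock provides that exclusion. As a style point, the comment block uses a non-ASCII apostrophe in "netdev’s"; kernel comments should use plain ASCII.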
-- 
2.43.0

