[syzbot] [fs?] [wireless?] general protection fault in simple_recursive_removal (5)

[syzbot] [fs?] [wireless?] general protection fault in simple_recursive_removal (5)

[Moon Hee Lee]

[-- Attachment #1: Type: text/plain, Size: 88 bytes --]

#syz test git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next.git
main

[-- Attachment #2: 0001-wifi-mac80211-fix-use-after-free-risk-in-sta-debugfs.patch --]
[-- Type: text/x-patch, Size: 4006 bytes --]

From b4534144b288d954480728bb4ba291178af43fd8 Mon Sep 17 00:00:00 2001
From: Moon Hee Lee <moonhee.lee.ca@gmail.com>
Date: Wed, 23 Jul 2025 22:45:37 -0700
Subject: [PATCH wireless-next] wifi: mac80211: fix use-after-free risk in sta debugfs
 removal

A NULL pointer dereference may occur in ieee80211_sta_debugfs_remove()
when debugfs_remove_recursive() is called on a dentry whose inode has
already been freed. This can happen due to a race between STA teardown
and debugfs cleanup.

Fix this by checking that both sta->debugfs_dir and its d_inode are
valid before invoking debugfs_remove_recursive().

This avoids the crash reported in syzbot bug:

  wlan1: send auth to aa:09:b7:99:c0:d7 (try 2/3)
  wlan1: send auth to aa:09:b7:99:c0:d7 (try 3/3)
  wlan1: authentication with aa:09:b7:99:c0:d7 timed out
  Oops: general protection fault, probably for non-canonical address 0xdffffc0000000029: 0000 [#1] SMP KASAN NOPTI
  KASAN: null-ptr-deref in range [0x0000000000000148-0x000000000000014f]
  CPU: 0 UID: 0 PID: 171 Comm: kworker/u4:4 Not tainted 6.16.0-rc7-syzkaller #0 PREEMPT(full)
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
  Workqueue: events_unbound cfg80211_wiphy_work
  RIP: 0010:kasan_byte_accessible+0x12/0x30 mm/kasan/generic.c:199
  Code: 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 48 c1 ef 03 48 b8 00 00 00 00 00 fc ff df <0f> b6 04 07 3c 08 0f   92 c0 c3 cc cc cc cc cc 66 66 66 66 66 66 2e
  RSP: 0018:ffffc90001977400 EFLAGS: 00010202
  RAX: dffffc0000000000 RBX: ffffffff8b713286 RCX: ca5c1933e35f3700
  RDX: 0000000000000000 RSI: ffffffff8b713286 RDI: 0000000000000029
  RBP: ffffffff824067f0 R08: 0000000000000001 R09: 0000000000000000
  R10: dffffc0000000000 R11: ffffed10085cf24c R12: 0000000000000000
  R13: 0000000000000148 R14: 0000000000000148 R15: 0000000000000001
  FS:  0000000000000000(0000) GS:ffff88808d218000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 0000001b2f55ffff CR3: 000000005030a000 CR4: 0000000000352ef0
  Call Trace:
   <TASK>
   __kasan_check_byte+0x12/0x40 mm/kasan/common.c:556
   kasan_check_byte include/linux/kasan.h:399 [inline]
   lock_acquire+0x8d/0x360 kernel/locking/lockdep.c:5845
   down_write+0x96/0x1f0 kernel/locking/rwsem.c:1577
   inode_lock include/linux/fs.h:869 [inline]
   simple_recursive_removal+0x90/0x690 fs/libfs.c:616
   debugfs_remove+0x5b/0x70 fs/debugfs/inode.c:805
   ieee80211_sta_debugfs_remove+0x40/0x70 net/mac80211/debugfs_sta.c:1279
   __sta_info_destroy_part2+0x352/0x450 net/mac80211/sta_info.c:1501
   __sta_info_destroy net/mac80211/sta_info.c:1517 [inline]
   sta_info_destroy_addr+0xf5/0x140 net/mac80211/sta_info.c:1529
   ieee80211_destroy_auth_data+0x12d/0x260 net/mac80211/mlme.c:4597
   ieee80211_sta_work+0x11cf/0x3600 net/mac80211/mlme.c:8310
   cfg80211_wiphy_work+0x2df/0x460 net/wireless/core.c:435
   process_one_work kernel/workqueue.c:3238 [inline]
   process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
   worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
   kthread+0x70e/0x8a0 kernel/kthread.c:464
   ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
   </TASK>

Fixes: fc4a25c5b741 ("mac80211: remove sta_info debugfs sub-struct")
Signed-off-by: Moon Hee Lee <moonhee.lee.ca@gmail.com>
---
 net/mac80211/debugfs_sta.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/mac80211/debugfs_sta.c b/net/mac80211/debugfs_sta.c
index 49061bd4151b..912b69abab52 100644
--- a/net/mac80211/debugfs_sta.c
+++ b/net/mac80211/debugfs_sta.c
@@ -1276,7 +1276,8 @@ void ieee80211_sta_debugfs_add(struct sta_info *sta)
 
 void ieee80211_sta_debugfs_remove(struct sta_info *sta)
 {
-	debugfs_remove_recursive(sta->debugfs_dir);
+	if (sta->debugfs_dir && sta->debugfs_dir->d_inode)
+		debugfs_remove_recursive(sta->debugfs_dir);
 	sta->debugfs_dir = NULL;
 }
 
-- 
2.43.0

Re: [syzbot] [fs?] [wireless?] general protection fault in simple_recursive_removal (5)

[syzbot]

> #syz test git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next.git

want either no args or 2 args (repo, branch), got 1

> main

[syzbot] [fs?] [wireless?] general protection fault in simple_recursive_removal (5)

[Moon Hee Lee]

#syz test git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next.git main


Thanks for the review and valuable feedback.

Upon investigation, I found the crash occurs when the netdev's debugfs
directory is removed while a station still holds a pointer
(sta->debugfs_dir) to a dentry within it. A subsequent call to
ieee80211_sta_debugfs_remove() may then dereference a freed dentry,
triggering a use-after-free.

To address this, I’m preparing a patch that clears sta->debugfs_dir for
all stations associated with the interface before calling
debugfs_remove_recursive(). This ensures any later station removal
becomes a no-op and avoids referencing a stale pointer.

This reply is intended for syz testing and to provide context for
review. A formal patch will follow.

Many thanks to Hillf Danton and Al Viro for their insights.

---
 net/mac80211/debugfs_netdev.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/net/mac80211/debugfs_netdev.c b/net/mac80211/debugfs_netdev.c
index 1dac78271045..4d45bb4fe380 100644
--- a/net/mac80211/debugfs_netdev.c
+++ b/net/mac80211/debugfs_netdev.c
@@ -1015,9 +1015,24 @@ static void ieee80211_debugfs_add_netdev(struct ieee80211_sub_if_data *sdata,
 
 void ieee80211_debugfs_remove_netdev(struct ieee80211_sub_if_data *sdata)
 {
+	struct sta_info *sta;
+
 	if (!sdata->vif.debugfs_dir)
 		return;
 
+	/*
+	 * Before we delete the netdev’s debugfs tree, clear sta->debugfs_dir
+	 * for every station on this interface.  This ensures any later call to
+	 * ieee80211_sta_debugfs_remove() sees NULL and avoids touching a dentry
+	 * that we are about to free.
+	 */
+	rcu_read_lock();
+	list_for_each_entry_rcu(sta, &sdata->local->sta_list, list) {
+		if (sta->sdata == sdata)
+			sta->debugfs_dir = NULL;
+	}
+	rcu_read_unlock();
+
 	debugfs_remove_recursive(sdata->vif.debugfs_dir);
 	sdata->vif.debugfs_dir = NULL;
 	sdata->debugfs.subdir_stations = NULL;
-- 
2.43.0

Re: [syzbot] [fs?] [wireless?] general protection fault in simple_recursive_removal (5)

[Al Viro]

On Thu, Jul 31, 2025 at 10:17:29AM -0700, Moon Hee Lee wrote:
> #syz test git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next.git main
> 
> 
> Thanks for the review and valuable feedback.
> 
> Upon investigation, I found the crash occurs when the netdev's debugfs
> directory is removed while a station still holds a pointer
> (sta->debugfs_dir) to a dentry within it. A subsequent call to
> ieee80211_sta_debugfs_remove() may then dereference a freed dentry,
> triggering a use-after-free.
> 
> To address this, I’m preparing a patch that clears sta->debugfs_dir for
> all stations associated with the interface before calling
> debugfs_remove_recursive(). This ensures any later station removal
> becomes a no-op and avoids referencing a stale pointer.
> 
> This reply is intended for syz testing and to provide context for
> review. A formal patch will follow.

> +	/*
> +	 * Before we delete the netdev’s debugfs tree, clear sta->debugfs_dir
> +	 * for every station on this interface.  This ensures any later call to
> +	 * ieee80211_sta_debugfs_remove() sees NULL and avoids touching a dentry
> +	 * that we are about to free.
> +	 */
> +	rcu_read_lock();
> +	list_for_each_entry_rcu(sta, &sdata->local->sta_list, list) {
> +		if (sta->sdata == sdata)
> +			sta->debugfs_dir = NULL;
> +	}
> +	rcu_read_unlock();

Umm... Is there any exclusion between that an ieee80211_sta_debugfs_remove()?
This looks fishy...

Re: [syzbot] [fs?] [wireless?] general protection fault in simple_recursive_removal (5)

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+d6ccd49ae046542a0641@syzkaller.appspotmail.com
Tested-by: syzbot+d6ccd49ae046542a0641@syzkaller.appspotmail.com

Tested on:

commit:         126d85fb Merge tag 'wireless-next-2025-07-24' of https..
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next.git main
console output: https://syzkaller.appspot.com/x/log.txt?x=1104acf0580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=4e0aa2ee2717f461
dashboard link: https://syzkaller.appspot.com/bug?extid=d6ccd49ae046542a0641
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch:          https://syzkaller.appspot.com/x/patch.diff?x=128ee9bc580000

Note: testing is done by a robot and is best-effort only.

[syzbot] [fs?] [wireless?] general protection fault in simple_recursive_removal (5)

[Moon Hee Lee]

#syz test git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next.git main

A NULL pointer dereference may occur in ieee80211_sta_debugfs_remove()
when debugfs_remove_recursive() is called on a dentry whose inode has
already been freed. This can happen due to a race between STA teardown
and debugfs cleanup.

Fix this by checking that both sta->debugfs_dir and its d_inode are
valid before invoking debugfs_remove_recursive().

This avoids the crash reported in syzbot bug:

  wlan1: send auth to aa:09:b7:99:c0:d7 (try 2/3)
  wlan1: send auth to aa:09:b7:99:c0:d7 (try 3/3)
  wlan1: authentication with aa:09:b7:99:c0:d7 timed out
  Oops: general protection fault, probably for non-canonical address 0xdffffc0000000029: 0000 [#1] SMP KASAN NOPTI
  KASAN: null-ptr-deref in range [0x0000000000000148-0x000000000000014f]
  CPU: 0 UID: 0 PID: 171 Comm: kworker/u4:4 Not tainted 6.16.0-rc7-syzkaller #0 PREEMPT(full)
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
  Workqueue: events_unbound cfg80211_wiphy_work
  RIP: 0010:kasan_byte_accessible+0x12/0x30 mm/kasan/generic.c:199
  Code: 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 48 c1 ef 03 48 b8 00 00 00 00 00 fc ff df <0f> b6 04 07 3c 08 0f   92 c0 c3 cc cc cc cc cc 66 66 66 66 66 66 2e
  RSP: 0018:ffffc90001977400 EFLAGS: 00010202
  RAX: dffffc0000000000 RBX: ffffffff8b713286 RCX: ca5c1933e35f3700
  RDX: 0000000000000000 RSI: ffffffff8b713286 RDI: 0000000000000029
  RBP: ffffffff824067f0 R08: 0000000000000001 R09: 0000000000000000
  R10: dffffc0000000000 R11: ffffed10085cf24c R12: 0000000000000000
  R13: 0000000000000148 R14: 0000000000000148 R15: 0000000000000001
  FS:  0000000000000000(0000) GS:ffff88808d218000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 0000001b2f55ffff CR3: 000000005030a000 CR4: 0000000000352ef0
  Call Trace:
   <TASK>
   __kasan_check_byte+0x12/0x40 mm/kasan/common.c:556
   kasan_check_byte include/linux/kasan.h:399 [inline]
   lock_acquire+0x8d/0x360 kernel/locking/lockdep.c:5845
   down_write+0x96/0x1f0 kernel/locking/rwsem.c:1577
   inode_lock include/linux/fs.h:869 [inline]
   simple_recursive_removal+0x90/0x690 fs/libfs.c:616
   debugfs_remove+0x5b/0x70 fs/debugfs/inode.c:805
   ieee80211_sta_debugfs_remove+0x40/0x70 net/mac80211/debugfs_sta.c:1279
   __sta_info_destroy_part2+0x352/0x450 net/mac80211/sta_info.c:1501
   __sta_info_destroy net/mac80211/sta_info.c:1517 [inline]
   sta_info_destroy_addr+0xf5/0x140 net/mac80211/sta_info.c:1529
   ieee80211_destroy_auth_data+0x12d/0x260 net/mac80211/mlme.c:4597
   ieee80211_sta_work+0x11cf/0x3600 net/mac80211/mlme.c:8310
   cfg80211_wiphy_work+0x2df/0x460 net/wireless/core.c:435
   process_one_work kernel/workqueue.c:3238 [inline]
   process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
   worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
   kthread+0x70e/0x8a0 kernel/kthread.c:464
   ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
   </TASK>

---
 net/mac80211/debugfs_sta.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/mac80211/debugfs_sta.c b/net/mac80211/debugfs_sta.c
index 49061bd4151b..912b69abab52 100644
--- a/net/mac80211/debugfs_sta.c
+++ b/net/mac80211/debugfs_sta.c
@@ -1276,7 +1276,8 @@ void ieee80211_sta_debugfs_add(struct sta_info *sta)
 
 void ieee80211_sta_debugfs_remove(struct sta_info *sta)
 {
-	debugfs_remove_recursive(sta->debugfs_dir);
+	if (sta->debugfs_dir && sta->debugfs_dir->d_inode)
+		debugfs_remove_recursive(sta->debugfs_dir);
 	sta->debugfs_dir = NULL;
 }
 
-- 
2.43.0

Re: [syzbot] [fs?] [wireless?] general protection fault in simple_recursive_removal (5)

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+d6ccd49ae046542a0641@syzkaller.appspotmail.com
Tested-by: syzbot+d6ccd49ae046542a0641@syzkaller.appspotmail.com

Tested on:

commit:         3630f043 Merge tag 'iwlwifi-next-2025-07-23' of https:..
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next.git main
console output: https://syzkaller.appspot.com/x/log.txt?x=16a740a2580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=51ebcb9cd994f900
dashboard link: https://syzkaller.appspot.com/bug?extid=d6ccd49ae046542a0641
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1449d0a2580000

Note: testing is done by a robot and is best-effort only.

Re: [syzbot] [fs?] [wireless?] general protection fault in simple_recursive_removal (5)

[Al Viro]

On Wed, Jul 23, 2025 at 11:40:52PM -0700, Moon Hee Lee wrote:
> #syz test git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next.git main
> 
> A NULL pointer dereference may occur in ieee80211_sta_debugfs_remove()
> when debugfs_remove_recursive() is called on a dentry whose inode has
> already been freed. This can happen due to a race between STA teardown
> and debugfs cleanup.
> 
> Fix this by checking that both sta->debugfs_dir and its d_inode are
> valid before invoking debugfs_remove_recursive().

>  void ieee80211_sta_debugfs_remove(struct sta_info *sta)
>  {
> -	debugfs_remove_recursive(sta->debugfs_dir);
> +	if (sta->debugfs_dir && sta->debugfs_dir->d_inode)
> +		debugfs_remove_recursive(sta->debugfs_dir);
>  	sta->debugfs_dir = NULL;
>  }

It might paper over the specific reproducer, but that's not a fix...
I'm not familiar with that code; will check the details, but in
this form it is obviously still racy.

NAK.

Re: [syzbot] [fs?] [wireless?] general protection fault in simple_recursive_removal (5)

[Moon Hee Lee]

On Thu, Jul 24, 2025 at 8:58 AM Al Viro <viro@zeniv.linux.org.uk> wrote:
> It might paper over the specific reproducer, but that's not a fix...
> I'm not familiar with that code; will check the details, but in
> this form it is obviously still racy.

Thanks for the feedback, Al.

Agreed, this only papers over the issue. I'm tracing the
sta_info_destroy() path to confirm the race and will follow up with a
proper fix if confirmed.

-- 
moon

Re: [syzbot] [fs?] [wireless?] general protection fault in simple_recursive_removal (5)

[Hillf Danton]

On Thu, 24 Jul 2025 10:29:47 -0700 Moon Hee Lee wrote:
> On Thu, Jul 24, 2025 at 8:58 AM Al Viro <viro@zeniv.linux.org.uk> wrote:
> > It might paper over the specific reproducer, but that's not a fix...
> > I'm not familiar with that code; will check the details, but in
> > this form it is obviously still racy.
> 
> Thanks for the feedback, Al.
> 
> Agreed, this only papers over the issue. I'm tracing the
> sta_info_destroy() path to confirm the race and will follow up with a
> proper fix if confirmed.
>
A look at net/mac80211/debugfs_netdev.c:1021 [1] helps to prepare a proper fix.

[1] https://lore.kernel.org/lkml/6881aed3.a00a0220.2f88df.000b.GAE@google.com/

Re: [syzbot] [fs?] [wireless?] general protection fault in simple_recursive_removal (5)

[Al Viro]

On Thu, Jul 24, 2025 at 10:29:47AM -0700, Moon Hee Lee wrote:
> On Thu, Jul 24, 2025 at 8:58 AM Al Viro <viro@zeniv.linux.org.uk> wrote:
> > It might paper over the specific reproducer, but that's not a fix...
> > I'm not familiar with that code; will check the details, but in
> > this form it is obviously still racy.
> 
> Thanks for the feedback, Al.
> 
> Agreed, this only papers over the issue. I'm tracing the
> sta_info_destroy() path to confirm the race and will follow up with a
> proper fix if confirmed.

Note that if you have nested subtrees, you have to be very careful
about removals - after all, removal of the bigger one drops the
references we are holding to the roots of the smaller ones.

[syzbot] [fs?] [wireless?] general protection fault in simple_recursive_removal (5)

[Moon Hee Lee]

[-- Attachment #1: Type: text/plain, Size: 88 bytes --]

#syz test git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next.git
main

[-- Attachment #2: 0001-mac80211-fix-use-after-free-risk-in-sta-debugfs-remo.patch --]
[-- Type: text/x-patch, Size: 3999 bytes --]

From a3ad50bd1b1528de302d2d0a5c5bdffcf059e4e6 Mon Sep 17 00:00:00 2001
From: Moon Hee Lee <moonhee.lee.ca@gmail.com>
Date: Wed, 23 Jul 2025 22:45:37 -0700
Subject: [PATCH wireless-next] mac80211: fix use-after-free risk in sta debugfs removal

A NULL pointer dereference may occur in ieee80211_sta_debugfs_remove()
when debugfs_remove_recursive() is called on a dentry whose inode has
already been freed. This can happen due to a race between STA teardown
and debugfs cleanup.

Fix this by checking that both sta->debugfs_dir and its d_inode are
valid before invoking debugfs_remove_recursive().

This avoids the crash reported in syzbot bug:

  wlan1: send auth to aa:09:b7:99:c0:d7 (try 2/3)
  wlan1: send auth to aa:09:b7:99:c0:d7 (try 3/3)
  wlan1: authentication with aa:09:b7:99:c0:d7 timed out
  Oops: general protection fault, probably for non-canonical address 0xdffffc0000000029: 0000 [#1] SMP KASAN NOPTI
  KASAN: null-ptr-deref in range [0x0000000000000148-0x000000000000014f]
  CPU: 0 UID: 0 PID: 171 Comm: kworker/u4:4 Not tainted 6.16.0-rc7-syzkaller #0 PREEMPT(full)
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
  Workqueue: events_unbound cfg80211_wiphy_work
  RIP: 0010:kasan_byte_accessible+0x12/0x30 mm/kasan/generic.c:199
  Code: 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 48 c1 ef 03 48 b8 00 00 00 00 00 fc ff df <0f> b6 04 07 3c 08 0f   92 c0 c3 cc cc cc cc cc 66 66 66 66 66 66 2e
  RSP: 0018:ffffc90001977400 EFLAGS: 00010202
  RAX: dffffc0000000000 RBX: ffffffff8b713286 RCX: ca5c1933e35f3700
  RDX: 0000000000000000 RSI: ffffffff8b713286 RDI: 0000000000000029
  RBP: ffffffff824067f0 R08: 0000000000000001 R09: 0000000000000000
  R10: dffffc0000000000 R11: ffffed10085cf24c R12: 0000000000000000
  R13: 0000000000000148 R14: 0000000000000148 R15: 0000000000000001
  FS:  0000000000000000(0000) GS:ffff88808d218000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 0000001b2f55ffff CR3: 000000005030a000 CR4: 0000000000352ef0
  Call Trace:
   <TASK>
   __kasan_check_byte+0x12/0x40 mm/kasan/common.c:556
   kasan_check_byte include/linux/kasan.h:399 [inline]
   lock_acquire+0x8d/0x360 kernel/locking/lockdep.c:5845
   down_write+0x96/0x1f0 kernel/locking/rwsem.c:1577
   inode_lock include/linux/fs.h:869 [inline]
   simple_recursive_removal+0x90/0x690 fs/libfs.c:616
   debugfs_remove+0x5b/0x70 fs/debugfs/inode.c:805
   ieee80211_sta_debugfs_remove+0x40/0x70 net/mac80211/debugfs_sta.c:1279
   __sta_info_destroy_part2+0x352/0x450 net/mac80211/sta_info.c:1501
   __sta_info_destroy net/mac80211/sta_info.c:1517 [inline]
   sta_info_destroy_addr+0xf5/0x140 net/mac80211/sta_info.c:1529
   ieee80211_destroy_auth_data+0x12d/0x260 net/mac80211/mlme.c:4597
   ieee80211_sta_work+0x11cf/0x3600 net/mac80211/mlme.c:8310
   cfg80211_wiphy_work+0x2df/0x460 net/wireless/core.c:435
   process_one_work kernel/workqueue.c:3238 [inline]
   process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
   worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
   kthread+0x70e/0x8a0 kernel/kthread.c:464
   ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
   </TASK>

Fixes: fc4a25c5b741 ("mac80211: remove sta_info debugfs sub-struct")
Signed-off-by: Moon Hee Lee <moonhee.lee.ca@gmail.com>
---
 net/mac80211/debugfs_sta.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/mac80211/debugfs_sta.c b/net/mac80211/debugfs_sta.c
index 49061bd4151b..912b69abab52 100644
--- a/net/mac80211/debugfs_sta.c
+++ b/net/mac80211/debugfs_sta.c
@@ -1276,7 +1276,8 @@ void ieee80211_sta_debugfs_add(struct sta_info *sta)
 
 void ieee80211_sta_debugfs_remove(struct sta_info *sta)
 {
-	debugfs_remove_recursive(sta->debugfs_dir);
+	if (sta->debugfs_dir && sta->debugfs_dir->d_inode)
+		debugfs_remove_recursive(sta->debugfs_dir);
 	sta->debugfs_dir = NULL;
 }
 
-- 
2.43.0

Re: [syzbot] [fs?] [wireless?] general protection fault in simple_recursive_removal (5)

[syzbot]

> #syz test git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next.git

want either no args or 2 args (repo, branch), got 1

> main

[syzbot] [fs?] [wireless?] general protection fault in simple_recursive_removal (5)

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    89be9a83ccf1 Linux 6.16-rc7
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11b42fd4580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=8adfe52da0de2761
dashboard link: https://syzkaller.appspot.com/bug?extid=d6ccd49ae046542a0641
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=134baf22580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16d5a4f0580000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-89be9a83.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/a3f5f507f252/vmlinux-89be9a83.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a8f9b92c57a6/bzImage-89be9a83.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d6ccd49ae046542a0641@syzkaller.appspotmail.com

wlan1: send auth to aa:09:b7:99:c0:d7 (try 2/3)
wlan1: send auth to aa:09:b7:99:c0:d7 (try 3/3)
wlan1: authentication with aa:09:b7:99:c0:d7 timed out
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000029: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000148-0x000000000000014f]
CPU: 0 UID: 0 PID: 171 Comm: kworker/u4:4 Not tainted 6.16.0-rc7-syzkaller #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: events_unbound cfg80211_wiphy_work
RIP: 0010:kasan_byte_accessible+0x12/0x30 mm/kasan/generic.c:199
Code: 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 48 c1 ef 03 48 b8 00 00 00 00 00 fc ff df <0f> b6 04 07 3c 08 0f 92 c0 c3 cc cc cc cc cc 66 66 66 66 66 66 2e
RSP: 0018:ffffc90001977400 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffffffff8b713286 RCX: ca5c1933e35f3700
RDX: 0000000000000000 RSI: ffffffff8b713286 RDI: 0000000000000029
RBP: ffffffff824067f0 R08: 0000000000000001 R09: 0000000000000000
R10: dffffc0000000000 R11: ffffed10085cf24c R12: 0000000000000000
R13: 0000000000000148 R14: 0000000000000148 R15: 0000000000000001
FS:  0000000000000000(0000) GS:ffff88808d218000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2f55ffff CR3: 000000005030a000 CR4: 0000000000352ef0
Call Trace:
 <TASK>
 __kasan_check_byte+0x12/0x40 mm/kasan/common.c:556
 kasan_check_byte include/linux/kasan.h:399 [inline]
 lock_acquire+0x8d/0x360 kernel/locking/lockdep.c:5845
 down_write+0x96/0x1f0 kernel/locking/rwsem.c:1577
 inode_lock include/linux/fs.h:869 [inline]
 simple_recursive_removal+0x90/0x690 fs/libfs.c:616
 debugfs_remove+0x5b/0x70 fs/debugfs/inode.c:805
 ieee80211_sta_debugfs_remove+0x40/0x70 net/mac80211/debugfs_sta.c:1279
 __sta_info_destroy_part2+0x352/0x450 net/mac80211/sta_info.c:1501
 __sta_info_destroy net/mac80211/sta_info.c:1517 [inline]
 sta_info_destroy_addr+0xf5/0x140 net/mac80211/sta_info.c:1529
 ieee80211_destroy_auth_data+0x12d/0x260 net/mac80211/mlme.c:4597
 ieee80211_sta_work+0x11cf/0x3600 net/mac80211/mlme.c:8310
 cfg80211_wiphy_work+0x2df/0x460 net/wireless/core.c:435
 process_one_work kernel/workqueue.c:3238 [inline]
 process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
 kthread+0x70e/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:kasan_byte_accessible+0x12/0x30 mm/kasan/generic.c:199
Code: 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 48 c1 ef 03 48 b8 00 00 00 00 00 fc ff df <0f> b6 04 07 3c 08 0f 92 c0 c3 cc cc cc cc cc 66 66 66 66 66 66 2e
RSP: 0018:ffffc90001977400 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffffffff8b713286 RCX: ca5c1933e35f3700
RDX: 0000000000000000 RSI: ffffffff8b713286 RDI: 0000000000000029
RBP: ffffffff824067f0 R08: 0000000000000001 R09: 0000000000000000
R10: dffffc0000000000 R11: ffffed10085cf24c R12: 0000000000000000
R13: 0000000000000148 R14: 0000000000000148 R15: 0000000000000001
FS:  0000000000000000(0000) GS:ffff88808d218000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2f55ffff CR3: 0000000011601000 CR4: 0000000000352ef0
----------------
Code disassembly (best guess):
   0:	0f 1f 84 00 00 00 00 	nopl   0x0(%rax,%rax,1)
   7:	00
   8:	90                   	nop
   9:	90                   	nop
   a:	90                   	nop
   b:	90                   	nop
   c:	90                   	nop
   d:	90                   	nop
   e:	90                   	nop
   f:	90                   	nop
  10:	90                   	nop
  11:	90                   	nop
  12:	90                   	nop
  13:	90                   	nop
  14:	90                   	nop
  15:	90                   	nop
  16:	90                   	nop
  17:	90                   	nop
  18:	66 0f 1f 00          	nopw   (%rax)
  1c:	48 c1 ef 03          	shr    $0x3,%rdi
  20:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  27:	fc ff df
* 2a:	0f b6 04 07          	movzbl (%rdi,%rax,1),%eax <-- trapping instruction
  2e:	3c 08                	cmp    $0x8,%al
  30:	0f 92 c0             	setb   %al
  33:	c3                   	ret
  34:	cc                   	int3
  35:	cc                   	int3
  36:	cc                   	int3
  37:	cc                   	int3
  38:	cc                   	int3
  39:	66                   	data16
  3a:	66                   	data16
  3b:	66                   	data16
  3c:	66                   	data16
  3d:	66                   	data16
  3e:	66                   	data16
  3f:	2e                   	cs


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] [fs?] [wireless?] general protection fault in simple_recursive_removal (5)

[Hillf Danton]

> Date: Wed, 23 Jul 2025 10:19:28 -0700	[thread overview]
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    89be9a83ccf1 Linux 6.16-rc7
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=11b42fd4580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=8adfe52da0de2761
> dashboard link: https://syzkaller.appspot.com/bug?extid=d6ccd49ae046542a0641
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=134baf22580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16d5a4f0580000

#syz test

--- x/net/mac80211/debugfs_sta.c
+++ y/net/mac80211/debugfs_sta.c
@@ -1276,6 +1276,8 @@ void ieee80211_sta_debugfs_add(struct st
 
 void ieee80211_sta_debugfs_remove(struct sta_info *sta)
 {
+	if (!sta->debugfs_dir)
+		return;
 	debugfs_remove_recursive(sta->debugfs_dir);
 	sta->debugfs_dir = NULL;
 }
--

Re: [syzbot] [fs?] [wireless?] general protection fault in simple_recursive_removal (5)

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in lockref_get

wlan1: send auth to aa:09:b7:99:c0:d7 (try 2/3)
wlan1: send auth to aa:09:b7:99:c0:d7 (try 3/3)
wlan1: authentication with aa:09:b7:99:c0:d7 timed out
==================================================================
BUG: KASAN: slab-use-after-free in __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
BUG: KASAN: slab-use-after-free in _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
Read of size 1 at addr ffff888042a47b40 by task kworker/u4:4/169

CPU: 0 UID: 0 PID: 169 Comm: kworker/u4:4 Not tainted 6.16.0-rc7-syzkaller-gf9af7b5d9349-dirty #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: events_unbound cfg80211_wiphy_work
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x230 mm/kasan/report.c:480
 kasan_report+0x118/0x150 mm/kasan/report.c:593
 __kasan_check_byte+0x2a/0x40 mm/kasan/common.c:557
 kasan_check_byte include/linux/kasan.h:399 [inline]
 lock_acquire+0x8d/0x360 kernel/locking/lockdep.c:5845
 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
 _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
 spin_lock include/linux/spinlock.h:351 [inline]
 lockref_get+0x15/0x60 lib/lockref.c:50
 dget include/linux/dcache.h:345 [inline]
 simple_recursive_removal+0x35/0x690 fs/libfs.c:611
 debugfs_remove+0x5b/0x70 fs/debugfs/inode.c:805
 ieee80211_sta_debugfs_remove+0x4f/0x80 net/mac80211/debugfs_sta.c:1281
 __sta_info_destroy_part2+0x352/0x450 net/mac80211/sta_info.c:1501
 __sta_info_destroy net/mac80211/sta_info.c:1517 [inline]
 sta_info_destroy_addr+0xf5/0x140 net/mac80211/sta_info.c:1529
 ieee80211_destroy_auth_data+0x12d/0x260 net/mac80211/mlme.c:4597
 ieee80211_sta_work+0x11cf/0x3600 net/mac80211/mlme.c:8310
 cfg80211_wiphy_work+0x2dc/0x460 net/wireless/core.c:435
 process_one_work kernel/workqueue.c:3238 [inline]
 process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
 kthread+0x70e/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

Allocated by task 5860:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 unpoison_slab_object mm/kasan/common.c:319 [inline]
 __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:345
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4148 [inline]
 slab_alloc_node mm/slub.c:4197 [inline]
 kmem_cache_alloc_lru_noprof+0x1c6/0x3d0 mm/slub.c:4216
 __d_alloc+0x31/0x6f0 fs/dcache.c:1690
 d_alloc fs/dcache.c:1769 [inline]
 d_alloc_parallel+0xe0/0x14e0 fs/dcache.c:2533
 __lookup_slow+0x116/0x3d0 fs/namei.c:1802
 start_creating+0x22e/0x3c0 fs/debugfs/inode.c:391
 debugfs_create_dir+0x28/0x420 fs/debugfs/inode.c:586
 ieee80211_sta_debugfs_add+0x12c/0x850 net/mac80211/debugfs_sta.c:1254
 sta_info_insert_finish net/mac80211/sta_info.c:892 [inline]
 sta_info_insert_rcu+0xfac/0x1940 net/mac80211/sta_info.c:960
 sta_info_insert+0x16/0xc0 net/mac80211/sta_info.c:965
 ieee80211_prep_connection+0x10cd/0x1600 net/mac80211/mlme.c:8854
 ieee80211_mgd_auth+0xee3/0x1770 net/mac80211/mlme.c:9119
 rdev_auth net/wireless/rdev-ops.h:486 [inline]
 cfg80211_mlme_auth+0x62f/0x9c0 net/wireless/mlme.c:291
 cfg80211_conn_do_work+0x501/0xd10 net/wireless/sme.c:183
 cfg80211_sme_connect net/wireless/sme.c:626 [inline]
 cfg80211_connect+0x1862/0x21a0 net/wireless/sme.c:1525
 nl80211_connect+0x17bc/0x1cd0 net/wireless/nl80211.c:12303
 genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115
 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
 genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210
 netlink_rcv_skb+0x205/0x470 net/netlink/af_netlink.c:2552
 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
 netlink_unicast+0x75c/0x8e0 net/netlink/af_netlink.c:1346
 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896
 sock_sendmsg_nosec net/socket.c:712 [inline]
 __sock_sendmsg+0x219/0x270 net/socket.c:727
 ____sys_sendmsg+0x505/0x830 net/socket.c:2566
 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2620
 __sys_sendmsg net/socket.c:2652 [inline]
 __do_sys_sendmsg net/socket.c:2657 [inline]
 __se_sys_sendmsg net/socket.c:2655 [inline]
 __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2655
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 15:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2381 [inline]
 slab_free mm/slub.c:4643 [inline]
 kmem_cache_free+0x18f/0x400 mm/slub.c:4745
 rcu_do_batch kernel/rcu/tree.c:2576 [inline]
 rcu_core+0xca5/0x1710 kernel/rcu/tree.c:2832
 handle_softirqs+0x286/0x870 kernel/softirq.c:579
 run_ksoftirqd+0x9b/0x100 kernel/softirq.c:968
 smpboot_thread_fn+0x53f/0xa60 kernel/smpboot.c:164
 kthread+0x70e/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Last potentially related work creation:
 kasan_save_stack+0x3e/0x60 mm/kasan/common.c:47
 kasan_record_aux_stack+0xbd/0xd0 mm/kasan/generic.c:548
 __call_rcu_common kernel/rcu/tree.c:3094 [inline]
 call_rcu+0x157/0x9c0 kernel/rcu/tree.c:3214
 __dentry_kill+0x4d2/0x660 fs/dcache.c:688
 dput+0x19f/0x2b0 fs/dcache.c:911
 find_next_child+0x1e5/0x250 fs/libfs.c:603
 simple_recursive_removal+0xf4/0x690 fs/libfs.c:619
 debugfs_remove+0x5b/0x70 fs/debugfs/inode.c:805
 ieee80211_debugfs_remove_netdev net/mac80211/debugfs_netdev.c:1021 [inline]
 ieee80211_debugfs_recreate_netdev+0xbf/0x1460 net/mac80211/debugfs_netdev.c:1034
 drv_remove_interface+0x1fa/0x590 net/mac80211/driver-ops.c:125
 _ieee80211_change_mac net/mac80211/iface.c:277 [inline]
 ieee80211_change_mac+0x912/0x12c0 net/mac80211/iface.c:309
 netif_set_mac_address+0x2fc/0x4c0 net/core/dev.c:9688
 do_setlink+0x88c/0x41c0 net/core/rtnetlink.c:3093
 rtnl_changelink net/core/rtnetlink.c:3759 [inline]
 __rtnl_newlink net/core/rtnetlink.c:3918 [inline]
 rtnl_newlink+0x160b/0x1c70 net/core/rtnetlink.c:4055
 rtnetlink_rcv_msg+0x7cc/0xb70 net/core/rtnetlink.c:6944
 netlink_rcv_skb+0x205/0x470 net/netlink/af_netlink.c:2552
 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
 netlink_unicast+0x75c/0x8e0 net/netlink/af_netlink.c:1346
 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896
 sock_sendmsg_nosec net/socket.c:712 [inline]
 __sock_sendmsg+0x219/0x270 net/socket.c:727
 ____sys_sendmsg+0x505/0x830 net/socket.c:2566
 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2620
 __sys_sendmsg net/socket.c:2652 [inline]
 __do_sys_sendmsg net/socket.c:2657 [inline]
 __se_sys_sendmsg net/socket.c:2655 [inline]
 __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2655
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888042a47a70
 which belongs to the cache dentry of size 312
The buggy address is located 208 bytes inside of
 freed 312-byte region [ffff888042a47a70, ffff888042a47ba8)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x42a46
head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff88803ff67101
flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 04fff00000000040 ffff88801b6db780 dead000000000100 dead000000000122
raw: 0000000000000000 0000000000150015 00000000f5000000 ffff88803ff67101
head: 04fff00000000040 ffff88801b6db780 dead000000000100 dead000000000122
head: 0000000000000000 0000000000150015 00000000f5000000 ffff88803ff67101
head: 04fff00000000001 ffffea00010a9181 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Reclaimable, gfp_mask 0xd20d0(__GFP_RECLAIMABLE|__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4739, tgid 4739 (udevd), ts 37957937697, free_ts 0
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1704
 prep_new_page mm/page_alloc.c:1712 [inline]
 get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3669
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:4959
 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2419
 alloc_slab_page mm/slub.c:2451 [inline]
 allocate_slab+0x8a/0x3b0 mm/slub.c:2619
 new_slab mm/slub.c:2673 [inline]
 ___slab_alloc+0xbfc/0x1480 mm/slub.c:3859
 __slab_alloc mm/slub.c:3949 [inline]
 __slab_alloc_node mm/slub.c:4024 [inline]
 slab_alloc_node mm/slub.c:4185 [inline]
 kmem_cache_alloc_lru_noprof+0x288/0x3d0 mm/slub.c:4216
 __d_alloc+0x31/0x6f0 fs/dcache.c:1690
 d_alloc fs/dcache.c:1769 [inline]
 d_alloc_parallel+0xe0/0x14e0 fs/dcache.c:2533
 lookup_open fs/namei.c:3639 [inline]
 open_last_lookups fs/namei.c:3816 [inline]
 path_openat+0xa3b/0x3830 fs/namei.c:4052
 do_filp_open+0x1fa/0x410 fs/namei.c:4082
 do_sys_openat2+0x121/0x1c0 fs/open.c:1437
 do_sys_open fs/open.c:1452 [inline]
 __do_sys_openat fs/open.c:1468 [inline]
 __se_sys_openat fs/open.c:1463 [inline]
 __x64_sys_openat+0x138/0x170 fs/open.c:1463
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page_owner free stack trace missing

Memory state around the buggy address:
 ffff888042a47a00: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fa fb
 ffff888042a47a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888042a47b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff888042a47b80: fb fb fb fb fb fc fc fc fc fc fc fc fc 00 00 00
 ffff888042a47c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================


Tested on:

commit:         f9af7b5d Merge tag 'for-linus' of git://git.kernel.org..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=174640a2580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=8adfe52da0de2761
dashboard link: https://syzkaller.appspot.com/bug?extid=d6ccd49ae046542a0641
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch:          https://syzkaller.appspot.com/x/patch.diff?x=151a40a2580000

Re: [syzbot] [fs?] [wireless?] general protection fault in simple_recursive_removal (5)

[Hillf Danton]

> Date: Wed, 23 Jul 2025 10:19:28 -0700	[thread overview]
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    89be9a83ccf1 Linux 6.16-rc7
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=11b42fd4580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=8adfe52da0de2761
> dashboard link: https://syzkaller.appspot.com/bug?extid=d6ccd49ae046542a0641
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=134baf22580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16d5a4f0580000

#syz test

--- x/net/mac80211/debugfs_sta.c
+++ y/net/mac80211/debugfs_sta.c
@@ -1276,6 +1276,12 @@ void ieee80211_sta_debugfs_add(struct st
 
 void ieee80211_sta_debugfs_remove(struct sta_info *sta)
 {
+	struct dentry *stations_dir = sta->sdata->debugfs.subdir_stations;
+
+	if (!stations_dir)
+		return;
+	if (!sta->debugfs_dir)
+		return;
 	debugfs_remove_recursive(sta->debugfs_dir);
 	sta->debugfs_dir = NULL;
 }
--

Re: [syzbot] [fs?] [wireless?] general protection fault in simple_recursive_removal (5)

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in lockref_get

wlan1: send auth to aa:09:b7:99:c0:d7 (try 2/3)
wlan1: send auth to aa:09:b7:99:c0:d7 (try 3/3)
wlan1: authentication with aa:09:b7:99:c0:d7 timed out
==================================================================
BUG: KASAN: slab-use-after-free in __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
BUG: KASAN: slab-use-after-free in _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
Read of size 1 at addr ffff888042ff76d8 by task kworker/u4:0/12

CPU: 0 UID: 0 PID: 12 Comm: kworker/u4:0 Not tainted 6.16.0-rc7-syzkaller-g25fae0b93d1d-dirty #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: events_unbound cfg80211_wiphy_work
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x230 mm/kasan/report.c:480
 kasan_report+0x118/0x150 mm/kasan/report.c:593
 __kasan_check_byte+0x2a/0x40 mm/kasan/common.c:557
 kasan_check_byte include/linux/kasan.h:399 [inline]
 lock_acquire+0x8d/0x360 kernel/locking/lockdep.c:5845
 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
 _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
 spin_lock include/linux/spinlock.h:351 [inline]
 lockref_get+0x15/0x60 lib/lockref.c:50
 dget include/linux/dcache.h:345 [inline]
 simple_recursive_removal+0x35/0x690 fs/libfs.c:611
 debugfs_remove+0x5b/0x70 fs/debugfs/inode.c:805
 ieee80211_sta_debugfs_remove+0x8e/0xc0 net/mac80211/debugfs_sta.c:1285
 __sta_info_destroy_part2+0x352/0x450 net/mac80211/sta_info.c:1501
 __sta_info_destroy net/mac80211/sta_info.c:1517 [inline]
 sta_info_destroy_addr+0xf5/0x140 net/mac80211/sta_info.c:1529
 ieee80211_destroy_auth_data+0x12d/0x260 net/mac80211/mlme.c:4597
 ieee80211_sta_work+0x11cf/0x3600 net/mac80211/mlme.c:8310
 cfg80211_wiphy_work+0x2df/0x460 net/wireless/core.c:435
 process_one_work kernel/workqueue.c:3238 [inline]
 process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
 kthread+0x70e/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

Allocated by task 5867:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 unpoison_slab_object mm/kasan/common.c:319 [inline]
 __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:345
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4148 [inline]
 slab_alloc_node mm/slub.c:4197 [inline]
 kmem_cache_alloc_lru_noprof+0x1c6/0x3d0 mm/slub.c:4216
 __d_alloc+0x31/0x6f0 fs/dcache.c:1690
 d_alloc fs/dcache.c:1769 [inline]
 d_alloc_parallel+0xe0/0x14e0 fs/dcache.c:2533
 __lookup_slow+0x116/0x3d0 fs/namei.c:1802
 start_creating+0x22e/0x3c0 fs/debugfs/inode.c:391
 debugfs_create_dir+0x28/0x420 fs/debugfs/inode.c:586
 ieee80211_sta_debugfs_add+0x12c/0x850 net/mac80211/debugfs_sta.c:1254
 sta_info_insert_finish net/mac80211/sta_info.c:892 [inline]
 sta_info_insert_rcu+0xfac/0x1940 net/mac80211/sta_info.c:960
 sta_info_insert+0x16/0xc0 net/mac80211/sta_info.c:965
 ieee80211_prep_connection+0x10cd/0x1600 net/mac80211/mlme.c:8854
 ieee80211_mgd_auth+0xee3/0x1770 net/mac80211/mlme.c:9119
 rdev_auth net/wireless/rdev-ops.h:486 [inline]
 cfg80211_mlme_auth+0x632/0x9c0 net/wireless/mlme.c:291
 cfg80211_conn_do_work+0x501/0xd10 net/wireless/sme.c:183
 cfg80211_sme_connect net/wireless/sme.c:626 [inline]
 cfg80211_connect+0x1862/0x21a0 net/wireless/sme.c:1525
 nl80211_connect+0x17bc/0x1cd0 net/wireless/nl80211.c:12303
 genl_family_rcv_msg_doit+0x212/0x300 net/netlink/genetlink.c:1115
 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
 genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210
 netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552
 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
 netlink_unicast+0x759/0x8e0 net/netlink/af_netlink.c:1346
 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896
 sock_sendmsg_nosec net/socket.c:712 [inline]
 __sock_sendmsg+0x21c/0x270 net/socket.c:727
 ____sys_sendmsg+0x505/0x830 net/socket.c:2566
 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2620
 __sys_sendmsg net/socket.c:2652 [inline]
 __do_sys_sendmsg net/socket.c:2657 [inline]
 __se_sys_sendmsg net/socket.c:2655 [inline]
 __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2655
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 15:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2381 [inline]
 slab_free mm/slub.c:4643 [inline]
 kmem_cache_free+0x18f/0x400 mm/slub.c:4745
 rcu_do_batch kernel/rcu/tree.c:2576 [inline]
 rcu_core+0xca5/0x1710 kernel/rcu/tree.c:2832
 handle_softirqs+0x286/0x870 kernel/softirq.c:579
 run_ksoftirqd+0x9b/0x100 kernel/softirq.c:968
 smpboot_thread_fn+0x53f/0xa60 kernel/smpboot.c:164
 kthread+0x70e/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Last potentially related work creation:
 kasan_save_stack+0x3e/0x60 mm/kasan/common.c:47
 kasan_record_aux_stack+0xbd/0xd0 mm/kasan/generic.c:548
 __call_rcu_common kernel/rcu/tree.c:3094 [inline]
 call_rcu+0x157/0x9c0 kernel/rcu/tree.c:3214
 __dentry_kill+0x4d2/0x660 fs/dcache.c:688
 dput+0x19f/0x2b0 fs/dcache.c:911
 find_next_child+0x1e5/0x250 fs/libfs.c:603
 simple_recursive_removal+0xf4/0x690 fs/libfs.c:619
 debugfs_remove+0x5b/0x70 fs/debugfs/inode.c:805
 ieee80211_debugfs_remove_netdev net/mac80211/debugfs_netdev.c:1021 [inline]
 ieee80211_debugfs_recreate_netdev+0xbf/0x1460 net/mac80211/debugfs_netdev.c:1034
 drv_remove_interface+0x1fa/0x590 net/mac80211/driver-ops.c:125
 _ieee80211_change_mac net/mac80211/iface.c:277 [inline]
 ieee80211_change_mac+0x912/0x12c0 net/mac80211/iface.c:309
 netif_set_mac_address+0x2f9/0x4c0 net/core/dev.c:9688
 do_setlink+0x88c/0x41c0 net/core/rtnetlink.c:3093
 rtnl_changelink net/core/rtnetlink.c:3759 [inline]
 __rtnl_newlink net/core/rtnetlink.c:3918 [inline]
 rtnl_newlink+0x160b/0x1c70 net/core/rtnetlink.c:4055
 rtnetlink_rcv_msg+0x7cf/0xb70 net/core/rtnetlink.c:6944
 netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552
 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
 netlink_unicast+0x759/0x8e0 net/netlink/af_netlink.c:1346
 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896
 sock_sendmsg_nosec net/socket.c:712 [inline]
 __sock_sendmsg+0x21c/0x270 net/socket.c:727
 ____sys_sendmsg+0x505/0x830 net/socket.c:2566
 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2620
 __sys_sendmsg net/socket.c:2652 [inline]
 __do_sys_sendmsg net/socket.c:2657 [inline]
 __se_sys_sendmsg net/socket.c:2655 [inline]
 __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2655
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888042ff7608
 which belongs to the cache dentry of size 312
The buggy address is located 208 bytes inside of
 freed 312-byte region [ffff888042ff7608, ffff888042ff7740)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x42ff6
head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff88803440e501
ksm flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 04fff00000000040 ffff888030413780 ffffea00010c1d00 dead000000000003
raw: 0000000000000000 0000000000150015 00000000f5000000 ffff88803440e501
head: 04fff00000000040 ffff888030413780 ffffea00010c1d00 dead000000000003
head: 0000000000000000 0000000000150015 00000000f5000000 ffff88803440e501
head: 04fff00000000001 ffffea00010bfd81 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Reclaimable, gfp_mask 0xd20d0(__GFP_RECLAIMABLE|__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4744, tgid 4744 (udevd), ts 37683151774, free_ts 0
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1704
 prep_new_page mm/page_alloc.c:1712 [inline]
 get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3669
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:4959
 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2419
 alloc_slab_page mm/slub.c:2451 [inline]
 allocate_slab+0x8a/0x3b0 mm/slub.c:2619
 new_slab mm/slub.c:2673 [inline]
 ___slab_alloc+0xbfc/0x1480 mm/slub.c:3859
 __slab_alloc mm/slub.c:3949 [inline]
 __slab_alloc_node mm/slub.c:4024 [inline]
 slab_alloc_node mm/slub.c:4185 [inline]
 kmem_cache_alloc_lru_noprof+0x288/0x3d0 mm/slub.c:4216
 __d_alloc+0x31/0x6f0 fs/dcache.c:1690
 d_alloc fs/dcache.c:1769 [inline]
 d_alloc_parallel+0xe0/0x14e0 fs/dcache.c:2533
 lookup_open fs/namei.c:3639 [inline]
 open_last_lookups fs/namei.c:3816 [inline]
 path_openat+0xa3b/0x3830 fs/namei.c:4052
 do_filp_open+0x1fa/0x410 fs/namei.c:4082
 do_sys_openat2+0x121/0x1c0 fs/open.c:1437
 do_sys_open fs/open.c:1452 [inline]
 __do_sys_openat fs/open.c:1468 [inline]
 __se_sys_openat fs/open.c:1463 [inline]
 __x64_sys_openat+0x138/0x170 fs/open.c:1463
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page_owner free stack trace missing

Memory state around the buggy address:
 ffff888042ff7580: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
 ffff888042ff7600: fc fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888042ff7680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                    ^
 ffff888042ff7700: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff888042ff7780: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit:         25fae0b9 Merge tag 'drm-fixes-2025-07-24' of https://g..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1357dfd4580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=8adfe52da0de2761
dashboard link: https://syzkaller.appspot.com/bug?extid=d6ccd49ae046542a0641
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch:          https://syzkaller.appspot.com/x/patch.diff?x=15c140a2580000

Re: [syzbot] [fs?] [wireless?] general protection fault in simple_recursive_removal (5)

[Hillf Danton]

> Date: Wed, 23 Jul 2025 10:19:28 -0700	[thread overview]
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    89be9a83ccf1 Linux 6.16-rc7
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=11b42fd4580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=8adfe52da0de2761
> dashboard link: https://syzkaller.appspot.com/bug?extid=d6ccd49ae046542a0641
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=134baf22580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16d5a4f0580000

#syz test

--- x/net/mac80211/sta_info.h
+++ y/net/mac80211/sta_info.h
@@ -705,7 +705,7 @@ struct sta_info {
 	struct sta_ampdu_mlme ampdu_mlme;
 
 #ifdef CONFIG_MAC80211_DEBUGFS
-	struct dentry *debugfs_dir;
+	struct dentry *debugfs_dir, *pd;
 #endif
 
 	u8 reserved_tid;
--- x/net/mac80211/debugfs_sta.c
+++ y/net/mac80211/debugfs_sta.c
@@ -1252,6 +1252,7 @@ void ieee80211_sta_debugfs_add(struct st
 	 * dir might still be around.
 	 */
 	sta->debugfs_dir = debugfs_create_dir(mac, stations_dir);
+	sta->pd = stations_dir;
 
 	DEBUGFS_ADD(flags);
 	DEBUGFS_ADD(aid);
@@ -1276,7 +1277,14 @@ void ieee80211_sta_debugfs_add(struct st
 
 void ieee80211_sta_debugfs_remove(struct sta_info *sta)
 {
-	debugfs_remove_recursive(sta->debugfs_dir);
+	struct dentry *stations_dir = sta->sdata->debugfs.subdir_stations;
+
+	if (!sta->debugfs_dir)
+		return;
+	if (!stations_dir)
+		return;
+	if (sta->pd == stations_dir)
+		debugfs_remove_recursive(sta->debugfs_dir);
 	sta->debugfs_dir = NULL;
 }
 
--

Re: [syzbot] [fs?] [wireless?] general protection fault in simple_recursive_removal (5)

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+d6ccd49ae046542a0641@syzkaller.appspotmail.com
Tested-by: syzbot+d6ccd49ae046542a0641@syzkaller.appspotmail.com

Tested on:

commit:         25fae0b9 Merge tag 'drm-fixes-2025-07-24' of https://g..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10f13fd4580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=8adfe52da0de2761
dashboard link: https://syzkaller.appspot.com/bug?extid=d6ccd49ae046542a0641
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch:          https://syzkaller.appspot.com/x/patch.diff?x=12e13fd4580000

Note: testing is done by a robot and is best-effort only.