linux-fsdevel.vger.kernel.org archive mirror
From: "Berg, Benjamin" <benjamin.berg@intel.com>
To: "rafael@kernel.org" <rafael@kernel.org>,
	"gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>,
	"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
	"syzbot+d5dc2801166df6d34774@syzkaller.appspotmail.com"
	<syzbot+d5dc2801166df6d34774@syzkaller.appspotmail.com>,
	"gregory.greenman@intel.com" <gregory.greenman@intel.com>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"Korenblit, Miriam Rachel" <miriam.rachel.korenblit@intel.com>,
	"netdev@vger.kernel.org" <netdev@vger.kernel.org>,
	"hdanton@sina.com" <hdanton@sina.com>,
	"Berg, Johannes" <johannes.berg@intel.com>,
	"syzkaller-bugs@googlegroups.com"
	<syzkaller-bugs@googlegroups.com>
Subject: Re: [syzbot] [fs?] KASAN: slab-use-after-free Read in lockref_get
Date: Wed, 17 Jul 2024 08:31:03 +0000
Message-ID: <b12aebd3b89bc0b96e11fc83d67aa697dffeb99d.camel@intel.com>
In-Reply-To: <000000000000a0f1fd061d5cc101@google.com>

Hi,

we assume in ieee80211_debugfs_recreate_netdev that there are no
stations, as their debugfs entries will be removed but not recreated.

In this case, ieee80211_debugfs_recreate_netdev is called because the
MAC address is changed and we do have a station.

My hunch right now would be that we should prevent changing the MAC
address while we have a valid station on the interface. But we can
also recreate the station entries, and maybe we should do that either
way to ensure we cannot get into this bad state.

Benjamin

On Tue, 2024-07-16 at 05:48 -0700, syzbot wrote:
> syzbot has bisected this issue to:
> 
> commit 0a3d898ee9a8303d5b3982b97ef0703919c3ea76
> Author: Benjamin Berg <benjamin.berg@intel.com>
> Date:   Wed Dec 20 02:38:01 2023 +0000
> 
>     wifi: mac80211: add/remove driver debugfs entries as appropriate
> 
> bisection log: 
> https://syzkaller.appspot.com/x/bisect.txt?x=150e3cf1980000
> start commit:   58f9416d413a Merge branch 'ice-support-to-dump-phy-
> config-..
> git tree:       net-next
> final oops:    
> https://syzkaller.appspot.com/x/report.txt?x=170e3cf1980000
> console output:
> https://syzkaller.appspot.com/x/log.txt?x=130e3cf1980000
> kernel config: 
> https://syzkaller.appspot.com/x/.config?x=db697e01efa9d1d7
> dashboard link:
> https://syzkaller.appspot.com/bug?extid=d5dc2801166df6d34774
> syz repro:     
> https://syzkaller.appspot.com/x/repro.syz?x=1658c7dd980000
> C reproducer:  
> https://syzkaller.appspot.com/x/repro.c?x=16ed24b5980000
> 
> Reported-by: syzbot+d5dc2801166df6d34774@syzkaller.appspotmail.com
> Fixes: 0a3d898ee9a8 ("wifi: mac80211: add/remove driver debugfs
> entries as appropriate")
> 
> For information about bisection process see:
> https://goo.gl/tpsmEJ#bisection

