From: greearb@candelatech.com
To: linux-wireless@vger.kernel.org
Cc: Ben Greear <greearb@candelatech.com>
Subject: [PATCH wireless-next 10/28] wifi: mac80211: Ensure sta debugfs is not double-freed.
Date: Wed, 11 Mar 2026 16:07:12 -0700 [thread overview]
Message-ID: <20260311230730.163348-11-greearb@candelatech.com> (raw)
In-Reply-To: <20260311230730.163348-1-greearb@candelatech.com>
From: Ben Greear <greearb@candelatech.com>
I saw an instance where use-after-free was found when attempting to
delete sta's debugfs. Add check to netdev debugfs free logic to ensure
any sta's that still exist have nulled out debugfs entries since
netdev is going to do a recursive debugfs delete.
Signed-off-by: Ben Greear <greearb@candelatech.com>
---
net/mac80211/debugfs_netdev.c | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/net/mac80211/debugfs_netdev.c b/net/mac80211/debugfs_netdev.c
index 000859b8c005..2e4bc34e6c5c 100644
--- a/net/mac80211/debugfs_netdev.c
+++ b/net/mac80211/debugfs_netdev.c
@@ -1063,6 +1063,8 @@ ieee80211_debugfs_clear_link_ptr(struct ieee80211_sub_if_data *sdata,
void ieee80211_debugfs_remove_netdev(struct ieee80211_sub_if_data *sdata)
{
struct ieee80211_link_data *link;
+ struct rhashtable_iter hti;
+ struct sta_info *sta;
struct dentry *dir;
int i;
@@ -1083,6 +1085,28 @@ void ieee80211_debugfs_remove_netdev(struct ieee80211_sub_if_data *sdata)
link->debugfs_dir = NULL;
}
+
+ /* And, same for all stations. See ieee80211_sta_debugfs_add where
+ * they are added to the sdata->debugfs.subdir_stations directory
+ */
+ rhashtable_walk_enter(&sdata->local->sta_hash.ht, &hti);
+ rhashtable_walk_start(&hti);
+
+ while ((sta = rhashtable_walk_next(&hti))) {
+ if (IS_ERR(sta)) {
+ if (PTR_ERR(sta) != -EAGAIN)
+ break;
+ continue;
+ }
+ if (sta->sdata != sdata)
+ continue;
+
+ sta->debugfs_dir = NULL;
+ }
+
+ rhashtable_walk_stop(&hti);
+ rhashtable_walk_exit(&hti);
+
rcu_read_unlock();
dir = sdata->vif.debugfs_dir;
--
2.42.0
next prev parent reply other threads:[~2026-03-11 23:07 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-11 23:07 [PATCH wireless-next 00/28] iwlwifi + mac80211 stability greearb
2026-03-11 23:07 ` [PATCH wireless-next 01/28] wifi: iwlwifi: mld: Check for NULL before lookup greearb
2026-03-11 23:07 ` [PATCH wireless-next 02/28] wifi: iwlwifi: mld: Fix un-set return value in error case greearb
2026-03-11 23:07 ` [PATCH wireless-next 03/28] wifi: iwlwifi: mld: Add check for null vif in stats callback greearb
2026-03-11 23:07 ` [PATCH wireless-next 04/28] wifi: mac80211: Check debugfs creation return values greearb
2026-03-11 23:07 ` [PATCH wireless-next 05/28] wifi: mac80211: do not fail taking sta to lower state greearb
2026-03-11 23:07 ` [PATCH wireless-next 06/28] wifi: mac80211: Mark sta as uploaded if single transition succeeds greearb
2026-03-11 23:07 ` [PATCH wireless-next 07/28] wifi: mac80211: Fix use-after-free of debugfs inodes greearb
2026-03-11 23:07 ` [PATCH wireless-next 08/28] wifi: mac80211: Debugfs safety checks greearb
2026-03-11 23:07 ` [PATCH wireless-next 09/28] wifi: mac80211: Use warn-on-once in drv_remove_chanctxt greearb
2026-03-11 23:07 ` greearb [this message]
2026-03-11 23:07 ` [PATCH wireless-next 11/28] wifi: iwlwifi: mld: Fix stale reference in fw_id_to_link_sta greearb
2026-03-11 23:07 ` [PATCH wireless-next 12/28] wifi: iwlwifi: mld: Improve logging in error cases greearb
2026-03-11 23:07 ` [PATCH wireless-next 13/28] wifi: iwlwifi: mld: Remove warning about BAID greearb
2026-03-11 23:07 ` [PATCH wireless-next 14/28] wifi: mac80211: Add dmesg log regarding warn-on in drv-stop greearb
2026-03-11 23:07 ` [PATCH wireless-next 15/28] wifi: iwlwifi: mld: Fix use-after-free of bss_conf greearb
2026-03-11 23:07 ` [PATCH wireless-next 16/28] wifi: iwlwifi: mld: Check for null in iwl_mld_wait_sta_txqs_empty greearb
2026-03-11 23:07 ` [PATCH wireless-next 17/28] wifi: iwlwifi: mld: use warn-on-once in error path greearb
2026-03-11 23:07 ` [PATCH wireless-next 18/28] wifi: iwlwifi: mld: Use warn-on-once in emlsr exit logic greearb
2026-03-11 23:07 ` [PATCH wireless-next 19/28] wifi: iwlwifi: mld: Improve error message in rx path greearb
2026-03-11 23:07 ` [PATCH wireless-next 20/28] wifi: iwlwifi: mld: Improve logging message greearb
2026-03-11 23:07 ` [PATCH wireless-next 21/28] wifi: iwlwifi: mld: Protect from null mld_sta greearb
2026-03-11 23:07 ` [PATCH wireless-next 22/28] wifi: mac80211: Add force-cleanup call to driver greearb
2026-03-11 23:07 ` [PATCH wireless-next 23/28] wifi: iwlwifi: mld: Support force-cleanup op greearb
2026-03-11 23:07 ` [PATCH wireless-next 24/28] wifi: iwlwifi: mld: Fix NPE in flush logic greearb
2026-03-11 23:07 ` [PATCH wireless-next 25/28] wifi: iwlwifi: mld: Fix bad return address in tx code greearb
2026-03-11 23:07 ` [PATCH wireless-next 26/28] wifi: mac80211: Ensure link work-items are only initialized once greearb
2026-03-11 23:07 ` [PATCH wireless-next 27/28] wifi: iwlwifi: mld: Convert to WARN_ONCE in link removal path greearb
2026-03-11 23:07 ` [PATCH wireless-next 28/28] wifi: mac80211: Decrease WARN spam greearb
2026-03-12 14:25 ` [syzbot ci] Re: iwlwifi + mac80211 stability syzbot ci
2026-03-12 15:25 ` Ben Greear
2026-03-12 17:44 ` Johannes Berg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260311230730.163348-11-greearb@candelatech.com \
--to=greearb@candelatech.com \
--cc=linux-wireless@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox