public inbox for linux-wireless@vger.kernel.org
From: greearb@candelatech.com
To: linux-wireless@vger.kernel.org
Cc: Ben Greear <greearb@candelatech.com>
Subject: [PATCH wireless-next v2 10/28] wifi: mac80211: Ensure sta debugfs is not double-freed.
Date: Thu, 12 Mar 2026 10:00:08 -0700
Message-ID: <20260312170026.285494-11-greearb@candelatech.com>
In-Reply-To: <20260312170026.285494-1-greearb@candelatech.com>

From: Ben Greear <greearb@candelatech.com>

I saw an instance where use-after-free was found when attempting to
delete sta's debugfs.  Add check to netdev debugfs free logic to ensure
any sta's that still exist have nulled out debugfs entries since
netdev is going to do a recursive debugfs delete.

Signed-off-by: Ben Greear <greearb@candelatech.com>
---
 net/mac80211/debugfs_netdev.c | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/net/mac80211/debugfs_netdev.c b/net/mac80211/debugfs_netdev.c
index 000859b8c005..2e4bc34e6c5c 100644
--- a/net/mac80211/debugfs_netdev.c
+++ b/net/mac80211/debugfs_netdev.c
@@ -1063,6 +1063,8 @@ ieee80211_debugfs_clear_link_ptr(struct ieee80211_sub_if_data *sdata,
 void ieee80211_debugfs_remove_netdev(struct ieee80211_sub_if_data *sdata)
 {
 	struct ieee80211_link_data *link;
+	struct rhashtable_iter hti;
+	struct sta_info *sta;
 	struct dentry *dir;
 	int i;
 
@@ -1083,6 +1085,28 @@ void ieee80211_debugfs_remove_netdev(struct ieee80211_sub_if_data *sdata)
 
 		link->debugfs_dir = NULL;
 	}
+
+	/* And, same for all stations.  See ieee80211_sta_debugfs_add where
+	 * they are added to the sdata->debugfs.subdir_stations directory
+	 */
+	rhashtable_walk_enter(&sdata->local->sta_hash.ht, &hti);
+	rhashtable_walk_start(&hti);
+
+	while ((sta = rhashtable_walk_next(&hti))) {
+		if (IS_ERR(sta)) {
+			if (PTR_ERR(sta) != -EAGAIN)
+				break;
+			continue;
+		}
+		if (sta->sdata != sdata)
+			continue;
+
+		sta->debugfs_dir = NULL;
+	}
+
+	rhashtable_walk_stop(&hti);
+	rhashtable_walk_exit(&hti);
+
 	rcu_read_unlock();
 
 	dir = sdata->vif.debugfs_dir;
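Review bot: The store `sta->debugfs_dir = NULL` in the new walk loop runs with only the RCU read lock visibly held (the `rcu_read_unlock()` follows the walk), which keeps each `sta` alive but does not by itself serialize this write against a station teardown path that reads the same pointer and removes the dentry. Please say in the comment, or with a lockdep assertion, which lock makes the store safe; without that, a reader cannot tell whether the stale-pointer window is closed or only narrowed. Two smaller points on the same loop: it walks every entry in `sdata->local->sta_hash.ht` and filters with `sta->sdata != sdata`, so a short note on why a full-table walk is acceptable here would help, and the `break` on an error other than `-EAGAIN` silently leaves the remaining stations with their pointers set, which deserves at least a warning. After `-EAGAIN` the walk can revisit entries; that is harmless only because the store is idempotent, and the comment could say so.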
-- 
2.42.0

