Re: [PATCH wireless-next] wifi: mac80211: fix use-after-free risk in sta debugfs removal
From: Johannes Berg
Date: Thu Jul 24 2025 - 03:18:52 EST
On Thu, 2025-07-24 at 00:15 -0700, Moon Hee Lee wrote:
> A NULL pointer dereference may occur in ieee80211_sta_debugfs_remove()
> when debugfs_remove_recursive() is called on a dentry whose inode has
> already been freed. This can happen due to a race between STA teardown
> and debugfs cleanup.
>
> Fix this by checking that both sta->debugfs_dir and its d_inode are
> valid before invoking debugfs_remove_recursive().
>
> This avoids the crash reported in syzbot bug:
Maybe so, but it really looks like a bandaid?! Why are we trying to
remove it twice in the first place?
johannes
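The two positions in this exchange, the patch's "check d_inode before removing" guard and Johannes's "why remove twice at all", differ in where the fix lives. The following added example (not code from mac80211, debugfs, the patch, or its author; every name in it is a hypothetical stand-in) models a STA-like owner whose debugfs directory is torn down along two paths. It runs each removal style twice, as the racing paths would, and classifies the outcome: a second remove on a freed dentry, a guard that avoids the second remove only by reading the freed dentry's d_inode, or a remove that clears the owner's pointer so the second call is a no-op. Freed dentries go on a quarantine list so the use after free is detected deterministically instead of being undefined behaviour.

```c
/* Added example, not mac80211 or debugfs code. Toy model of the double
 * removal discussed in the thread; all names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

struct toy_inode  { int dummy; };
struct toy_dentry { struct toy_inode *d_inode; };

/* Freed dentries are quarantined (not returned to malloc) so a later
 * touch can be recognised instead of being undefined behaviour. */
#define QUARANTINE 16
static struct toy_dentry *quarantine[QUARANTINE];
static int nquarantine;
static int uaf_reads;            /* reads made through a freed dentry */

static bool dentry_freed(const struct toy_dentry *d)
{
	for (int i = 0; i < nquarantine; i++)
		if (quarantine[i] == d)
			return true;
	return false;
}

static void reset_model(void)
{
	for (int i = 0; i < nquarantine; i++)
		free(quarantine[i]);
	nquarantine = 0;
	uaf_reads = 0;
}

static struct toy_dentry *toy_debugfs_create_dir(void)
{
	struct toy_dentry *d = calloc(1, sizeof *d);
	if (!d)
		abort();
	d->d_inode = calloc(1, sizeof *d->d_inode);
	if (!d->d_inode)
		abort();
	return d;
}

/* Stand-in for debugfs_remove_recursive(): NULL is a no-op, a live dentry
 * is torn down, a freed dentry is a use after free (returns -1 where the
 * kernel would crash). d_inode is cleared to mimic the memory being reused. */
static int toy_debugfs_remove(struct toy_dentry *d)
{
	if (!d)
		return 0;
	if (dentry_freed(d))
		return -1;
	free(d->d_inode);
	d->d_inode = NULL;
	if (nquarantine == QUARANTINE)
		abort();
	quarantine[nquarantine++] = d;
	return 0;
}

/* The read the patch's guard performs; counted when the dentry is
 * already freed, because that read is itself a use after free. */
static struct toy_inode *toy_d_inode(struct toy_dentry *d)
{
	if (dentry_freed(d))
		uaf_reads++;
	return d->d_inode;
}

struct toy_sta { struct toy_dentry *debugfs_dir; };

/* (a) remove but leave sta->debugfs_dir dangling */
static int remove_dangling(struct toy_sta *sta)
{
	return toy_debugfs_remove(sta->debugfs_dir);
}

/* (b) the patch's guard: skips the second remove, but only by reading
 *     d_inode out of freed memory */
static int remove_with_inode_check(struct toy_sta *sta)
{
	if (sta->debugfs_dir && toy_d_inode(sta->debugfs_dir))
		return toy_debugfs_remove(sta->debugfs_dir);
	return 0;
}

/* (c) remove once and drop the reference: the second call is a NULL no-op */
static int remove_once(struct toy_sta *sta)
{
	int ret = toy_debugfs_remove(sta->debugfs_dir);

	sta->debugfs_dir = NULL;
	return ret;
}

/* Call fn twice, as the two racing teardown paths would.
 * Returns -1 for a double remove, 1 for a read of freed memory, 0 if clean. */
static int run_twice(int (*fn)(struct toy_sta *))
{
	struct toy_sta sta;
	int ret = 0;

	reset_model();
	sta.debugfs_dir = toy_debugfs_create_dir();
	if (fn(&sta) < 0 || fn(&sta) < 0)
		ret = -1;
	else if (uaf_reads)
		ret = 1;
	if (sta.debugfs_dir && !dentry_freed(sta.debugfs_dir))
		toy_debugfs_remove(sta.debugfs_dir);
	return ret;
}

int main(void)
{
	printf("dangling pointer:    %d\n", run_twice(remove_dangling));
	printf("d_inode guard:       %d\n", run_twice(remove_with_inode_check));
	printf("clear after remove:  %d\n", run_twice(remove_once));
	return 0;
}
```

The model only says what the guard can and cannot do: it stops the second debugfs_remove_recursive() but its own `sta->debugfs_dir->d_inode` dereference still touches memory that is no longer owned, so with a poisoning allocator or a reused allocation the check can crash or pass spuriously. Variant (c) relies on debugfs_remove() being a no-op for a NULL dentry, which is its documented behaviour; it still leaves the question Johannes raises, which is why two paths reach the removal at all, and in the kernel clearing the pointer would also have to be ordered against the other path.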