[syzbot] [fs?] [wireless?] general protection fault in simple_recursive_removal (5)
61 views
Skip to first unread message
syzbot
Jul 23, 2025, 1:19:31 PMJul 23
to da...@kernel.org, gre...@linuxfoundation.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linux-w...@vger.kernel.org, net...@vger.kernel.org, raf...@kernel.org, syzkall...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 89be9a83ccf1 Linux 6.16-rc7
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11b42fd4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=8adfe52da0de2761
dashboard link: https://syzkaller.appspot.com/bug?extid=d6ccd49ae046542a0641
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=134baf22580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16d5a4f0580000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-89be9a83.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/a3f5f507f252/vmlinux-89be9a83.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a8f9b92c57a6/bzImage-89be9a83.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d6ccd4...@syzkaller.appspotmail.com
wlan1: send auth to aa:09:b7:99:c0:d7 (try 2/3)
wlan1: send auth to aa:09:b7:99:c0:d7 (try 3/3)
wlan1: authentication with aa:09:b7:99:c0:d7 timed out
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000029: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000148-0x000000000000014f]
CPU: 0 UID: 0 PID: 171 Comm: kworker/u4:4 Not tainted 6.16.0-rc7-syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: events_unbound cfg80211_wiphy_work
RIP: 0010:kasan_byte_accessible+0x12/0x30 mm/kasan/generic.c:199
Code: 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 48 c1 ef 03 48 b8 00 00 00 00 00 fc ff df <0f> b6 04 07 3c 08 0f 92 c0 c3 cc cc cc cc cc 66 66 66 66 66 66 2e
RSP: 0018:ffffc90001977400 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffffffff8b713286 RCX: ca5c1933e35f3700
RDX: 0000000000000000 RSI: ffffffff8b713286 RDI: 0000000000000029
RBP: ffffffff824067f0 R08: 0000000000000001 R09: 0000000000000000
R10: dffffc0000000000 R11: ffffed10085cf24c R12: 0000000000000000
R13: 0000000000000148 R14: 0000000000000148 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff88808d218000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2f55ffff CR3: 000000005030a000 CR4: 0000000000352ef0
Call Trace:
<TASK>
__kasan_check_byte+0x12/0x40 mm/kasan/common.c:556
kasan_check_byte include/linux/kasan.h:399 [inline]
lock_acquire+0x8d/0x360 kernel/locking/lockdep.c:5845
down_write+0x96/0x1f0 kernel/locking/rwsem.c:1577
inode_lock include/linux/fs.h:869 [inline]
simple_recursive_removal+0x90/0x690 fs/libfs.c:616
debugfs_remove+0x5b/0x70 fs/debugfs/inode.c:805
ieee80211_sta_debugfs_remove+0x40/0x70 net/mac80211/debugfs_sta.c:1279
__sta_info_destroy_part2+0x352/0x450 net/mac80211/sta_info.c:1501
__sta_info_destroy net/mac80211/sta_info.c:1517 [inline]
sta_info_destroy_addr+0xf5/0x140 net/mac80211/sta_info.c:1529
ieee80211_destroy_auth_data+0x12d/0x260 net/mac80211/mlme.c:4597
ieee80211_sta_work+0x11cf/0x3600 net/mac80211/mlme.c:8310
cfg80211_wiphy_work+0x2df/0x460 net/wireless/core.c:435
process_one_work kernel/workqueue.c:3238 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
kthread+0x70e/0x8a0 kernel/kthread.c:464
ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:kasan_byte_accessible+0x12/0x30 mm/kasan/generic.c:199
Code: 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 48 c1 ef 03 48 b8 00 00 00 00 00 fc ff df <0f> b6 04 07 3c 08 0f 92 c0 c3 cc cc cc cc cc 66 66 66 66 66 66 2e
RSP: 0018:ffffc90001977400 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffffffff8b713286 RCX: ca5c1933e35f3700
RDX: 0000000000000000 RSI: ffffffff8b713286 RDI: 0000000000000029
RBP: ffffffff824067f0 R08: 0000000000000001 R09: 0000000000000000
R10: dffffc0000000000 R11: ffffed10085cf24c R12: 0000000000000000
R13: 0000000000000148 R14: 0000000000000148 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff88808d218000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2f55ffff CR3: 0000000011601000 CR4: 0000000000352ef0
----------------
Code disassembly (best guess):
0: 0f 1f 84 00 00 00 00 nopl 0x0(%rax,%rax,1)
7: 00
8: 90 nop
9: 90 nop
a: 90 nop
b: 90 nop
c: 90 nop
d: 90 nop
e: 90 nop
f: 90 nop
10: 90 nop
11: 90 nop
12: 90 nop
13: 90 nop
14: 90 nop
15: 90 nop
16: 90 nop
17: 90 nop
18: 66 0f 1f 00 nopw (%rax)
1c: 48 c1 ef 03 shr $0x3,%rdi
20: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
27: fc ff df
* 2a: 0f b6 04 07 movzbl (%rdi,%rax,1),%eax <-- trapping instruction
2e: 3c 08 cmp $0x8,%al
30: 0f 92 c0 setb %al
33: c3 ret
34: cc int3
35: cc int3
36: cc int3
37: cc int3
38: cc int3
39: 66 data16
3a: 66 data16
3b: 66 data16
3c: 66 data16
3d: 66 data16
3e: 66 data16
3f: 2e cs
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 89be9a83ccf1 Linux 6.16-rc7
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11b42fd4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=8adfe52da0de2761
dashboard link: https://syzkaller.appspot.com/bug?extid=d6ccd49ae046542a0641
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=134baf22580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16d5a4f0580000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-89be9a83.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/a3f5f507f252/vmlinux-89be9a83.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a8f9b92c57a6/bzImage-89be9a83.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d6ccd4...@syzkaller.appspotmail.com
wlan1: send auth to aa:09:b7:99:c0:d7 (try 2/3)
wlan1: send auth to aa:09:b7:99:c0:d7 (try 3/3)
wlan1: authentication with aa:09:b7:99:c0:d7 timed out
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000029: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000148-0x000000000000014f]
CPU: 0 UID: 0 PID: 171 Comm: kworker/u4:4 Not tainted 6.16.0-rc7-syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: events_unbound cfg80211_wiphy_work
RIP: 0010:kasan_byte_accessible+0x12/0x30 mm/kasan/generic.c:199
Code: 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 48 c1 ef 03 48 b8 00 00 00 00 00 fc ff df <0f> b6 04 07 3c 08 0f 92 c0 c3 cc cc cc cc cc 66 66 66 66 66 66 2e
RSP: 0018:ffffc90001977400 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffffffff8b713286 RCX: ca5c1933e35f3700
RDX: 0000000000000000 RSI: ffffffff8b713286 RDI: 0000000000000029
RBP: ffffffff824067f0 R08: 0000000000000001 R09: 0000000000000000
R10: dffffc0000000000 R11: ffffed10085cf24c R12: 0000000000000000
R13: 0000000000000148 R14: 0000000000000148 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff88808d218000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2f55ffff CR3: 000000005030a000 CR4: 0000000000352ef0
Call Trace:
<TASK>
__kasan_check_byte+0x12/0x40 mm/kasan/common.c:556
kasan_check_byte include/linux/kasan.h:399 [inline]
lock_acquire+0x8d/0x360 kernel/locking/lockdep.c:5845
down_write+0x96/0x1f0 kernel/locking/rwsem.c:1577
inode_lock include/linux/fs.h:869 [inline]
simple_recursive_removal+0x90/0x690 fs/libfs.c:616
debugfs_remove+0x5b/0x70 fs/debugfs/inode.c:805
ieee80211_sta_debugfs_remove+0x40/0x70 net/mac80211/debugfs_sta.c:1279
__sta_info_destroy_part2+0x352/0x450 net/mac80211/sta_info.c:1501
__sta_info_destroy net/mac80211/sta_info.c:1517 [inline]
sta_info_destroy_addr+0xf5/0x140 net/mac80211/sta_info.c:1529
ieee80211_destroy_auth_data+0x12d/0x260 net/mac80211/mlme.c:4597
ieee80211_sta_work+0x11cf/0x3600 net/mac80211/mlme.c:8310
cfg80211_wiphy_work+0x2df/0x460 net/wireless/core.c:435
process_one_work kernel/workqueue.c:3238 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
kthread+0x70e/0x8a0 kernel/kthread.c:464
ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:kasan_byte_accessible+0x12/0x30 mm/kasan/generic.c:199
Code: 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 48 c1 ef 03 48 b8 00 00 00 00 00 fc ff df <0f> b6 04 07 3c 08 0f 92 c0 c3 cc cc cc cc cc 66 66 66 66 66 66 2e
RSP: 0018:ffffc90001977400 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffffffff8b713286 RCX: ca5c1933e35f3700
RDX: 0000000000000000 RSI: ffffffff8b713286 RDI: 0000000000000029
RBP: ffffffff824067f0 R08: 0000000000000001 R09: 0000000000000000
R10: dffffc0000000000 R11: ffffed10085cf24c R12: 0000000000000000
R13: 0000000000000148 R14: 0000000000000148 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff88808d218000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2f55ffff CR3: 0000000011601000 CR4: 0000000000352ef0
----------------
Code disassembly (best guess):
0: 0f 1f 84 00 00 00 00 nopl 0x0(%rax,%rax,1)
7: 00
8: 90 nop
9: 90 nop
a: 90 nop
b: 90 nop
c: 90 nop
d: 90 nop
e: 90 nop
f: 90 nop
10: 90 nop
11: 90 nop
12: 90 nop
13: 90 nop
14: 90 nop
15: 90 nop
16: 90 nop
17: 90 nop
18: 66 0f 1f 00 nopw (%rax)
1c: 48 c1 ef 03 shr $0x3,%rdi
20: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
27: fc ff df
* 2a: 0f b6 04 07 movzbl (%rdi,%rax,1),%eax <-- trapping instruction
2e: 3c 08 cmp $0x8,%al
30: 0f 92 c0 setb %al
33: c3 ret
34: cc int3
35: cc int3
36: cc int3
37: cc int3
38: cc int3
39: 66 data16
3a: 66 data16
3b: 66 data16
3c: 66 data16
3d: 66 data16
3e: 66 data16
3f: 2e cs
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Hillf Danton
Jul 23, 2025, 10:23:11 PMJul 23
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
> Date: Wed, 23 Jul 2025 10:19:28 -0700 [thread overview]
--- x/net/mac80211/debugfs_sta.c
+++ y/net/mac80211/debugfs_sta.c
@@ -1276,6 +1276,8 @@ void ieee80211_sta_debugfs_add(struct st
void ieee80211_sta_debugfs_remove(struct sta_info *sta)
{
+ if (!sta->debugfs_dir)
+ return;
debugfs_remove_recursive(sta->debugfs_dir);
sta->debugfs_dir = NULL;
}
--
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 89be9a83ccf1 Linux 6.16-rc7
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=11b42fd4580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=8adfe52da0de2761
> dashboard link: https://syzkaller.appspot.com/bug?extid=d6ccd49ae046542a0641
>
> syzbot found the following issue on:
>
> HEAD commit: 89be9a83ccf1 Linux 6.16-rc7
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=11b42fd4580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=8adfe52da0de2761
> dashboard link: https://syzkaller.appspot.com/bug?extid=d6ccd49ae046542a0641
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=134baf22580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16d5a4f0580000
#syz test
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16d5a4f0580000
--- x/net/mac80211/debugfs_sta.c
+++ y/net/mac80211/debugfs_sta.c
@@ -1276,6 +1276,8 @@ void ieee80211_sta_debugfs_add(struct st
void ieee80211_sta_debugfs_remove(struct sta_info *sta)
{
+ if (!sta->debugfs_dir)
+ return;
debugfs_remove_recursive(sta->debugfs_dir);
sta->debugfs_dir = NULL;
}
--
syzbot
Jul 23, 2025, 10:40:04 PMJul 23
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in lockref_get
wlan1: send auth to aa:09:b7:99:c0:d7 (try 2/3)
wlan1: send auth to aa:09:b7:99:c0:d7 (try 3/3)
wlan1: authentication with aa:09:b7:99:c0:d7 timed out
==================================================================
BUG: KASAN: slab-use-after-free in __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
BUG: KASAN: slab-use-after-free in _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
Read of size 1 at addr ffff888042a47b40 by task kworker/u4:4/169
CPU: 0 UID: 0 PID: 169 Comm: kworker/u4:4 Not tainted 6.16.0-rc7-syzkaller-gf9af7b5d9349-dirty #0 PREEMPT(full)
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x230 mm/kasan/report.c:480
kasan_report+0x118/0x150 mm/kasan/report.c:593
__kasan_check_byte+0x2a/0x40 mm/kasan/common.c:557
_raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:351 [inline]
lockref_get+0x15/0x60 lib/lockref.c:50
dget include/linux/dcache.h:345 [inline]
simple_recursive_removal+0x35/0x690 fs/libfs.c:611
debugfs_remove+0x5b/0x70 fs/debugfs/inode.c:805
ieee80211_sta_debugfs_remove+0x4f/0x80 net/mac80211/debugfs_sta.c:1281
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
unpoison_slab_object mm/kasan/common.c:319 [inline]
__kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:345
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4148 [inline]
slab_alloc_node mm/slub.c:4197 [inline]
kmem_cache_alloc_lru_noprof+0x1c6/0x3d0 mm/slub.c:4216
__d_alloc+0x31/0x6f0 fs/dcache.c:1690
d_alloc fs/dcache.c:1769 [inline]
d_alloc_parallel+0xe0/0x14e0 fs/dcache.c:2533
__lookup_slow+0x116/0x3d0 fs/namei.c:1802
start_creating+0x22e/0x3c0 fs/debugfs/inode.c:391
debugfs_create_dir+0x28/0x420 fs/debugfs/inode.c:586
ieee80211_sta_debugfs_add+0x12c/0x850 net/mac80211/debugfs_sta.c:1254
sta_info_insert_finish net/mac80211/sta_info.c:892 [inline]
sta_info_insert_rcu+0xfac/0x1940 net/mac80211/sta_info.c:960
sta_info_insert+0x16/0xc0 net/mac80211/sta_info.c:965
ieee80211_prep_connection+0x10cd/0x1600 net/mac80211/mlme.c:8854
ieee80211_mgd_auth+0xee3/0x1770 net/mac80211/mlme.c:9119
rdev_auth net/wireless/rdev-ops.h:486 [inline]
cfg80211_mlme_auth+0x62f/0x9c0 net/wireless/mlme.c:291
cfg80211_conn_do_work+0x501/0xd10 net/wireless/sme.c:183
cfg80211_sme_connect net/wireless/sme.c:626 [inline]
cfg80211_connect+0x1862/0x21a0 net/wireless/sme.c:1525
nl80211_connect+0x17bc/0x1cd0 net/wireless/nl80211.c:12303
genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115
genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210
netlink_rcv_skb+0x205/0x470 net/netlink/af_netlink.c:2552
genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
netlink_unicast+0x75c/0x8e0 net/netlink/af_netlink.c:1346
netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896
sock_sendmsg_nosec net/socket.c:712 [inline]
__sock_sendmsg+0x219/0x270 net/socket.c:727
____sys_sendmsg+0x505/0x830 net/socket.c:2566
___sys_sendmsg+0x21f/0x2a0 net/socket.c:2620
__sys_sendmsg net/socket.c:2652 [inline]
__do_sys_sendmsg net/socket.c:2657 [inline]
__se_sys_sendmsg net/socket.c:2655 [inline]
__x64_sys_sendmsg+0x19b/0x260 net/socket.c:2655
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 15:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x62/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2381 [inline]
slab_free mm/slub.c:4643 [inline]
kmem_cache_free+0x18f/0x400 mm/slub.c:4745
rcu_do_batch kernel/rcu/tree.c:2576 [inline]
rcu_core+0xca5/0x1710 kernel/rcu/tree.c:2832
handle_softirqs+0x286/0x870 kernel/softirq.c:579
run_ksoftirqd+0x9b/0x100 kernel/softirq.c:968
smpboot_thread_fn+0x53f/0xa60 kernel/smpboot.c:164
kasan_save_stack+0x3e/0x60 mm/kasan/common.c:47
kasan_record_aux_stack+0xbd/0xd0 mm/kasan/generic.c:548
__call_rcu_common kernel/rcu/tree.c:3094 [inline]
call_rcu+0x157/0x9c0 kernel/rcu/tree.c:3214
__dentry_kill+0x4d2/0x660 fs/dcache.c:688
dput+0x19f/0x2b0 fs/dcache.c:911
find_next_child+0x1e5/0x250 fs/libfs.c:603
simple_recursive_removal+0xf4/0x690 fs/libfs.c:619
debugfs_remove+0x5b/0x70 fs/debugfs/inode.c:805
ieee80211_debugfs_remove_netdev net/mac80211/debugfs_netdev.c:1021 [inline]
ieee80211_debugfs_recreate_netdev+0xbf/0x1460 net/mac80211/debugfs_netdev.c:1034
drv_remove_interface+0x1fa/0x590 net/mac80211/driver-ops.c:125
_ieee80211_change_mac net/mac80211/iface.c:277 [inline]
ieee80211_change_mac+0x912/0x12c0 net/mac80211/iface.c:309
netif_set_mac_address+0x2fc/0x4c0 net/core/dev.c:9688
do_setlink+0x88c/0x41c0 net/core/rtnetlink.c:3093
rtnl_changelink net/core/rtnetlink.c:3759 [inline]
__rtnl_newlink net/core/rtnetlink.c:3918 [inline]
rtnl_newlink+0x160b/0x1c70 net/core/rtnetlink.c:4055
rtnetlink_rcv_msg+0x7cc/0xb70 net/core/rtnetlink.c:6944
netlink_rcv_skb+0x205/0x470 net/netlink/af_netlink.c:2552
netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
netlink_unicast+0x75c/0x8e0 net/netlink/af_netlink.c:1346
netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896
sock_sendmsg_nosec net/socket.c:712 [inline]
__sock_sendmsg+0x219/0x270 net/socket.c:727
____sys_sendmsg+0x505/0x830 net/socket.c:2566
___sys_sendmsg+0x21f/0x2a0 net/socket.c:2620
__sys_sendmsg net/socket.c:2652 [inline]
__do_sys_sendmsg net/socket.c:2657 [inline]
__se_sys_sendmsg net/socket.c:2655 [inline]
__x64_sys_sendmsg+0x19b/0x260 net/socket.c:2655
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff888042a47a70
which belongs to the cache dentry of size 312
The buggy address is located 208 bytes inside of
freed 312-byte region [ffff888042a47a70, ffff888042a47ba8)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x42a46
head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff88803ff67101
flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 04fff00000000040 ffff88801b6db780 dead000000000100 dead000000000122
raw: 0000000000000000 0000000000150015 00000000f5000000 ffff88803ff67101
head: 04fff00000000040 ffff88801b6db780 dead000000000100 dead000000000122
head: 0000000000000000 0000000000150015 00000000f5000000 ffff88803ff67101
head: 04fff00000000001 ffffea00010a9181 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Reclaimable, gfp_mask 0xd20d0(__GFP_RECLAIMABLE|__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4739, tgid 4739 (udevd), ts 37957937697, free_ts 0
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1704
prep_new_page mm/page_alloc.c:1712 [inline]
get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3669
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:4959
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2419
alloc_slab_page mm/slub.c:2451 [inline]
allocate_slab+0x8a/0x3b0 mm/slub.c:2619
new_slab mm/slub.c:2673 [inline]
___slab_alloc+0xbfc/0x1480 mm/slub.c:3859
__slab_alloc mm/slub.c:3949 [inline]
__slab_alloc_node mm/slub.c:4024 [inline]
slab_alloc_node mm/slub.c:4185 [inline]
kmem_cache_alloc_lru_noprof+0x288/0x3d0 mm/slub.c:4216
__d_alloc+0x31/0x6f0 fs/dcache.c:1690
d_alloc fs/dcache.c:1769 [inline]
d_alloc_parallel+0xe0/0x14e0 fs/dcache.c:2533
lookup_open fs/namei.c:3639 [inline]
open_last_lookups fs/namei.c:3816 [inline]
path_openat+0xa3b/0x3830 fs/namei.c:4052
do_filp_open+0x1fa/0x410 fs/namei.c:4082
do_sys_openat2+0x121/0x1c0 fs/open.c:1437
do_sys_open fs/open.c:1452 [inline]
__do_sys_openat fs/open.c:1468 [inline]
__se_sys_openat fs/open.c:1463 [inline]
__x64_sys_openat+0x138/0x170 fs/open.c:1463
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page_owner free stack trace missing
Memory state around the buggy address:
ffff888042a47a00: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fa fb
ffff888042a47a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888042a47b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888042a47b80: fb fb fb fb fb fc fc fc fc fc fc fc fc 00 00 00
ffff888042a47c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
Tested on:
commit: f9af7b5d Merge tag 'for-linus' of git://git.kernel.org..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=174640a2580000
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in lockref_get
wlan1: send auth to aa:09:b7:99:c0:d7 (try 2/3)
wlan1: send auth to aa:09:b7:99:c0:d7 (try 3/3)
wlan1: authentication with aa:09:b7:99:c0:d7 timed out
BUG: KASAN: slab-use-after-free in __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
BUG: KASAN: slab-use-after-free in _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
Read of size 1 at addr ffff888042a47b40 by task kworker/u4:4/169
CPU: 0 UID: 0 PID: 169 Comm: kworker/u4:4 Not tainted 6.16.0-rc7-syzkaller-gf9af7b5d9349-dirty #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: events_unbound cfg80211_wiphy_work
Call Trace:
Workqueue: events_unbound cfg80211_wiphy_work
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x230 mm/kasan/report.c:480
kasan_report+0x118/0x150 mm/kasan/report.c:593
__kasan_check_byte+0x2a/0x40 mm/kasan/common.c:557
kasan_check_byte include/linux/kasan.h:399 [inline]
lock_acquire+0x8d/0x360 kernel/locking/lockdep.c:5845
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
lock_acquire+0x8d/0x360 kernel/locking/lockdep.c:5845
_raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:351 [inline]
lockref_get+0x15/0x60 lib/lockref.c:50
dget include/linux/dcache.h:345 [inline]
simple_recursive_removal+0x35/0x690 fs/libfs.c:611
debugfs_remove+0x5b/0x70 fs/debugfs/inode.c:805
ieee80211_sta_debugfs_remove+0x4f/0x80 net/mac80211/debugfs_sta.c:1281
__sta_info_destroy_part2+0x352/0x450 net/mac80211/sta_info.c:1501
__sta_info_destroy net/mac80211/sta_info.c:1517 [inline]
sta_info_destroy_addr+0xf5/0x140 net/mac80211/sta_info.c:1529
ieee80211_destroy_auth_data+0x12d/0x260 net/mac80211/mlme.c:4597
ieee80211_sta_work+0x11cf/0x3600 net/mac80211/mlme.c:8310
cfg80211_wiphy_work+0x2dc/0x460 net/wireless/core.c:435
__sta_info_destroy net/mac80211/sta_info.c:1517 [inline]
sta_info_destroy_addr+0xf5/0x140 net/mac80211/sta_info.c:1529
ieee80211_destroy_auth_data+0x12d/0x260 net/mac80211/mlme.c:4597
ieee80211_sta_work+0x11cf/0x3600 net/mac80211/mlme.c:8310
process_one_work kernel/workqueue.c:3238 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
kthread+0x70e/0x8a0 kernel/kthread.c:464
ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Allocated by task 5860:
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
kthread+0x70e/0x8a0 kernel/kthread.c:464
ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
unpoison_slab_object mm/kasan/common.c:319 [inline]
__kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:345
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4148 [inline]
slab_alloc_node mm/slub.c:4197 [inline]
kmem_cache_alloc_lru_noprof+0x1c6/0x3d0 mm/slub.c:4216
__d_alloc+0x31/0x6f0 fs/dcache.c:1690
d_alloc fs/dcache.c:1769 [inline]
d_alloc_parallel+0xe0/0x14e0 fs/dcache.c:2533
__lookup_slow+0x116/0x3d0 fs/namei.c:1802
start_creating+0x22e/0x3c0 fs/debugfs/inode.c:391
debugfs_create_dir+0x28/0x420 fs/debugfs/inode.c:586
ieee80211_sta_debugfs_add+0x12c/0x850 net/mac80211/debugfs_sta.c:1254
sta_info_insert_finish net/mac80211/sta_info.c:892 [inline]
sta_info_insert_rcu+0xfac/0x1940 net/mac80211/sta_info.c:960
sta_info_insert+0x16/0xc0 net/mac80211/sta_info.c:965
ieee80211_prep_connection+0x10cd/0x1600 net/mac80211/mlme.c:8854
ieee80211_mgd_auth+0xee3/0x1770 net/mac80211/mlme.c:9119
rdev_auth net/wireless/rdev-ops.h:486 [inline]
cfg80211_mlme_auth+0x62f/0x9c0 net/wireless/mlme.c:291
cfg80211_conn_do_work+0x501/0xd10 net/wireless/sme.c:183
cfg80211_sme_connect net/wireless/sme.c:626 [inline]
cfg80211_connect+0x1862/0x21a0 net/wireless/sme.c:1525
nl80211_connect+0x17bc/0x1cd0 net/wireless/nl80211.c:12303
genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115
genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210
netlink_rcv_skb+0x205/0x470 net/netlink/af_netlink.c:2552
genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
netlink_unicast+0x75c/0x8e0 net/netlink/af_netlink.c:1346
netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896
sock_sendmsg_nosec net/socket.c:712 [inline]
__sock_sendmsg+0x219/0x270 net/socket.c:727
____sys_sendmsg+0x505/0x830 net/socket.c:2566
___sys_sendmsg+0x21f/0x2a0 net/socket.c:2620
__sys_sendmsg net/socket.c:2652 [inline]
__do_sys_sendmsg net/socket.c:2657 [inline]
__se_sys_sendmsg net/socket.c:2655 [inline]
__x64_sys_sendmsg+0x19b/0x260 net/socket.c:2655
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 15:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x62/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2381 [inline]
slab_free mm/slub.c:4643 [inline]
kmem_cache_free+0x18f/0x400 mm/slub.c:4745
rcu_do_batch kernel/rcu/tree.c:2576 [inline]
rcu_core+0xca5/0x1710 kernel/rcu/tree.c:2832
handle_softirqs+0x286/0x870 kernel/softirq.c:579
run_ksoftirqd+0x9b/0x100 kernel/softirq.c:968
smpboot_thread_fn+0x53f/0xa60 kernel/smpboot.c:164
kthread+0x70e/0x8a0 kernel/kthread.c:464
ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Last potentially related work creation:
ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
kasan_save_stack+0x3e/0x60 mm/kasan/common.c:47
kasan_record_aux_stack+0xbd/0xd0 mm/kasan/generic.c:548
__call_rcu_common kernel/rcu/tree.c:3094 [inline]
call_rcu+0x157/0x9c0 kernel/rcu/tree.c:3214
__dentry_kill+0x4d2/0x660 fs/dcache.c:688
dput+0x19f/0x2b0 fs/dcache.c:911
find_next_child+0x1e5/0x250 fs/libfs.c:603
simple_recursive_removal+0xf4/0x690 fs/libfs.c:619
debugfs_remove+0x5b/0x70 fs/debugfs/inode.c:805
ieee80211_debugfs_remove_netdev net/mac80211/debugfs_netdev.c:1021 [inline]
ieee80211_debugfs_recreate_netdev+0xbf/0x1460 net/mac80211/debugfs_netdev.c:1034
drv_remove_interface+0x1fa/0x590 net/mac80211/driver-ops.c:125
_ieee80211_change_mac net/mac80211/iface.c:277 [inline]
ieee80211_change_mac+0x912/0x12c0 net/mac80211/iface.c:309
netif_set_mac_address+0x2fc/0x4c0 net/core/dev.c:9688
do_setlink+0x88c/0x41c0 net/core/rtnetlink.c:3093
rtnl_changelink net/core/rtnetlink.c:3759 [inline]
__rtnl_newlink net/core/rtnetlink.c:3918 [inline]
rtnl_newlink+0x160b/0x1c70 net/core/rtnetlink.c:4055
rtnetlink_rcv_msg+0x7cc/0xb70 net/core/rtnetlink.c:6944
netlink_rcv_skb+0x205/0x470 net/netlink/af_netlink.c:2552
netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
netlink_unicast+0x75c/0x8e0 net/netlink/af_netlink.c:1346
netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896
sock_sendmsg_nosec net/socket.c:712 [inline]
__sock_sendmsg+0x219/0x270 net/socket.c:727
____sys_sendmsg+0x505/0x830 net/socket.c:2566
___sys_sendmsg+0x21f/0x2a0 net/socket.c:2620
__sys_sendmsg net/socket.c:2652 [inline]
__do_sys_sendmsg net/socket.c:2657 [inline]
__se_sys_sendmsg net/socket.c:2655 [inline]
__x64_sys_sendmsg+0x19b/0x260 net/socket.c:2655
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff888042a47a70
which belongs to the cache dentry of size 312
The buggy address is located 208 bytes inside of
freed 312-byte region [ffff888042a47a70, ffff888042a47ba8)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x42a46
head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff88803ff67101
flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 04fff00000000040 ffff88801b6db780 dead000000000100 dead000000000122
raw: 0000000000000000 0000000000150015 00000000f5000000 ffff88803ff67101
head: 04fff00000000040 ffff88801b6db780 dead000000000100 dead000000000122
head: 0000000000000000 0000000000150015 00000000f5000000 ffff88803ff67101
head: 04fff00000000001 ffffea00010a9181 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Reclaimable, gfp_mask 0xd20d0(__GFP_RECLAIMABLE|__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4739, tgid 4739 (udevd), ts 37957937697, free_ts 0
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1704
prep_new_page mm/page_alloc.c:1712 [inline]
get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3669
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:4959
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2419
alloc_slab_page mm/slub.c:2451 [inline]
allocate_slab+0x8a/0x3b0 mm/slub.c:2619
new_slab mm/slub.c:2673 [inline]
___slab_alloc+0xbfc/0x1480 mm/slub.c:3859
__slab_alloc mm/slub.c:3949 [inline]
__slab_alloc_node mm/slub.c:4024 [inline]
slab_alloc_node mm/slub.c:4185 [inline]
kmem_cache_alloc_lru_noprof+0x288/0x3d0 mm/slub.c:4216
__d_alloc+0x31/0x6f0 fs/dcache.c:1690
d_alloc fs/dcache.c:1769 [inline]
d_alloc_parallel+0xe0/0x14e0 fs/dcache.c:2533
lookup_open fs/namei.c:3639 [inline]
open_last_lookups fs/namei.c:3816 [inline]
path_openat+0xa3b/0x3830 fs/namei.c:4052
do_filp_open+0x1fa/0x410 fs/namei.c:4082
do_sys_openat2+0x121/0x1c0 fs/open.c:1437
do_sys_open fs/open.c:1452 [inline]
__do_sys_openat fs/open.c:1468 [inline]
__se_sys_openat fs/open.c:1463 [inline]
__x64_sys_openat+0x138/0x170 fs/open.c:1463
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page_owner free stack trace missing
Memory state around the buggy address:
ffff888042a47a00: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fa fb
ffff888042a47a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888042a47b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888042a47b80: fb fb fb fb fb fc fc fc fc fc fc fc fc 00 00 00
ffff888042a47c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
Tested on:
commit: f9af7b5d Merge tag 'for-linus' of git://git.kernel.org..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=174640a2580000
kernel config: https://syzkaller.appspot.com/x/.config?x=8adfe52da0de2761
dashboard link: https://syzkaller.appspot.com/bug?extid=d6ccd49ae046542a0641
dashboard link: https://syzkaller.appspot.com/bug?extid=d6ccd49ae046542a0641
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch: https://syzkaller.appspot.com/x/patch.diff?x=151a40a2580000
Hillf Danton
Jul 23, 2025, 11:35:10 PMJul 23
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
> Date: Wed, 23 Jul 2025 10:19:28 -0700 [thread overview]
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 89be9a83ccf1 Linux 6.16-rc7
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=11b42fd4580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=8adfe52da0de2761
> dashboard link: https://syzkaller.appspot.com/bug?extid=d6ccd49ae046542a0641
>
> syzbot found the following issue on:
>
> HEAD commit: 89be9a83ccf1 Linux 6.16-rc7
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=11b42fd4580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=8adfe52da0de2761
> dashboard link: https://syzkaller.appspot.com/bug?extid=d6ccd49ae046542a0641
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=134baf22580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16d5a4f0580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16d5a4f0580000
#syz test
--- x/net/mac80211/debugfs_sta.c
+++ y/net/mac80211/debugfs_sta.c
@@ -1276,6 +1276,12 @@ void ieee80211_sta_debugfs_add(struct st
--- x/net/mac80211/debugfs_sta.c
+++ y/net/mac80211/debugfs_sta.c
void ieee80211_sta_debugfs_remove(struct sta_info *sta)
{
+ struct dentry *stations_dir = sta->sdata->debugfs.subdir_stations;
+
+ if (!stations_dir)
+ return;
syzbot
Jul 23, 2025, 11:56:04 PMJul 23
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in lockref_get
wlan1: send auth to aa:09:b7:99:c0:d7 (try 2/3)
wlan1: send auth to aa:09:b7:99:c0:d7 (try 3/3)
wlan1: authentication with aa:09:b7:99:c0:d7 timed out
==================================================================
BUG: KASAN: slab-use-after-free in __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
BUG: KASAN: slab-use-after-free in _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
Read of size 1 at addr ffff888042ff76d8 by task kworker/u4:0/12
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in lockref_get
wlan1: send auth to aa:09:b7:99:c0:d7 (try 2/3)
wlan1: send auth to aa:09:b7:99:c0:d7 (try 3/3)
wlan1: authentication with aa:09:b7:99:c0:d7 timed out
==================================================================
BUG: KASAN: slab-use-after-free in __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
BUG: KASAN: slab-use-after-free in _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
CPU: 0 UID: 0 PID: 12 Comm: kworker/u4:0 Not tainted 6.16.0-rc7-syzkaller-g25fae0b93d1d-dirty #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: events_unbound cfg80211_wiphy_work
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x230 mm/kasan/report.c:480
kasan_report+0x118/0x150 mm/kasan/report.c:593
__kasan_check_byte+0x2a/0x40 mm/kasan/common.c:557
kasan_check_byte include/linux/kasan.h:399 [inline]
lock_acquire+0x8d/0x360 kernel/locking/lockdep.c:5845
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:351 [inline]
lockref_get+0x15/0x60 lib/lockref.c:50
dget include/linux/dcache.h:345 [inline]
simple_recursive_removal+0x35/0x690 fs/libfs.c:611
debugfs_remove+0x5b/0x70 fs/debugfs/inode.c:805
ieee80211_sta_debugfs_remove+0x8e/0xc0 net/mac80211/debugfs_sta.c:1285
Workqueue: events_unbound cfg80211_wiphy_work
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x230 mm/kasan/report.c:480
kasan_report+0x118/0x150 mm/kasan/report.c:593
__kasan_check_byte+0x2a/0x40 mm/kasan/common.c:557
kasan_check_byte include/linux/kasan.h:399 [inline]
lock_acquire+0x8d/0x360 kernel/locking/lockdep.c:5845
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:351 [inline]
lockref_get+0x15/0x60 lib/lockref.c:50
dget include/linux/dcache.h:345 [inline]
simple_recursive_removal+0x35/0x690 fs/libfs.c:611
debugfs_remove+0x5b/0x70 fs/debugfs/inode.c:805
__sta_info_destroy_part2+0x352/0x450 net/mac80211/sta_info.c:1501
__sta_info_destroy net/mac80211/sta_info.c:1517 [inline]
sta_info_destroy_addr+0xf5/0x140 net/mac80211/sta_info.c:1529
ieee80211_destroy_auth_data+0x12d/0x260 net/mac80211/mlme.c:4597
ieee80211_sta_work+0x11cf/0x3600 net/mac80211/mlme.c:8310
cfg80211_wiphy_work+0x2df/0x460 net/wireless/core.c:435
__sta_info_destroy net/mac80211/sta_info.c:1517 [inline]
sta_info_destroy_addr+0xf5/0x140 net/mac80211/sta_info.c:1529
ieee80211_destroy_auth_data+0x12d/0x260 net/mac80211/mlme.c:4597
ieee80211_sta_work+0x11cf/0x3600 net/mac80211/mlme.c:8310
process_one_work kernel/workqueue.c:3238 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
kthread+0x70e/0x8a0 kernel/kthread.c:464
ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Allocated by task 5867:
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
kthread+0x70e/0x8a0 kernel/kthread.c:464
ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
unpoison_slab_object mm/kasan/common.c:319 [inline]
__kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:345
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4148 [inline]
slab_alloc_node mm/slub.c:4197 [inline]
kmem_cache_alloc_lru_noprof+0x1c6/0x3d0 mm/slub.c:4216
__d_alloc+0x31/0x6f0 fs/dcache.c:1690
d_alloc fs/dcache.c:1769 [inline]
d_alloc_parallel+0xe0/0x14e0 fs/dcache.c:2533
__lookup_slow+0x116/0x3d0 fs/namei.c:1802
start_creating+0x22e/0x3c0 fs/debugfs/inode.c:391
debugfs_create_dir+0x28/0x420 fs/debugfs/inode.c:586
ieee80211_sta_debugfs_add+0x12c/0x850 net/mac80211/debugfs_sta.c:1254
sta_info_insert_finish net/mac80211/sta_info.c:892 [inline]
sta_info_insert_rcu+0xfac/0x1940 net/mac80211/sta_info.c:960
sta_info_insert+0x16/0xc0 net/mac80211/sta_info.c:965
ieee80211_prep_connection+0x10cd/0x1600 net/mac80211/mlme.c:8854
ieee80211_mgd_auth+0xee3/0x1770 net/mac80211/mlme.c:9119
rdev_auth net/wireless/rdev-ops.h:486 [inline]
cfg80211_mlme_auth+0x632/0x9c0 net/wireless/mlme.c:291
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
unpoison_slab_object mm/kasan/common.c:319 [inline]
__kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:345
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4148 [inline]
slab_alloc_node mm/slub.c:4197 [inline]
kmem_cache_alloc_lru_noprof+0x1c6/0x3d0 mm/slub.c:4216
__d_alloc+0x31/0x6f0 fs/dcache.c:1690
d_alloc fs/dcache.c:1769 [inline]
d_alloc_parallel+0xe0/0x14e0 fs/dcache.c:2533
__lookup_slow+0x116/0x3d0 fs/namei.c:1802
start_creating+0x22e/0x3c0 fs/debugfs/inode.c:391
debugfs_create_dir+0x28/0x420 fs/debugfs/inode.c:586
ieee80211_sta_debugfs_add+0x12c/0x850 net/mac80211/debugfs_sta.c:1254
sta_info_insert_finish net/mac80211/sta_info.c:892 [inline]
sta_info_insert_rcu+0xfac/0x1940 net/mac80211/sta_info.c:960
sta_info_insert+0x16/0xc0 net/mac80211/sta_info.c:965
ieee80211_prep_connection+0x10cd/0x1600 net/mac80211/mlme.c:8854
ieee80211_mgd_auth+0xee3/0x1770 net/mac80211/mlme.c:9119
rdev_auth net/wireless/rdev-ops.h:486 [inline]
cfg80211_conn_do_work+0x501/0xd10 net/wireless/sme.c:183
cfg80211_sme_connect net/wireless/sme.c:626 [inline]
cfg80211_connect+0x1862/0x21a0 net/wireless/sme.c:1525
nl80211_connect+0x17bc/0x1cd0 net/wireless/nl80211.c:12303
genl_family_rcv_msg_doit+0x212/0x300 net/netlink/genetlink.c:1115
cfg80211_sme_connect net/wireless/sme.c:626 [inline]
cfg80211_connect+0x1862/0x21a0 net/wireless/sme.c:1525
nl80211_connect+0x17bc/0x1cd0 net/wireless/nl80211.c:12303
genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210
netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552
genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210
genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
netlink_unicast+0x759/0x8e0 net/netlink/af_netlink.c:1346
netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896
sock_sendmsg_nosec net/socket.c:712 [inline]
__sock_sendmsg+0x21c/0x270 net/socket.c:727
sock_sendmsg_nosec net/socket.c:712 [inline]
do_setlink+0x88c/0x41c0 net/core/rtnetlink.c:3093
rtnl_changelink net/core/rtnetlink.c:3759 [inline]
__rtnl_newlink net/core/rtnetlink.c:3918 [inline]
rtnl_newlink+0x160b/0x1c70 net/core/rtnetlink.c:4055
rtnetlink_rcv_msg+0x7cf/0xb70 net/core/rtnetlink.c:6944
rtnl_changelink net/core/rtnetlink.c:3759 [inline]
__rtnl_newlink net/core/rtnetlink.c:3918 [inline]
rtnl_newlink+0x160b/0x1c70 net/core/rtnetlink.c:4055
netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552
netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
netlink_unicast+0x759/0x8e0 net/netlink/af_netlink.c:1346
netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896
sock_sendmsg_nosec net/socket.c:712 [inline]
__sock_sendmsg+0x21c/0x270 net/socket.c:727
sock_sendmsg_nosec net/socket.c:712 [inline]
____sys_sendmsg+0x505/0x830 net/socket.c:2566
___sys_sendmsg+0x21f/0x2a0 net/socket.c:2620
__sys_sendmsg net/socket.c:2652 [inline]
__do_sys_sendmsg net/socket.c:2657 [inline]
__se_sys_sendmsg net/socket.c:2655 [inline]
__x64_sys_sendmsg+0x19b/0x260 net/socket.c:2655
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff888042ff7608
___sys_sendmsg+0x21f/0x2a0 net/socket.c:2620
__sys_sendmsg net/socket.c:2652 [inline]
__do_sys_sendmsg net/socket.c:2657 [inline]
__se_sys_sendmsg net/socket.c:2655 [inline]
__x64_sys_sendmsg+0x19b/0x260 net/socket.c:2655
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
which belongs to the cache dentry of size 312
The buggy address is located 208 bytes inside of
freed 312-byte region [ffff888042ff7608, ffff888042ff7740)
The buggy address is located 208 bytes inside of
The buggy address belongs to the physical page:
head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff88803440e501
ksm flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 04fff00000000040 ffff888030413780 ffffea00010c1d00 dead000000000003
raw: 0000000000000000 0000000000150015 00000000f5000000 ffff88803440e501
head: 04fff00000000040 ffff888030413780 ffffea00010c1d00 dead000000000003
head: 0000000000000000 0000000000150015 00000000f5000000 ffff88803440e501
head: 04fff00000000001 ffffea00010bfd81 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Reclaimable, gfp_mask 0xd20d0(__GFP_RECLAIMABLE|__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4744, tgid 4744 (udevd), ts 37683151774, free_ts 0
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
ffff888042ff7600: fc fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888042ff7680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888042ff7700: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff888042ff7780: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: 25fae0b9 Merge tag 'drm-fixes-2025-07-24' of https://g..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1357dfd4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=8adfe52da0de2761
dashboard link: https://syzkaller.appspot.com/bug?extid=d6ccd49ae046542a0641
dashboard link: https://syzkaller.appspot.com/bug?extid=d6ccd49ae046542a0641
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch: https://syzkaller.appspot.com/x/patch.diff?x=15c140a2580000
Moon Hee Lee
Jul 24, 2025, 2:08:57 AMJul 24
to syzbot+d6ccd4...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
syzbot
Jul 24, 2025, 2:08:57 AMJul 24
to moonhee...@gmail.com, linux-...@vger.kernel.org, moonhee...@gmail.com, syzkall...@googlegroups.com
> #syz test git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next.git
want either no args or 2 args (repo, branch), got 1
> main
want either no args or 2 args (repo, branch), got 1
> main
syzbot
Jul 24, 2025, 2:17:52 AMJul 24
to moonhee...@gmail.com, linux-...@vger.kernel.org, moonhee...@gmail.com, syzkall...@googlegroups.com
Moon Hee Lee
Jul 24, 2025, 2:42:19 AMJul 24
to syzbot+d6ccd4...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com, Moon Hee Lee
A NULL pointer dereference may occur in ieee80211_sta_debugfs_remove()
when debugfs_remove_recursive() is called on a dentry whose inode has
already been freed. This can happen due to a race between STA teardown
and debugfs cleanup.
Fix this by checking that both sta->debugfs_dir and its d_inode are
valid before invoking debugfs_remove_recursive().
This avoids the crash reported in syzbot bug:
wlan1: send auth to aa:09:b7:99:c0:d7 (try 2/3)
wlan1: send auth to aa:09:b7:99:c0:d7 (try 3/3)
wlan1: authentication with aa:09:b7:99:c0:d7 timed out
net/mac80211/debugfs_sta.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/mac80211/debugfs_sta.c b/net/mac80211/debugfs_sta.c
index 49061bd4151b..912b69abab52 100644
--- a/net/mac80211/debugfs_sta.c
+++ b/net/mac80211/debugfs_sta.c
@@ -1276,7 +1276,8 @@ void ieee80211_sta_debugfs_add(struct sta_info *sta)
void ieee80211_sta_debugfs_remove(struct sta_info *sta)
{
- debugfs_remove_recursive(sta->debugfs_dir);
+ if (sta->debugfs_dir && sta->debugfs_dir->d_inode)
+ debugfs_remove_recursive(sta->debugfs_dir);
when debugfs_remove_recursive() is called on a dentry whose inode has
already been freed. This can happen due to a race between STA teardown
and debugfs cleanup.
Fix this by checking that both sta->debugfs_dir and its d_inode are
valid before invoking debugfs_remove_recursive().
This avoids the crash reported in syzbot bug:
wlan1: send auth to aa:09:b7:99:c0:d7 (try 2/3)
wlan1: send auth to aa:09:b7:99:c0:d7 (try 3/3)
wlan1: authentication with aa:09:b7:99:c0:d7 timed out
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000029: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000148-0x000000000000014f]
CPU: 0 UID: 0 PID: 171 Comm: kworker/u4:4 Not tainted 6.16.0-rc7-syzkaller #0 PREEMPT(full)
KASAN: null-ptr-deref in range [0x0000000000000148-0x000000000000014f]
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: events_unbound cfg80211_wiphy_work
Workqueue: events_unbound cfg80211_wiphy_work
RIP: 0010:kasan_byte_accessible+0x12/0x30 mm/kasan/generic.c:199
Code: 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 48 c1 ef 03 48 b8 00 00 00 00 00 fc ff df <0f> b6 04 07 3c 08 0f 92 c0 c3 cc cc cc cc cc 66 66 66 66 66 66 2e
RSP: 0018:ffffc90001977400 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffffffff8b713286 RCX: ca5c1933e35f3700
RDX: 0000000000000000 RSI: ffffffff8b713286 RDI: 0000000000000029
RBP: ffffffff824067f0 R08: 0000000000000001 R09: 0000000000000000
R10: dffffc0000000000 R11: ffffed10085cf24c R12: 0000000000000000
R13: 0000000000000148 R14: 0000000000000148 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff88808d218000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2f55ffff CR3: 000000005030a000 CR4: 0000000000352ef0
Call Trace:
<TASK>
__kasan_check_byte+0x12/0x40 mm/kasan/common.c:556
Code: 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 48 c1 ef 03 48 b8 00 00 00 00 00 fc ff df <0f> b6 04 07 3c 08 0f 92 c0 c3 cc cc cc cc cc 66 66 66 66 66 66 2e
RSP: 0018:ffffc90001977400 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffffffff8b713286 RCX: ca5c1933e35f3700
RDX: 0000000000000000 RSI: ffffffff8b713286 RDI: 0000000000000029
RBP: ffffffff824067f0 R08: 0000000000000001 R09: 0000000000000000
R10: dffffc0000000000 R11: ffffed10085cf24c R12: 0000000000000000
R13: 0000000000000148 R14: 0000000000000148 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff88808d218000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2f55ffff CR3: 000000005030a000 CR4: 0000000000352ef0
Call Trace:
<TASK>
__kasan_check_byte+0x12/0x40 mm/kasan/common.c:556
kasan_check_byte include/linux/kasan.h:399 [inline]
lock_acquire+0x8d/0x360 kernel/locking/lockdep.c:5845
lock_acquire+0x8d/0x360 kernel/locking/lockdep.c:5845
down_write+0x96/0x1f0 kernel/locking/rwsem.c:1577
inode_lock include/linux/fs.h:869 [inline]
simple_recursive_removal+0x90/0x690 fs/libfs.c:616
debugfs_remove+0x5b/0x70 fs/debugfs/inode.c:805
ieee80211_sta_debugfs_remove+0x40/0x70 net/mac80211/debugfs_sta.c:1279
inode_lock include/linux/fs.h:869 [inline]
simple_recursive_removal+0x90/0x690 fs/libfs.c:616
debugfs_remove+0x5b/0x70 fs/debugfs/inode.c:805
ieee80211_sta_debugfs_remove+0x40/0x70 net/mac80211/debugfs_sta.c:1279
__sta_info_destroy_part2+0x352/0x450 net/mac80211/sta_info.c:1501
__sta_info_destroy net/mac80211/sta_info.c:1517 [inline]
sta_info_destroy_addr+0xf5/0x140 net/mac80211/sta_info.c:1529
ieee80211_destroy_auth_data+0x12d/0x260 net/mac80211/mlme.c:4597
ieee80211_sta_work+0x11cf/0x3600 net/mac80211/mlme.c:8310
cfg80211_wiphy_work+0x2df/0x460 net/wireless/core.c:435
process_one_work kernel/workqueue.c:3238 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
kthread+0x70e/0x8a0 kernel/kthread.c:464
ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
---
__sta_info_destroy net/mac80211/sta_info.c:1517 [inline]
sta_info_destroy_addr+0xf5/0x140 net/mac80211/sta_info.c:1529
ieee80211_destroy_auth_data+0x12d/0x260 net/mac80211/mlme.c:4597
ieee80211_sta_work+0x11cf/0x3600 net/mac80211/mlme.c:8310
cfg80211_wiphy_work+0x2df/0x460 net/wireless/core.c:435
process_one_work kernel/workqueue.c:3238 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
kthread+0x70e/0x8a0 kernel/kthread.c:464
ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
net/mac80211/debugfs_sta.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/mac80211/debugfs_sta.c b/net/mac80211/debugfs_sta.c
index 49061bd4151b..912b69abab52 100644
--- a/net/mac80211/debugfs_sta.c
+++ b/net/mac80211/debugfs_sta.c
@@ -1276,7 +1276,8 @@ void ieee80211_sta_debugfs_add(struct sta_info *sta)
void ieee80211_sta_debugfs_remove(struct sta_info *sta)
{
- debugfs_remove_recursive(sta->debugfs_dir);
+ if (sta->debugfs_dir && sta->debugfs_dir->d_inode)
+ debugfs_remove_recursive(sta->debugfs_dir);
sta->debugfs_dir = NULL;
}
--
2.43.0
}
--
syzbot
Jul 24, 2025, 3:03:08 AMJul 24
to linux-...@vger.kernel.org, moonhee...@gmail.com, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+d6ccd4...@syzkaller.appspotmail.com
Tested-by: syzbot+d6ccd4...@syzkaller.appspotmail.com
Tested on:
commit: 3630f043 Merge tag 'iwlwifi-next-2025-07-23' of https:..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next.git main
console output: https://syzkaller.appspot.com/x/log.txt?x=16a740a2580000
kernel config: https://syzkaller.appspot.com/x/.config?x=51ebcb9cd994f900
Note: testing is done by a robot and is best-effort only.
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+d6ccd4...@syzkaller.appspotmail.com
Tested-by: syzbot+d6ccd4...@syzkaller.appspotmail.com
Tested on:
commit: 3630f043 Merge tag 'iwlwifi-next-2025-07-23' of https:..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next.git main
console output: https://syzkaller.appspot.com/x/log.txt?x=16a740a2580000
kernel config: https://syzkaller.appspot.com/x/.config?x=51ebcb9cd994f900
dashboard link: https://syzkaller.appspot.com/bug?extid=d6ccd49ae046542a0641
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch: https://syzkaller.appspot.com/x/patch.diff?x=1449d0a2580000
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
Note: testing is done by a robot and is best-effort only.
Hillf Danton
Jul 24, 2025, 6:23:19 AMJul 24
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
> Date: Wed, 23 Jul 2025 10:19:28 -0700 [thread overview]
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 89be9a83ccf1 Linux 6.16-rc7
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=11b42fd4580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=8adfe52da0de2761
> dashboard link: https://syzkaller.appspot.com/bug?extid=d6ccd49ae046542a0641
>
> syzbot found the following issue on:
>
> HEAD commit: 89be9a83ccf1 Linux 6.16-rc7
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=11b42fd4580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=8adfe52da0de2761
> dashboard link: https://syzkaller.appspot.com/bug?extid=d6ccd49ae046542a0641
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=134baf22580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16d5a4f0580000
#syz test
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16d5a4f0580000
--- x/net/mac80211/sta_info.h
+++ y/net/mac80211/sta_info.h
@@ -705,7 +705,7 @@ struct sta_info {
struct sta_ampdu_mlme ampdu_mlme;
#ifdef CONFIG_MAC80211_DEBUGFS
- struct dentry *debugfs_dir;
+ struct dentry *debugfs_dir, *pd;
#endif
u8 reserved_tid;
--- x/net/mac80211/debugfs_sta.c
+++ y/net/mac80211/debugfs_sta.c
@@ -1252,6 +1252,7 @@ void ieee80211_sta_debugfs_add(struct st
* dir might still be around.
*/
sta->debugfs_dir = debugfs_create_dir(mac, stations_dir);
+ sta->pd = stations_dir;
DEBUGFS_ADD(flags);
DEBUGFS_ADD(aid);
@@ -1276,7 +1277,14 @@ void ieee80211_sta_debugfs_add(struct st
void ieee80211_sta_debugfs_remove(struct sta_info *sta)
{
- debugfs_remove_recursive(sta->debugfs_dir);
+ struct dentry *stations_dir = sta->sdata->debugfs.subdir_stations;
+
+ if (!sta->debugfs_dir)
+
+ return;
+ if (!stations_dir)
+ return;
+ if (sta->pd == stations_dir)
+ return;
syzbot
Jul 24, 2025, 6:44:05 AMJul 24
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+d6ccd4...@syzkaller.appspotmail.com
Tested-by: syzbot+d6ccd4...@syzkaller.appspotmail.com
Tested on:
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+d6ccd4...@syzkaller.appspotmail.com
Tested-by: syzbot+d6ccd4...@syzkaller.appspotmail.com
Tested on:
commit: 25fae0b9 Merge tag 'drm-fixes-2025-07-24' of https://g..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10f13fd4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=8adfe52da0de2761
dashboard link: https://syzkaller.appspot.com/bug?extid=d6ccd49ae046542a0641
dashboard link: https://syzkaller.appspot.com/bug?extid=d6ccd49ae046542a0641
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch: https://syzkaller.appspot.com/x/patch.diff?x=12e13fd4580000
Al Viro
Jul 24, 2025, 11:58:36 AMJul 24
to Moon Hee Lee, syzbot+d6ccd4...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Wed, Jul 23, 2025 at 11:40:52PM -0700, Moon Hee Lee wrote:
> #syz test git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next.git main
>
> A NULL pointer dereference may occur in ieee80211_sta_debugfs_remove()
> when debugfs_remove_recursive() is called on a dentry whose inode has
> already been freed. This can happen due to a race between STA teardown
> and debugfs cleanup.
>
> Fix this by checking that both sta->debugfs_dir and its d_inode are
> valid before invoking debugfs_remove_recursive().
> #syz test git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next.git main
>
> A NULL pointer dereference may occur in ieee80211_sta_debugfs_remove()
> when debugfs_remove_recursive() is called on a dentry whose inode has
> already been freed. This can happen due to a race between STA teardown
> and debugfs cleanup.
>
> Fix this by checking that both sta->debugfs_dir and its d_inode are
> valid before invoking debugfs_remove_recursive().
> void ieee80211_sta_debugfs_remove(struct sta_info *sta)
> {
> - debugfs_remove_recursive(sta->debugfs_dir);
> + if (sta->debugfs_dir && sta->debugfs_dir->d_inode)
> + debugfs_remove_recursive(sta->debugfs_dir);
> sta->debugfs_dir = NULL;
> }
It might paper over the specific reproducer, but that's not a fix...
> {
> - debugfs_remove_recursive(sta->debugfs_dir);
> + if (sta->debugfs_dir && sta->debugfs_dir->d_inode)
> + debugfs_remove_recursive(sta->debugfs_dir);
> sta->debugfs_dir = NULL;
> }
I'm not familiar with that code; will check the details, but in
this form it is obviously still racy.
NAK.
Moon Hee Lee
Jul 24, 2025, 1:30:01 PMJul 24
to Al Viro, syzbot+d6ccd4...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Thu, Jul 24, 2025 at 8:58 AM Al Viro <vi...@zeniv.linux.org.uk> wrote:
> It might paper over the specific reproducer, but that's not a fix...
> I'm not familiar with that code; will check the details, but in
> this form it is obviously still racy.
Thanks for the feedback, Al.
> It might paper over the specific reproducer, but that's not a fix...
> I'm not familiar with that code; will check the details, but in
> this form it is obviously still racy.
Agreed, this only papers over the issue. I'm tracing the
sta_info_destroy() path to confirm the race and will follow up with a
proper fix if confirmed.
--
moon
Hillf Danton
Jul 24, 2025, 7:34:58 PMJul 24
to Moon Hee Lee, Al Viro, syzbot+d6ccd4...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
[1] https://lore.kernel.org/lkml/6881aed3.a00a022...@google.com/
Al Viro
Jul 24, 2025, 8:20:12 PMJul 24
to Moon Hee Lee, syzbot+d6ccd4...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
about removals - after all, removal of the bigger one drops the
references we are holding to the roots of the smaller ones.
Moon Hee Lee
Jul 31, 2025, 1:18:07 PMJul 31
to syzbot+d6ccd4...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk, hda...@sina.com, Moon Hee Lee
Thanks for the review and valuable feedback.
Upon investigation, I found the crash occurs when the netdev's debugfs
directory is removed while a station still holds a pointer
(sta->debugfs_dir) to a dentry within it. A subsequent call to
ieee80211_sta_debugfs_remove() may then dereference a freed dentry,
triggering a use-after-free.
To address this, I’m preparing a patch that clears sta->debugfs_dir for
all stations associated with the interface before calling
debugfs_remove_recursive(). This ensures any later station removal
becomes a no-op and avoids referencing a stale pointer.
This reply is intended for syz testing and to provide context for
review. A formal patch will follow.
Many thanks to Hillf Danton and Al Viro for their insights.
---
net/mac80211/debugfs_netdev.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/net/mac80211/debugfs_netdev.c b/net/mac80211/debugfs_netdev.c
index 1dac78271045..4d45bb4fe380 100644
--- a/net/mac80211/debugfs_netdev.c
+++ b/net/mac80211/debugfs_netdev.c
@@ -1015,9 +1015,24 @@ static void ieee80211_debugfs_add_netdev(struct ieee80211_sub_if_data *sdata,
void ieee80211_debugfs_remove_netdev(struct ieee80211_sub_if_data *sdata)
{
+ struct sta_info *sta;
+
if (!sdata->vif.debugfs_dir)
return;
+ /*
+ * Before we delete the netdev’s debugfs tree, clear sta->debugfs_dir
+ * for every station on this interface. This ensures any later call to
+ * ieee80211_sta_debugfs_remove() sees NULL and avoids touching a dentry
+ * that we are about to free.
+ */
+ rcu_read_lock();
+ list_for_each_entry_rcu(sta, &sdata->local->sta_list, list) {
+ if (sta->sdata == sdata)
+ sta->debugfs_dir = NULL;
+ }
+ rcu_read_unlock();
+
debugfs_remove_recursive(sdata->vif.debugfs_dir);
sdata->vif.debugfs_dir = NULL;
sdata->debugfs.subdir_stations = NULL;
--
2.43.0
Upon investigation, I found the crash occurs when the netdev's debugfs
directory is removed while a station still holds a pointer
(sta->debugfs_dir) to a dentry within it. A subsequent call to
ieee80211_sta_debugfs_remove() may then dereference a freed dentry,
triggering a use-after-free.
To address this, I’m preparing a patch that clears sta->debugfs_dir for
all stations associated with the interface before calling
debugfs_remove_recursive(). This ensures any later station removal
becomes a no-op and avoids referencing a stale pointer.
This reply is intended for syz testing and to provide context for
review. A formal patch will follow.
Many thanks to Hillf Danton and Al Viro for their insights.
---
net/mac80211/debugfs_netdev.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/net/mac80211/debugfs_netdev.c b/net/mac80211/debugfs_netdev.c
index 1dac78271045..4d45bb4fe380 100644
--- a/net/mac80211/debugfs_netdev.c
+++ b/net/mac80211/debugfs_netdev.c
@@ -1015,9 +1015,24 @@ static void ieee80211_debugfs_add_netdev(struct ieee80211_sub_if_data *sdata,
void ieee80211_debugfs_remove_netdev(struct ieee80211_sub_if_data *sdata)
{
+ struct sta_info *sta;
+
if (!sdata->vif.debugfs_dir)
return;
+ /*
+ * Before we delete the netdev’s debugfs tree, clear sta->debugfs_dir
+ * for every station on this interface. This ensures any later call to
+ * ieee80211_sta_debugfs_remove() sees NULL and avoids touching a dentry
+ * that we are about to free.
+ */
+ rcu_read_lock();
+ list_for_each_entry_rcu(sta, &sdata->local->sta_list, list) {
+ if (sta->sdata == sdata)
+ sta->debugfs_dir = NULL;
+ }
+ rcu_read_unlock();
+
debugfs_remove_recursive(sdata->vif.debugfs_dir);
sdata->vif.debugfs_dir = NULL;
sdata->debugfs.subdir_stations = NULL;
--
2.43.0
Al Viro
Jul 31, 2025, 1:29:00 PMJul 31
to Moon Hee Lee, syzbot+d6ccd4...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com, hda...@sina.com
On Thu, Jul 31, 2025 at 10:17:29AM -0700, Moon Hee Lee wrote:
> #syz test git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next.git main
>
>
> Thanks for the review and valuable feedback.
>
> Upon investigation, I found the crash occurs when the netdev's debugfs
> directory is removed while a station still holds a pointer
> (sta->debugfs_dir) to a dentry within it. A subsequent call to
> ieee80211_sta_debugfs_remove() may then dereference a freed dentry,
> triggering a use-after-free.
>
> To address this, I’m preparing a patch that clears sta->debugfs_dir for
> all stations associated with the interface before calling
> debugfs_remove_recursive(). This ensures any later station removal
> becomes a no-op and avoids referencing a stale pointer.
>
> This reply is intended for syz testing and to provide context for
> review. A formal patch will follow.
> #syz test git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next.git main
>
>
> Thanks for the review and valuable feedback.
>
> Upon investigation, I found the crash occurs when the netdev's debugfs
> directory is removed while a station still holds a pointer
> (sta->debugfs_dir) to a dentry within it. A subsequent call to
> ieee80211_sta_debugfs_remove() may then dereference a freed dentry,
> triggering a use-after-free.
>
> To address this, I’m preparing a patch that clears sta->debugfs_dir for
> all stations associated with the interface before calling
> debugfs_remove_recursive(). This ensures any later station removal
> becomes a no-op and avoids referencing a stale pointer.
>
> This reply is intended for syz testing and to provide context for
> review. A formal patch will follow.
> + /*
> + * Before we delete the netdev’s debugfs tree, clear sta->debugfs_dir
> + * for every station on this interface. This ensures any later call to
> + * ieee80211_sta_debugfs_remove() sees NULL and avoids touching a dentry
> + * that we are about to free.
> + */
> + rcu_read_lock();
> + list_for_each_entry_rcu(sta, &sdata->local->sta_list, list) {
> + if (sta->sdata == sdata)
> + sta->debugfs_dir = NULL;
> + }
> + rcu_read_unlock();
Umm... Is there any exclusion between that an ieee80211_sta_debugfs_remove()?
> + * Before we delete the netdev’s debugfs tree, clear sta->debugfs_dir
> + * for every station on this interface. This ensures any later call to
> + * ieee80211_sta_debugfs_remove() sees NULL and avoids touching a dentry
> + * that we are about to free.
> + */
> + rcu_read_lock();
> + list_for_each_entry_rcu(sta, &sdata->local->sta_list, list) {
> + if (sta->sdata == sdata)
> + sta->debugfs_dir = NULL;
> + }
> + rcu_read_unlock();
This looks fishy...
syzbot
Jul 31, 2025, 1:40:05 PMJul 31
to hda...@sina.com, linux-...@vger.kernel.org, moonhee...@gmail.com, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+d6ccd4...@syzkaller.appspotmail.com
Tested-by: syzbot+d6ccd4...@syzkaller.appspotmail.com
Tested on:
commit: 126d85fb Merge tag 'wireless-next-2025-07-24' of https..
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+d6ccd4...@syzkaller.appspotmail.com
Tested-by: syzbot+d6ccd4...@syzkaller.appspotmail.com
Tested on:
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next.git main
console output: https://syzkaller.appspot.com/x/log.txt?x=1104acf0580000
kernel config: https://syzkaller.appspot.com/x/.config?x=4e0aa2ee2717f461
dashboard link: https://syzkaller.appspot.com/bug?extid=d6ccd49ae046542a0641
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch: https://syzkaller.appspot.com/x/patch.diff?x=128ee9bc580000
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
syzbot
Dec 23, 2025, 8:23:12 PM (2 days ago) Dec 23
to syzkall...@googlegroups.com
Auto-closing this bug as obsolete.
No recent activity, existing reproducers are no longer triggering the issue.
No recent activity, existing reproducers are no longer triggering the issue.
Reply all
Reply to author
Forward
0 new messages