[lvc-project] Managing debugfs entries and https://syzkaller.appspot.com/bug?extid=d5dc2801166df6d34774
Dmitry Antipov
dmantipov at yandex.ru
Tue Jul 23 14:19:14 MSK 2024
On 7/19/24 12:38 PM, Berg, Benjamin wrote:
> So, the simple way to prevent this error is to make sure that
> ieee80211_debugfs_recreate_netdev is never called while we have a
> station. In the case of this report we seem to be getting there via a
> mac address change (i.e. ieee80211_change_mac) and the sane thing would
> be to just return -EBUSY instead of permitting the operation to
> continue.
Just to check whether I understand this:
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index a3485e4c6132..d5adbe5b3e51 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -1173,6 +1173,8 @@ struct ieee80211_sub_if_data {
u16 restart_active_links;
+ u32 sta_count;
+
#ifdef CONFIG_MAC80211_DEBUGFS
struct {
struct dentry *subdir_stations;
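Review bot: the new `u32 sta_count` field in struct ieee80211_sub_if_data has no comment saying what it counts or what serialises access to it. The other hunks update it with a plain `++` and `--` and read it with a plain `if`, so please name the lock that all three sites are expected to hold, or use an atomic type if there is none.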
diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
index b4ad66af3af3..d8e6e411d754 100644
--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -215,6 +215,9 @@ static int ieee80211_can_powered_addr_change(struct ieee80211_sub_if_data *sdata
if (netif_carrier_ok(sdata->dev))
return -EBUSY;
+ if (sdata->sta_count)
+ return -EBUSY;
+
/* First check no ROC work is happening on this iface */
list_for_each_entry(roc, &local->roc_list, list) {
if (roc->sdata != sdata)
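Review bot: the `if (sdata->sta_count)` test sits in ieee80211_can_powered_addr_change(), while the quoted suggestion was to make sure ieee80211_debugfs_recreate_netdev is never called while a station exists. It is worth confirming that every address change that ends in the debugfs recreate goes through this helper; if some path does not, the check belongs in ieee80211_change_mac itself, as the quoted mail proposes.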
diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
index aa22f09e6d14..42657afb6d22 100644
--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
@@ -443,6 +443,7 @@ void sta_info_free(struct ieee80211_local *local, struct sta_info *sta)
#endif
sta_info_free_link(&sta->deflink);
+ sta->sdata->sta_count--;
kfree(sta);
}
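Review bot: `sta->sdata->sta_count--` in sta_info_free() is unconditional on a u32, so a single free that is not matched by the increment at the end of __sta_info_alloc() wraps the counter to a large non-zero value, after which the new check in iface.c returns -EBUSY for every address change. A `WARN_ON_ONCE(!sta->sdata->sta_count)` before the decrement would surface an imbalance instead of hiding it.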
@@ -691,6 +692,7 @@ __sta_info_alloc(struct ieee80211_sub_if_data *sdata,
sta->cparams.ce_threshold_mask = 0;
sta_dbg(sdata, "Allocated STA %pM\n", sta->sta.addr);
+ sdata->sta_count++;
return sta;
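Review bot: with `sdata->sta_count++` at the tail of __sta_info_alloc() and the decrement in sta_info_free(), the counter follows the lifetime of the sta_info allocation rather than "we have a station" in the sense of the quoted mail. Any entry that is allocated and not yet freed blocks the address change, whatever its state; if that is intended, say so in the commit message, otherwise count where the station's debugfs entry is created and removed.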
Dmitry