Re: [syzbot] [fs?] KASAN: slab-use-after-free Read in lockref_get

From: Edward Adam Davis
Date: Wed Jul 17 2024 - 09:27:17 EST


Before removing debugfs_dir, set the reference pointer to NULL.

#syz test: linux-next 58f9416d413a

diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
index aa22f09e6d14..6d807c3abcb6 100644
--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
@@ -1473,7 +1473,8 @@ static void __sta_info_destroy_part2(struct sta_info *sta, bool recalc)
cfg80211_del_sta_sinfo(sdata->dev, sta->sta.addr, sinfo, GFP_KERNEL);
kfree(sinfo);

- ieee80211_sta_debugfs_remove(sta);
+ if (sdata->flags & IEEE80211_SDATA_IN_DRIVER)
+ ieee80211_sta_debugfs_remove(sta);

ieee80211_destroy_frag_cache(&sta->frags);
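Review bot: The new guard around `ieee80211_sta_debugfs_remove(sta)` ties debugfs teardown to `IEEE80211_SDATA_IN_DRIVER`, but nothing visible in the hunk shows that this flag tracks whether the station's debugfs directory still exists, and the description speaks of clearing a pointer, which this change does not do. If the flag can be clear while the directory is still present, the entries would outlive `sta` and a later access through them would touch freed memory, trading one use-after-free for another; if the directory was already removed with its parent, the stale pointer in `sta` is still left in place. It would be more robust to clear the station's debugfs pointer where the parent directory is torn down, or at least to state the invariant here with a comment such as `/* sta debugfs dir is already gone with the netdev dir when !IN_DRIVER */`. The body of `__sta_info_destroy_part2` starts and ends outside the hunk, so this is inferred from the visible lines only.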