From: Ben Greear When recursively removing debugfs files, clean up child link debugfs pointers since the recursive removal will have deleted their memory. This fixes use-after-free problem when those child links are eventually cleaned up. Signed-off-by: Ben Greear
---
 net/mac80211/debugfs_netdev.c | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+)
diff --git a/net/mac80211/debugfs_netdev.c b/net/mac80211/debugfs_netdev.c
index 51d2ae232a85..bc2da35db4ae 100644
--- a/net/mac80211/debugfs_netdev.c
+++ b/net/mac80211/debugfs_netdev.c
@@ -1039,9 +1039,28 @@ static void ieee80211_debugfs_add_netdev(struct ieee80211_sub_if_data *sdata,
 
 void ieee80211_debugfs_remove_netdev(struct ieee80211_sub_if_data *sdata)
 {
+ struct ieee80211_link_data *link;
+ int i;
+
 if (!sdata->vif.debugfs_dir)
 return;
 
+ /* In case where there were errors on station creation and maybe
+ * teardown, we may get here with some links still active. We are
+ * about to recursively delete debugfs, so remove any pointers the
+ * links may have.
+ */
+ rcu_read_lock();
+
+ for (i = 0; i < IEEE80211_MLD_MAX_NUM_LINKS; i++) {
+ link = rcu_access_pointer(sdata->link[i]);
+ if (!link)
+ continue;
+
+ link->debugfs_dir = NULL;
+ }
+ rcu_read_unlock();
+
 debugfs_remove_recursive(sdata->vif.debugfs_dir);
 sdata->vif.debugfs_dir = NULL;
 sdata->debugfs.subdir_stations = NULL;
--
2.42.0
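Review bot: The new loop in ieee80211_debugfs_remove_netdev() fetches each link with `rcu_access_pointer()` and then dereferences it (`link->debugfs_dir = NULL`), but that accessor is meant for testing the pointer value only. Inside the `rcu_read_lock()` section the fetch should be `link = rcu_dereference(sdata->link[i]);`. If the caller already holds the lock that protects `sdata->link[]` (not visible in this hunk), `rcu_dereference_protected()` with the matching lockdep condition would fit better and the read-side section could be dropped. An RCU read-side section also does not serialize the store against a concurrent link teardown, so the added comment should name the lock that makes clearing `link->debugfs_dir` safe; otherwise the use-after-free this patch targets may only be narrowed, not closed. The function body continues past the end of the hunk.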