On Tue, 13 Jul 2021 17:04:28 +0800
Dongliang Mu <mudongliangabcd@xxxxxxxxx> wrote:

> On Tue, Jul 13, 2021 at 4:55 PM Pavel Skripkin <paskripkin@xxxxxxxxx>
> wrote:
> >
> > On Mon, 12 Jul 2021 20:14:24 -0700
> > syzbot <syzbot+5872a520e0ce0a7c7230@xxxxxxxxxxxxxxxxxxxxxxxxx>
> > wrote:
> >
> > > Hello,
> > >
> > > syzbot found the following issue on:
> > >
> > > HEAD commit:    92510a7f Add linux-next specific files for 20210709
> > > git tree:       linux-next
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=16c50180300000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=505de2716f052686
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=5872a520e0ce0a7c7230
> > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1639a73c300000
> > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=15fcd5e4300000
> > >
> > > IMPORTANT: if you fix the issue, please add the following tag to
> > > the commit:
> > > Reported-by: syzbot+5872a520e0ce0a7c7230@xxxxxxxxxxxxxxxxxxxxxxxxx
> > >
> >
> > Hmm, bisection is wrong this time. It should be
> > e02a3b945816 ("staging: rtl8712: fix memory leak in
> > rtl871x_load_fw_cb")
>
> Hi Paval,
  ^^^^^ Pavel :)
> can you share more details about why the patch e02a3b945816 causes
> this UAF problem?
>

I am not sure, but I think that the free_netdev() call right after
complete() can cause a use-after-free bug in wait_for_completion(),
since rtl8712_fw_ready is allocated as netdev private data. I guess
a schedule() call after complete() can help here.
BTW, I sent the wrong patch in the previous email: typo in schedule() :)

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master

> > #syz test:
> > git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
> > master
> >
> > I guess this should work
> >
> >
> > With regards,
> > Pavel Skripkin
> >
> > --
> > You received this message because you are subscribed to the Google
> > Groups "syzkaller-bugs" group. To unsubscribe from this group and
> > stop receiving emails from it, send an email to
> > syzkaller-bugs+unsubscribe@xxxxxxxxxxxxxxxx. To view this
> > discussion on the web visit
> > https://groups.google.com/d/msgid/syzkaller-bugs/20210713115546.34c99ea8%40gmail.com.

With regards,
Pavel Skripkin
>From 4c25accd0fc806687142aadeaa5b19805289ac74 Mon Sep 17 00:00:00 2001 From: Pavel Skripkin <paskripkin@xxxxxxxxx> Date: Tue, 13 Jul 2021 11:52:17 +0300 Subject: [PATCH] staging: rtl8712: fix UAF in r871xu_dev_remove /* .... */ Signed-off-by: Pavel Skripkin <paskripkin@xxxxxxxxx> --- drivers/staging/rtl8712/hal_init.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/staging/rtl8712/hal_init.c b/drivers/staging/rtl8712/hal_init.c index 22974277afa0..e81c66cc8580 100644 --- a/drivers/staging/rtl8712/hal_init.c +++ b/drivers/staging/rtl8712/hal_init.c @@ -43,6 +43,7 @@ static void rtl871x_load_fw_cb(const struct firmware *firmware, void *context) r8712_free_drv_sw(adapter); adapter->dvobj_deinit(adapter); complete(&adapter->rtl8712_fw_ready); + schedule(); /* to not trigger UAF in wait_for_completion() */ free_netdev(adapter->pnetdev); return; } -- 2.32.0
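Review bot: inserting `schedule();` between `complete(&adapter->rtl8712_fw_ready);` and `free_netdev(adapter->pnetdev);` narrows the race but does not close it. The completion lives inside the netdev private data that `free_netdev()` releases, and nothing in this hunk guarantees that the task blocked in `wait_for_completion()` has finished touching `rtl8712_fw_ready` before this context returns from `schedule()`: the waiter may be woken on another CPU and still be running, or may not be picked by the scheduler at all on this call. A use-after-free that depends on scheduling order is still a use-after-free, and the comment `/* to not trigger UAF in wait_for_completion() */` documents a hope rather than an invariant. The robust shape is to make the object's lifetime outlive every waiter: either let the side that waits on `rtl8712_fw_ready` (the remove path) be the one that calls `free_netdev()` after `wait_for_completion()` returns, or move the completion out of the memory being freed, so `complete()` is the last access the callback makes to the adapter. Whichever is chosen, the commit message (currently the `/* .... */` placeholder) should state why the ordering is safe so a future reader does not reintroduce the race. Minor, pre-existing: the trailing `return;` in a void function is redundant and could be dropped in the same change.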