Hi, rtl8712 developers and staging maintainers!

In this patch series I rewrote the error handling approach in the rtl8712 driver. A detailed description can be found in the commit messages.

In short:

There was a strange approach to handle fw load error. For some reason the fw callback was doing clean up stuff, which can lead to a UAF bug. For example:

CPU0                                    CPU1
r871xu_dev_remove()                     rtl871x_load_fw_cb()
                                          free_netdev(netdev)
  wait_for_completion(netdev_priv->compl) <- UAF, slab-out-of-bound or smth else

I've added a free_netdev() call in my previous patch to this driver:
e02a3b945816 ("staging: rtl8712: fix memory leak in rtl871x_load_fw_cb")
to avoid a memory leak, and I believed that this approach won't trigger anything else, but, unfortunately, I was wrong.

Syzbot found 2 bugs [1] [2] and I decided to completely rewrite error handling in case of fw load failure.

This patch series was tested with both reproducers and didn't trigger any bugs.

[1] https://syzkaller.appspot.com/bug?id=7646834b55c71c45ed85f601032daa6c23db0513
[2] https://syzkaller.appspot.com/bug?id=89c3ddb9936d3552995130298f1d2633ab9d3541

With regards,
Pavel Skripkin

Pavel Skripkin (2):
  staging: rtl8712: get rid of flush_scheduled_work
  staging: rtl8712: error handling refactoring

 drivers/staging/rtl8712/hal_init.c        | 30 ++++++++-----
 drivers/staging/rtl8712/rtl8712_led.c     |  8 ++++
 drivers/staging/rtl8712/rtl871x_led.h     |  1 +
 drivers/staging/rtl8712/rtl871x_pwrctrl.c |  8 ++++
 drivers/staging/rtl8712/rtl871x_pwrctrl.h |  1 +
 drivers/staging/rtl8712/usb_intf.c        | 51 ++++++++++-------------
 6 files changed, 61 insertions(+), 38 deletions(-)

--
2.32.0