Date: Tue, 13 Jul 2021 11:55:46 +0300
From: Pavel Skripkin
To: syzbot
Cc: Larry.Finger@lwfinger.net, florian.c.schilhabel@googlemail.com, gregkh@linuxfoundation.org, hridayhegde1999@gmail.com, linux-kernel@vger.kernel.org, linux-staging@lists.linux.dev, rkovhaev@gmail.com, straube.linux@gmail.com, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] KASAN: use-after-free Read in r871xu_dev_remove
Message-ID: <20210713115546.34c99ea8@gmail.com>
In-Reply-To: <00000000000087b4c305c6f8a243@google.com>
References: <00000000000087b4c305c6f8a243@google.com>

On Mon, 12 Jul 2021 20:14:24 -0700 syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    92510a7f Add linux-next specific files for 20210709
> git tree:       linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=16c50180300000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=505de2716f052686
> dashboard link: https://syzkaller.appspot.com/bug?extid=5872a520e0ce0a7c7230
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1639a73c300000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=15fcd5e4300000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+5872a520e0ce0a7c7230@syzkaller.appspotmail.com
>

Hmm, bisection is wrong this time.
It should be e02a3b945816 ("staging: rtl8712: fix memory leak in rtl871x_load_fw_cb")

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master

I guess, this should work



With regards,
Pavel Skripkin

[Attachment: 0001-staging-rtl8712-fix-UAF-in-r871xu_dev_remove.patch]

From 954ffa9067907a5f6d4d6d2b72a98b8773cac11e Mon Sep 17 00:00:00 2001
From: Pavel Skripkin
Date: Tue, 13 Jul 2021 11:52:17 +0300
Subject: [PATCH] staging: rtl8712: fix UAF in r871xu_dev_remove

/* .... */

Signed-off-by: Pavel Skripkin
---
 drivers/staging/rtl8712/hal_init.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/staging/rtl8712/hal_init.c b/drivers/staging/rtl8712/hal_init.c
index 22974277afa0..c06d31784cd4 100644
--- a/drivers/staging/rtl8712/hal_init.c
+++ b/drivers/staging/rtl8712/hal_init.c
@@ -43,6 +43,7 @@ static void rtl871x_load_fw_cb(const struct firmware *firmware, void *context)
 r8712_free_drv_sw(adapter);
 adapter->dvobj_deinit(adapter);
 complete(&adapter->rtl8712_fw_ready);
+shedule(); /* to not trigger UAF in wait_for_completion() */
 free_netdev(adapter->pnetdev);
 return;
 }
-- 
2.32.0
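Review bot: `shedule()` on the added line is a misspelling of `schedule()`, so this hunk will not build as posted. Even with the spelling fixed, calling schedule() between complete() and free_netdev() is a timing hint rather than a synchronisation: the waiter in r871xu_dev_remove may still be inside wait_for_completion() on another CPU, or get preempted, and then touch `rtl8712_fw_ready` after free_netdev(adapter->pnetdev) has released the memory that, as the inline comment implies, contains that completion; the race the comment describes therefore remains. The memory holding the completion should be freed by the side that waits on it, not by the side that signals it: let rtl871x_load_fw_cb end at `complete(&adapter->rtl8712_fw_ready);` and perform the free_netdev() in the remove path once wait_for_completion() has returned. The `/* .... */` placeholder in the commit message also needs a real description of the race before this goes out as anything other than a syzbot test patch.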