Thread: 8 messages, 3 authors, 2021-07-21

Re: [syzbot] KASAN: use-after-free Read in r871xu_dev_remove

From: Pavel Skripkin <hidden>
Date: 2021-07-13 09:19:17
Also in: lkml

On Tue, 13 Jul 2021 17:04:28 +0800
Dongliang Mu [off-list ref] wrote:

> On Tue, Jul 13, 2021 at 4:55 PM Pavel Skripkin [off-list ref] wrote:
> >
> > On Mon, 12 Jul 2021 20:14:24 -0700
> > syzbot [off-list ref] wrote:
> >
> > > Hello,
> > >
> > > syzbot found the following issue on:
> > >
> > > HEAD commit:    92510a7f Add linux-next specific files for 20210709
> > > git tree:       linux-next
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=16c50180300000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=505de2716f052686
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=5872a520e0ce0a7c7230
> > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1639a73c300000
> > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=15fcd5e4300000
> > >
> > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > Reported-by: syzbot+5872a520e0ce0a7c7230@syzkaller.appspotmail.com
> >
> > Hmm, bisection is wrong this time. It should be
> > e02a3b945816 ("staging: rtl8712: fix memory leak in rtl871x_load_fw_cb")
>
> Hi Paval,
     ^^^^^
     Pavel :)
> can you share more details about why the patch e02a3b945816 causes
> this UAF problem?
I am not sure, but I think that the free_netdev() call right after
complete() can cause a use-after-free bug in wait_for_completion(), since
rtl8712_fw_ready is allocated as netdev private data.

I guess a schedule() call after complete() can help here.


BTW, I sent the wrong patch in the previous email: typo in schedule() :)

#syz test:
git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master



> >
> > #syz test:
> > git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
> >
> > I guess this should work
> >
> > With regards,
> > Pavel Skripkin
> >
> > --
> > You received this message because you are subscribed to the Google
> > Groups "syzkaller-bugs" group. To unsubscribe from this group and
> > stop receiving emails from it, send an email to
> > syzkaller-bugs+unsubscribe@googlegroups.com. To view this
> > discussion on the web visit
> > https://groups.google.com/d/msgid/syzkaller-bugs/20210713115546.34c99ea8%40gmail.com.



With regards,
Pavel Skripkin
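The ordering hazard described in the mail above, as an added example that is not part of the thread, of the patch under test, or of the rtl8712 driver. It is a user-space model in C: the completion is embedded in the device object (as rtl8712_fw_ready is embedded in the netdev private data), fw_callback() stands in for rtl871x_load_fw_cb() and dev_remove() for r871xu_dev_remove(). free_dev() does not return memory; it marks the object dead and every later access to it is counted, which is roughly what KASAN reports for the real driver. The two semaphores asleep and gate are test hooks that force the interleaving a real scheduler only sometimes produces: the waiter has gone to sleep, the completer runs complete() and the free to the end, and only then does the waiter wake up and re-take the completion's lock. The names sem_up, sem_down, touch, free_dev, run_race and struct job are assumptions of this example. The "safe" variant simply moves the free after wait_for_completion() returns, so the last user of the object frees it; that is a different approach from the schedule() call proposed in the mail, and the model makes no claim about that patch.

```c
/* Added example, not from the thread or the rtl8712 driver: a user-space model of
 * the complete()-then-free ordering discussed in the mail.  free_dev() only marks
 * the object dead and later accesses are counted, roughly what KASAN does. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>

struct sem { pthread_mutex_t m; pthread_cond_t c; int n; };  /* counting semaphore */
#define SEM_INIT { PTHREAD_MUTEX_INITIALIZER, PTHREAD_COND_INITIALIZER, 0 }
static void sem_up(struct sem *s)
{ pthread_mutex_lock(&s->m); s->n++; pthread_cond_signal(&s->c); pthread_mutex_unlock(&s->m); }
static void sem_down(struct sem *s)
{ pthread_mutex_lock(&s->m); while (s->n == 0) pthread_cond_wait(&s->c, &s->m); s->n--; pthread_mutex_unlock(&s->m); }

/* Same shape as the kernel's struct completion: lock, done count, wait queue. */
struct completion { pthread_mutex_t lock; unsigned int done; struct sem wakeup; };
struct device {
    struct completion fw_ready;   /* embedded, like rtl8712_fw_ready in netdev_priv */
    atomic_int alive;             /* 1 = allocated, 0 = "freed" */
};
struct job { struct device *dev; int free_in_callback; };

static atomic_int uaf_count;                          /* accesses to a dead device */
static struct sem asleep = SEM_INIT, gate = SEM_INIT; /* hooks forcing the racy order */

static void touch(struct device *dev, const char *what)
{
    if (!atomic_load(&dev->alive)) {
        atomic_fetch_add(&uaf_count, 1);
        fprintf(stderr, "use-after-free: %s\n", what);
    }
}
static void free_dev(struct device *dev) { atomic_store(&dev->alive, 0); }

static void complete(struct device *dev)
{
    struct completion *x = &dev->fw_ready;
    pthread_mutex_lock(&x->lock);
    x->done++;
    sem_up(&x->wakeup);
    pthread_mutex_unlock(&x->lock);   /* completer's last touch of x */
}

static void wait_for_completion(struct device *dev)
{
    struct completion *x = &dev->fw_ready;
    pthread_mutex_lock(&x->lock);
    while (x->done == 0) {
        pthread_mutex_unlock(&x->lock);
        sem_up(&asleep);               /* hook: waiter is going to sleep */
        sem_down(&x->wakeup);          /* woken by complete() */
        sem_down(&gate);               /* hook: completer has run to its end */
        touch(dev, "wait_for_completion() re-takes the lock after wake-up");
        pthread_mutex_lock(&x->lock);  /* the access KASAN flags in the report */
    }
    x->done--;
    pthread_mutex_unlock(&x->lock);
}

static void *fw_callback(void *arg)    /* rtl871x_load_fw_cb() stand-in */
{
    struct job *j = arg;
    sem_down(&asleep);
    complete(j->dev);
    if (j->free_in_callback)           /* buggy order: free right after complete() */
        free_dev(j->dev);
    sem_up(&gate);
    return NULL;
}

static void *dev_remove(void *arg)     /* r871xu_dev_remove() stand-in */
{
    struct job *j = arg;
    wait_for_completion(j->dev);
    if (!j->free_in_callback)          /* safe order: the last user frees */
        free_dev(j->dev);
    return NULL;
}

/* Runs one interleaving; returns the number of use-after-free accesses seen. */
int run_race(int free_in_callback)
{
    struct device dev = { { PTHREAD_MUTEX_INITIALIZER, 0, SEM_INIT }, 1 };
    struct job j = { &dev, free_in_callback };
    pthread_t waiter, completer;
    atomic_store(&uaf_count, 0);
    pthread_create(&waiter, NULL, dev_remove, &j);
    pthread_create(&completer, NULL, fw_callback, &j);
    pthread_join(waiter, NULL);
    pthread_join(completer, NULL);
    return atomic_load(&uaf_count);
}

int main(void)
{
    printf("free in callback: %d use-after-free\n", run_race(1));
    printf("free after wait:  %d use-after-free\n", run_race(0));
    return 0;
}
```

Build with cc -pthread and run: the first line reports one use-after-free access (the waiter re-taking the lock of a completion that the completer has already freed), the second reports none. The model only shows which access lands past the free; it says nothing about how often a real scheduler produces that window.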
