On Tue, 13 Jul 2021 17:04:28 +0800 Dongliang Mu wrote:

> On Tue, Jul 13, 2021 at 4:55 PM Pavel Skripkin wrote:
> >
> > On Mon, 12 Jul 2021 20:14:24 -0700 syzbot wrote:
> >
> > > Hello,
> > >
> > > syzbot found the following issue on:
> > >
> > > HEAD commit:    92510a7f Add linux-next specific files for 20210709
> > > git tree:       linux-next
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=16c50180300000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=505de2716f052686
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=5872a520e0ce0a7c7230
> > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1639a73c300000
> > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=15fcd5e4300000
> > >
> > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > Reported-by: syzbot+5872a520e0ce0a7c7230@syzkaller.appspotmail.com
> > >
> >
> > Hmm, bisection is wrong this time. It should be
> > e02a3b945816 ("staging: rtl8712: fix memory leak in rtl871x_load_fw_cb")
>
> Hi Paval,
     ^^^^^

Pavel :)

> can you share more details about why the patch e02a3b945816 causes
> this UAF problem?
>

I am not sure, but I think that the free_netdev() call right after complete() can cause a use-after-free bug in wait_for_completion(), since rtl8712_fw_ready is allocated as netdev private data.

I guess a schedule() call after complete() can help here.

BTW, I sent the wrong patch in the previous email: typo in schedule() :)

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master

> > #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
> >
> >
> > I guess this should work
> >
> >
> > With regards,
> > Pavel Skripkin

With regards,
Pavel Skripkin