Re: [syzbot] KASAN: use-after-free Read in rtl8712_dl_fw

From: Pavel Skripkin
Date: Tue Oct 19 2021 - 16:49:38 EST


On 10/19/21 18:29, syzbot wrote:
Hello,

syzbot found the following issue on:

HEAD commit: 8ef1e58783b9 usb: typec: STUSB160X should select REGMAP_I2C
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
console output: https://syzkaller.appspot.com/x/log.txt?x=1106dcfb300000
kernel config: https://syzkaller.appspot.com/x/.config?x=c27d285bdb7457e2
dashboard link: https://syzkaller.appspot.com/bug?extid=c55162be492189fb4f51
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12725770b00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1168c158b00000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c55162be492189fb4f51@xxxxxxxxxxxxxxxxxxxxxxxxx


Ok, this driver can't be fixed... Let's try unregistering the netdev before doing the clean-up stuff, so as not to race with ->ndo_open()

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing





With regards,
Pavel Skripkin

diff --git a/drivers/staging/rtl8712/usb_intf.c b/drivers/staging/rtl8712/usb_intf.c
index 505ebeb643dc..cae04272deff 100644
--- a/drivers/staging/rtl8712/usb_intf.c
+++ b/drivers/staging/rtl8712/usb_intf.c
@@ -595,12 +595,12 @@ static void r871xu_dev_remove(struct usb_interface *pusb_intf)

/* never exit with a firmware callback pending */
wait_for_completion(&padapter->rtl8712_fw_ready);
+ if (pnetdev->reg_state != NETREG_UNINITIALIZED)
+ unregister_netdev(pnetdev); /* will call netdev_close() */
usb_set_intfdata(pusb_intf, NULL);
release_firmware(padapter->fw);
if (drvpriv.drv_registered)
padapter->surprise_removed = true;
- if (pnetdev->reg_state != NETREG_UNINITIALIZED)
- unregister_netdev(pnetdev); /* will call netdev_close() */
r8712_flush_rwctrl_works(padapter);
r8712_flush_led_works(padapter);
udelay(1);
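Review bot: with `unregister_netdev(pnetdev)` moved above `padapter->surprise_removed = true`, the netdev_close() it triggers now runs while surprise_removed is still false, so the close path can still try to talk to a device that is already gone; consider setting `padapter->surprise_removed = true` (under the same `drvpriv.drv_registered` check) before the `unregister_netdev(pnetdev)` call, or state in the changelog why netdev_close() tolerates the missing device. Moving the unregister ahead of `usb_set_intfdata(pusb_intf, NULL)` and `release_firmware(padapter->fw)` is the right direction for the ->ndo_open() race, since an open cannot start against interface data and firmware that are being torn down, but the message should say that this is the intended ordering so the next reader does not move it back.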