Message-ID: <tencent_ADCCB667DF06D952FB064A89952ED1AEFA06@qq.com>
Date: Fri, 26 Jul 2024 20:26:05 +0800
From: Edward Adam Davis <eadavis@...com>
To: syzbot+6c6c08700f9480c41fe3@...kaller.appspotmail.com
Cc: linux-kernel@...r.kernel.org,
	syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [wireless?] [usb?] KASAN: use-after-free Read in rtw_load_firmware_cb

Need to wait for wow firmware to complete

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git 933069701c1b

diff --git a/drivers/net/wireless/realtek/rtw88/main.c b/drivers/net/wireless/realtek/rtw88/main.c
index 7ab7a988b123..ba2066aa46d9 100644
--- a/drivers/net/wireless/realtek/rtw88/main.c
+++ b/drivers/net/wireless/realtek/rtw88/main.c
@@ -1316,8 +1316,7 @@ static int rtw_wait_firmware_completion(struct rtw_dev *rtwdev)
 
 	fw = &rtwdev->fw;
 	wait_for_completion(&fw->completion);
-	if (!fw->firmware)
-		return -EINVAL;
+	printk("rtwdev: %p, fw name: %s, wow fw name: %s, fw: %p, %s\n", rtwdev, chip->fw_name, chip->wow_fw_name, fw->firmware, __func__);
 
 	if (chip->wow_fw_name) {
 		fw = &rtwdev->wow_fw;
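Review bot: Deleting the `if (!fw->firmware) return -EINVAL;` check after wait_for_completion(&fw->completion) drops the only visible error return for a failed main firmware load. If the aim is to always reach the wow_fw wait under `if (chip->wow_fw_name)`, store the failure in a local variable and return it after that wait rather than removing it. The printk that replaces the check has no KERN_ log level and should come out again once the test run has answered the question.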
@@ -2174,6 +2173,7 @@ void rtw_core_deinit(struct rtw_dev *rtwdev)
 	struct rtw_rsvd_page *rsvd_pkt, *tmp;
 	unsigned long flags;
 
+	printk("rtwdev: %p, %s\n", rtwdev, __func__);
 	rtw_wait_firmware_completion(rtwdev);
 
 	if (fw->firmware)
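Review bot: The printk added at the top of rtw_core_deinit() formats rtwdev with %p, which the kernel hashes by default, so the printed value cannot be compared with the raw address in the KASAN report unless the test kernel boots with no_hash_pointers. For a throwaway test patch, %px makes the lines directly comparable. The call also lacks a KERN_ level; pr_info() or pr_debug() would state the intent.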
diff --git a/drivers/net/wireless/realtek/rtw88/usb.c b/drivers/net/wireless/realtek/rtw88/usb.c
index a0188511099a..2bbf285c021a 100644
--- a/drivers/net/wireless/realtek/rtw88/usb.c
+++ b/drivers/net/wireless/realtek/rtw88/usb.c
@@ -913,6 +913,7 @@ int rtw_usb_probe(struct usb_interface *intf, const struct usb_device_id *id)
 	rtw_usb_free_rx_bufs(rtwusb);
 
 err_release_hw:
+	printk("rtwdev: %p, %s\n", rtwdev, __func__);
 	ieee80211_free_hw(hw);
 
 	return ret;
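Review bot: The trace under err_release_hw in rtw_usb_probe() does not print ret, so the log shows that the error path ran but not which failure led to it. Adding ret to the format string, for example "rtwdev: %p, ret: %d, %s\n", would make the line useful when reading the console output.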
@@ -944,6 +945,7 @@ void rtw_usb_disconnect(struct usb_interface *intf)
 
 	rtw_usb_intf_deinit(rtwdev, intf);
 	rtw_core_deinit(rtwdev);
+	printk("rtwdev: %p, %s\n", rtwdev, __func__);
 	ieee80211_free_hw(hw);
 }
 EXPORT_SYMBOL(rtw_usb_disconnect);
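Review bot: The printk in rtw_usb_disconnect() between rtw_core_deinit(rtwdev) and ieee80211_free_hw(hw) marks the free, but nothing in this patch traces rtw_load_firmware_cb, the function named in the report subject. Without a matching line from the callback, the log cannot show whether it ran before or after this free, so a trace there with the same pointer would be needed to confirm the ordering.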

