lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <2025120716-sway-hypnotic-8cb6@gregkh>
Date: Sun, 7 Dec 2025 08:55:59 +0900
From: Greg KH <greg@...ah.com>
To: Michal Pecio <michal.pecio@...il.com>
Cc: Bitterblue Smith <rtl8821cerfe2@...il.com>,
	Ping-Ke Shih <pkshih@...ltek.com>, Zenm Chen <zenmchen@...il.com>,
	"gustavo@...eddedor.com" <gustavo@...eddedor.com>,
	"Jes.Sorensen@...il.com" <Jes.Sorensen@...il.com>,
	"gustavoars@...nel.org" <gustavoars@...nel.org>,
	"linux-hardening@...r.kernel.org" <linux-hardening@...r.kernel.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	"linux-wireless@...r.kernel.org" <linux-wireless@...r.kernel.org>,
	linux-usb@...r.kernel.org
Subject: Re: [PATCH][next] wifi: rtl8xxxu: Avoid
 -Wflex-array-member-not-at-end warnings

On Sun, Dec 07, 2025 at 12:16:08AM +0100, Michal Pecio wrote:
> Hi,
> 
> > >> I got something. In my case everything seemed fine until I
> > >> unplugged the wifi adapter. And then the system still worked for a
> > >> few minutes before it froze.
> 
> Sounds like memory corruption.
> 
> > > Zenm and I tested below changes which can also reproduce the
> > > symptom, so I wonder driver might assume urb is the first member of
> > > struct, but unfortunately I can't find that.
> 
> That's what it seems to be doing, because it uses usb_init_urb()
> on urbs embedded in some struct and then usb_free_urb().
> 
> If you look what usb_free_urb() does, it decrements refcount and
> attempts to free urb. But here urb is a member of a larger struct,
> so I guess the whole struct is freed (and this was either intentional
> or a bug that didn't happen to blow up yet).

That's not ok at all, it's amazing this is working today.  urbs need to
be "stand alone" structures and never embedded into anything else.

So this needs to be fixed up no matter what.

thanks,

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ