In the Linux kernel, the following vulnerability has been resolved:
staging: rtl8712: fix use-after-free in rtl8712dlfw
Syzbot reported use-after-free in rtl8712dlfw(). The problem was in race condition between r871xudevremove() ->ndo_open() callback.
It's easy to see from crash log, that driver accesses released firmware in ->ndoopen() callback. It may happen, since driver was releasing firmware _before unregistering netdev. Fix it by moving unregister_netdev() before cleaning up resources.
Call Trace: ... rtl871xopenfw drivers/staging/rtl8712/halinit.c:83 [inline] rtl8712dlfw+0xd95/0xe10 drivers/staging/rtl8712/halinit.c:170 rtl8712halinit drivers/staging/rtl8712/halinit.c:330 [inline] rtl871xhalinit+0xae/0x180 drivers/staging/rtl8712/halinit.c:394 netdevopen+0xe6/0x6c0 drivers/staging/rtl8712/osintfs.c:380 _devopen+0x2bc/0x4d0 net/core/dev.c:1484
Freed by task 1306: ... releasefirmware+0x1b/0x30 drivers/base/firmwareloader/main.c:1053 r871xudevremove+0xcc/0x2c0 drivers/staging/rtl8712/usbintf.c:599 usbunbind_interface+0x1d8/0x8d0 drivers/usb/core/driver.c:458