From: Alexandra Winter <wintera@linux.ibm.com>
To: Nagamani PV <nagamani@linux.ibm.com>,
aswin@linux.ibm.com, sidraya@linux.ibm.com,
hidayath@linux.ibm.com, pasic@linux.ibm.com,
mjambigi@linux.ibm.com, dk@linux.ibm.com, twinkler@linux.ibm.com,
jaka@linux.ibm.com, wenjia@linux.ibm.com, gbayer@linux.ibm.com,
linux390-list@tuxmaker.boeblingen.de.ibm.com
Cc: stable@vger.kernel.org, syzbotz+89435e7383b82238dd91@linux.ibm.com
Subject: Re: [PATCH net-next V2] net/iucv: fix UAF in afiucv_netdev_event()
Date: Wed, 13 May 2026 10:29:24 +0200
Message-ID: <a4abf54e-0b4a-4bb0-b752-bf9dc38a913a@linux.ibm.com>
In-Reply-To: <2efe3303-32cb-4e91-93db-9e78848c642f@linux.ibm.com>
On 11.05.26 15:38, Nagamani PV wrote:
>
>
> On 11/05/26 2:41 PM, Alexandra Winter wrote:
>>
>>
>> On 08.05.26 19:05, Nagamani PV wrote:
>>> Fixes: 9fbd87d41392 ("af_iucv: handle netdev events")
>>> Cc: stable@vger.kernel.org
>>> Reported-by: syzbotz+89435e7383b82238dd91@linux.ibm.com
>>> Closes: https://lnxgwne1.boeblingen.de.ibm.com/linux-ci/syzbot/dashboard/bug?extid=89435e7383b82238dd91
>>
>> This is an internal website, so we cannot report it upstream.
>> I am not 100% sure how to handle this case.
>> Note that Heiko said it's ok to use Reported-by without Closes, even if checkpatch complains.
>> (He was referring to Reported-by a person, though).
>> I would add the KASAN report and remove both tags, if you ask me.
>>
>>
[...]
>> I agree with the analysis and the patch.
> Hi Alexandra,
> Thanks for the detailed review.
> I’ll simplify the commit message to be less verbose, include a relevant excerpt of the syzbot KASAN report, and remove the internal dashboard link. I’ll keep the Reported-by: syzbot… tag and drop Closes: as suggested.
I don't see the benefit in keeping the Reported-by; I don't think our local syzbot reacts to that. But no strong feelings.
The fix will be targeted to net, not net‑next.
> Regarding KASAN: the issue was detected by a syzbot CI run with KASAN enabled. The report does not provide a standalone reproducer or named testcase. I did not rerun the original CI workload, as no reproducer is available; the fix is based on analysis of the reported race and the syzbot KASAN trace.
Now that you understand the path to the UAF, can't you reproduce the KASAN warning yourself?
Can't you write a bash script (tela tc?) that triggers this? Probably by looping instructions for some amount of time.
Then run this script against the fixed debug kernel, to see that there are no other gaps in that area.
(Later you can decide whether it makes sense to add this to CI)