syzbot

 sign-in | mailing list | source | docs
🐞 Open [1169] Subsystems 🐞 Fixed [4404] 🐞 Invalid [9905] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 💬 Send us feedback

KASAN: use-after-free Read in ath9k_wmi_ctrl_rx

Status: fixed on 2020/07/17 17:58
Subsystems: wireless (incorrect?)
Reported-by: syzbot+5d338854440137ea0fef@syzkaller.appspotmail.com
Fix commit: abeaa85054ff ath9k: Fix use-after-free Read in ath9k_wmi_ctrl_rx
First crash: 1094d, last: 1094d
Last patch testing requests:
Created Duration User Patch Repo Result
2020/04/04 03:50 18m anenbupt@gmail.com patch https://github.com/google/kasan.git usb-fuzzer OK
2020/04/04 02:18 16m anenbupt@gmail.com patch https://github.com/google/kasan.git usb-fuzzer OK
2020/04/04 01:58 4m anenbupt@gmail.com patch https://github.com/google/kasan.git usb-fuzzer error
2020/04/04 01:01 9m anenbupt@gmail.com patch https://github.com/google/kasan.git usb-fuzzer report log
2020/04/04 00:26 9m anenbupt@gmail.com patch https://github.com/google/kasan.git usb-fuzzer report log
2020/04/04 00:04 9m anenbupt@gmail.com patch https://github.com/google/kasan.git usb-fuzzer report log
2020/04/03 23:34 9m anenbupt@gmail.com patch https://github.com/google/kasan.git usb-fuzzer report log
2020/04/03 23:12 9m anenbupt@gmail.com patch https://github.com/google/kasan.git usb-fuzzer report log
2020/04/03 22:08 9m anenbupt@gmail.com patch https://github.com/google/kasan.git usb-fuzzer report log
2020/04/03 20:39 10m anenbupt@gmail.com patch https://github.com/google/kasan.git usb-fuzzer report log
2020/04/03 16:53 16m anenbupt@gmail.com patch https://github.com/google/kasan.git usb-fuzzer OK
2020/04/03 09:29 11m anenbupt@gmail.com patch https://github.com/google/kasan.git usb-fuzzer report log
2020/04/03 04:28 11m anenbupt@gmail.com patch https://github.com/google/kasan.git usb-fuzzer report log
2020/04/03 01:51 9m anenbupt@gmail.com patch https://github.com/google/kasan.git usb-fuzzer report log

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in ath9k_wmi_ctrl_rx+0x416/0x500 drivers/net/wireless/ath/ath9k/wmi.c:215
Read of size 1 at addr ffff8881cef1417c by task swapper/1/0

CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.6.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xef/0x16e lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xd3/0x314 mm/kasan/report.c:374
 __kasan_report.cold+0x37/0x77 mm/kasan/report.c:506
 kasan_report+0xe/0x20 mm/kasan/common.c:641
 ath9k_wmi_ctrl_rx+0x416/0x500 drivers/net/wireless/ath/ath9k/wmi.c:215
 ath9k_htc_rx_msg+0x2da/0xaf0 drivers/net/wireless/ath/ath9k/htc_hst.c:459
 ath9k_hif_usb_reg_in_cb+0x1ba/0x630 drivers/net/wireless/ath/ath9k/hif_usb.c:718
 __usb_hcd_giveback_urb+0x29a/0x550 drivers/usb/core/hcd.c:1650
 usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1716
 dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
 call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
 expire_timers kernel/time/timer.c:1449 [inline]
 __run_timers kernel/time/timer.c:1773 [inline]
 __run_timers kernel/time/timer.c:1740 [inline]
 run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786

Crashes (1):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Title
ci2-upstream-usb 2020/03/27 02:16 https://github.com/google/kasan.git usb-fuzzer e17994d1e7b1 6d25c5a0 .config console log report syz C
* Struck through repros no longer work on HEAD.