syzbot


KASAN: use-after-free Read in ath9k_wmi_ctrl_rx

Status: fixed on 2020/07/17 17:58
Subsystems: wireless
[Documentation on labels]
Reported-by: syzbot+5d338854440137ea0fef@syzkaller.appspotmail.com
Fix commit: abeaa85054ff ath9k: Fix use-after-free Read in ath9k_wmi_ctrl_rx
First crash: 1437d, last: 1437d
Discussions (15)
Title Replies (including bot) Last reply
[PATCH 4.9 000/128] 4.9.228-rc1 review 135 (135) 2021/02/26 19:09
[PATCH 5.4 000/134] 5.4.47-rc1 review 141 (141) 2021/01/28 17:06
[PATCH 0/5] ath9k: bug fixes 17 (17) 2020/07/13 14:26
[PATCH AUTOSEL 4.19 001/106] ath9x: Fix stack-out-of-bounds Write in ath9k_hif_usb_rx_cb 107 (107) 2020/07/11 10:01
[PATCH 4.19 000/267] 4.19.129-rc1 review 280 (280) 2020/06/30 01:36
[PATCH 4.14 000/190] 4.14.185-rc1 review 197 (197) 2020/06/26 07:05
[PATCH 4.4 000/101] 4.4.228-rc1 review 109 (109) 2020/06/20 15:06
[PATCH AUTOSEL 5.7 001/274] drm/amdgpu: fix and cleanup amdgpu_gem_object_close v4 281 (281) 2020/06/17 17:29
[PATCH 5.6 000/161] 5.6.19-rc1 review 164 (164) 2020/06/16 17:11
[PATCH 5.7 000/163] 5.7.3-rc1 review 164 (164) 2020/06/16 15:35
[PATCH AUTOSEL 4.14 01/72] ath9x: Fix stack-out-of-bounds Write in ath9k_hif_usb_rx_cb 76 (76) 2020/06/09 13:55
[PATCH AUTOSEL 4.4 01/37] ath9x: Fix stack-out-of-bounds Write in ath9k_hif_usb_rx_cb 37 (37) 2020/06/08 23:27
[PATCH AUTOSEL 4.9 01/50] ath9x: Fix stack-out-of-bounds Write in ath9k_hif_usb_rx_cb 50 (50) 2020/06/08 23:26
[PATCH AUTOSEL 5.4 001/175] drm/amdgpu: fix and cleanup amdgpu_gem_object_close v4 175 (175) 2020/06/08 23:18
KASAN: use-after-free Read in ath9k_wmi_ctrl_rx 3 (7) 2020/04/04 04:09
Last patch testing requests (14)
Created Duration User Patch Repo Result
2020/04/04 03:50 18m anenbupt@gmail.com patch https://github.com/google/kasan.git usb-fuzzer OK
2020/04/04 02:18 16m anenbupt@gmail.com patch https://github.com/google/kasan.git usb-fuzzer OK
2020/04/04 01:58 4m anenbupt@gmail.com patch https://github.com/google/kasan.git usb-fuzzer error OK
2020/04/04 01:01 9m anenbupt@gmail.com patch https://github.com/google/kasan.git usb-fuzzer report log
2020/04/04 00:26 9m anenbupt@gmail.com patch https://github.com/google/kasan.git usb-fuzzer report log
2020/04/04 00:04 9m anenbupt@gmail.com patch https://github.com/google/kasan.git usb-fuzzer report log
2020/04/03 23:34 9m anenbupt@gmail.com patch https://github.com/google/kasan.git usb-fuzzer report log
2020/04/03 23:12 9m anenbupt@gmail.com patch https://github.com/google/kasan.git usb-fuzzer report log
2020/04/03 22:08 9m anenbupt@gmail.com patch https://github.com/google/kasan.git usb-fuzzer report log
2020/04/03 20:39 10m anenbupt@gmail.com patch https://github.com/google/kasan.git usb-fuzzer report log
2020/04/03 16:53 16m anenbupt@gmail.com patch https://github.com/google/kasan.git usb-fuzzer OK
2020/04/03 09:29 11m anenbupt@gmail.com patch https://github.com/google/kasan.git usb-fuzzer report log
2020/04/03 04:28 11m anenbupt@gmail.com patch https://github.com/google/kasan.git usb-fuzzer report log
2020/04/03 01:51 9m anenbupt@gmail.com patch https://github.com/google/kasan.git usb-fuzzer report log

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in ath9k_wmi_ctrl_rx+0x416/0x500 drivers/net/wireless/ath/ath9k/wmi.c:215
Read of size 1 at addr ffff8881cef1417c by task swapper/1/0

CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.6.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xef/0x16e lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xd3/0x314 mm/kasan/report.c:374
 __kasan_report.cold+0x37/0x77 mm/kasan/report.c:506
 kasan_report+0xe/0x20 mm/kasan/common.c:641
 ath9k_wmi_ctrl_rx+0x416/0x500 drivers/net/wireless/ath/ath9k/wmi.c:215
 ath9k_htc_rx_msg+0x2da/0xaf0 drivers/net/wireless/ath/ath9k/htc_hst.c:459
 ath9k_hif_usb_reg_in_cb+0x1ba/0x630 drivers/net/wireless/ath/ath9k/hif_usb.c:718
 __usb_hcd_giveback_urb+0x29a/0x550 drivers/usb/core/hcd.c:1650
 usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1716
 dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
 call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
 expire_timers kernel/time/timer.c:1449 [inline]
 __run_timers kernel/time/timer.c:1773 [inline]
 __run_timers kernel/time/timer.c:1740 [inline]
 run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/03/27 02:16 https://github.com/google/kasan.git usb-fuzzer e17994d1e7b1 6d25c5a0 .config console log report syz C ci2-upstream-usb
* Struck through repros no longer work on HEAD.