KASAN: use-after-free Read in ath9k_htc_rx

Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported
KASAN: use-after-free Write in ath9k_htc_rx_msg wireless	C			93	1750d	1828d

1750d

1828d

Title	Replies (including bot)	Last reply
KASAN: use-after-free Read in ath9k_htc_rx_msg	1 (2)	2020/06/12 13:03

================================================================== BUG: KASAN: use-after-free in __wake_up_common+0x634/0x650 kernel/sched/wait.c:86 Read of size 8 at addr ffff8881cec10000 by task swapper/1/0 CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.6.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0xef/0x16e lib/dump_stack.c:118 print_address_description.constprop.0.cold+0xd3/0x314 mm/kasan/report.c:374 __kasan_report.cold+0x37/0x77 mm/kasan/report.c:506 kasan_report+0xe/0x20 mm/kasan/common.c:641 __wake_up_common+0x634/0x650 kernel/sched/wait.c:86 complete+0x51/0x70 kernel/sched/completion.c:36 htc_process_conn_rsp drivers/net/wireless/ath/ath9k/htc_hst.c:138 [inline] ath9k_htc_rx_msg+0x7c2/0xaf0 drivers/net/wireless/ath/ath9k/htc_hst.c:443 ath9k_hif_usb_reg_in_cb+0x1ba/0x630 drivers/net/wireless/ath/ath9k/hif_usb.c:718 __usb_hcd_giveback_urb+0x29a/0x550 drivers/usb/core/hcd.c:1650 usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1716 dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966

Crashes (3):
Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	Manager
2020/03/26 14:42	https://github.com/google/kasan.git usb-fuzzer	e17994d1e7b1	6d25c5a0	.config	console log	report	syz	C	ci2-upstream-usb
2020/04/07 07:34	https://github.com/google/kasan.git usb-fuzzer	0fa84af850a4	99a96044	.config	console log	report			ci2-upstream-usb
2020/03/27 21:15	https://github.com/google/kasan.git usb-fuzzer	e17994d1e7b1	831e9a81	.config	console log	report			ci2-upstream-usb

Crashes (3):