syzbot


KASAN: use-after-free Write in ath9k_htc_rx_msg

Status: fixed on 2020/07/17 17:58
Reported-by: syzbot+b1c61e5f11be5782f192@syzkaller.appspotmail.com
Fix commit: e4ff08a4d727 ath9k: Fix use-after-free Write in ath9k_htc_rx_msg
First crash: 868d, last: 789d
duplicates (3):
Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
INFO: trying to register non-static key in ath9k_htc_rx_msg C 2 803d 866d 0/23 closed as dup on 2020/06/12 13:02
KASAN: use-after-free Read in ath9k_htc_rx_msg C 3 855d 867d 0/23 closed as dup on 2020/06/12 13:03
KASAN: slab-out-of-bounds Write in ath9k_htc_rx_msg C 393 789d 867d 0/23 closed as dup on 2020/06/12 13:03
Patch testing requests:
Created Duration User Patch Repo Result
2020/04/03 20:40 16m anenbupt@gmail.com patch https://github.com/google/kasan.git usb-fuzzer OK
2020/04/03 01:49 16m anenbupt@gmail.com patch https://github.com/google/kasan.git usb-fuzzer OK
2020/04/03 01:12 16m anenbupt@gmail.com patch https://github.com/google/kasan.git usb-fuzzer OK
2020/04/03 00:32 12m anenbupt@gmail.com patch https://github.com/google/kasan.git usb-fuzzer report log
2020/04/02 16:20 4m anenbupt@gmail.com patch https://github.com/google/kasan.git usb-fuzzer error
2020/04/02 14:51 11m anenbupt@gmail.com patch https://github.com/google/kasan.git usb-fuzzer report log
2020/04/02 13:56 10m anenbupt@gmail.com patch https://github.com/google/kasan.git usb-fuzzer report log
2020/04/01 13:05 10m anenbupt@gmail.com patch https://github.com/google/kasan.git usb-fuzzer report log
2020/04/01 11:42 11m anenbupt@gmail.com patch https://github.com/google/kasan.git usb-fuzzer report log
2020/04/01 07:56 9m anenbupt@gmail.com patch https://github.com/google/kasan.git usb-fuzzer report log
2020/04/01 05:02 9m anenbupt@gmail.com patch https://github.com/google/kasan.git usb-fuzzer report log
2020/04/01 03:25 10m anenbupt@gmail.com patch https://github.com/google/kasan.git usb-fuzzer report log
2020/03/31 16:37 9m anenbupt@gmail.com patch https://github.com/google/kasan.git usb-fuzzer report log

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in htc_process_conn_rsp drivers/net/wireless/ath/ath9k/htc_hst.c:131 [inline]
BUG: KASAN: use-after-free in ath9k_htc_rx_msg+0xa25/0xaf0 drivers/net/wireless/ath/ath9k/htc_hst.c:443
Write of size 2 at addr ffff8881cd2804b0 by task swapper/1/0

CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.7.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xef/0x16e lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xd3/0x415 mm/kasan/report.c:382
 __kasan_report.cold+0x37/0x7d mm/kasan/report.c:511
 kasan_report+0x33/0x50 mm/kasan/common.c:625
 htc_process_conn_rsp drivers/net/wireless/ath/ath9k/htc_hst.c:131 [inline]
 ath9k_htc_rx_msg+0xa25/0xaf0 drivers/net/wireless/ath/ath9k/htc_hst.c:443
 ath9k_hif_usb_reg_in_cb+0x1c0/0x630 drivers/net/wireless/ath/ath9k/hif_usb.c:718
 __usb_hcd_giveback_urb+0x29a/0x550 drivers/usb/core/hcd.c:1650
 usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1716
 dummy_timer+0x125e/0x32b4 drivers/usb/gadget/udc/dummy_hcd.c:1967
 call_timer_fn+0x1ac/0x700 kernel/time/timer.c:1405

Crashes (93):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci2-upstream-usb 2020/05/31 03:43 https://github.com/google/kasan.git usb-fuzzer 2089c6ed5a17 6f3e1c7c .config log report syz C
ci2-upstream-usb 2020/05/30 09:13 https://github.com/google/kasan.git usb-fuzzer 2089c6ed5a17 954bd312 .config log report syz C
ci2-upstream-usb 2020/05/29 11:16 https://github.com/google/kasan.git usb-fuzzer d19c64b3d097 d19ed305 .config log report syz C
ci2-upstream-usb 2020/05/29 06:36 https://github.com/google/kasan.git usb-fuzzer d19c64b3d097 d19ed305 .config log report syz C
ci2-upstream-usb 2020/05/29 03:56 https://github.com/google/kasan.git usb-fuzzer d19c64b3d097 d19ed305 .config log report syz C
ci2-upstream-usb 2020/04/20 19:41 https://github.com/google/kasan.git usb-fuzzer 0fa84af850a4 347a5dc3 .config log report syz C
ci2-upstream-usb 2020/04/07 20:10 https://github.com/google/kasan.git usb-fuzzer 0fa84af850a4 db9bcd4b .config log report syz C
ci2-upstream-usb 2020/03/28 22:49 https://github.com/google/kasan.git usb-fuzzer 0fa84af850a4 f1ebdfba .config log report syz C
ci2-upstream-usb 2020/03/27 14:12 https://github.com/google/kasan.git usb-fuzzer e17994d1e7b1 831e9a81 .config log report syz C
ci2-upstream-usb 2020/03/25 21:37 https://github.com/google/kasan.git usb-fuzzer e17994d1e7b1 e8e6c7d2 .config log report syz C
ci2-upstream-usb 2020/06/12 00:07 https://github.com/google/kasan.git usb-fuzzer 2089c6ed5a17 1beaee21 .config log report
ci2-upstream-usb 2020/06/11 21:14 https://github.com/google/kasan.git usb-fuzzer 2089c6ed5a17 1beaee21 .config log report
ci2-upstream-usb 2020/06/11 14:25 https://github.com/google/kasan.git usb-fuzzer 2089c6ed5a17 3ab7a05a .config log report
ci2-upstream-usb 2020/06/11 08:35 https://github.com/google/kasan.git usb-fuzzer 2089c6ed5a17 3ab7a05a .config log report
ci2-upstream-usb 2020/06/11 07:10 https://github.com/google/kasan.git usb-fuzzer 2089c6ed5a17 3ab7a05a .config log report
ci2-upstream-usb 2020/06/11 03:55 https://github.com/google/kasan.git usb-fuzzer 2089c6ed5a17 3ab7a05a .config log report
ci2-upstream-usb 2020/06/10 01:19 https://github.com/google/kasan.git usb-fuzzer 2089c6ed5a17 860c4de9 .config log report
ci2-upstream-usb 2020/06/09 06:26 https://github.com/google/kasan.git usb-fuzzer 2089c6ed5a17 0d60b78a .config log report
ci2-upstream-usb 2020/06/09 03:10 https://github.com/google/kasan.git usb-fuzzer 2089c6ed5a17 0d60b78a .config log report
ci2-upstream-usb 2020/06/08 16:45 https://github.com/google/kasan.git usb-fuzzer 2089c6ed5a17 7604bb03 .config log report
ci2-upstream-usb 2020/06/07 17:56 https://github.com/google/kasan.git usb-fuzzer 2089c6ed5a17 2c2b926c .config log report
ci2-upstream-usb 2020/06/07 16:15 https://github.com/google/kasan.git usb-fuzzer 2089c6ed5a17 2c2b926c .config log report
ci2-upstream-usb 2020/06/07 06:25 https://github.com/google/kasan.git usb-fuzzer 2089c6ed5a17 e6b89e4e .config log report
ci2-upstream-usb 2020/06/07 04:59 https://github.com/google/kasan.git usb-fuzzer 2089c6ed5a17 e6b89e4e .config log report
ci2-upstream-usb 2020/06/06 17:46 https://github.com/google/kasan.git usb-fuzzer 2089c6ed5a17 e6b89e4e .config log report
ci2-upstream-usb 2020/06/06 11:07 https://github.com/google/kasan.git usb-fuzzer 2089c6ed5a17 c3e9afb3 .config log report
ci2-upstream-usb 2020/06/06 06:55 https://github.com/google/kasan.git usb-fuzzer 2089c6ed5a17 c3e9afb3 .config log report
ci2-upstream-usb 2020/06/04 01:45 https://github.com/google/kasan.git usb-fuzzer 2089c6ed5a17 b0d1c0d5 .config log report
ci2-upstream-usb 2020/06/03 18:38 https://github.com/google/kasan.git usb-fuzzer 2089c6ed5a17 a5ce5de0 .config log report
ci2-upstream-usb 2020/06/03 07:15 https://github.com/google/kasan.git usb-fuzzer 2089c6ed5a17 f3ba1b5b .config log report
ci2-upstream-usb 2020/06/03 02:56 https://github.com/google/kasan.git usb-fuzzer 2089c6ed5a17 f3ba1b5b .config log report
ci2-upstream-usb 2020/06/02 16:42 https://github.com/google/kasan.git usb-fuzzer 2089c6ed5a17 52fd7b7d .config log report
ci2-upstream-usb 2020/06/02 03:54 https://github.com/google/kasan.git usb-fuzzer 2089c6ed5a17 a0331e89 .config log report
ci2-upstream-usb 2020/06/01 17:37 https://github.com/google/kasan.git usb-fuzzer 2089c6ed5a17 a0331e89 .config log report
ci2-upstream-usb 2020/06/01 16:09 https://github.com/google/kasan.git usb-fuzzer 2089c6ed5a17 a0331e89 .config log report
ci2-upstream-usb 2020/05/31 21:00 https://github.com/google/kasan.git usb-fuzzer 2089c6ed5a17 a0331e89 .config log report
ci2-upstream-usb 2020/05/31 06:43 https://github.com/google/kasan.git usb-fuzzer 2089c6ed5a17 6f3e1c7c .config log report
ci2-upstream-usb 2020/05/30 22:03 https://github.com/google/kasan.git usb-fuzzer 2089c6ed5a17 6f3e1c7c .config log report
ci2-upstream-usb 2020/05/29 07:57 https://github.com/google/kasan.git usb-fuzzer d19c64b3d097 d19ed305 .config log report
ci2-upstream-usb 2020/05/29 03:08 https://github.com/google/kasan.git usb-fuzzer d19c64b3d097 d19ed305 .config log report
ci2-upstream-usb 2020/05/25 19:08 https://github.com/google/kasan.git usb-fuzzer 806d8acc2890 73964a9b .config log report
ci2-upstream-usb 2020/05/25 17:37 https://github.com/google/kasan.git usb-fuzzer 806d8acc2890 73964a9b .config log report
ci2-upstream-usb 2020/05/25 11:10 https://github.com/google/kasan.git usb-fuzzer 806d8acc2890 11284182 .config log report
ci2-upstream-usb 2020/05/25 02:17 https://github.com/google/kasan.git usb-fuzzer 806d8acc2890 11284182 .config log report
ci2-upstream-usb 2020/05/25 00:24 https://github.com/google/kasan.git usb-fuzzer 806d8acc2890 ce7ca010 .config log report
ci2-upstream-usb 2020/05/24 22:13 https://github.com/google/kasan.git usb-fuzzer 806d8acc2890 ce7ca010 .config log report
ci2-upstream-usb 2020/05/24 19:38 https://github.com/google/kasan.git usb-fuzzer 806d8acc2890 ce7ca010 .config log report
ci2-upstream-usb 2020/05/24 14:13 https://github.com/google/kasan.git usb-fuzzer 806d8acc2890 ce7ca010 .config log report
ci2-upstream-usb 2020/05/24 11:08 https://github.com/google/kasan.git usb-fuzzer 806d8acc2890 96c92ad3 .config log report
ci2-upstream-usb 2020/05/23 09:49 https://github.com/google/kasan.git usb-fuzzer 806d8acc2890 4afdfa20 .config log report
ci2-upstream-usb 2020/05/23 05:35 https://github.com/google/kasan.git usb-fuzzer 806d8acc2890 4afdfa20 .config log report
ci2-upstream-usb 2020/05/22 19:31 https://github.com/google/kasan.git usb-fuzzer 806d8acc2890 4afdfa20 .config log report
ci2-upstream-usb 2020/05/22 13:15 https://github.com/google/kasan.git usb-fuzzer 806d8acc2890 4afdfa20 .config log report