KASAN: use-after-free Read in p54u_load_firmware

duplicates (1):
Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
KASAN: slab-out-of-bounds Read in p54u_load_firmware_cb wireless usb	syz			8	1950d	2026d	0/28	closed as dup on 2019/08/13 13:28

duplicates (1):

syz

1950d

2026d

0/28

closed as dup on 2019/08/13 13:28

Title	Replies (including bot)	Last reply
[PATCH 4.4 00/76] 4.4.211-stable review	81 (81)	2020/01/22 20:52
[PATCH 3.16 000/132] 3.16.74-rc1 review	141 (141)	2019/11/19 20:40
[PATCH 4.14 00/80] 4.14.134-stable review	87 (87)	2019/07/19 04:44
[PATCH 4.9 00/54] 4.9.186-stable review	61 (61)	2019/07/19 04:41
[PATCH 5.2 00/61] 5.2.1-stable review	78 (78)	2019/07/14 06:02
[PATCH 5.1 000/138] 5.1.18-stable review	156 (156)	2019/07/14 06:01
[PATCH 4.19 00/91] 4.19.59-stable review	99 (99)	2019/07/14 05:34
Reminder: 12 open syzbot bugs in "net/wireless" subsystem	1 (1)	2019/06/25 05:51
[PATCH] network: wireless: p54u: Fix race between disconnect and firmware loading	6 (6)	2019/06/25 04:43
Reminder: 42 open syzbot bugs in usb subsystem	1 (1)	2019/06/25 03:44
KASAN: use-after-free Read in p54u_load_firmware_cb	8 (15)	2019/05/18 20:11

Title

Replies (including bot)

Last reply

[PATCH 4.4 00/76] 4.4.211-stable review

81 (81)

2020/01/22 20:52

[PATCH 3.16 000/132] 3.16.74-rc1 review

141 (141)

2019/11/19 20:40

[PATCH 4.14 00/80] 4.14.134-stable review

87 (87)

2019/07/19 04:44

[PATCH 4.9 00/54] 4.9.186-stable review

61 (61)

2019/07/19 04:41

[PATCH 5.2 00/61] 5.2.1-stable review

78 (78)

2019/07/14 06:02

[PATCH 5.1 000/138] 5.1.18-stable review

156 (156)

2019/07/14 06:01

[PATCH 4.19 00/91] 4.19.59-stable review

99 (99)

2019/07/14 05:34

Reminder: 12 open syzbot bugs in "net/wireless" subsystem

1 (1)

2019/06/25 05:51

[PATCH] network: wireless: p54u: Fix race between disconnect and firmware loading

6 (6)

2019/06/25 04:43

Reminder: 42 open syzbot bugs in usb subsystem

1 (1)

2019/06/25 03:44

KASAN: use-after-free Read in p54u_load_firmware_cb

8 (15)

2019/05/18 20:11


Created	Duration	User	Patch	Repo	Result
2019/05/18 17:49	41m	stern@rowland.harvard.edu	patch	https://github.com/google/kasan.git usb-fuzzer	OK
2019/05/18 17:01	33m	stern@rowland.harvard.edu	patch	https://github.com/google/kasan.git usb-fuzzer	report log
2019/05/18 16:32	16m	stern@rowland.harvard.edu	patch	https://github.com/google/kasan.git usb-fuzzer	error
2019/05/18 15:13	35m	stern@rowland.harvard.edu	patch	https://github.com/google/kasan.git usb-fuzzer	report log
2019/05/17 20:46	14m	stern@rowland.harvard.edu	patch	https://github.com/google/kasan.git usb-fuzzer	error

usb 4-1: Direct firmware load for isl3887usb failed with error -2 usb 4-1: Firmware not found. ================================================================== BUG: KASAN: use-after-free in p54u_load_firmware_cb.cold+0x97/0x13d drivers/net/wireless/intersil/p54/p54usb.c:936 Read of size 8 at addr ffff8881ca22f588 by task kworker/0:6/2861 CPU: 0 PID: 2861 Comm: kworker/0:6 Not tainted 5.2.0-rc1+ #10 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: events request_firmware_work_func Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0xca/0x13e lib/dump_stack.c:113 print_address_description+0x67/0x231 mm/kasan/report.c:188 __kasan_report.cold+0x1a/0x32 mm/kasan/report.c:317 kasan_report+0xe/0x20 mm/kasan/common.c:614 p54u_load_firmware_cb.cold+0x97/0x13d drivers/net/wireless/intersil/p54/p54usb.c:936 request_firmware_work_func+0x126/0x242 drivers/base/firmware_loader/main.c:785 process_one_work+0x905/0x1570 kernel/workqueue.c:2268 worker_thread+0x96/0xe20 kernel/workqueue.c:2414 kthread+0x30b/0x410 kernel/kthread.c:254 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 The buggy address belongs to the page: page:ffffea0007288bc0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 flags: 0x200000000000000() raw: 0200000000000000 0000000000000000 ffffffff07280101 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8881ca22f480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8881ca22f500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff8881ca22f580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff8881ca22f600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8881ca22f680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ==================================================================

Crashes (40):
Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	Manager
2019/05/31 10:13	https://github.com/google/kasan.git usb-fuzzer	69bbe8c72e6f	d9aaf3c2	.config	console log	report	syz	ci2-upstream-usb
2019/05/13 10:22	https://github.com/google/kasan.git usb-fuzzer	43151d6c3fce	16ab1e89	.config	console log	report	syz	ci2-upstream-usb
2019/07/28 20:06	https://github.com/google/kasan.git usb-fuzzer	6a3599ceaa39	c85e1c5b	.config	console log	report		ci2-upstream-usb
2019/07/25 17:17	https://github.com/google/kasan.git usb-fuzzer	6a3599ceaa39	0d7a1249	.config	console log	report		ci2-upstream-usb
2019/07/25 10:51	https://github.com/google/kasan.git usb-fuzzer	6a3599ceaa39	32329ceb	.config	console log	report		ci2-upstream-usb
2019/07/24 19:37	https://github.com/google/kasan.git usb-fuzzer	6a3599ceaa39	32329ceb	.config	console log	report		ci2-upstream-usb
2019/07/24 16:18	https://github.com/google/kasan.git usb-fuzzer	6a3599ceaa39	32329ceb	.config	console log	report		ci2-upstream-usb
2019/07/24 10:50	https://github.com/google/kasan.git usb-fuzzer	6a3599ceaa39	32329ceb	.config	console log	report		ci2-upstream-usb
2019/07/23 13:06	https://github.com/google/kasan.git usb-fuzzer	6a3599ceaa39	bb071d58	.config	console log	report		ci2-upstream-usb
2019/07/22 07:22	https://github.com/google/kasan.git usb-fuzzer	6a3599ceaa39	b3c615f5	.config	console log	report		ci2-upstream-usb
2019/07/21 22:37	https://github.com/google/kasan.git usb-fuzzer	6a3599ceaa39	1656845f	.config	console log	report		ci2-upstream-usb
2019/07/21 16:46	https://github.com/google/kasan.git usb-fuzzer	6a3599ceaa39	1656845f	.config	console log	report		ci2-upstream-usb
2019/07/21 06:19	https://github.com/google/kasan.git usb-fuzzer	6a3599ceaa39	1656845f	.config	console log	report		ci2-upstream-usb
2019/07/21 04:11	https://github.com/google/kasan.git usb-fuzzer	6a3599ceaa39	1656845f	.config	console log	report		ci2-upstream-usb
2019/07/20 21:27	https://github.com/google/kasan.git usb-fuzzer	6a3599ceaa39	1656845f	.config	console log	report		ci2-upstream-usb
2019/07/20 06:35	https://github.com/google/kasan.git usb-fuzzer	6a3599ceaa39	1656845f	.config	console log	report		ci2-upstream-usb
2019/07/20 00:34	https://github.com/google/kasan.git usb-fuzzer	6a3599ceaa39	1656845f	.config	console log	report		ci2-upstream-usb
2019/07/19 04:59	https://github.com/google/kasan.git usb-fuzzer	6a3599ceaa39	7bb222f7	.config	console log	report		ci2-upstream-usb
2019/07/18 20:10	https://github.com/google/kasan.git usb-fuzzer	6a3599ceaa39	7bb222f7	.config	console log	report		ci2-upstream-usb
2019/07/17 10:40	https://github.com/google/kasan.git usb-fuzzer	6a3599ceaa39	0d10349c	.config	console log	report		ci2-upstream-usb
2019/07/09 23:24	https://github.com/google/kasan.git usb-fuzzer	7829a896a587	f62e1e85	.config	console log	report		ci2-upstream-usb
2019/07/09 03:41	https://github.com/google/kasan.git usb-fuzzer	7829a896a587	f62e1e85	.config	console log	report		ci2-upstream-usb
2019/07/08 19:42	https://github.com/google/kasan.git usb-fuzzer	7829a896a587	f62e1e85	.config	console log	report		ci2-upstream-usb
2019/07/07 02:21	https://github.com/google/kasan.git usb-fuzzer	7829a896a587	f62e1e85	.config	console log	report		ci2-upstream-usb
2019/07/06 17:31	https://github.com/google/kasan.git usb-fuzzer	7829a896a587	f62e1e85	.config	console log	report		ci2-upstream-usb
2019/07/06 15:20	https://github.com/google/kasan.git usb-fuzzer	7829a896a587	f62e1e85	.config	console log	report		ci2-upstream-usb
2019/07/05 14:35	https://github.com/google/kasan.git usb-fuzzer	7829a896a587	429efa16	.config	console log	report		ci2-upstream-usb
2019/07/05 13:08	https://github.com/google/kasan.git usb-fuzzer	7829a896a587	429efa16	.config	console log	report		ci2-upstream-usb
2019/06/28 08:38	https://github.com/google/kasan.git usb-fuzzer	7829a896a587	7509bf36	.config	console log	report		ci2-upstream-usb
2019/06/26 05:23	https://github.com/google/kasan.git usb-fuzzer	9939f56ee6c0	0a8d1a96	.config	console log	report		ci2-upstream-usb
2019/06/14 02:10	https://github.com/google/kasan.git usb-fuzzer	69bbe8c72e6f	d25bb7ad	.config	console log	report		ci2-upstream-usb
2019/06/04 19:53	https://github.com/google/kasan.git usb-fuzzer	69bbe8c72e6f	e41a20c5	.config	console log	report		ci2-upstream-usb
2019/06/03 09:58	https://github.com/google/kasan.git usb-fuzzer	69bbe8c72e6f	53c81ea5	.config	console log	report		ci2-upstream-usb
2019/06/03 06:46	https://github.com/google/kasan.git usb-fuzzer	69bbe8c72e6f	53c81ea5	.config	console log	report		ci2-upstream-usb
2019/06/01 23:14	https://github.com/google/kasan.git usb-fuzzer	69bbe8c72e6f	53c81ea5	.config	console log	report		ci2-upstream-usb
2019/06/01 14:53	https://github.com/google/kasan.git usb-fuzzer	69bbe8c72e6f	53c81ea5	.config	console log	report		ci2-upstream-usb
2019/06/01 08:57	https://github.com/google/kasan.git usb-fuzzer	69bbe8c72e6f	53c81ea5	.config	console log	report		ci2-upstream-usb
2019/06/01 03:40	https://github.com/google/kasan.git usb-fuzzer	69bbe8c72e6f	53c81ea5	.config	console log	report		ci2-upstream-usb
2019/05/13 09:27	https://github.com/google/kasan.git usb-fuzzer	43151d6c3fce	16ab1e89	.config	console log	report		ci2-upstream-usb
2019/05/05 13:12	https://github.com/google/kasan.git usb-fuzzer	43151d6c3fce	d28f4ce5	.config	console log	report		ci2-upstream-usb

Crashes (40):

Assets (help?)

2019/05/31 10:13

https://github.com/google/kasan.git usb-fuzzer