syzbot

 sign-in | mailing list | source | docs
🐞 Open [987] Subsystems 🐞 Fixed [5236] 🐞 Invalid [12505] Missing Backports [83] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 💬 Send us feedback

general protection fault in ath9k_hif_usb_rx_cb

Status: fixed on 2020/07/17 17:58
Subsystems: wireless
[Documentation on labels]
Reported-by: syzbot+40d5d2e8a4680952f042@syzkaller.appspotmail.com
Fix commit: 2bbcaaee1fcb ath9k: Fix general protection fault in ath9k_hif_usb_rx_cb
First crash: 1491d, last: 1377d
Discussions (21)
Title Replies (including bot) Last reply
[PATCH 4.9 000/128] 4.9.228-rc1 review 135 (135) 2021/02/26 19:09
[PATCH 5.4 000/134] 5.4.47-rc1 review 141 (141) 2021/01/28 17:06
[PATCH 4.4 00/54] 4.4.232-rc1 review 57 (57) 2020/07/31 12:47
[PATCH 4.9 00/61] 4.9.232-rc1 review 64 (64) 2020/07/31 12:43
[PATCH 5.7 000/179] 5.7.11-rc1 review 187 (187) 2020/07/29 08:22
[PATCH 4.19 00/86] 4.19.135-rc1 review 109 (109) 2020/07/28 21:18
[PATCH 5.4 000/138] 5.4.54-rc1 review 143 (143) 2020/07/28 18:23
[PATCH 4.14 00/64] 4.14.190-rc1 review 68 (68) 2020/07/28 18:22
[PATCH 0/5] ath9k: bug fixes 17 (17) 2020/07/13 14:26
[PATCH AUTOSEL 4.19 001/106] ath9x: Fix stack-out-of-bounds Write in ath9k_hif_usb_rx_cb 107 (107) 2020/07/11 10:01
[PATCH 4.19 000/267] 4.19.129-rc1 review 280 (280) 2020/06/30 01:36
[PATCH 4.14 000/190] 4.14.185-rc1 review 197 (197) 2020/06/26 07:05
[PATCH 4.4 000/101] 4.4.228-rc1 review 109 (109) 2020/06/20 15:06
[PATCH AUTOSEL 5.7 001/274] drm/amdgpu: fix and cleanup amdgpu_gem_object_close v4 281 (281) 2020/06/17 17:29
[PATCH 5.6 000/161] 5.6.19-rc1 review 164 (164) 2020/06/16 17:11
[PATCH 5.7 000/163] 5.7.3-rc1 review 164 (164) 2020/06/16 15:35
[PATCH AUTOSEL 4.14 01/72] ath9x: Fix stack-out-of-bounds Write in ath9k_hif_usb_rx_cb 76 (76) 2020/06/09 13:55
[PATCH AUTOSEL 4.4 01/37] ath9x: Fix stack-out-of-bounds Write in ath9k_hif_usb_rx_cb 37 (37) 2020/06/08 23:27
[PATCH AUTOSEL 4.9 01/50] ath9x: Fix stack-out-of-bounds Write in ath9k_hif_usb_rx_cb 50 (50) 2020/06/08 23:26
[PATCH AUTOSEL 5.4 001/175] drm/amdgpu: fix and cleanup amdgpu_gem_object_close v4 175 (175) 2020/06/08 23:18
general protection fault in ath9k_hif_usb_rx_cb 2 (5) 2020/04/03 20:32
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream general protection fault in ath9k_hif_usb_rx_cb (2) wireless C error 1678 623d 1377d 22/26 fixed on 2023/02/24 13:50
Last patch testing requests (11)
Created Duration User Patch Repo Result
2020/04/03 20:14 17m anenbupt@gmail.com patch https://github.com/google/kasan.git usb-fuzzer OK
2020/04/03 16:20 16m anenbupt@gmail.com patch https://github.com/google/kasan.git usb-fuzzer OK
2020/04/03 15:24 11m anenbupt@gmail.com patch https://github.com/google/kasan.git usb-fuzzer report log
2020/04/03 15:15 4m anenbupt@gmail.com patch https://github.com/google/kasan.git usb-fuzzer error OK
2020/04/03 15:03 4m anenbupt@gmail.com patch https://github.com/google/kasan.git usb-fuzzer error OK
2020/04/03 14:21 4m anenbupt@gmail.com patch https://github.com/google/kasan.git usb-fuzzer error OK
2020/04/03 12:44 9m anenbupt@gmail.com patch https://github.com/google/kasan.git usb-fuzzer report log
2020/04/03 12:22 9m anenbupt@gmail.com patch https://github.com/google/kasan.git usb-fuzzer report log
2020/04/03 09:28 9m anenbupt@gmail.com patch https://github.com/google/kasan.git usb-fuzzer report log
2020/04/03 04:28 10m anenbupt@gmail.com patch https://github.com/google/kasan.git usb-fuzzer report log
2020/04/03 01:52 9m anenbupt@gmail.com patch https://github.com/google/kasan.git usb-fuzzer report log

Sample crash report:
general protection fault, probably for non-canonical address 0xdffffc0000000015: 0000 [#1] SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000000a8-0x00000000000000af]
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.7.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:usb_get_intfdata include/linux/usb.h:265 [inline]
RIP: 0010:ath9k_hif_usb_rx_cb+0x103/0xf90 drivers/net/wireless/ath/ath9k/hif_usb.c:643
Code: 83 3c 24 00 48 89 c3 0f 84 19 04 00 00 e8 e5 9a 64 fe 48 8d bb a8 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 42 0c 00 00 4c 8b a3 a8 00 00 00 4d 85 e4 0f 84
RSP: 0018:ffff8881db309910 EFLAGS: 00010002
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff836a92fc
RDX: 0000000000000015 RSI: ffffffff82db9fcb RDI: 00000000000000a8
RBP: ffff8881d5550e00 R08: ffff8881da20b180 R09: ffffed1039d0864b
R10: ffff8881ce843253 R11: ffffed1039d0864a R12: 00000000ffffff94
R13: ffff8881d4e2e000 R14: ffff8881d5550e00 R15: ffff8881d5550e00
FS:  0000000000000000(0000) GS:ffff8881db300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000006d00a0 CR3: 00000001d220e000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 __usb_hcd_giveback_urb+0x1f2/0x470 drivers/usb/core/hcd.c:1648
 usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1713
 dummy_timer+0x125e/0x32b4 drivers/usb/gadget/udc/dummy_hcd.c:1966
 call_timer_fn+0x1ac/0x700 kernel/time/timer.c:1405
 expire_timers kernel/time/timer.c:1450 [inline]
 __run_timers kernel/time/timer.c:1774 [inline]
 __run_timers kernel/time/timer.c:1741 [inline]
 run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1787
 __do_softirq+0x21e/0x9aa kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:373 [inline]
 irq_exit+0x178/0x1a0 kernel/softirq.c:413
 exiting_irq arch/x86/include/asm/apic.h:546 [inline]
 smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1140
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
 </IRQ>
RIP: 0010:default_idle+0x28/0x300 arch/x86/kernel/process.c:698
Code: cc cc 41 56 41 55 65 44 8b 2d d4 d2 6b 7a 41 54 55 53 0f 1f 44 00 00 e8 c6 b5 af fb e9 07 00 00 00 0f 00 2d fa 73 4c 00 fb f4 <65> 44 8b 2d b0 d2 6b 7a 0f 1f 44 00 00 5b 5d 41 5c 41 5d 41 5e c3
RSP: 0018:ffff8881da227da8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000007 RBX: ffff8881da20b180 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffff8881da20b9fc
RBP: ffffed103b441630 R08: ffff8881da20b180 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
R13: 0000000000000001 R14: ffffffff87e87b40 R15: 0000000000000000
 cpuidle_idle_call kernel/sched/idle.c:154 [inline]
 do_idle+0x3e0/0x500 kernel/sched/idle.c:269
 cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:361
 start_secondary+0x2a9/0x390 arch/x86/kernel/smpboot.c:268
 secondary_startup_64+0xb6/0xc0 arch/x86/kernel/head_64.S:242
Modules linked in:
---[ end trace 5e7715d0354fde6c ]---
RIP: 0010:usb_get_intfdata include/linux/usb.h:265 [inline]
RIP: 0010:ath9k_hif_usb_rx_cb+0x103/0xf90 drivers/net/wireless/ath/ath9k/hif_usb.c:643
Code: 83 3c 24 00 48 89 c3 0f 84 19 04 00 00 e8 e5 9a 64 fe 48 8d bb a8 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 42 0c 00 00 4c 8b a3 a8 00 00 00 4d 85 e4 0f 84
RSP: 0018:ffff8881db309910 EFLAGS: 00010002
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff836a92fc
RDX: 0000000000000015 RSI: ffffffff82db9fcb RDI: 00000000000000a8
RBP: ffff8881d5550e00 R08: ffff8881da20b180 R09: ffffed1039d0864b
R10: ffff8881ce843253 R11: ffffed1039d0864a R12: 00000000ffffff94
R13: ffff8881d4e2e000 R14: ffff8881d5550e00 R15: ffff8881d5550e00
FS:  0000000000000000(0000) GS:ffff8881db300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000006d00a0 CR3: 00000001d220e000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (913):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/05/14 01:05 https://github.com/google/kasan.git usb-fuzzer 059e7e0ff26c a885920d .config console log report syz C ci2-upstream-usb
2020/03/26 01:03 https://github.com/google/kasan.git usb-fuzzer e17994d1e7b1 e8e6c7d2 .config console log report syz C ci2-upstream-usb
2020/07/17 13:05 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 313da01ad524 54b3c45e .config console log report ci2-upstream-usb
2020/07/17 04:52 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 313da01ad524 54b3c45e .config console log report ci2-upstream-usb
2020/07/16 19:30 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 313da01ad524 b090c643 .config console log report ci2-upstream-usb
2020/07/16 13:35 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 313da01ad524 b090c643 .config console log report ci2-upstream-usb
2020/07/16 10:40 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 313da01ad524 b090c643 .config console log report ci2-upstream-usb
2020/07/16 07:59 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 313da01ad524 ada108d0 .config console log report ci2-upstream-usb
2020/07/16 06:30 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 313da01ad524 ada108d0 .config console log report ci2-upstream-usb
2020/07/16 06:13 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 313da01ad524 ada108d0 .config console log report ci2-upstream-usb
2020/07/16 04:08 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 10fadd5e8117 ada108d0 .config console log report ci2-upstream-usb
2020/07/16 02:49 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 10fadd5e8117 ada108d0 .config console log report ci2-upstream-usb
2020/07/15 20:36 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 10fadd5e8117 ada108d0 .config console log report ci2-upstream-usb
2020/07/15 17:48 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 10fadd5e8117 ada108d0 .config console log report ci2-upstream-usb
2020/07/15 16:44 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 10fadd5e8117 ada108d0 .config console log report ci2-upstream-usb
2020/07/15 15:29 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 10fadd5e8117 ada108d0 .config console log report ci2-upstream-usb
2020/07/15 13:28 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 25051b55a2f6 ada108d0 .config console log report ci2-upstream-usb
2020/07/15 12:03 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 25051b55a2f6 ada108d0 .config console log report ci2-upstream-usb
2020/07/15 10:07 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 25051b55a2f6 ada108d0 .config console log report ci2-upstream-usb
2020/07/15 08:59 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 25051b55a2f6 ada108d0 .config console log report ci2-upstream-usb
2020/07/15 07:33 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 25051b55a2f6 ada108d0 .config console log report ci2-upstream-usb
2020/07/15 06:16 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 25051b55a2f6 ada108d0 .config console log report ci2-upstream-usb
2020/07/15 05:36 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 25051b55a2f6 ada108d0 .config console log report ci2-upstream-usb
2020/07/15 02:38 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 25051b55a2f6 ada108d0 .config console log report ci2-upstream-usb
2020/07/14 20:31 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 25051b55a2f6 6f458026 .config console log report ci2-upstream-usb
2020/07/14 15:45 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 25051b55a2f6 6f458026 .config console log report ci2-upstream-usb
2020/07/14 13:26 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 25051b55a2f6 6f458026 .config console log report ci2-upstream-usb
2020/07/14 12:08 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 25051b55a2f6 6f458026 .config console log report ci2-upstream-usb
2020/07/14 08:06 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 25051b55a2f6 ce4c95b3 .config console log report ci2-upstream-usb
2020/07/14 02:40 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 25051b55a2f6 ce4c95b3 .config console log report ci2-upstream-usb
2020/07/14 00:20 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 25051b55a2f6 ce4c95b3 .config console log report ci2-upstream-usb
2020/07/13 20:18 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 25051b55a2f6 ce4c95b3 .config console log report ci2-upstream-usb
2020/07/13 18:57 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 25051b55a2f6 f90ec899 .config console log report ci2-upstream-usb
2020/07/13 18:50 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 25051b55a2f6 f90ec899 .config console log report ci2-upstream-usb
2020/07/13 16:48 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 25051b55a2f6 f90ec899 .config console log report ci2-upstream-usb
2020/07/13 15:42 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 25051b55a2f6 f90ec899 .config console log report ci2-upstream-usb
2020/07/13 14:33 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 25051b55a2f6 f90ec899 .config console log report ci2-upstream-usb
2020/07/13 13:07 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 25051b55a2f6 f90ec899 .config console log report ci2-upstream-usb
2020/07/13 04:15 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 25051b55a2f6 9ebcc5b1 .config console log report ci2-upstream-usb
2020/07/13 02:38 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 25051b55a2f6 9ebcc5b1 .config console log report ci2-upstream-usb
2020/07/13 01:14 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 25051b55a2f6 9ebcc5b1 .config console log report ci2-upstream-usb
2020/07/12 23:08 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 25051b55a2f6 9ebcc5b1 .config console log report ci2-upstream-usb
2020/07/12 21:13 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 25051b55a2f6 9ebcc5b1 .config console log report ci2-upstream-usb
2020/07/12 20:08 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 25051b55a2f6 9ebcc5b1 .config console log report ci2-upstream-usb
2020/07/12 18:46 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 25051b55a2f6 9ebcc5b1 .config console log report ci2-upstream-usb
2020/07/12 17:34 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 25051b55a2f6 115e1930 .config console log report ci2-upstream-usb
2020/07/12 15:04 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 25051b55a2f6 115e1930 .config console log report ci2-upstream-usb
2020/07/12 13:56 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 25051b55a2f6 115e1930 .config console log report ci2-upstream-usb
2020/07/12 12:54 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 25051b55a2f6 115e1930 .config console log report ci2-upstream-usb
* Struck through repros no longer work on HEAD.