syzbot

 sign-in | mailing list | source | docs
🐞 Open [955] Subsystems 🐞 Fixed [4575] 🐞 Invalid [10562] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 💬 Send us feedback

KASAN: use-after-free Read in rtl_fw_do_work

Status: upstream: reported C repro on 2020/08/11 17:00
Labels: usb wireless (incorrect?)
Reported-by: syzbot+ff4b26b0bfbff2dc7960@syzkaller.appspotmail.com
First crash: 1033d, last: 909d
Discussions (1)
Title Replies (including bot) Last reply
KASAN: use-after-free Read in rtl_fw_do_work 0 (2) 2020/08/19 11:28
Last patch testing requests (12)
Created Duration User Patch Repo Result
2023/04/12 17:11 21m retest repro https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing OK log
2023/04/12 16:11 21m retest repro https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing report log
2023/01/01 12:31 15m retest repro https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing OK log
2023/01/01 02:31 16m retest repro https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing report log
2022/12/31 17:31 17m retest repro https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing OK log
2022/12/31 16:31 21m retest repro https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing report log
2022/12/31 06:31 21m retest repro https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing OK log
2022/09/02 22:27 17m retest repro https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing error
2022/09/02 21:27 16m retest repro https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing error
2022/09/02 20:27 16m retest repro https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing error
2020/09/15 14:53 16m anant.thazhemadam@gmail.com upstream OK
2020/08/29 05:58 18m brookebasile@gmail.com upstream report log

Sample crash report:
usb 5-1: Direct firmware load for rtlwifi/rtl8192cufw_TMSC.bin failed with error -2
usb 5-1: Direct firmware load for rtlwifi/rtl8192cufw.bin failed with error -2
==================================================================
BUG: KASAN: use-after-free in rtl_fw_do_work+0x407/0x430 drivers/net/wireless/realtek/rtlwifi/core.c:87
Read of size 8 at addr ffff88811aa4ff58 by task kworker/0:2/2169

CPU: 0 PID: 2169 Comm: kworker/0:2 Not tainted 5.10.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events request_firmware_work_func
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xae/0x4c8 mm/kasan/report.c:385
 __kasan_report mm/kasan/report.c:545 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:562
 rtl_fw_do_work+0x407/0x430 drivers/net/wireless/realtek/rtlwifi/core.c:87
 request_firmware_work_func+0x12c/0x230 drivers/base/firmware_loader/main.c:1079
 process_one_work+0x933/0x1520 kernel/workqueue.c:2272
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2418
 kthread+0x38c/0x460 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296

The buggy address belongs to the page:
page:00000000f5ab9dad refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11aa4f
flags: 0x200000000000000()
raw: 0200000000000000 0000000000000000 ffffea00046a93c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88811aa4fe00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88811aa4fe80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88811aa4ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                    ^
 ffff88811aa4ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88811aa50000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (16):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2020/12/11 09:01 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 8704fd73bf56 f900b48c .config console log report syz C ci2-upstream-usb
2020/12/11 19:50 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 3db4c21c0f71 ba24ffcd .config console log report syz C ci2-upstream-usb
2020/08/19 11:27 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 28157b8c7d9a e1c29030 .config console log report syz C ci2-upstream-usb
2020/12/13 02:53 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing a256e24021bf bca53db9 .config console log report syz ci2-upstream-usb
2020/12/11 23:08 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 3db4c21c0f71 ba24ffcd .config console log report syz ci2-upstream-usb
2020/12/13 08:45 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing a256e24021bf bca53db9 .config console log report info ci2-upstream-usb
2020/12/12 21:41 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing a256e24021bf bca53db9 .config console log report info ci2-upstream-usb
2020/12/10 12:49 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing d2a968dddf98 2a55c22b .config console log report info ci2-upstream-usb
2020/12/09 13:44 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing b175d273d4e4 99917735 .config console log report info ci2-upstream-usb
2020/08/30 19:42 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 3ed8e1c2ac99 d5a3ae1f .config console log report ci2-upstream-usb
2020/08/30 17:33 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 3ed8e1c2ac99 d5a3ae1f .config console log report ci2-upstream-usb
2020/08/27 06:23 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing cb06b385d536 816e0689 .config console log report ci2-upstream-usb
2020/08/24 23:07 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 28157b8c7d9a 67b599d1 .config console log report ci2-upstream-usb
2020/08/24 16:32 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 28157b8c7d9a 67b599d1 .config console log report ci2-upstream-usb
2020/08/14 03:53 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 449dc8c97089 54ce1ed6 .config console log report ci2-upstream-usb
2020/08/10 21:34 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 449dc8c97089 7adc7b65 .config console log report ci2-upstream-usb
* Struck through repros no longer work on HEAD.