* KASAN: stack-out-of-bounds Write in ath9k_hif_usb_rx_cb
@ 2020-03-30 18:21 syzbot
  2020-03-31 2:38 ` Qiujun Huang
  2020-04-03 20:40 ` Qiujun Huang
  0 siblings, 2 replies; 7+ messages in thread
From: syzbot @ 2020-03-30 18:21 UTC
  To: andreyknvl, ath9k-devel, davem, kvalo, linux-kernel, linux-usb,
      linux-wireless, netdev, syzkaller-bugs

Hello,

syzbot found the following crash on:

HEAD commit: 0fa84af8 Merge tag 'usb-serial-5.7-rc1' of https://git.ker..
git tree: https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=159a0583e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=a782c087b1f425c6
dashboard link: https://syzkaller.appspot.com/bug?extid=d403396d4df67ad0bd5f
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=177a266de00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1579f947e00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+d403396d4df67ad0bd5f@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: stack-out-of-bounds in ath9k_hif_usb_rx_stream drivers/net/wireless/ath/ath9k/hif_usb.c:626 [inline]
BUG: KASAN: stack-out-of-bounds in ath9k_hif_usb_rx_cb+0xdf6/0xf70 drivers/net/wireless/ath/ath9k/hif_usb.c:666
Write of size 8 at addr ffff8881db309a28 by task swapper/1/0

CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.6.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xef/0x16e lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xd3/0x314 mm/kasan/report.c:374
 __kasan_report.cold+0x37/0x77 mm/kasan/report.c:506
 kasan_report+0xe/0x20 mm/kasan/common.c:641
 ath9k_hif_usb_rx_stream drivers/net/wireless/ath/ath9k/hif_usb.c:626 [inline]
 ath9k_hif_usb_rx_cb+0xdf6/0xf70 drivers/net/wireless/ath/ath9k/hif_usb.c:666
 __usb_hcd_giveback_urb+0x1f2/0x470 drivers/usb/core/hcd.c:1648
 usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1713
 dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
 call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
 expire_timers kernel/time/timer.c:1449 [inline]
 __run_timers kernel/time/timer.c:1773 [inline]
 __run_timers kernel/time/timer.c:1740 [inline]
 run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786

---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

* Re: KASAN: stack-out-of-bounds Write in ath9k_hif_usb_rx_cb
  2020-03-30 18:21 KASAN: stack-out-of-bounds Write in ath9k_hif_usb_rx_cb syzbot
@ 2020-03-31 2:38 ` Qiujun Huang
  2020-03-31 2:45 ` syzbot
  2020-04-03 20:40 ` Qiujun Huang
  1 sibling, 1 reply; 7+ messages in thread
From: Qiujun Huang @ 2020-03-31 2:38 UTC
  To: syzbot
  Cc: Andrey Konovalov, ath9k-devel, davem, kvalo, LKML, USB list,
      linux-wireless, netdev, syzkaller-bugs

[-- Attachment #1: Type: text/plain, Size: 2802 bytes --]

#syz test: https://github.com/google/kasan.git usb-fuzzer

On Tue, Mar 31, 2020 at 2:21 AM syzbot
<syzbot+d403396d4df67ad0bd5f@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: 0fa84af8 Merge tag 'usb-serial-5.7-rc1' of https://git.ker..
> git tree: https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=159a0583e00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=a782c087b1f425c6
> dashboard link: https://syzkaller.appspot.com/bug?extid=d403396d4df67ad0bd5f
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=177a266de00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1579f947e00000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+d403396d4df67ad0bd5f@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: stack-out-of-bounds in ath9k_hif_usb_rx_stream drivers/net/wireless/ath/ath9k/hif_usb.c:626 [inline]
> BUG: KASAN: stack-out-of-bounds in ath9k_hif_usb_rx_cb+0xdf6/0xf70 drivers/net/wireless/ath/ath9k/hif_usb.c:666
> Write of size 8 at addr ffff8881db309a28 by task swapper/1/0
>
> CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.6.0-rc7-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
>  <IRQ>
>  __dump_stack lib/dump_stack.c:77 [inline]
>  dump_stack+0xef/0x16e lib/dump_stack.c:118
>  print_address_description.constprop.0.cold+0xd3/0x314 mm/kasan/report.c:374
>  __kasan_report.cold+0x37/0x77 mm/kasan/report.c:506
>  kasan_report+0xe/0x20 mm/kasan/common.c:641
>  ath9k_hif_usb_rx_stream drivers/net/wireless/ath/ath9k/hif_usb.c:626 [inline]
>  ath9k_hif_usb_rx_cb+0xdf6/0xf70 drivers/net/wireless/ath/ath9k/hif_usb.c:666
>  __usb_hcd_giveback_urb+0x1f2/0x470 drivers/usb/core/hcd.c:1648
>  usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1713
>  dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
>  call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
>  expire_timers kernel/time/timer.c:1449 [inline]
>  __run_timers kernel/time/timer.c:1773 [inline]
>  __run_timers kernel/time/timer.c:1740 [inline]
>  run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786
>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches

[-- Attachment #2: hif_usb.patch --]
[-- Type: application/octet-stream, Size: 615 bytes --]

diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c index dd0c323..92c94fc 100644 --- a/drivers/net/wireless/ath/ath9k/hif_usb.c +++ b/drivers/net/wireless/ath/ath9k/hif_usb.c @@ -612,6 +612,10 @@ static void ath9k_hif_usb_rx_stream(struct hif_device_usb *hif_dev, hif_dev->remain_skb = nskb; spin_unlock(&hif_dev->rx_lock); } else { + if (pool_index == MAX_PKT_NUM_IN_TRANSFER) { + dev_err("ath9k_htc: over RX MAX_PKT_NUM\n"); + goto err; + } nskb = __dev_alloc_skb(pkt_len + 32, GFP_ATOMIC); if (!nskb) { dev_err(&hif_dev->udev->dev,
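
Review bot: the added dev_err("ath9k_htc: over RX MAX_PKT_NUM\n") in the new pool_index check passes only a format string, but dev_err() takes the struct device pointer as its first argument, as the existing call in the trailing context does (dev_err(&hif_dev->udev->dev, ...). Pass &hif_dev->udev->dev as the first argument. The guard compares pool_index with == MAX_PKT_NUM_IN_TRANSFER; using >= would keep the bound effective if the index is ever advanced by more than one before this point. The commit message should also say what happens at the err label to the skbs already collected for this transfer, since these lines do not show that path.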
* Re: KASAN: stack-out-of-bounds Write in ath9k_hif_usb_rx_cb
  2020-03-31 2:38 ` Qiujun Huang
@ 2020-03-31 2:45 ` syzbot
  2020-03-31 2:54 ` Qiujun Huang
  0 siblings, 1 reply; 7+ messages in thread
From: syzbot @ 2020-03-31 2:45 UTC
  To: andreyknvl, anenbupt, ath9k-devel, davem, kvalo, linux-kernel,
      linux-usb, linux-wireless, netdev, syzkaller-bugs

Hello,

syzbot tried to test the proposed patch but build/boot failed:

Makefile:1683: recipe for target 'drivers' failed
make: *** [drivers] Error 2

Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=12e89493e00000

Tested on:

commit: 0fa84af8 Merge tag 'usb-serial-5.7-rc1' of https://git.ker..
git tree: https://github.com/google/kasan.git usb-fuzzer
dashboard link: https://syzkaller.appspot.com/bug?extid=d403396d4df67ad0bd5f
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=14aafcb7e00000

* Re: KASAN: stack-out-of-bounds Write in ath9k_hif_usb_rx_cb
  2020-03-31 2:45 ` syzbot
@ 2020-03-31 2:54 ` Qiujun Huang
  2020-03-31 3:08 ` syzbot
  0 siblings, 1 reply; 7+ messages in thread
From: Qiujun Huang @ 2020-03-31 2:54 UTC
  To: syzbot
  Cc: Andrey Konovalov, ath9k-devel, davem, kvalo, LKML, USB list,
      linux-wireless, netdev, syzkaller-bugs

[-- Attachment #1: Type: text/plain, Size: 17841 bytes --]

#syz test: https://github.com/google/kasan.git usb-fuzzer

On Tue, Mar 31, 2020 at 10:45 AM syzbot
<syzbot+d403396d4df67ad0bd5f@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot tried to test the proposed patch but build/boot failed:
>
> Makefile:1683: recipe for target 'drivers' failed
> make: *** [drivers] Error 2
>
>
> Error text is too large and was truncated, full error text is at:
> https://syzkaller.appspot.com/x/error.txt?x=12e89493e00000
>
>
> Tested on:
>
> commit: 0fa84af8 Merge tag 'usb-serial-5.7-rc1' of https://git.ker..
> git tree: https://github.com/google/kasan.git usb-fuzzer
> dashboard link: https://syzkaller.appspot.com/bug?extid=d403396d4df67ad0bd5f
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> patch: https://syzkaller.appspot.com/x/patch.diff?x=14aafcb7e00000
>

[-- Attachment #2: hif_usb_1.patch --]
[-- Type: application/octet-stream, Size: 642 bytes --]

diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c index dd0c323..c4a2b72 100644
--- a/drivers/net/wireless/ath/ath9k/hif_usb.c +++ b/drivers/net/wireless/ath/ath9k/hif_usb.c @@ -612,6 +612,11 @@ static void ath9k_hif_usb_rx_stream(struct hif_device_usb *hif_dev, hif_dev->remain_skb = nskb; spin_unlock(&hif_dev->rx_lock); } else { + if (pool_index == MAX_PKT_NUM_IN_TRANSFER) { + dev_err(&hif_dev->udev->dev, + "ath9k_htc: over RX MAX_PKT_NUM\n"); + goto err; + } nskb = __dev_alloc_skb(pkt_len + 32, GFP_ATOMIC); if (!nskb) { dev_err(&hif_dev->udev->dev, ^ permalink raw reply related [flat|nested] 7+ messages in thread
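Review bot: The new guard at the top of the else branch tests `pool_index == MAX_PKT_NUM_IN_TRANSFER`; `>=` costs nothing and still holds if some other path ever advances pool_index past the limit. The `dev_err()` just before `goto err` is reached from the URB completion path once per oversized transfer, and the number of packets in a transfer is decided by the device, so a rate-limited print such as `dev_err_ratelimited()` keeps a misbehaving device from flooding the log. The message "over RX MAX_PKT_NUM" would also read better as a full sentence that names the limit.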
* Re: KASAN: stack-out-of-bounds Write in ath9k_hif_usb_rx_cb
  2020-03-31 2:54 ` Qiujun Huang
@ 2020-03-31 3:08 ` syzbot
  0 siblings, 0 replies; 7+ messages in thread
From: syzbot @ 2020-03-31 3:08 UTC
To: andreyknvl, anenbupt, ath9k-devel, davem, kvalo, linux-kernel, linux-usb, linux-wireless, netdev, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer still triggered crash:
KASAN: use-after-free Read in htc_connect_service

usb 4-1: Service connection timeout for: 256
==================================================================
BUG: KASAN: use-after-free in atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
BUG: KASAN: use-after-free in refcount_read include/linux/refcount.h:134 [inline]
BUG: KASAN: use-after-free in skb_unref include/linux/skbuff.h:1042 [inline]
BUG: KASAN: use-after-free in kfree_skb+0x32/0x3d0 net/core/skbuff.c:692
Read of size 4 at addr ffff8881c7ec2d54 by task kworker/0:5/3237

CPU: 0 PID: 3237 Comm: kworker/0:5 Not tainted 5.6.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events request_firmware_work_func
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xef/0x16e lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xd3/0x314 mm/kasan/report.c:374
 __kasan_report.cold+0x37/0x77 mm/kasan/report.c:506
 kasan_report+0xe/0x20 mm/kasan/common.c:641
 check_memory_region_inline mm/kasan/generic.c:185 [inline]
 check_memory_region+0x152/0x1c0 mm/kasan/generic.c:192
 atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
 refcount_read include/linux/refcount.h:134 [inline]
 skb_unref include/linux/skbuff.h:1042 [inline]
 kfree_skb+0x32/0x3d0 net/core/skbuff.c:692
 htc_connect_service.cold+0xa9/0x109 drivers/net/wireless/ath/ath9k/htc_hst.c:282
 ath9k_wmi_connect+0xd2/0x1a0 drivers/net/wireless/ath/ath9k/wmi.c:265
 ath9k_init_htc_services.constprop.0+0xb4/0x650 drivers/net/wireless/ath/ath9k/htc_drv_init.c:146
 ath9k_htc_probe_device+0x25a/0x1d80 drivers/net/wireless/ath/ath9k/htc_drv_init.c:959
 ath9k_htc_hw_init+0x31/0x60 drivers/net/wireless/ath/ath9k/htc_hst.c:501
 ath9k_hif_usb_firmware_cb+0x26b/0x500 drivers/net/wireless/ath/ath9k/hif_usb.c:1192
 request_firmware_work_func+0x126/0x242 drivers/base/firmware_loader/main.c:976
 process_one_work+0x94b/0x1620 kernel/workqueue.c:2266
 worker_thread+0x96/0xe20 kernel/workqueue.c:2412
 kthread+0x318/0x420 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 3237:
 save_stack+0x1b/0x80 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 __kasan_kmalloc mm/kasan/common.c:515 [inline]
 __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:488
 slab_post_alloc_hook mm/slab.h:584 [inline]
 slab_alloc_node mm/slub.c:2786 [inline]
 kmem_cache_alloc_node+0xdc/0x330 mm/slub.c:2822
 __alloc_skb+0xba/0x5a0 net/core/skbuff.c:198
 alloc_skb include/linux/skbuff.h:1081 [inline]
 htc_connect_service+0x2cc/0x840 drivers/net/wireless/ath/ath9k/htc_hst.c:257
 ath9k_wmi_connect+0xd2/0x1a0 drivers/net/wireless/ath/ath9k/wmi.c:265
 ath9k_init_htc_services.constprop.0+0xb4/0x650 drivers/net/wireless/ath/ath9k/htc_drv_init.c:146
 ath9k_htc_probe_device+0x25a/0x1d80 drivers/net/wireless/ath/ath9k/htc_drv_init.c:959
 ath9k_htc_hw_init+0x31/0x60 drivers/net/wireless/ath/ath9k/htc_hst.c:501
 ath9k_hif_usb_firmware_cb+0x26b/0x500 drivers/net/wireless/ath/ath9k/hif_usb.c:1192
 request_firmware_work_func+0x126/0x242 drivers/base/firmware_loader/main.c:976
 process_one_work+0x94b/0x1620 kernel/workqueue.c:2266
 worker_thread+0x96/0xe20 kernel/workqueue.c:2412
 kthread+0x318/0x420 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Freed by task 0:
 save_stack+0x1b/0x80 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 kasan_set_free_info mm/kasan/common.c:337 [inline]
 __kasan_slab_free+0x117/0x160 mm/kasan/common.c:476
 slab_free_hook mm/slub.c:1444 [inline]
 slab_free_freelist_hook mm/slub.c:1477 [inline]
 slab_free mm/slub.c:3034 [inline]
 kmem_cache_free+0x9b/0x360 mm/slub.c:3050
 kfree_skbmem net/core/skbuff.c:622 [inline]
 kfree_skbmem+0xef/0x1b0 net/core/skbuff.c:616
 __kfree_skb net/core/skbuff.c:679 [inline]
 kfree_skb net/core/skbuff.c:696 [inline]
 kfree_skb+0x102/0x3d0 net/core/skbuff.c:690
 ath9k_htc_txcompletion_cb+0x1f8/0x2b0 drivers/net/wireless/ath/ath9k/htc_hst.c:356
 hif_usb_regout_cb+0x10b/0x1b0 drivers/net/wireless/ath/ath9k/hif_usb.c:90
 __usb_hcd_giveback_urb+0x1f2/0x470 drivers/usb/core/hcd.c:1648
 usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1713
 dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
 call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
 expire_timers kernel/time/timer.c:1449 [inline]
 __run_timers kernel/time/timer.c:1773 [inline]
 __run_timers kernel/time/timer.c:1740 [inline]
 run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786
 __do_softirq+0x21e/0x950 kernel/softirq.c:292

The buggy address belongs to the object at ffff8881c7ec2c80
 which belongs to the cache skbuff_head_cache of size 224
The buggy address is located 212 bytes inside of
 224-byte region [ffff8881c7ec2c80, ffff8881c7ec2d60)
The buggy address belongs to the page:
page:ffffea00071fb080 refcount:1 mapcount:0 mapping:ffff8881da16b400 index:0x0
flags: 0x200000000000200(slab)
raw: 0200000000000200 dead000000000100 dead000000000122 ffff8881da16b400
raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881c7ec2c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8881c7ec2c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881c7ec2d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
                                                 ^
 ffff8881c7ec2d80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
 ffff8881c7ec2e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Tested on:

commit: 0fa84af8 Merge tag 'usb-serial-5.7-rc1' of https://git.ker..
git tree: https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=17c2dadbe00000
kernel config: https://syzkaller.appspot.com/x/.config?x=a782c087b1f425c6
dashboard link: https://syzkaller.appspot.com/bug?extid=d403396d4df67ad0bd5f
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=14b7b40be00000
* Re: KASAN: stack-out-of-bounds Write in ath9k_hif_usb_rx_cb 2020-03-30 18:21 KASAN: stack-out-of-bounds Write in ath9k_hif_usb_rx_cb syzbot 2020-03-31 2:38 ` Qiujun Huang @ 2020-04-03 20:40 ` Qiujun Huang 2020-04-03 22:45 ` syzbot 1 sibling, 1 reply; 7+ messages in thread From: Qiujun Huang @ 2020-04-03 20:40 UTC (permalink / raw) To: syzbot Cc: Andrey Konovalov, ath9k-devel, davem, kvalo, LKML, USB list, linux-wireless, netdev, syzkaller-bugs [-- Attachment #1: Type: text/plain, Size: 58 bytes --] #syz test: https://github.com/google/kasan.git usb-fuzzer [-- Attachment #2: ath9k_040401.patch --] [-- Type: application/octet-stream, Size: 8780 bytes --] diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c index dd0c32379375..02b2f4ce5e18 100644 --- a/drivers/net/wireless/ath/ath9k/hif_usb.c +++ b/drivers/net/wireless/ath/ath9k/hif_usb.c @@ -612,6 +612,11 @@ static void ath9k_hif_usb_rx_stream(struct hif_device_usb *hif_dev, hif_dev->remain_skb = nskb; spin_unlock(&hif_dev->rx_lock); } else { + if (pool_index == MAX_PKT_NUM_IN_TRANSFER) { + dev_err(&hif_dev->udev->dev, + "ath9k_htc: over RX MAX_PKT_NUM\n"); + goto err; + } nskb = __dev_alloc_skb(pkt_len + 32, GFP_ATOMIC); if (!nskb) { dev_err(&hif_dev->udev->dev, @@ -638,9 +643,9 @@ static void ath9k_hif_usb_rx_stream(struct hif_device_usb *hif_dev, static void ath9k_hif_usb_rx_cb(struct urb *urb) { - struct sk_buff *skb = (struct sk_buff *) urb->context; - struct hif_device_usb *hif_dev = - usb_get_intfdata(usb_ifnum_to_if(urb->dev, 0)); + struct rx_buf *rx_buf = (struct rx_buf*) urb->context; + struct sk_buff *skb = rx_buf->skb; + struct hif_device_usb *hif_dev = rx_buf->hif_dev; int ret; if (!skb) 
@@ -680,14 +685,15 @@ static void ath9k_hif_usb_rx_cb(struct urb *urb) return; free: kfree_skb(skb); + kfree(rx_buf); } static void ath9k_hif_usb_reg_in_cb(struct urb *urb) { - struct sk_buff *skb = (struct sk_buff *) urb->context; + struct rx_buf *rx_buf = (struct rx_buf*) urb->context; + struct hif_device_usb *hif_dev = rx_buf->hif_dev; + struct sk_buff *skb = rx_buf->skb; struct sk_buff *nskb; - struct hif_device_usb *hif_dev = - usb_get_intfdata(usb_ifnum_to_if(urb->dev, 0)); int ret; if (!skb) @@ -745,6 +751,7 @@ static void ath9k_hif_usb_reg_in_cb(struct urb *urb) return; free: kfree_skb(skb); + kfree(rx_buf); urb->context = NULL; } @@ -827,8 +834,9 @@ static void ath9k_hif_usb_dealloc_rx_urbs(struct hif_device_usb *hif_dev) static int ath9k_hif_usb_alloc_rx_urbs(struct hif_device_usb *hif_dev) { - struct urb *urb = NULL; + struct rx_buf *rx_buf = NULL; struct sk_buff *skb = NULL; + struct urb *urb = NULL; int i, ret; init_usb_anchor(&hif_dev->rx_submitted); @@ -836,6 +844,12 @@ static int ath9k_hif_usb_alloc_rx_urbs(struct hif_device_usb *hif_dev) for (i = 0; i < MAX_RX_URB_NUM; i++) { + rx_buf = kzalloc(sizeof(struct rx_buf), GFP_KERNEL); + if (!rx_buf) { + ret = -ENOMEM; + goto err_rxb; + } + /* Allocate URB */ urb = usb_alloc_urb(0, GFP_KERNEL); if (urb == NULL) { @@ -850,11 +864,14 @@ static int ath9k_hif_usb_alloc_rx_urbs(struct hif_device_usb *hif_dev) goto err_skb; } + rx_buf->hif_dev = hif_dev; + rx_buf->skb = skb; + usb_fill_bulk_urb(urb, hif_dev->udev, usb_rcvbulkpipe(hif_dev->udev, USB_WLAN_RX_PIPE), skb->data, MAX_RX_BUF_SIZE, - ath9k_hif_usb_rx_cb, skb); + ath9k_hif_usb_rx_cb, rx_buf); /* Anchor URB */ usb_anchor_urb(urb, &hif_dev->rx_submitted); @@ -880,6 +897,8 @@ static int ath9k_hif_usb_alloc_rx_urbs(struct hif_device_usb *hif_dev) err_skb: usb_free_urb(urb); err_urb: + kfree(rx_buf); +err_rxb: ath9k_hif_usb_dealloc_rx_urbs(hif_dev); return ret; } 
@@ -891,14 +910,21 @@ static void ath9k_hif_usb_dealloc_reg_in_urbs(struct hif_device_usb *hif_dev) static int ath9k_hif_usb_alloc_reg_in_urbs(struct hif_device_usb *hif_dev) { - struct urb *urb = NULL; + struct rx_buf *rx_buf = NULL; struct sk_buff *skb = NULL; + struct urb *urb = NULL; int i, ret; init_usb_anchor(&hif_dev->reg_in_submitted); for (i = 0; i < MAX_REG_IN_URB_NUM; i++) { + rx_buf = kzalloc(sizeof(struct rx_buf), GFP_KERNEL); + if (!rx_buf) { + ret = -ENOMEM; + goto err_rxb; + } + /* Allocate URB */ urb = usb_alloc_urb(0, GFP_KERNEL); if (urb == NULL) { @@ -913,11 +939,14 @@ static int ath9k_hif_usb_alloc_reg_in_urbs(struct hif_device_usb *hif_dev) goto err_skb; } + rx_buf->hif_dev = hif_dev; + rx_buf->skb = skb; + usb_fill_int_urb(urb, hif_dev->udev, usb_rcvintpipe(hif_dev->udev, USB_REG_IN_PIPE), skb->data, MAX_REG_IN_BUF_SIZE, - ath9k_hif_usb_reg_in_cb, skb, 1); + ath9k_hif_usb_reg_in_cb, rx_buf, 1); /* Anchor URB */ usb_anchor_urb(urb, &hif_dev->reg_in_submitted); @@ -943,6 +972,8 @@ static int ath9k_hif_usb_alloc_reg_in_urbs(struct hif_device_usb *hif_dev) err_skb: usb_free_urb(urb); err_urb: + kfree(rx_buf); +err_rxb: ath9k_hif_usb_dealloc_reg_in_urbs(hif_dev); return ret; } @@ -1341,8 +1372,9 @@ static void ath9k_hif_usb_disconnect(struct usb_interface *interface) if (hif_dev->flags & HIF_USB_READY) { ath9k_htc_hw_deinit(hif_dev->htc_handle, unplugged); - ath9k_htc_hw_free(hif_dev->htc_handle); ath9k_hif_usb_dev_deinit(hif_dev); + ath9k_destoy_wmi(hif_dev->htc_handle->drv_priv); + ath9k_htc_hw_free(hif_dev->htc_handle); } usb_set_intfdata(interface, NULL); diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.h b/drivers/net/wireless/ath/ath9k/hif_usb.h index 7846916aa01d..25b8020a8581 100644 --- a/drivers/net/wireless/ath/ath9k/hif_usb.h +++ b/drivers/net/wireless/ath/ath9k/hif_usb.h 
@@ -86,6 +86,11 @@ struct tx_buf { struct list_head list; }; +struct rx_buf { + struct sk_buff *skb; + struct hif_device_usb *hif_dev; +}; + #define HIF_USB_TX_STOP BIT(0) #define HIF_USB_TX_FLUSH BIT(1) diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_init.c b/drivers/net/wireless/ath/ath9k/htc_drv_init.c index d961095ab01f..d1d0ed6e653c 100644 --- a/drivers/net/wireless/ath/ath9k/htc_drv_init.c +++ b/drivers/net/wireless/ath/ath9k/htc_drv_init.c @@ -982,7 +982,7 @@ void ath9k_htc_disconnect_device(struct htc_target *htc_handle, bool hotunplug) htc_handle->drv_priv->ah->ah_flags |= AH_UNPLUGGED; ath9k_deinit_device(htc_handle->drv_priv); - ath9k_deinit_wmi(htc_handle->drv_priv); + ath9k_stop_wmi(htc_handle->drv_priv); ieee80211_free_hw(htc_handle->drv_priv->hw); } } diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c index d091c8ebdcf0..d2e062eaf561 100644 --- a/drivers/net/wireless/ath/ath9k/htc_hst.c +++ b/drivers/net/wireless/ath/ath9k/htc_hst.c @@ -113,6 +113,9 @@ static void htc_process_conn_rsp(struct htc_target *target, if (svc_rspmsg->status == HTC_SERVICE_SUCCESS) { epid = svc_rspmsg->endpoint_id; + if (epid < 0 || epid >= ENDPOINT_MAX) + return; + service_id = be16_to_cpu(svc_rspmsg->service_id); max_msglen = be16_to_cpu(svc_rspmsg->max_msg_len); endpoint = &target->endpoint[epid]; @@ -170,7 +173,6 @@ static int htc_config_pipe_credits(struct htc_target *target) time_left = wait_for_completion_timeout(&target->cmd_wait, HZ); if (!time_left) { dev_err(target->dev, "HTC credit config timeout\n"); - kfree_skb(skb); return -ETIMEDOUT; } @@ -206,7 +208,6 @@ static int htc_setup_complete(struct htc_target *target) time_left = wait_for_completion_timeout(&target->cmd_wait, HZ); if (!time_left) { dev_err(target->dev, "HTC start timeout\n"); - kfree_skb(skb); return -ETIMEDOUT; } 
@@ -279,7 +280,6 @@ int htc_connect_service(struct htc_target *target, if (!time_left) { dev_err(target->dev, "Service connection timeout for: %d\n", service_connreq->service_id); - kfree_skb(skb); return -ETIMEDOUT; } diff --git a/drivers/net/wireless/ath/ath9k/wmi.c b/drivers/net/wireless/ath/ath9k/wmi.c index cdc146091194..9ae631bcc84e 100644 --- a/drivers/net/wireless/ath/ath9k/wmi.c +++ b/drivers/net/wireless/ath/ath9k/wmi.c @@ -123,6 +123,20 @@ void ath9k_deinit_wmi(struct ath9k_htc_priv *priv) kfree(priv->wmi); } +void ath9k_stop_wmi(struct ath9k_htc_priv *priv) +{ + struct wmi *wmi = priv->wmi; + + mutex_lock(&wmi->op_mutex); + wmi->stopped = true; + mutex_unlock(&wmi->op_mutex); +} + +void ath9k_destoy_wmi(struct ath9k_htc_priv *priv) +{ + kfree(priv->wmi); +} + void ath9k_wmi_event_drain(struct ath9k_htc_priv *priv) { unsigned long flags; @@ -336,7 +350,6 @@ int ath9k_wmi_cmd(struct wmi *wmi, enum wmi_cmd_id cmd_id, ath_dbg(common, WMI, "Timeout waiting for WMI command: %s\n", wmi_cmd_to_name(cmd_id)); mutex_unlock(&wmi->op_mutex); - kfree_skb(skb); return -ETIMEDOUT; } diff --git a/drivers/net/wireless/ath/ath9k/wmi.h b/drivers/net/wireless/ath/ath9k/wmi.h index 380175d5ecd7..c3e278377365 100644 --- a/drivers/net/wireless/ath/ath9k/wmi.h +++ b/drivers/net/wireless/ath/ath9k/wmi.h @@ -189,6 +189,8 @@ int ath9k_wmi_cmd(struct wmi *wmi, enum wmi_cmd_id cmd_id, void ath9k_wmi_event_tasklet(unsigned long data); void ath9k_fatal_work(struct work_struct *work); void ath9k_wmi_event_drain(struct ath9k_htc_priv *priv); +void ath9k_stop_wmi(struct ath9k_htc_priv *priv); +void ath9k_destoy_wmi(struct ath9k_htc_priv *priv); #define WMI_CMD(_wmi_cmd) \ do { \ ^ permalink raw reply related [flat|nested] 7+ messages in thread
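Review bot: In the hif_usb.c hunk at @@ -680,14 +685,15 @@, ath9k_hif_usb_reg_in_cb() now loads `rx_buf->hif_dev` and `rx_buf->skb` in its declarations, ahead of the existing `if (!skb)` test, and the @@ -638,9 +643,9 @@ hunk does the same in ath9k_hif_usb_rx_cb(). The @@ -745,6 +751,7 @@ hunk keeps `urb->context = NULL` right after the new `kfree(rx_buf)`, so a completion that arrives with a NULL context becomes a NULL pointer dereference where the old code returned early. Test `rx_buf` first and load its fields afterwards. The `free:` path of ath9k_hif_usb_rx_cb() frees rx_buf without clearing urb->context, which leaves a dangling pointer for any later completion of that URB; clear it there as well. Any other site that re-arms these URBs with a bare skb as context (none is visible in this patch) needs to pass rx_buf too. Style: `(struct rx_buf*)` should be `(struct rx_buf *)`.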
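Review bot: In the hif_usb.c hunk at @@ -880,6 +897,8 @@, the new `kfree(rx_buf)` under `err_urb:` releases only the rx_buf of the failing iteration; as far as this patch shows, the ones allocated in earlier iterations are released only at the `free:` labels of the two callbacks. ath9k_hif_usb_dealloc_rx_urbs() is called on the next line and is not changed here, so please confirm that every URB it tears down reaches a `free:` label, otherwise each killed URB leaks its rx_buf. The same question applies to the reg_in variant at @@ -943,6 +972,8 @@.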
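Review bot: In the hif_usb.c hunk at @@ -1341,8 +1372,9 @@, `ath9k_destoy_wmi(hif_dev->htc_handle->drv_priv)` runs after ath9k_htc_hw_deinit(), and the htc_drv_init.c hunk shows ath9k_htc_disconnect_device() ending with `ieee80211_free_hw(htc_handle->drv_priv->hw)`. If drv_priv lives inside that hw allocation, the new call reads priv->wmi from memory that has already been freed. Either save the wmi pointer before the hw is freed or free wmi on a path that still owns priv. The free also now happens only under `HIF_USB_READY`, so any other caller of ath9k_htc_disconnect_device() should be checked for a leaked wmi now that it calls ath9k_stop_wmi() instead of ath9k_deinit_wmi().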
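Review bot: In the htc_hst.c hunk at @@ -113,6 +113,9 @@, the new range check on `epid` returns from htc_process_conn_rsp() silently, so a device that reports an out-of-range endpoint_id leaves no trace of why the response was dropped. A dev_err() that prints the rejected value before `return;` would make that diagnosable. If `epid` is declared with an unsigned type, the `epid < 0` half is dead code and can be dropped.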
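Review bot: In the htc_hst.c hunk at @@ -279,7 +280,6 @@ (and likewise at @@ -170,7 +173,6 @@, @@ -206,7 +208,6 @@ and wmi.c @@ -336,7 +350,6 @@), dropping `kfree_skb(skb)` on the timeout path removes the second free seen in the earlier syzbot report, where the skb had already been freed from ath9k_htc_txcompletion_cb(), but nothing in the code now says who owns the skb after it has been handed to the send path. Add a short comment at each site stating that the TX completion callback frees it, and check that a send which never completes does not leak the skb.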
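Review bot: In the wmi.c hunk at @@ -123,6 +123,20 @@, `ath9k_destoy_wmi` is misspelled; rename it to `ath9k_destroy_wmi` here, in the wmi.h prototype and at the call in hif_usb.c. ath9k_deinit_wmi(), whose tail is visible in the context lines, still ends with `kfree(priv->wmi)`, so the file now has two functions that free the same pointer and neither clears it. Remove ath9k_deinit_wmi() if it has no remaining callers, or express it as ath9k_stop_wmi() followed by the destroy helper, and set priv->wmi to NULL after the kfree.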
* Re: KASAN: stack-out-of-bounds Write in ath9k_hif_usb_rx_cb
  2020-04-03 20:40 ` Qiujun Huang
@ 2020-04-03 22:45 ` syzbot
  0 siblings, 0 replies; 7+ messages in thread
From: syzbot @ 2020-04-03 22:45 UTC
To: andreyknvl, anenbupt, ath9k-devel, davem, kvalo, linux-kernel, linux-usb, linux-wireless, netdev, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger crash:

Reported-and-tested-by: syzbot+d403396d4df67ad0bd5f@syzkaller.appspotmail.com

Tested on:

commit: 0fa84af8 Merge tag 'usb-serial-5.7-rc1' of https://git.ker..
git tree: https://github.com/google/kasan.git usb-fuzzer
kernel config: https://syzkaller.appspot.com/x/.config?x=a782c087b1f425c6
dashboard link: https://syzkaller.appspot.com/bug?extid=d403396d4df67ad0bd5f
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=15bd0cfbe00000

Note: testing is done by a robot and is best-effort only.