KASAN: use-after-free Read in ath9k_hif_usb_rx_cb (2) should share the same root cause with "KASAN: slab-out-of-bounds Read in ath9k_hif_usb_rx_cb (2)"

2021-01-13 Thread 慕冬亮
Dear kernel developers,

I found that "KASAN: use-after-free Read in ath9k_hif_usb_rx_cb (2)" and
"KASAN: slab-out-of-bounds Read in ath9k_hif_usb_rx_cb (2)" should
share the same root cause.

The reasons for my above statement are: 1) the stack trace is the same;
2) we observed the two crash behaviors appear alternately when you run
one PoC in its build environment multiple times; 3) their PoCs have
a really high similarity.

If you have any issues with this statement, or if our information is
useful to you, please let us know. Thanks very much.

--
My best regards to you.

 No System Is Safe!
 Dongliang Mu


Re: KASAN: slab-out-of-bounds Read in ath9k_hif_usb_rx_cb (2)

2020-10-27 Thread syzbot
syzbot has found a reproducer for the following issue on:

HEAD commit:    3650b228 Linux 5.10-rc1
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
console output: https://syzkaller.appspot.com/x/log.txt?x=14485e5050
kernel config:  https://syzkaller.appspot.com/x/.config?x=b1c5bd23a80035ea
dashboard link: https://syzkaller.appspot.com/bug?extid=6ecc26112e7241c454ef
compiler:   gcc (GCC) 10.1.0-syz 20200507
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=11d8eff790
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1513039050

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6ecc26112e7241c45...@syzkaller.appspotmail.com

==
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:399 [inline]
BUG: KASAN: slab-out-of-bounds in ath9k_hif_usb_rx_stream drivers/net/wireless/ath/ath9k/hif_usb.c:562 [inline]
BUG: KASAN: slab-out-of-bounds in ath9k_hif_usb_rx_cb+0x3ab/0x1020 drivers/net/wireless/ath/ath9k/hif_usb.c:680
Read of size 41740 at addr 88810bf1 by task swapper/0/0

CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.10.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xae/0x4c8 mm/kasan/report.c:385
 __kasan_report mm/kasan/report.c:545 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:562
 check_memory_region_inline mm/kasan/generic.c:186 [inline]
 check_memory_region+0x13d/0x180 mm/kasan/generic.c:192
 memcpy+0x20/0x60 mm/kasan/common.c:105
 memcpy include/linux/string.h:399 [inline]
 ath9k_hif_usb_rx_stream drivers/net/wireless/ath/ath9k/hif_usb.c:562 [inline]
 ath9k_hif_usb_rx_cb+0x3ab/0x1020 drivers/net/wireless/ath/ath9k/hif_usb.c:680
 __usb_hcd_giveback_urb+0x32d/0x560 drivers/usb/core/hcd.c:1650
 usb_hcd_giveback_urb+0x367/0x410 drivers/usb/core/hcd.c:1716
 dummy_timer+0x11f4/0x3280 drivers/usb/gadget/udc/dummy_hcd.c:1967
 call_timer_fn+0x1a5/0x630 kernel/time/timer.c:1415
 expire_timers kernel/time/timer.c:1460 [inline]
 __run_timers.part.0+0x67c/0xa10 kernel/time/timer.c:1752
 __run_timers kernel/time/timer.c:1733 [inline]
 run_timer_softirq+0x80/0x120 kernel/time/timer.c:1765
 __do_softirq+0x1b2/0x945 kernel/softirq.c:298
 asm_call_irq_on_stack+0xf/0x20
 
 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
 run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
 do_softirq_own_stack+0x80/0xa0 arch/x86/kernel/irq_64.c:77
 invoke_softirq kernel/softirq.c:393 [inline]
 __irq_exit_rcu kernel/softirq.c:423 [inline]
 irq_exit_rcu+0x110/0x1a0 kernel/softirq.c:435
 sysvec_apic_timer_interrupt+0x43/0xa0 arch/x86/kernel/apic/apic.c:1091
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:631
RIP: 0010:native_save_fl arch/x86/include/asm/irqflags.h:29 [inline]
RIP: 0010:arch_local_save_flags arch/x86/include/asm/irqflags.h:79 [inline]
RIP: 0010:arch_irqs_disabled arch/x86/include/asm/irqflags.h:169 [inline]
RIP: 0010:acpi_safe_halt drivers/acpi/processor_idle.c:112 [inline]
RIP: 0010:acpi_idle_do_entry+0x1c9/0x250 drivers/acpi/processor_idle.c:517
Code: bd 13 a1 fb 84 db 75 ac e8 64 1b a1 fb e8 8f c1 a6 fb e9 0c 00 00 00 e8 55 1b a1 fb 0f 00 2d 1e be 69 00 e8 49 1b a1 fb fb f4 <9c> 5b 81 e3 00 02 00 00 fa 31 ff 48 89 de e8 e4 13 a1 fb 48 85 db
RSP: 0018:87007d60 EFLAGS: 0293
RAX:  RBX:  RCX: 11079e01
RDX: 87031000 RSI: 859daf27 RDI: 859daf11
RBP: 888103980864 R08: 0001 R09: 0001
R10:  R11: 0001 R12: 0001
R13: 888103980800 R14: 888103980864 R15: 88810545e804
 acpi_idle_enter+0x355/0x4f0 drivers/acpi/processor_idle.c:648
 cpuidle_enter_state+0x1b1/0xc80 drivers/cpuidle/cpuidle.c:237
 cpuidle_enter+0x4a/0xa0 drivers/cpuidle/cpuidle.c:351
 call_cpuidle kernel/sched/idle.c:132 [inline]
 cpuidle_idle_call kernel/sched/idle.c:213 [inline]
 do_idle+0x3d5/0x580 kernel/sched/idle.c:273
 cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:369
 start_kernel+0x472/0x493 init/main.c:1051
 secondary_startup_64_no_verify+0xa6/0xab

The buggy address belongs to the page:
page:dfda5045 refcount:1 mapcount:0 mapping: index:0x0 pfn:0x10bf10
head:dfda5045 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x201(head)
raw: 0201 dead0100 dead0122 
raw:   0001 
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 88810bf18380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 88810bf18400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 

KASAN: slab-out-of-bounds Read in ath9k_hif_usb_rx_cb (2)

2020-07-30 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:    ab4dc051 usb: mtu3: simplify mtu3_req_complete()
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
console output: https://syzkaller.appspot.com/x/log.txt?x=11c0666c90
kernel config:  https://syzkaller.appspot.com/x/.config?x=fb6677a3d4f11788
dashboard link: https://syzkaller.appspot.com/bug?extid=6ecc26112e7241c454ef
compiler:   gcc (GCC) 10.1.0-syz 20200507
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=171e600490

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6ecc26112e7241c45...@syzkaller.appspotmail.com

==
BUG: KASAN: slab-out-of-bounds in ath9k_hif_usb_rx_stream drivers/net/wireless/ath/ath9k/hif_usb.c:627 [inline]
BUG: KASAN: slab-out-of-bounds in ath9k_hif_usb_rx_cb+0xd7d/0xf80 drivers/net/wireless/ath/ath9k/hif_usb.c:671
Read of size 4 at addr 8881cbf6c090 by task swapper/0/0

CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.8.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xf6/0x16e lib/dump_stack.c:118
 print_address_description.constprop.0+0x1a/0x210 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report.cold+0x37/0x7c mm/kasan/report.c:530
 ath9k_hif_usb_rx_stream drivers/net/wireless/ath/ath9k/hif_usb.c:627 [inline]
 ath9k_hif_usb_rx_cb+0xd7d/0xf80 drivers/net/wireless/ath/ath9k/hif_usb.c:671
 __usb_hcd_giveback_urb+0x32d/0x560 drivers/usb/core/hcd.c:1650
 usb_hcd_giveback_urb+0x367/0x410 drivers/usb/core/hcd.c:1716
 dummy_timer+0x11f2/0x3240 drivers/usb/gadget/udc/dummy_hcd.c:1967
 call_timer_fn+0x1ac/0x6e0 kernel/time/timer.c:1415
 expire_timers kernel/time/timer.c:1460 [inline]
 __run_timers.part.0+0x54c/0x9e0 kernel/time/timer.c:1784
 __run_timers kernel/time/timer.c:1756 [inline]
 run_timer_softirq+0x80/0x120 kernel/time/timer.c:1797
 __do_softirq+0x222/0x95b kernel/softirq.c:292
 asm_call_on_stack+0xf/0x20 arch/x86/entry/entry_64.S:711
 
 __run_on_irqstack arch/x86/include/asm/irq_stack.h:22 [inline]
 run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:48 [inline]
 do_softirq_own_stack+0xed/0x140 arch/x86/kernel/irq_64.c:77
 invoke_softirq kernel/softirq.c:387 [inline]
 __irq_exit_rcu kernel/softirq.c:417 [inline]
 irq_exit_rcu+0x150/0x1f0 kernel/softirq.c:429
 sysvec_apic_timer_interrupt+0x49/0xc0 arch/x86/kernel/apic/apic.c:1091
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:585
RIP: 0010:native_irq_disable arch/x86/include/asm/irqflags.h:49 [inline]
RIP: 0010:arch_local_irq_disable arch/x86/include/asm/irqflags.h:89 [inline]
RIP: 0010:acpi_safe_halt+0x72/0x90 drivers/acpi/processor_idle.c:112
Code: 74 06 5b e9 e0 4c 8f fb e8 db 4c 8f fb e8 26 d8 94 fb e9 0c 00 00 00 e8 cc 4c 8f fb 0f 00 2d 05 63 74 00 e8 c0 4c 8f fb fb f4  e8 18 d2 94 fb 5b e9 b2 4c 8f fb 48 89 df e8 fa fb b8 fb eb ab
RSP: 0018:87207c80 EFLAGS: 0293
RAX:  RBX:  RCX: 
RDX: 8722f840 RSI: 85b05d40 RDI: 85b05d2a
RBP: 8881d8cca864 R08:  R09: 
R10: 0001 R11:  R12: 8881d8cca864
R13: 10e40f99 R14: 8881d8cca865 R15: 0001
 acpi_idle_do_entry+0x15c/0x1b0 drivers/acpi/processor_idle.c:525
 acpi_idle_enter+0x3f0/0xa50 drivers/acpi/processor_idle.c:651
 cpuidle_enter_state+0xff/0x870 drivers/cpuidle/cpuidle.c:235
 cpuidle_enter+0x4a/0xa0 drivers/cpuidle/cpuidle.c:346
 call_cpuidle kernel/sched/idle.c:126 [inline]
 cpuidle_idle_call kernel/sched/idle.c:214 [inline]
 do_idle+0x3d6/0x5a0 kernel/sched/idle.c:276
 cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:372
 start_kernel+0xa1b/0xa56 init/main.c:1043
 secondary_startup_64+0xb6/0xc0 arch/x86/kernel/head_64.S:243

Allocated by task 0:
(stack is not available)

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at 8881cbf6c000
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 144 bytes inside of
 1024-byte region [8881cbf6c000, 8881cbf6c400)
The buggy address belongs to the page:
page:ea00072fda00 refcount:1 mapcount:0 mapping: index:0x0 
head:ea00072fda00 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x2010200(slab|head)
raw: 02010200 dead0100 dead0122 8881da002280
raw:  80100010 0001 
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 8881cbf6bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 8881cbf6c000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>8881cbf6c080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 

Re: KASAN: slab-out-of-bounds Read in ath9k_hif_usb_rx_cb

2020-06-12 Thread Andrey Konovalov
On Sun, May 17, 2020 at 5:32 PM syzbot
 wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:    806d8acc USB: dummy-hcd: use configurable endpoint naming ..
> git tree:       https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=1147bce610
> kernel config:  https://syzkaller.appspot.com/x/.config?x=d800e9bad158025f
> dashboard link: https://syzkaller.appspot.com/bug?extid=c15a0a825788b6ba2bc4
> compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
>
> Unfortunately, I don't have any reproducer for this crash yet.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+c15a0a825788b6ba2...@syzkaller.appspotmail.com
>
> ==
> BUG: KASAN: slab-out-of-bounds in ath9k_hif_usb_rx_stream drivers/net/wireless/ath/ath9k/hif_usb.c:580 [inline]
> BUG: KASAN: slab-out-of-bounds in ath9k_hif_usb_rx_cb+0xad3/0xf90 drivers/net/wireless/ath/ath9k/hif_usb.c:666
> Read of size 4 at addr 8881cca0c0dc by task kworker/1:3/3075
>
> CPU: 1 PID: 3075 Comm: kworker/1:3 Not tainted 5.7.0-rc5-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Workqueue: events request_firmware_work_func
> Call Trace:
>  
>  __dump_stack lib/dump_stack.c:77 [inline]
>  dump_stack+0xef/0x16e lib/dump_stack.c:118
>  print_address_description.constprop.0.cold+0xd3/0x314 mm/kasan/report.c:382
>  __kasan_report.cold+0x37/0x92 mm/kasan/report.c:511
>  kasan_report+0x33/0x50 mm/kasan/common.c:625
>  ath9k_hif_usb_rx_stream drivers/net/wireless/ath/ath9k/hif_usb.c:580 [inline]
>  ath9k_hif_usb_rx_cb+0xad3/0xf90 drivers/net/wireless/ath/ath9k/hif_usb.c:666
>  __usb_hcd_giveback_urb+0x1f2/0x470 drivers/usb/core/hcd.c:1648
>  usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1713
>  dummy_timer+0x125e/0x32b4 drivers/usb/gadget/udc/dummy_hcd.c:1966
>  call_timer_fn+0x1ac/0x700 kernel/time/timer.c:1405
>  expire_timers kernel/time/timer.c:1450 [inline]
>  __run_timers kernel/time/timer.c:1774 [inline]
>  __run_timers kernel/time/timer.c:1741 [inline]
>  run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1787
>  __do_softirq+0x21e/0x9aa kernel/softirq.c:292
>  invoke_softirq kernel/softirq.c:373 [inline]
>  irq_exit+0x178/0x1a0 kernel/softirq.c:413
>  exiting_irq arch/x86/include/asm/apic.h:546 [inline]
>  smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1140
>  apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
>  
> RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:85 [inline]
> RIP: 0010:console_trylock_spinning kernel/printk/printk.c:1779 [inline]
> RIP: 0010:vprintk_emit+0x3d0/0x3e0 kernel/printk/printk.c:2020
> Code: 00 83 fb ff 75 d6 e9 d8 fc ff ff e8 7a 2f 16 00 e8 55 8b 1b 00 41 56 9d e9 aa fd ff ff e8 68 2f 16 00 e8 43 8b 1b 00 41 56 9d  2a ff ff ff 90 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 f5 53 48
> RSP: 0018:8881d5f8fab8 EFLAGS: 0293 ORIG_RAX: ff13
> RAX: 0007 RBX: 0200 RCX: 11270ab2
> RDX:  RSI:  RDI: 8881d5aeeb7c
> RBP: 8881d5f8fb00 R08: 0001 R09: fbfff126c8c8
> R10: 8936463f R11: fbfff126c8c7 R12: 002a
> R13: 8881d5e48000 R14: 0293 R15: 
>  vprintk_func+0x75/0x113 kernel/printk/printk_safe.c:385
>  printk+0xba/0xed kernel/printk/printk.c:2081
>  ath9k_htc_hw_init.cold+0x17/0x2a drivers/net/wireless/ath/ath9k/htc_hst.c:502
>  ath9k_hif_usb_firmware_cb+0x274/0x510 drivers/net/wireless/ath/ath9k/hif_usb.c:1187
>  request_firmware_work_func+0x126/0x242 drivers/base/firmware_loader/main.c:1005
>  process_one_work+0x965/0x1630 kernel/workqueue.c:2268
>  worker_thread+0x96/0xe20 kernel/workqueue.c:2414
>  kthread+0x326/0x430 kernel/kthread.c:268
>  ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:351
>
> Allocated by task 147:
>  save_stack+0x1b/0x40 mm/kasan/common.c:49
>  set_track mm/kasan/common.c:57 [inline]
>  __kasan_kmalloc mm/kasan/common.c:495 [inline]
>  __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:468
>  slab_post_alloc_hook mm/slab.h:586 [inline]
>  slab_alloc_node mm/slub.c:2797 [inline]
>  slab_alloc mm/slub.c:2805 [inline]
>  kmem_cache_alloc+0xd8/0x300 mm/slub.c:2810
>  getname_flags fs/namei.c:138 [inline]
>  getname_flags+0xd2/0x5b0 fs/namei.c:128
>  user_path_at_empty+0x2a/0x50 fs/namei.c:2632
>  user_path_at include/linux/namei.h:59 [inline]
>  vfs_statx+0x119/0x1e0 fs/stat.c:197
>  vfs_lstat include/linux/fs.h:3284 [inline]
>  __do_sys_newlstat+0x96/0x120 fs/stat.c:364
>  do_syscall_64+0xb6/0x5a0 arch/x86/entry/common.c:295
>  entry_SYSCALL_64_after_hwframe+0x49/0xb3
>
> Freed by task 147:
>  save_stack+0x1b/0x40 mm/kasan/common.c:49
>  set_track mm/kasan/common.c:57 [inline]
>  kasan_set_free_info mm/kasan/common.c:317 [inline]
>  

Re: KASAN: slab-out-of-bounds Read in ath9k_hif_usb_rx_cb

2020-05-22 Thread syzbot
syzbot has found a reproducer for the following crash on:

HEAD commit:    806d8acc USB: dummy-hcd: use configurable endpoint naming ..
git tree:       https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=113b269a10
kernel config:  https://syzkaller.appspot.com/x/.config?x=d800e9bad158025f
dashboard link: https://syzkaller.appspot.com/bug?extid=c15a0a825788b6ba2bc4
compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=1060eee210
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1022b6e210

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+c15a0a825788b6ba2...@syzkaller.appspotmail.com

==
BUG: KASAN: slab-out-of-bounds in ath9k_hif_usb_rx_stream drivers/net/wireless/ath/ath9k/hif_usb.c:580 [inline]
BUG: KASAN: slab-out-of-bounds in ath9k_hif_usb_rx_cb+0xad3/0xf90 drivers/net/wireless/ath/ath9k/hif_usb.c:666
Read of size 4 at addr 8881c2f5c0dc by task kworker/0:8/398

CPU: 0 PID: 398 Comm: kworker/0:8 Not tainted 5.7.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events request_firmware_work_func
Call Trace:
 
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xef/0x16e lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xd3/0x314 mm/kasan/report.c:382
 __kasan_report.cold+0x37/0x92 mm/kasan/report.c:511
 kasan_report+0x33/0x50 mm/kasan/common.c:625
 ath9k_hif_usb_rx_stream drivers/net/wireless/ath/ath9k/hif_usb.c:580 [inline]
 ath9k_hif_usb_rx_cb+0xad3/0xf90 drivers/net/wireless/ath/ath9k/hif_usb.c:666
 __usb_hcd_giveback_urb+0x1f2/0x470 drivers/usb/core/hcd.c:1648
 usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1713
 dummy_timer+0x125e/0x32b4 drivers/usb/gadget/udc/dummy_hcd.c:1966
 call_timer_fn+0x1ac/0x700 kernel/time/timer.c:1405
 expire_timers kernel/time/timer.c:1450 [inline]
 __run_timers kernel/time/timer.c:1774 [inline]
 __run_timers kernel/time/timer.c:1741 [inline]
 run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1787
 __do_softirq+0x21e/0x9aa kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:373 [inline]
 irq_exit+0x178/0x1a0 kernel/softirq.c:413
 exiting_irq arch/x86/include/asm/apic.h:546 [inline]
 smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1140
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
 
RIP: 0010:_raw_spin_unlock_irq+0x27/0x30 kernel/locking/spinlock.c:200
Code: 44 00 00 55 48 8b 74 24 08 48 89 fd 48 8d 7f 18 e8 1e b4 90 fb 48 89 ef e8 b6 b0 91 fb e8 a1 54 af fb fb 65 ff 0d 51 ca 6b 7a <5d> c3 0f 1f 80 00 00 00 00 55 48 89 fd 48 83 c7 18 53 48 89 f3 48
RSP: 0018:8881cd6175e8 EFLAGS: 0282 ORIG_RAX: ff13
RAX: 0007 RBX: 8881c1d04a40 RCX: 11270ab2
RDX:  RSI:  RDI: 8881c1d052bc
RBP: 8881db234900 R08: 0001 R09: fbfff126c8c8
R10: 8936463f R11: fbfff126c8c7 R12: 8881db234900
R13: 8881ce3ee300 R14:  R15: 0001
 finish_lock_switch kernel/sched/core.c:3106 [inline]
 finish_task_switch+0x11d/0x5d0 kernel/sched/core.c:3206
 context_switch kernel/sched/core.c:3370 [inline]
 __schedule+0x89a/0x1d80 kernel/sched/core.c:4083
 preempt_schedule_common+0x30/0x60 kernel/sched/core.c:4239
 _cond_resched+0x18/0x20 kernel/sched/core.c:5624
 start_flush_work kernel/workqueue.c:2980 [inline]
 __flush_work+0x117/0xa90 kernel/workqueue.c:3044
 __cancel_work_timer+0x32c/0x460 kernel/workqueue.c:3132
 rhashtable_free_and_destroy+0x29/0x8b0 lib/rhashtable.c:1130
 ieee80211_free_hw+0xab/0x270 net/mac80211/main.c:1407
 ath9k_htc_probe_device+0x1c2/0x1da0 drivers/net/wireless/ath/ath9k/htc_drv_init.c:972
 ath9k_htc_hw_init+0x31/0x60 drivers/net/wireless/ath/ath9k/htc_hst.c:501
 ath9k_hif_usb_firmware_cb+0x274/0x510 drivers/net/wireless/ath/ath9k/hif_usb.c:1187
 request_firmware_work_func+0x126/0x242 drivers/base/firmware_loader/main.c:1005
 process_one_work+0x965/0x1630 kernel/workqueue.c:2268
 worker_thread+0x96/0xe20 kernel/workqueue.c:2414
 kthread+0x326/0x430 kernel/kthread.c:268
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:351

Allocated by task 150:
 save_stack+0x1b/0x40 mm/kasan/common.c:49
 set_track mm/kasan/common.c:57 [inline]
 __kasan_kmalloc mm/kasan/common.c:495 [inline]
 __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:468
 slab_post_alloc_hook mm/slab.h:586 [inline]
 slab_alloc_node mm/slub.c:2797 [inline]
 slab_alloc mm/slub.c:2805 [inline]
 kmem_cache_alloc+0xd8/0x300 mm/slub.c:2810
 getname_flags fs/namei.c:138 [inline]
 getname_flags+0xd2/0x5b0 fs/namei.c:128
 do_sys_openat2+0x3fc/0x7d0 fs/open.c:1142
 do_sys_open+0xc3/0x140 fs/open.c:1164
 do_syscall_64+0xb6/0x5a0 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x49/0xb3

Freed by task 

KASAN: slab-out-of-bounds Read in ath9k_hif_usb_rx_cb

2020-05-17 Thread syzbot
Hello,

syzbot found the following crash on:

HEAD commit:    806d8acc USB: dummy-hcd: use configurable endpoint naming ..
git tree:       https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=1147bce610
kernel config:  https://syzkaller.appspot.com/x/.config?x=d800e9bad158025f
dashboard link: https://syzkaller.appspot.com/bug?extid=c15a0a825788b6ba2bc4
compiler:   gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+c15a0a825788b6ba2...@syzkaller.appspotmail.com

==
BUG: KASAN: slab-out-of-bounds in ath9k_hif_usb_rx_stream drivers/net/wireless/ath/ath9k/hif_usb.c:580 [inline]
BUG: KASAN: slab-out-of-bounds in ath9k_hif_usb_rx_cb+0xad3/0xf90 drivers/net/wireless/ath/ath9k/hif_usb.c:666
Read of size 4 at addr 8881cca0c0dc by task kworker/1:3/3075

CPU: 1 PID: 3075 Comm: kworker/1:3 Not tainted 5.7.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events request_firmware_work_func
Call Trace:
 
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xef/0x16e lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xd3/0x314 mm/kasan/report.c:382
 __kasan_report.cold+0x37/0x92 mm/kasan/report.c:511
 kasan_report+0x33/0x50 mm/kasan/common.c:625
 ath9k_hif_usb_rx_stream drivers/net/wireless/ath/ath9k/hif_usb.c:580 [inline]
 ath9k_hif_usb_rx_cb+0xad3/0xf90 drivers/net/wireless/ath/ath9k/hif_usb.c:666
 __usb_hcd_giveback_urb+0x1f2/0x470 drivers/usb/core/hcd.c:1648
 usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1713
 dummy_timer+0x125e/0x32b4 drivers/usb/gadget/udc/dummy_hcd.c:1966
 call_timer_fn+0x1ac/0x700 kernel/time/timer.c:1405
 expire_timers kernel/time/timer.c:1450 [inline]
 __run_timers kernel/time/timer.c:1774 [inline]
 __run_timers kernel/time/timer.c:1741 [inline]
 run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1787
 __do_softirq+0x21e/0x9aa kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:373 [inline]
 irq_exit+0x178/0x1a0 kernel/softirq.c:413
 exiting_irq arch/x86/include/asm/apic.h:546 [inline]
 smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1140
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
 
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:85 [inline]
RIP: 0010:console_trylock_spinning kernel/printk/printk.c:1779 [inline]
RIP: 0010:vprintk_emit+0x3d0/0x3e0 kernel/printk/printk.c:2020
Code: 00 83 fb ff 75 d6 e9 d8 fc ff ff e8 7a 2f 16 00 e8 55 8b 1b 00 41 56 9d e9 aa fd ff ff e8 68 2f 16 00 e8 43 8b 1b 00 41 56 9d  2a ff ff ff 90 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 f5 53 48
RSP: 0018:8881d5f8fab8 EFLAGS: 0293 ORIG_RAX: ff13
RAX: 0007 RBX: 0200 RCX: 11270ab2
RDX:  RSI:  RDI: 8881d5aeeb7c
RBP: 8881d5f8fb00 R08: 0001 R09: fbfff126c8c8
R10: 8936463f R11: fbfff126c8c7 R12: 002a
R13: 8881d5e48000 R14: 0293 R15: 
 vprintk_func+0x75/0x113 kernel/printk/printk_safe.c:385
 printk+0xba/0xed kernel/printk/printk.c:2081
 ath9k_htc_hw_init.cold+0x17/0x2a drivers/net/wireless/ath/ath9k/htc_hst.c:502
 ath9k_hif_usb_firmware_cb+0x274/0x510 drivers/net/wireless/ath/ath9k/hif_usb.c:1187
 request_firmware_work_func+0x126/0x242 drivers/base/firmware_loader/main.c:1005
 process_one_work+0x965/0x1630 kernel/workqueue.c:2268
 worker_thread+0x96/0xe20 kernel/workqueue.c:2414
 kthread+0x326/0x430 kernel/kthread.c:268
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:351

Allocated by task 147:
 save_stack+0x1b/0x40 mm/kasan/common.c:49
 set_track mm/kasan/common.c:57 [inline]
 __kasan_kmalloc mm/kasan/common.c:495 [inline]
 __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:468
 slab_post_alloc_hook mm/slab.h:586 [inline]
 slab_alloc_node mm/slub.c:2797 [inline]
 slab_alloc mm/slub.c:2805 [inline]
 kmem_cache_alloc+0xd8/0x300 mm/slub.c:2810
 getname_flags fs/namei.c:138 [inline]
 getname_flags+0xd2/0x5b0 fs/namei.c:128
 user_path_at_empty+0x2a/0x50 fs/namei.c:2632
 user_path_at include/linux/namei.h:59 [inline]
 vfs_statx+0x119/0x1e0 fs/stat.c:197
 vfs_lstat include/linux/fs.h:3284 [inline]
 __do_sys_newlstat+0x96/0x120 fs/stat.c:364
 do_syscall_64+0xb6/0x5a0 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x49/0xb3

Freed by task 147:
 save_stack+0x1b/0x40 mm/kasan/common.c:49
 set_track mm/kasan/common.c:57 [inline]
 kasan_set_free_info mm/kasan/common.c:317 [inline]
 __kasan_slab_free+0x117/0x160 mm/kasan/common.c:456
 slab_free_hook mm/slub.c:1455 [inline]
 slab_free_freelist_hook mm/slub.c:1488 [inline]
 slab_free mm/slub.c:3045 [inline]
 kmem_cache_free+0x9b/0x360 mm/slub.c:3061
 putname+0xe1/0x120 fs/namei.c:259