[syzbot] [wireless?] [usb?] UBSAN: array-index-out-of-bounds in htc_issue_send

syzbot
Mar 20, 2024, 10:34:35 AM
to kv...@kernel.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, linux-w...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com, to...@toke.dk
Hello,

syzbot found the following issue on:

HEAD commit: a788e53c05ae usb: usb-acpi: Fix oops due to freeing uninit..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
console output: https://syzkaller.appspot.com/x/log.txt?x=1324bffa180000
kernel config: https://syzkaller.appspot.com/x/.config?x=dd8c589043bc2b49
dashboard link: https://syzkaller.appspot.com/bug?extid=93cbd5fbb85814306ba1
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11c95c6e180000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1734b9f1180000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/070d17d2f510/disk-a788e53c.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/13f35a4bb3f0/vmlinux-a788e53c.xz
kernel image: https://storage.googleapis.com/syzbot-assets/6825f1cdc918/bzImage-a788e53c.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+93cbd5...@syzkaller.appspotmail.com

usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
ath9k_htc 1-1:1.0: ath9k_htc: HTC initialized with 33 credits
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath9k/htc_hst.c:26:51
index 255 is out of range for type 'htc_endpoint [22]'
CPU: 1 PID: 2494 Comm: kworker/1:2 Not tainted 6.8.0-rc6-syzkaller-00190-ga788e53c05ae #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
Workqueue: events request_firmware_work_func
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x125/0x1b0 lib/dump_stack.c:106
ubsan_epilogue lib/ubsan.c:217 [inline]
__ubsan_handle_out_of_bounds+0x111/0x150 lib/ubsan.c:347
htc_issue_send.constprop.0+0x209/0x230 drivers/net/wireless/ath/ath9k/htc_hst.c:26
ath9k_wmi_cmd_issue drivers/net/wireless/ath/ath9k/wmi.c:305 [inline]
ath9k_wmi_cmd+0x424/0x630 drivers/net/wireless/ath/ath9k/wmi.c:342
ath9k_regread+0xdb/0x160 drivers/net/wireless/ath/ath9k/htc_drv_init.c:242
ath9k_hw_read_revisions drivers/net/wireless/ath/ath9k/hw.c:287 [inline]
__ath9k_hw_init drivers/net/wireless/ath/ath9k/hw.c:572 [inline]
ath9k_hw_init+0xf02/0x2b30 drivers/net/wireless/ath/ath9k/hw.c:700
ath9k_init_priv drivers/net/wireless/ath/ath9k/htc_drv_init.c:662 [inline]
ath9k_init_device drivers/net/wireless/ath/ath9k/htc_drv_init.c:839 [inline]
ath9k_htc_probe_device+0xb37/0x25f0 drivers/net/wireless/ath/ath9k/htc_drv_init.c:963
ath9k_htc_hw_init+0x33/0x70 drivers/net/wireless/ath/ath9k/htc_hst.c:529
ath9k_hif_usb_firmware_cb+0x272/0x620 drivers/net/wireless/ath/ath9k/hif_usb.c:1273
request_firmware_work_func+0x13a/0x240 drivers/base/firmware_loader/main.c:1163
process_one_work+0x886/0x15d0 kernel/workqueue.c:2633
process_scheduled_works kernel/workqueue.c:2706 [inline]
worker_thread+0x8b9/0x1290 kernel/workqueue.c:2787
kthread+0x2c6/0x3a0 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:243
</TASK>
---[ end trace ]---


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Edward Adam Davis
Mar 20, 2024, 9:15:33 PM
to syzbot+93cbd5...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
please test oob in htc_issue_send

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

diff --git a/drivers/net/wireless/ath/ath9k/wmi.c b/drivers/net/wireless/ath/ath9k/wmi.c
index 805ad31edba2..5d531aacedbc 100644
--- a/drivers/net/wireless/ath/ath9k/wmi.c
+++ b/drivers/net/wireless/ath/ath9k/wmi.c
@@ -275,6 +275,7 @@ int ath9k_wmi_connect(struct htc_target *htc, struct wmi *wmi,
connect.service_id = WMI_CONTROL_SVC;

ret = htc_connect_service(htc, &connect, &wmi->ctrl_epid);
+ printk("ret: %d, wmi: %p, epid: %d, %s\n", ret, wmi, wmi->ctrl_epid, __func__);
if (ret)
return ret;

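Review bot: the `printk` added after `htc_connect_service()` is debug output with no log level and prints a kernel pointer with `%p`; that is acceptable for a `#syz test` run but should be dropped, or turned into the driver's `ath_dbg()` tracing, before any version of this patch is submitted. It also does nothing to fail the call when `wmi->ctrl_epid` comes back invalid: the bad endpoint id is still stored and is only caught, one call later, by the check in the following hunk.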
@@ -304,6 +305,9 @@ static int ath9k_wmi_cmd_issue(struct wmi *wmi,
wmi->last_seq_id = wmi->tx_seq_id;
spin_unlock_irqrestore(&wmi->wmi_lock, flags);

+ printk("wmi: %p, epid: %d, %s\n", wmi, wmi->ctrl_epid, __func__);
+ if (wmi->ctrl_epid < 0 || wmi->ctrl_epid > ENDPOINT_MAX)
+ return -EINVAL;
return htc_send_epid(wmi->htc, skb, wmi->ctrl_epid);
}

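Review bot: the range check `wmi->ctrl_epid > ENDPOINT_MAX` is off by one. ENDPOINT_MAX is the size of the `endpoint[]` array in `struct htc_target` (the report above shows the type as `htc_endpoint [22]`), so the largest valid index is ENDPOINT_MAX - 1 and the condition should be `wmi->ctrl_epid >= ENDPOINT_MAX`; as written, an id equal to ENDPOINT_MAX still reaches `htc_send_epid()` and indexes past the array. Checking on every command issue also leaves the invalid value sitting in `wmi->ctrl_epid`; rejecting it once, at the point where `htc_connect_service()` returns it, is cheaper and stops the first command from being built at all. The second `printk` has the same missing-log-level problem as the first.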

syzbot
Mar 20, 2024, 9:35:05 PM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

[ 4.734977][ T1] ------------[ cut here ]------------
[ 4.736183][ T1] refcount_t: decrement hit 0; leaking memory.
[ 4.738151][ T1] WARNING: CPU: 0 PID: 1 at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210
[ 4.741044][ T1] Modules linked in:
[ 4.742030][ T1] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.8.0-syzkaller-11767-g23956900041d-dirty #0
[ 4.744715][ T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
[ 4.746880][ T1] RIP: 0010:refcount_warn_saturate+0x1ed/0x210
[ 4.748509][ T1] Code: 86 e8 07 31 ca fe 90 0f 0b 90 90 e9 c3 fe ff ff e8 c8 05 04 ff c6 05 de 77 3d 07 01 90 48 c7 c7 80 27 e7 86 e8 e4 30 ca fe 90 <0f> 0b 90 90 e9 a0 fe ff ff 48 89 ef e8 f2 dd 55 ff e9 44 fe ff ff
[ 4.753988][ T1] RSP: 0000:ffffc9000001fba0 EFLAGS: 00010282
[ 4.755467][ T1] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8118b199
[ 4.756870][ T1] RDX: ffff8881012b0000 RSI: ffffffff8118b1a6 RDI: 0000000000000001
[ 4.759096][ T1] RBP: ffff8881076c8aac R08: 0000000000000001 R09: 0000000000000000
[ 4.761254][ T1] R10: 0000000000000000 R11: 0000000000000001 R12: ffff8881076c8aac
[ 4.762823][ T1] R13: 0000000000000000 R14: 000000000152005a R15: ffff888106899f28
[ 4.764957][ T1] FS: 0000000000000000(0000) GS:ffff8881f6400000(0000) knlGS:0000000000000000
[ 4.768035][ T1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 4.769740][ T1] CR2: ffff88823ffff000 CR3: 000000000829e000 CR4: 00000000003506f0
[ 4.771844][ T1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 4.774449][ T1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 4.776329][ T1] Call Trace:
[ 4.777314][ T1] <TASK>
[ 4.778263][ T1] ? show_regs+0x8c/0xa0
[ 4.779980][ T1] ? __warn+0xe5/0x3c0
[ 4.781778][ T1] ? __wake_up_klogd.part.0+0x99/0xf0
[ 4.783348][ T1] ? refcount_warn_saturate+0x1ed/0x210
[ 4.784682][ T1] ? report_bug+0x3c0/0x580
[ 4.786057][ T1] ? handle_bug+0x3d/0x70
[ 4.786960][ T1] ? exc_invalid_op+0x17/0x50
[ 4.788001][ T1] ? asm_exc_invalid_op+0x1a/0x20
[ 4.789478][ T1] ? __warn_printk+0x199/0x350
[ 4.790751][ T1] ? __warn_printk+0x1a6/0x350
[ 4.792085][ T1] ? refcount_warn_saturate+0x1ed/0x210
[ 4.793191][ T1] __reset_page_owner+0x2ea/0x370
[ 4.794640][ T1] __free_pages_ok+0x5d0/0xbd0
[ 4.795484][ T1] ? __split_page_owner+0xdd/0x120
[ 4.796259][ T1] make_alloc_exact+0x165/0x260
[ 4.797178][ T1] alloc_large_system_hash+0x4e0/0x640
[ 4.798659][ T1] inet_hashinfo2_init+0x4b/0xd0
[ 4.799662][ T1] tcp_init+0xba/0x9f0
[ 4.800581][ T1] inet_init+0x419/0x6f0
[ 4.801638][ T1] ? __pfx_inet_init+0x10/0x10
[ 4.802833][ T1] do_one_initcall+0x128/0x700
[ 4.803971][ T1] ? __pfx_do_one_initcall+0x10/0x10
[ 4.806124][ T1] ? trace_kmalloc+0x2d/0xe0
[ 4.807395][ T1] ? __kmalloc+0x213/0x400
[ 4.808797][ T1] kernel_init_freeable+0x69d/0xca0
[ 4.810003][ T1] ? __pfx_kernel_init+0x10/0x10
[ 4.810805][ T1] kernel_init+0x1c/0x2b0
[ 4.811720][ T1] ? __pfx_kernel_init+0x10/0x10
[ 4.812936][ T1] ret_from_fork+0x45/0x80
[ 4.813638][ T1] ? __pfx_kernel_init+0x10/0x10
[ 4.814804][ T1] ret_from_fork_asm+0x1a/0x30
[ 4.816207][ T1] </TASK>
[ 4.816802][ T1] Kernel panic - not syncing: kernel: panic_on_warn set ...
[ 4.817978][ T1] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.8.0-syzkaller-11767-g23956900041d-dirty #0
[ 4.819974][ T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
[ 4.819974][ T1] Call Trace:
[ 4.819974][ T1] <TASK>
[ 4.819974][ T1] dump_stack_lvl+0x3d/0x1f0
[ 4.819974][ T1] panic+0x6f5/0x7a0
[ 4.819974][ T1] ? __pfx_panic+0x10/0x10
[ 4.819974][ T1] ? show_trace_log_lvl+0x363/0x500
[ 4.819974][ T1] ? check_panic_on_warn+0x1f/0xb0
[ 4.819974][ T1] ? refcount_warn_saturate+0x1ed/0x210
[ 4.819974][ T1] check_panic_on_warn+0xab/0xb0
[ 4.819974][ T1] __warn+0xf1/0x3c0
[ 4.819974][ T1] ? __wake_up_klogd.part.0+0x99/0xf0
[ 4.819974][ T1] ? refcount_warn_saturate+0x1ed/0x210
[ 4.819974][ T1] report_bug+0x3c0/0x580
[ 4.819974][ T1] handle_bug+0x3d/0x70
[ 4.819974][ T1] exc_invalid_op+0x17/0x50
[ 4.819974][ T1] asm_exc_invalid_op+0x1a/0x20
[ 4.819974][ T1] RIP: 0010:refcount_warn_saturate+0x1ed/0x210
[ 4.819974][ T1] Code: 86 e8 07 31 ca fe 90 0f 0b 90 90 e9 c3 fe ff ff e8 c8 05 04 ff c6 05 de 77 3d 07 01 90 48 c7 c7 80 27 e7 86 e8 e4 30 ca fe 90 <0f> 0b 90 90 e9 a0 fe ff ff 48 89 ef e8 f2 dd 55 ff e9 44 fe ff ff
[ 4.819974][ T1] RSP: 0000:ffffc9000001fba0 EFLAGS: 00010282
[ 4.819974][ T1] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8118b199
[ 4.819974][ T1] RDX: ffff8881012b0000 RSI: ffffffff8118b1a6 RDI: 0000000000000001
[ 4.819974][ T1] RBP: ffff8881076c8aac R08: 0000000000000001 R09: 0000000000000000
[ 4.819974][ T1] R10: 0000000000000000 R11: 0000000000000001 R12: ffff8881076c8aac
[ 4.819974][ T1] R13: 0000000000000000 R14: 000000000152005a R15: ffff888106899f28
[ 4.819974][ T1] ? __warn_printk+0x199/0x350
[ 4.819974][ T1] ? __warn_printk+0x1a6/0x350
[ 4.819974][ T1] __reset_page_owner+0x2ea/0x370
[ 4.819974][ T1] __free_pages_ok+0x5d0/0xbd0
[ 4.819974][ T1] ? __split_page_owner+0xdd/0x120
[ 4.819974][ T1] make_alloc_exact+0x165/0x260
[ 4.819974][ T1] alloc_large_system_hash+0x4e0/0x640
[ 4.819974][ T1] inet_hashinfo2_init+0x4b/0xd0
[ 4.819974][ T1] tcp_init+0xba/0x9f0
[ 4.819974][ T1] inet_init+0x419/0x6f0
[ 4.819974][ T1] ? __pfx_inet_init+0x10/0x10
[ 4.819974][ T1] do_one_initcall+0x128/0x700
[ 4.819974][ T1] ? __pfx_do_one_initcall+0x10/0x10
[ 4.819974][ T1] ? trace_kmalloc+0x2d/0xe0
[ 4.819974][ T1] ? __kmalloc+0x213/0x400
[ 4.819974][ T1] kernel_init_freeable+0x69d/0xca0
[ 4.819974][ T1] ? __pfx_kernel_init+0x10/0x10
[ 4.819974][ T1] kernel_init+0x1c/0x2b0
[ 4.869878][ T1] ? __pfx_kernel_init+0x10/0x10
[ 4.869878][ T1] ret_from_fork+0x45/0x80
[ 4.869878][ T1] ? __pfx_kernel_init+0x10/0x10
[ 4.869878][ T1] ret_from_fork_asm+0x1a/0x30
[ 4.869878][ T1] </TASK>
[ 4.869878][ T1] Rebooting in 86400 seconds..


syzkaller build log:

git status (err=<nil>)
HEAD detached at a485f2390
nothing to commit, working tree clean

Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=10e977be180000


Tested on:

commit: 23956900 Merge tag 'v6.9-rc-smb3-server-fixes' of git:..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
kernel config: https://syzkaller.appspot.com/x/.config?x=7168075f97c12252
dashboard link: https://syzkaller.appspot.com/bug?extid=93cbd5fbb85814306ba1
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=15a8783a180000

Edward Adam Davis
Mar 20, 2024, 9:39:51 PM
to syzbot+93cbd5...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
please test oob in htc_issue_send

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing

syzbot
Mar 20, 2024, 10:09:05 PM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+93cbd5...@syzkaller.appspotmail.com

Tested on:

commit: a788e53c usb: usb-acpi: Fix oops due to freeing uninit..
console output: https://syzkaller.appspot.com/x/log.txt?x=1714bbb9180000
kernel config: https://syzkaller.appspot.com/x/.config?x=dd8c589043bc2b49
dashboard link: https://syzkaller.appspot.com/bug?extid=93cbd5fbb85814306ba1
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=16944006180000

Note: testing is done by a robot and is best-effort only.

Edward Adam Davis
Mar 20, 2024, 10:39:26 PM
to syzbot+93cbd5...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
please test oob in htc_issue_send

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing

diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c
index eb631fd3336d..9edc72601bf2 100644
--- a/drivers/net/wireless/ath/ath9k/htc_hst.c
+++ b/drivers/net/wireless/ath/ath9k/htc_hst.c
@@ -295,6 +295,10 @@ int htc_connect_service(struct htc_target *target,
}

*conn_rsp_epid = target->conn_rsp_epid;
+ if (*conn_rsp_epid < 0 || *conn_rsp_epid > ENDPOINT_MAX) {
+ ret = -EINVAL;
+ goto err;
+ }
return 0;
err:
kfree_skb(skb);
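Review bot: jumping to `err:` from this point double-frees the skb. By the time `*conn_rsp_epid` is assigned, the connect message has already been handed to the transport by `htc_issue_send()` and the transport's completion callback frees it; the syzbot result that follows shows exactly that, with `hif_usb_regout_cb()` calling `kfree_skb()` on an skb that `htc_connect_service()` at htc_hst.c:304 (the `kfree_skb(skb)` under `err:`) had already freed. The `err:` path is only correct for failures before the send, so return `-EINVAL` here without the `goto`, and preferably validate the endpoint id from the firmware's connect response where it is copied into `target->conn_rsp_epid`, so the invalid value is never stored or written to the caller in the first place. The comparison also needs `>= ENDPOINT_MAX` rather than `> ENDPOINT_MAX`: ENDPOINT_MAX is the size of the endpoint array, so index 22 is still out of bounds for the `htc_endpoint [22]` type named in the original report.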

syzbot
Mar 20, 2024, 11:10:06 PM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in hif_usb_regout_cb

==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read include/linux/instrumented.h:68 [inline]
BUG: KASAN: slab-use-after-free in atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
BUG: KASAN: slab-use-after-free in refcount_read include/linux/refcount.h:136 [inline]
BUG: KASAN: slab-use-after-free in skb_unref include/linux/skbuff.h:1227 [inline]
BUG: KASAN: slab-use-after-free in __kfree_skb_reason net/core/skbuff.c:1116 [inline]
BUG: KASAN: slab-use-after-free in kfree_skb_reason+0x36/0x210 net/core/skbuff.c:1143
Read of size 4 at addr ffff888121db8c1c by task swapper/0/0

CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.8.0-rc6-syzkaller-00190-ga788e53c05ae-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc4/0x620 mm/kasan/report.c:488
kasan_report+0xda/0x110 mm/kasan/report.c:601
check_region_inline mm/kasan/generic.c:183 [inline]
kasan_check_range+0xef/0x190 mm/kasan/generic.c:189
instrument_atomic_read include/linux/instrumented.h:68 [inline]
atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
refcount_read include/linux/refcount.h:136 [inline]
skb_unref include/linux/skbuff.h:1227 [inline]
__kfree_skb_reason net/core/skbuff.c:1116 [inline]
kfree_skb_reason+0x36/0x210 net/core/skbuff.c:1143
kfree_skb include/linux/skbuff.h:1244 [inline]
hif_usb_regout_cb+0x15f/0x1d0 drivers/net/wireless/ath/ath9k/hif_usb.c:95
__usb_hcd_giveback_urb+0x359/0x5c0 drivers/usb/core/hcd.c:1648
usb_hcd_giveback_urb+0x389/0x430 drivers/usb/core/hcd.c:1731
dummy_timer+0x1415/0x3600 drivers/usb/gadget/udc/dummy_hcd.c:1987
call_timer_fn+0x193/0x590 kernel/time/timer.c:1700
expire_timers kernel/time/timer.c:1751 [inline]
__run_timers+0x759/0xaa0 kernel/time/timer.c:2038
run_timer_softirq+0x58/0xd0 kernel/time/timer.c:2051
__do_softirq+0x20a/0x8c1 kernel/softirq.c:553
invoke_softirq kernel/softirq.c:427 [inline]
__irq_exit_rcu kernel/softirq.c:632 [inline]
irq_exit_rcu+0xa7/0x110 kernel/softirq.c:644
sysvec_apic_timer_interrupt+0x90/0xb0 arch/x86/kernel/apic/apic.c:1076
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:649
RIP: 0010:native_irq_disable arch/x86/include/asm/irqflags.h:37 [inline]
RIP: 0010:arch_local_irq_disable arch/x86/include/asm/irqflags.h:72 [inline]
RIP: 0010:acpi_safe_halt+0x1b/0x20 drivers/acpi/processor_idle.c:113
Code: ed c3 66 66 2e 0f 1f 84 00 00 00 00 00 66 90 65 48 8b 04 25 c0 b0 03 00 48 8b 00 a8 08 75 0c 66 90 0f 00 2d e7 5b 58 00 fb f4 <fa> c3 0f 1f 00 0f b6 47 08 3c 01 74 0b 3c 02 74 05 8b 7f 04 eb 9f
RSP: 0018:ffffffff87c07d68 EFLAGS: 00000246
RAX: 0000000000004000 RBX: 0000000000000001 RCX: ffffffff86574aa7
RDX: 0000000000000001 RSI: ffff88810369d800 RDI: ffff88810369d864
RBP: ffff88810369d864 R08: 0000000000000001 R09: ffffed103ecc6da5
R10: ffff8881f6636d2b R11: 0000000000000000 R12: ffff88810fec8000
R13: ffffffff88308580 R14: 0000000000000000 R15: 0000000000000000
acpi_idle_enter+0xc5/0x160 drivers/acpi/processor_idle.c:707
cpuidle_enter_state+0x83/0x500 drivers/cpuidle/cpuidle.c:267
cpuidle_enter+0x4e/0xa0 drivers/cpuidle/cpuidle.c:388
cpuidle_idle_call kernel/sched/idle.c:215 [inline]
do_idle+0x319/0x400 kernel/sched/idle.c:312
cpu_startup_entry+0x50/0x60 kernel/sched/idle.c:410
rest_init+0x16f/0x2b0 init/main.c:730
arch_call_rest_init+0x13/0x30 init/main.c:827
start_kernel+0x39a/0x480 init/main.c:1072
x86_64_start_reservations+0x18/0x30 arch/x86/kernel/head64.c:555
x86_64_start_kernel+0xb2/0xc0 arch/x86/kernel/head64.c:536
secondary_startup_64_no_verify+0x15e/0x16b
</TASK>

Allocated by task 2166:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
unpoison_slab_object mm/kasan/common.c:314 [inline]
__kasan_slab_alloc+0x66/0x70 mm/kasan/common.c:340
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slub.c:3813 [inline]
slab_alloc_node mm/slub.c:3860 [inline]
kmem_cache_alloc_node+0x156/0x310 mm/slub.c:3903
__alloc_skb+0x287/0x330 net/core/skbuff.c:641
alloc_skb include/linux/skbuff.h:1296 [inline]
htc_connect_service+0x2d7/0x9f0 drivers/net/wireless/ath/ath9k/htc_hst.c:265
ath9k_wmi_connect+0xf1/0x1c0 drivers/net/wireless/ath/ath9k/wmi.c:275
ath9k_init_htc_services.constprop.0+0xb3/0x820 drivers/net/wireless/ath/ath9k/htc_drv_init.c:146
ath9k_htc_probe_device+0x23f/0x25f0 drivers/net/wireless/ath/ath9k/htc_drv_init.c:959
ath9k_htc_hw_init+0x33/0x70 drivers/net/wireless/ath/ath9k/htc_hst.c:533
ath9k_hif_usb_firmware_cb+0x272/0x620 drivers/net/wireless/ath/ath9k/hif_usb.c:1273
request_firmware_work_func+0x13a/0x240 drivers/base/firmware_loader/main.c:1163
process_one_work+0x886/0x15d0 kernel/workqueue.c:2633
process_scheduled_works kernel/workqueue.c:2706 [inline]
worker_thread+0x8b9/0x1290 kernel/workqueue.c:2787
kthread+0x2c6/0x3a0 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:243

Freed by task 2166:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
kasan_save_free_info+0x3f/0x60 mm/kasan/generic.c:643
poison_slab_object mm/kasan/common.c:241 [inline]
__kasan_slab_free+0x106/0x1b0 mm/kasan/common.c:257
kasan_slab_free include/linux/kasan.h:184 [inline]
slab_free_hook mm/slub.c:2121 [inline]
slab_free mm/slub.c:4299 [inline]
kmem_cache_free+0x10a/0x330 mm/slub.c:4363
kfree_skbmem+0xef/0x1b0 net/core/skbuff.c:1051
__kfree_skb net/core/skbuff.c:1109 [inline]
kfree_skb_reason+0x13a/0x210 net/core/skbuff.c:1144
kfree_skb include/linux/skbuff.h:1244 [inline]
htc_connect_service+0x641/0x9f0 drivers/net/wireless/ath/ath9k/htc_hst.c:304
ath9k_wmi_connect+0xf1/0x1c0 drivers/net/wireless/ath/ath9k/wmi.c:275
ath9k_init_htc_services.constprop.0+0xb3/0x820 drivers/net/wireless/ath/ath9k/htc_drv_init.c:146
ath9k_htc_probe_device+0x23f/0x25f0 drivers/net/wireless/ath/ath9k/htc_drv_init.c:959
ath9k_htc_hw_init+0x33/0x70 drivers/net/wireless/ath/ath9k/htc_hst.c:533
ath9k_hif_usb_firmware_cb+0x272/0x620 drivers/net/wireless/ath/ath9k/hif_usb.c:1273
request_firmware_work_func+0x13a/0x240 drivers/base/firmware_loader/main.c:1163
process_one_work+0x886/0x15d0 kernel/workqueue.c:2633
process_scheduled_works kernel/workqueue.c:2706 [inline]
worker_thread+0x8b9/0x1290 kernel/workqueue.c:2787
kthread+0x2c6/0x3a0 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:243

The buggy address belongs to the object at ffff888121db8b40
which belongs to the cache skbuff_head_cache of size 232
The buggy address is located 220 bytes inside of
freed 232-byte region [ffff888121db8b40, ffff888121db8c28)

The buggy address belongs to the physical page:
page:ffffea0004876e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x121db8
anon flags: 0x200000000000800(slab|node=0|zone=2)
page_type: 0xffffffff()
raw: 0200000000000800 ffff8881026d7000 ffffea000440c480 dead000000000005
raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY), pid 2477, tgid 2477 (sshd), ts 29846224506, free_ts 29763017245
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x2d0/0x350 mm/page_alloc.c:1533
prep_new_page mm/page_alloc.c:1540 [inline]
get_page_from_freelist+0x139c/0x3470 mm/page_alloc.c:3311
__alloc_pages+0x228/0x2250 mm/page_alloc.c:4567
__alloc_pages_node include/linux/gfp.h:238 [inline]
alloc_pages_node include/linux/gfp.h:261 [inline]
alloc_slab_page mm/slub.c:2190 [inline]
allocate_slab mm/slub.c:2354 [inline]
new_slab+0xcc/0x3a0 mm/slub.c:2407
___slab_alloc+0x4b0/0x1860 mm/slub.c:3540
__slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3625
__slab_alloc_node mm/slub.c:3678 [inline]
slab_alloc_node mm/slub.c:3850 [inline]
kmem_cache_alloc_node+0x286/0x310 mm/slub.c:3903
__alloc_skb+0x287/0x330 net/core/skbuff.c:641
alloc_skb include/linux/skbuff.h:1296 [inline]
__tcp_send_ack.part.0+0x64/0x720 net/ipv4/tcp_output.c:4206
__tcp_send_ack net/ipv4/tcp_output.c:4238 [inline]
tcp_send_ack+0x82/0xa0 net/ipv4/tcp_output.c:4238
__tcp_cleanup_rbuf+0x278/0x4b0 net/ipv4/tcp.c:1491
tcp_recvmsg_locked+0x113a/0x2450 net/ipv4/tcp.c:2547
tcp_recvmsg+0x12e/0x670 net/ipv4/tcp.c:2577
inet_recvmsg+0x114/0x630 net/ipv4/af_inet.c:882
sock_recvmsg_nosec net/socket.c:1046 [inline]
sock_recvmsg+0xe2/0x170 net/socket.c:1068
sock_read_iter+0x2c3/0x3c0 net/socket.c:1138
page last free pid 2479 tgid 2479 stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1140 [inline]
free_unref_page_prepare+0x504/0xae0 mm/page_alloc.c:2346
free_unref_page+0x33/0x2d0 mm/page_alloc.c:2486
__folio_put_small mm/swap.c:106 [inline]
__folio_put+0x83/0xb0 mm/swap.c:129
folio_put include/linux/mm.h:1494 [inline]
put_page include/linux/mm.h:1563 [inline]
anon_pipe_buf_release+0x36c/0x430 fs/pipe.c:138
pipe_buf_release include/linux/pipe_fs_i.h:219 [inline]
pipe_update_tail fs/pipe.c:234 [inline]
pipe_read+0x6fc/0x1020 fs/pipe.c:354
call_read_iter include/linux/fs.h:2081 [inline]
new_sync_read fs/read_write.c:395 [inline]
vfs_read+0x9f3/0xb70 fs/read_write.c:476
ksys_read+0x1f0/0x250 fs/read_write.c:619
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b

Memory state around the buggy address:
ffff888121db8b00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
ffff888121db8b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888121db8c00: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
^
ffff888121db8c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888121db8d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
==================================================================
----------------
Code disassembly (best guess):
0: ed in (%dx),%eax
1: c3 ret
2: 66 66 2e 0f 1f 84 00 data16 cs nopw 0x0(%rax,%rax,1)
9: 00 00 00 00
d: 66 90 xchg %ax,%ax
f: 65 48 8b 04 25 c0 b0 mov %gs:0x3b0c0,%rax
16: 03 00
18: 48 8b 00 mov (%rax),%rax
1b: a8 08 test $0x8,%al
1d: 75 0c jne 0x2b
1f: 66 90 xchg %ax,%ax
21: 0f 00 2d e7 5b 58 00 verw 0x585be7(%rip) # 0x585c0f
28: fb sti
29: f4 hlt
* 2a: fa cli <-- trapping instruction
2b: c3 ret
2c: 0f 1f 00 nopl (%rax)
2f: 0f b6 47 08 movzbl 0x8(%rdi),%eax
33: 3c 01 cmp $0x1,%al
35: 74 0b je 0x42
37: 3c 02 cmp $0x2,%al
39: 74 05 je 0x40
3b: 8b 7f 04 mov 0x4(%rdi),%edi
3e: eb 9f jmp 0xffffffdf


Tested on:

commit: a788e53c usb: usb-acpi: Fix oops due to freeing uninit..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
console output: https://syzkaller.appspot.com/x/log.txt?x=162fafc1180000
kernel config: https://syzkaller.appspot.com/x/.config?x=dd8c589043bc2b49
dashboard link: https://syzkaller.appspot.com/bug?extid=93cbd5fbb85814306ba1
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=120566be180000

Edward Adam Davis

Mar 20, 2024, 11:18:51 PMMar 20
to syzbot+93cbd5...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
please test oob in htc_issue_send

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing

diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c
index eb631fd3336d..0d1115d1cc29 100644
--- a/drivers/net/wireless/ath/ath9k/htc_hst.c
+++ b/drivers/net/wireless/ath/ath9k/htc_hst.c
@@ -295,6 +295,9 @@ int htc_connect_service(struct htc_target *target,
}

*conn_rsp_epid = target->conn_rsp_epid;
+ if (*conn_rsp_epid < 0 || *conn_rsp_epid > ENDPOINT_MAX)
+ return -EINVAL;
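Review bot: the upper bound at `*conn_rsp_epid > ENDPOINT_MAX` is off by one: the endpoint arrays this id indexes are declared with `ENDPOINT_MAX` elements, so `ENDPOINT_MAX` itself is already one past the last valid slot and must be rejected as well; the condition should read `*conn_rsp_epid >= ENDPOINT_MAX`.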

syzbot

Mar 21, 2024, 1:43:05 AMMar 21
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+93cbd5...@syzkaller.appspotmail.com

Tested on:

commit: a788e53c usb: usb-acpi: Fix oops due to freeing uninit..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
console output: https://syzkaller.appspot.com/x/log.txt?x=17b25385180000
kernel config: https://syzkaller.appspot.com/x/.config?x=dd8c589043bc2b49
dashboard link: https://syzkaller.appspot.com/bug?extid=93cbd5fbb85814306ba1
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=103eb1be180000

Edward Adam Davis

Mar 21, 2024, 3:31:50 AMMar 21
to syzbot+93cbd5...@syzkaller.appspotmail.com, kv...@kernel.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, linux-w...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com, to...@toke.dk
[syzbot reported]
[Fix]
If the target does not return a valid endpoint id during the device connection
process, return a failure.

Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
Reported-and-tested-by: syzbot+93cbd5...@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <ead...@qq.com>
---
drivers/net/wireless/ath/ath9k/htc_hst.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c
index eb631fd3336d..0d1115d1cc29 100644
--- a/drivers/net/wireless/ath/ath9k/htc_hst.c
+++ b/drivers/net/wireless/ath/ath9k/htc_hst.c
@@ -295,6 +295,9 @@ int htc_connect_service(struct htc_target *target,
}

*conn_rsp_epid = target->conn_rsp_epid;
+ if (*conn_rsp_epid < 0 || *conn_rsp_epid > ENDPOINT_MAX)
+ return -EINVAL;
+
return 0;
err:
kfree_skb(skb);
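Review bot: validate `target->conn_rsp_epid` before the assignment `*conn_rsp_epid = target->conn_rsp_epid;` rather than after it, so the `-EINVAL` path does not leave the caller's variable holding an out-of-range id; and the bound itself needs to be `>= ENDPOINT_MAX`, since an index equal to `ENDPOINT_MAX` is one past the end of an array of `ENDPOINT_MAX` entries. A direct `return -EINVAL;` rather than `goto err` is also worth a comment in the patch description, as the `err:` label below frees the skb and readers will ask why this path does not.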
--
2.43.0

Greg KH

Mar 21, 2024, 3:50:26 AMMar 21
to Edward Adam Davis, syzbot+93cbd5...@syzkaller.appspotmail.com, kv...@kernel.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, linux-w...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com, to...@toke.dk
Hi,

This is the friendly patch-bot of Greg Kroah-Hartman. You have sent him
a patch that has triggered this response. He used to manually respond
to these common problems, but in order to save his sanity (he kept
writing the same thing over and over, yet to different people), I was
created. Hopefully you will not take offence and will fix the problem
in your patch and resubmit it so that it can be accepted into the Linux
kernel tree.

You are receiving this message because of the following common error(s)
as indicated below:

- You have marked a patch with a "Fixes:" tag for a commit that is in an
older released kernel, yet you do not have a cc: stable line in the
signed-off-by area at all, which means that the patch will not be
applied to any older kernel releases. To properly fix this, please
follow the documented rules in the
Documentation/process/stable-kernel-rules.rst file for how to resolve
this.

If you wish to discuss this problem further, or you have questions about
how to resolve this issue, please feel free to respond to this email and
Greg will reply once he has dug out from the pending patches received
from other developers.

thanks,

greg k-h's patch email bot

Kalle Valo

Mar 21, 2024, 4:55:11 AMMar 21
to Edward Adam Davis, syzbot+93cbd5...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, linu...@vger.kernel.org, linux-w...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com, to...@toke.dk

Toke Høiland-Jørgensen

Mar 21, 2024, 5:39:00 PMMar 21
to Edward Adam Davis, syzbot+93cbd5...@syzkaller.appspotmail.com, kv...@kernel.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, linux-w...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com
Edward Adam Davis <ead...@qq.com> writes:

Hmm, there's an off-by-one error here: the arrays in question are
defined as var[ENDPOINT_MAX], so a value of ENDPOINT_MAX is going to
overflow.

IOW, this should be:

+ if (*conn_rsp_epid < 0 || *conn_rsp_epid >= ENDPOINT_MAX)
+ return -EINVAL;
+


-Toke
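The off-by-one Toke describes, as an added stand-alone C example that is not part of this thread or of the ath9k driver: the posted `> ENDPOINT_MAX` check is placed beside the corrected `>= ENDPOINT_MAX` check and both are run over a constructed set of device-reported endpoint ids. The structures, the value 22 for `ENDPOINT_MAX` and the signed `int` id type are assumptions for the example, not taken from the driver headers.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Assumptions for this stand-alone example (not the driver's headers):
 * the endpoint table has ENDPOINT_MAX entries and an endpoint id is a
 * signed int so that a negative "unused" value can be represented.
 * The value 22 is chosen here for illustration.
 */
#define ENDPOINT_MAX 22

struct htc_endpoint {
	int service_id;
};

struct htc_target {
	struct htc_endpoint endpoint[ENDPOINT_MAX];
};

/* The check as posted: rejects negatives and values above ENDPOINT_MAX,
 * but lets ENDPOINT_MAX itself through. */
static bool epid_valid_posted(int epid)
{
	return !(epid < 0 || epid > ENDPOINT_MAX);
}

/* The corrected check: the last valid index is ENDPOINT_MAX - 1. */
static bool epid_valid_fixed(int epid)
{
	return !(epid < 0 || epid >= ENDPOINT_MAX);
}

/* Resolve a device-reported id to its table slot, or NULL when the id
 * would index past the end of target->endpoint. */
static struct htc_endpoint *lookup_endpoint(struct htc_target *target, int epid)
{
	if (!epid_valid_fixed(epid))
		return NULL;
	return &target->endpoint[epid];
}

/* Count how many ids from a list a given validator admits. */
static int count_admitted(bool (*valid)(int), const int *ids, size_t n)
{
	int admitted = 0;

	for (size_t i = 0; i < n; i++)
		if (valid(ids[i]))
			admitted++;
	return admitted;
}

/* Constructed sample of ids as a device might report them: a negative
 * "unused" marker, the first and last valid slots, the off-by-one value
 * ENDPOINT_MAX, and an all-ones byte. */
static const int sample_ids[] = { -1, 0, ENDPOINT_MAX - 1, ENDPOINT_MAX, 255 };
static const size_t sample_count = sizeof(sample_ids) / sizeof(sample_ids[0]);

static struct htc_target sample_target;

int main(void)
{
	for (size_t i = 0; i < sample_count; i++)
		printf("epid %3d: posted check %s, fixed check %s\n",
		       sample_ids[i],
		       epid_valid_posted(sample_ids[i]) ? "admits " : "rejects",
		       epid_valid_fixed(sample_ids[i]) ? "admits " : "rejects");

	printf("posted check admits %d of %zu ids, fixed check admits %d\n",
	       count_admitted(epid_valid_posted, sample_ids, sample_count),
	       sample_count,
	       count_admitted(epid_valid_fixed, sample_ids, sample_count));
	return 0;
}
```

Of the five constructed ids only the posted check admits `ENDPOINT_MAX`, which `lookup_endpoint` would then use to address one slot past the end of `endpoint[]`; the corrected check admits exactly the two in-range ids.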