[PATCH RFC] wifi: rt2x00usb: fix NULL pointer dereference in rt2x00usb_disconnect()
3 views
Skip to first unread message
syzbot
May 16, 2026, 2:22:06 PM (3 days ago) May 16
to syzkaller-upst...@googlegroups.com, syz...@lists.linux.dev
In `rt2x00usb_probe()`, `usb_reset_device()` is called early. If this
reset fails or detects an unexpected device state (which is common with
malicious or rapidly disconnecting simulated USB devices), the USB core
schedules an asynchronous logical disconnect for the device. If the
probe function subsequently fails (e.g., due to hardware allocation or
registration failure), it cleans up by freeing the hardware struct and
setting the interface data to NULL via `usb_set_intfdata(usb_intf,
NULL)`.
Due to a race condition with the asynchronous disconnect scheduled by
the early reset, the `rt2x00usb_disconnect()` callback can be invoked
even after the probe has failed and cleared the interface data. When
`rt2x00usb_disconnect()` is called, it fetches the interface data using
`usb_get_intfdata()` and unconditionally dereferences it to access
`hw->priv`, leading to a kernel panic since `hw` is NULL.
Fix this by adding a NULL check for `hw` at the beginning of
`rt2x00usb_disconnect()`. If `hw` is NULL, it means the probe failed and
the cleanup has already been performed, so the function can safely
return early.
Fixes: bf4c02d5e772903be5bf8952bac730a2956d0619 ("rt2x00: reset usb devices at probe")
Assisted-by: Gemini:gemini-3.1-pro-preview Gemini:gemini-3-flash-preview
Reported-by: syzbot+e84ecc...@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=e84ecca6d1fa09a9b3d9
Link: https://syzkaller.appspot.com/ai_job?id=63946763-bd49-4c8e-b059-d7248e547b72
To: <linux-w...@vger.kernel.org>
To: <stf...@wp.pl>
Cc: <linux-...@vger.kernel.org>
---
diff --git a/drivers/net/wireless/ralink/rt2x00/rt2x00usb.c b/drivers/net/wireless/ralink/rt2x00/rt2x00usb.c
index 174d89b0b..ea6ceb3a1 100644
--- a/drivers/net/wireless/ralink/rt2x00/rt2x00usb.c
+++ b/drivers/net/wireless/ralink/rt2x00/rt2x00usb.c
@@ -858,7 +858,12 @@ EXPORT_SYMBOL_GPL(rt2x00usb_probe);
void rt2x00usb_disconnect(struct usb_interface *usb_intf)
{
struct ieee80211_hw *hw = usb_get_intfdata(usb_intf);
- struct rt2x00_dev *rt2x00dev = hw->priv;
+ struct rt2x00_dev *rt2x00dev;
+
+ if (!hw)
+ return;
+
+ rt2x00dev = hw->priv;
/*
* Free all allocated data.
base-commit: 5d6919055dec134de3c40167a490f33c74c12581
--
This is an AI-generated patch subject to moderation.
Reply with '#syz upstream' to send it to the mailing list.
Reply with '#syz reject' to reject it.
See for more information.
reset fails or detects an unexpected device state (which is common with
malicious or rapidly disconnecting simulated USB devices), the USB core
schedules an asynchronous logical disconnect for the device. If the
probe function subsequently fails (e.g., due to hardware allocation or
registration failure), it cleans up by freeing the hardware struct and
setting the interface data to NULL via `usb_set_intfdata(usb_intf,
NULL)`.
Due to a race condition with the asynchronous disconnect scheduled by
the early reset, the `rt2x00usb_disconnect()` callback can be invoked
even after the probe has failed and cleared the interface data. When
`rt2x00usb_disconnect()` is called, it fetches the interface data using
`usb_get_intfdata()` and unconditionally dereferences it to access
`hw->priv`, leading to a kernel panic since `hw` is NULL.
Fix this by adding a NULL check for `hw` at the beginning of
`rt2x00usb_disconnect()`. If `hw` is NULL, it means the probe failed and
the cleanup has already been performed, so the function can safely
return early.
Fixes: bf4c02d5e772903be5bf8952bac730a2956d0619 ("rt2x00: reset usb devices at probe")
Assisted-by: Gemini:gemini-3.1-pro-preview Gemini:gemini-3-flash-preview
Reported-by: syzbot+e84ecc...@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=e84ecca6d1fa09a9b3d9
Link: https://syzkaller.appspot.com/ai_job?id=63946763-bd49-4c8e-b059-d7248e547b72
To: <linux-w...@vger.kernel.org>
To: <stf...@wp.pl>
Cc: <linux-...@vger.kernel.org>
---
diff --git a/drivers/net/wireless/ralink/rt2x00/rt2x00usb.c b/drivers/net/wireless/ralink/rt2x00/rt2x00usb.c
index 174d89b0b..ea6ceb3a1 100644
--- a/drivers/net/wireless/ralink/rt2x00/rt2x00usb.c
+++ b/drivers/net/wireless/ralink/rt2x00/rt2x00usb.c
@@ -858,7 +858,12 @@ EXPORT_SYMBOL_GPL(rt2x00usb_probe);
void rt2x00usb_disconnect(struct usb_interface *usb_intf)
{
struct ieee80211_hw *hw = usb_get_intfdata(usb_intf);
- struct rt2x00_dev *rt2x00dev = hw->priv;
+ struct rt2x00_dev *rt2x00dev;
+
+ if (!hw)
+ return;
+
+ rt2x00dev = hw->priv;
/*
* Free all allocated data.
base-commit: 5d6919055dec134de3c40167a490f33c74c12581
--
This is an AI-generated patch subject to moderation.
Reply with '#syz upstream' to send it to the mailing list.
Reply with '#syz reject' to reject it.
See for more information.
Aleksandr Nogikh
10:24 AM (8 hours ago) 10:24 AM
to syzbot, syzkaller-upst...@googlegroups.com, syz...@lists.linux.dev
#syz reject
Syzbot apparently got confused by NULLs in the strace output.
On Sat, May 16, 2026 at 8:22 PM 'syzbot' via
syzkaller-upstream-moderation
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-upstream-moderation" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-upstream-m...@googlegroups.com.
> To view this discussion visit https://groups.google.com/d/msgid/syzkaller-upstream-moderation/f98a17ac-9a06-46f2-af52-ba19ff0ead38%40mail.kernel.org.
Syzbot apparently got confused by NULLs in the strace output.
On Sat, May 16, 2026 at 8:22 PM 'syzbot' via
syzkaller-upstream-moderation
> You received this message because you are subscribed to the Google Groups "syzkaller-upstream-moderation" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-upstream-m...@googlegroups.com.
> To view this discussion visit https://groups.google.com/d/msgid/syzkaller-upstream-moderation/f98a17ac-9a06-46f2-af52-ba19ff0ead38%40mail.kernel.org.
Reply all
Reply to author
Forward
0 new messages