Reminder: 11 open syzbot bugs in "net/wireless" subsystem

From: Eric Biggers
Date: Tue Jul 23 2019 - 21:48:05 EST


[This email was generated by a script. Let me know if you have any suggestions
to make it better, or if you want it re-generated with the latest status.]

Of the currently open syzbot reports against the upstream kernel, I've manually
marked 11 of them as possibly being bugs in the "net/wireless" subsystem. I've
listed these reports below, sorted by an algorithm that tries to list first the
reports most likely to be still valid, important, and actionable.

Of these 11 bugs, 9 were seen in mainline in the last week.

If you believe a bug is no longer valid, please close the syzbot report by
sending a '#syz fix', '#syz dup', or '#syz invalid' command in reply to the
original thread, as explained at https://goo.gl/tpsmEJ#status

If you believe I misattributed a bug to the "net/wireless" subsystem, please let
me know, and if possible forward the report to the correct people or mailing
list.

Here are the bugs:

--------------------------------------------------------------------------------
Title: general protection fault in ath6kl_usb_alloc_urb_from_pipe
Last occurred: 0 days ago
Reported: 102 days ago
Branches: Mainline (with usb-fuzzer patches)
Dashboard link: https://syzkaller.appspot.com/bug?id=cd8b9cfe50a0bf36ee19eda2d7e2e06843dfbeaf
Original thread: https://lkml.kernel.org/lkml/0000000000008e825105865615e3@xxxxxxxxxx/T/#u

This bug has a C reproducer.

No one replied to the original thread for this bug.

This looks like a bug in a net/wireless USB driver.

If you fix this bug, please add the following tag to the commit:
Reported-by: syzbot+ead4037ec793e025e66f@xxxxxxxxxxxxxxxxxxxxxxxxx

If you send any email or patch for this bug, please consider replying to the
original thread. For the git send-email command to use, or tips on how to reply
if the thread isn't in your mailbox, see the "Reply instructions" at
https://lkml.kernel.org/r/0000000000008e825105865615e3@xxxxxxxxxx

--------------------------------------------------------------------------------
Title: WARNING: ODEBUG bug in rsi_probe
Last occurred: 0 days ago
Reported: 100 days ago
Branches: Mainline (with usb-fuzzer patches)
Dashboard link: https://syzkaller.appspot.com/bug?id=3b35267abf182bd98ba95c0943bc0f957e021101
Original thread: https://lkml.kernel.org/lkml/00000000000024bbd7058682eda1@xxxxxxxxxx/T/#u

This bug has a C reproducer.

No one replied to the original thread for this bug.

This looks like a bug in a net/wireless USB driver.

If you fix this bug, please add the following tag to the commit:
Reported-by: syzbot+1d1597a5aa3679c65b9f@xxxxxxxxxxxxxxxxxxxxxxxxx

If you send any email or patch for this bug, please consider replying to the
original thread. For the git send-email command to use, or tips on how to reply
if the thread isn't in your mailbox, see the "Reply instructions" at
https://lkml.kernel.org/r/00000000000024bbd7058682eda1@xxxxxxxxxx

--------------------------------------------------------------------------------
Title: INFO: trying to register non-static key in del_timer_sync (2)
Last occurred: 0 days ago
Reported: 102 days ago
Branches: Mainline (with usb-fuzzer patches)
Dashboard link: https://syzkaller.appspot.com/bug?id=26525f643f454dd7be0078423e3cdb0d57744959
Original thread: https://lkml.kernel.org/lkml/000000000000927a7b0586561537@xxxxxxxxxx/T/#u

This bug has a C reproducer.

The original thread for this bug received 5 replies; the last was 41 days ago.

This looks like a bug in a net/wireless USB driver.

If you fix this bug, please add the following tag to the commit:
Reported-by: syzbot+dc4127f950da51639216@xxxxxxxxxxxxxxxxxxxxxxxxx

If you send any email or patch for this bug, please consider replying to the
original thread. For the git send-email command to use, or tips on how to reply
if the thread isn't in your mailbox, see the "Reply instructions" at
https://lkml.kernel.org/r/000000000000927a7b0586561537@xxxxxxxxxx

--------------------------------------------------------------------------------
Title: WARNING in zd_mac_clear
Last occurred: 0 days ago
Reported: 102 days ago
Branches: Mainline (with usb-fuzzer patches)
Dashboard link: https://syzkaller.appspot.com/bug?id=46e5ae5074764b5f0eed428a8c4989d9efbe9146
Original thread: https://lkml.kernel.org/lkml/00000000000075a7a6058653d977@xxxxxxxxxx/T/#u

This bug has a C reproducer.

No one replied to the original thread for this bug.

This looks like a bug in a net/wireless USB driver.

If you fix this bug, please add the following tag to the commit:
Reported-by: syzbot+74c65761783d66a9c97c@xxxxxxxxxxxxxxxxxxxxxxxxx

If you send any email or patch for this bug, please consider replying to the
original thread. For the git send-email command to use, or tips on how to reply
if the thread isn't in your mailbox, see the "Reply instructions" at
https://lkml.kernel.org/r/00000000000075a7a6058653d977@xxxxxxxxxx

--------------------------------------------------------------------------------
Title: KASAN: invalid-free in rsi_91x_deinit
Last occurred: 0 days ago
Reported: 91 days ago
Branches: Mainline (with usb-fuzzer patches)
Dashboard link: https://syzkaller.appspot.com/bug?id=426fbebc1eac728afa08e52b1bcf8171c9413e29
Original thread: https://lkml.kernel.org/lkml/0000000000005ae4cd058731d407@xxxxxxxxxx/T/#u

This bug has a C reproducer.

No one replied to the original thread for this bug.

This looks like a bug in a net/wireless USB driver.

If you fix this bug, please add the following tag to the commit:
Reported-by: syzbot+7c72edfb407b2bd866ce@xxxxxxxxxxxxxxxxxxxxxxxxx

If you send any email or patch for this bug, please consider replying to the
original thread. For the git send-email command to use, or tips on how to reply
if the thread isn't in your mailbox, see the "Reply instructions" at
https://lkml.kernel.org/r/0000000000005ae4cd058731d407@xxxxxxxxxx

--------------------------------------------------------------------------------
Title: KMSAN: uninit-value in rt2500usb_bbp_read
Last occurred: 0 days ago
Reported: 47 days ago
Branches: Mainline (with KMSAN patches)
Dashboard link: https://syzkaller.appspot.com/bug?id=f35d123de7d393019c1ed4d4e60dc66596ed62cd
Original thread: https://lkml.kernel.org/lkml/000000000000cf6a70058aa48695@xxxxxxxxxx/T/#u

This bug has a C reproducer.

The original thread for this bug has received 1 reply, 47 days ago.

This looks like a bug in a net/wireless USB driver.

If you fix this bug, please add the following tag to the commit:
Reported-by: syzbot+a106a5b084a6890d2607@xxxxxxxxxxxxxxxxxxxxxxxxx

If you send any email or patch for this bug, please consider replying to the
original thread. For the git send-email command to use, or tips on how to reply
if the thread isn't in your mailbox, see the "Reply instructions" at
https://lkml.kernel.org/r/000000000000cf6a70058aa48695@xxxxxxxxxx

--------------------------------------------------------------------------------
Title: WARNING in submit_rx_urb/usb_submit_urb
Last occurred: 0 days ago
Reported: 55 days ago
Branches: Mainline (with usb-fuzzer patches)
Dashboard link: https://syzkaller.appspot.com/bug?id=97fff2c33c48264fba4d185f5f0f0961bdcd2ae2
Original thread: https://lkml.kernel.org/lkml/0000000000004da71e058a06318b@xxxxxxxxxx/T/#u

This bug has a C reproducer.

The original thread for this bug has received 1 reply, 55 days ago.

This looks like a bug in a net/wireless USB driver.

If you fix this bug, please add the following tag to the commit:
Reported-by: syzbot+c2a1fa67c02faa0de723@xxxxxxxxxxxxxxxxxxxxxxxxx

If you send any email or patch for this bug, please consider replying to the
original thread. For the git send-email command to use, or tips on how to reply
if the thread isn't in your mailbox, see the "Reply instructions" at
https://lkml.kernel.org/r/0000000000004da71e058a06318b@xxxxxxxxxx

--------------------------------------------------------------------------------
Title: WARNING in ar5523_submit_rx_cmd/usb_submit_urb
Last occurred: 0 days ago
Reported: 50 days ago
Branches: Mainline (with usb-fuzzer patches)
Dashboard link: https://syzkaller.appspot.com/bug?id=d4cdc65d1db112b294b568e0cff47bca7cd3edbd
Original thread: https://lkml.kernel.org/lkml/000000000000f4900f058a69d6c5@xxxxxxxxxx/T/#u

This bug has a C reproducer.

The original thread for this bug has received 1 reply, 50 days ago.

This looks like a bug in a net/wireless USB driver.

If you fix this bug, please add the following tag to the commit:
Reported-by: syzbot+6101b0c732dea13ea55b@xxxxxxxxxxxxxxxxxxxxxxxxx

If you send any email or patch for this bug, please consider replying to the
original thread. For the git send-email command to use, or tips on how to reply
if the thread isn't in your mailbox, see the "Reply instructions" at
https://lkml.kernel.org/r/000000000000f4900f058a69d6c5@xxxxxxxxxx

--------------------------------------------------------------------------------
Title: KASAN: slab-out-of-bounds Read in p54u_load_firmware_cb
Last occurred: 3 days ago
Reported: 78 days ago
Branches: Mainline (with usb-fuzzer patches)
Dashboard link: https://syzkaller.appspot.com/bug?id=a7d7aec13ac4d6981c15814acb900348d340dd70
Original thread: https://lkml.kernel.org/lkml/00000000000001de810588363aaf@xxxxxxxxxx/T/#u

This bug has a syzkaller reproducer only.

The original thread for this bug has received 4 replies; the last was 29 days
ago.

This looks like a bug in a net/wireless USB driver.

If you fix this bug, please add the following tag to the commit:
Reported-by: syzbot+6d237e74cdc13f036473@xxxxxxxxxxxxxxxxxxxxxxxxx

If you send any email or patch for this bug, please consider replying to the
original thread. For the git send-email command to use, or tips on how to reply
if the thread isn't in your mailbox, see the "Reply instructions" at
https://lkml.kernel.org/r/00000000000001de810588363aaf@xxxxxxxxxx

--------------------------------------------------------------------------------
Title: WARNING in i2400mu_bus_bm_wait_for_ack/usb_submit_urb
Last occurred: 0 days ago
Reported: 13 days ago
Branches: Mainline (with usb-fuzzer patches)
Dashboard link: https://syzkaller.appspot.com/bug?id=78aca5360820e5e91ba12dec842dabeb5349b431
Original thread: https://lkml.kernel.org/lkml/0000000000009b6e7f058d51adba@xxxxxxxxxx/T/#u

This bug has a C reproducer.

No one has replied to the original thread for this bug yet.

This looks like a bug in a net/wireless USB driver.

If you fix this bug, please add the following tag to the commit:
Reported-by: syzbot+7886801de1cc3958a0d1@xxxxxxxxxxxxxxxxxxxxxxxxx

If you send any email or patch for this bug, please reply to the original
thread. For the git send-email command to use, or tips on how to reply if the
thread isn't in your mailbox, see the "Reply instructions" at
https://lkml.kernel.org/r/0000000000009b6e7f058d51adba@xxxxxxxxxx

--------------------------------------------------------------------------------
Title: KASAN: global-out-of-bounds Read in load_next_firmware_from_table
Last occurred: 18 days ago
Reported: 14 days ago
Branches: Mainline (with usb-fuzzer patches)
Dashboard link: https://syzkaller.appspot.com/bug?id=9e4fafb6fbc53782278754488801c0bbe1fd2a85
Original thread: https://lkml.kernel.org/lkml/000000000000df0913058d3ead47@xxxxxxxxxx/T/#u

This bug has a C reproducer.

No one has replied to the original thread for this bug yet.

This looks like a bug in a net/wireless USB driver.

If you fix this bug, please add the following tag to the commit:
Reported-by: syzbot+98156c174c5a2cad9f8f@xxxxxxxxxxxxxxxxxxxxxxxxx

If you send any email or patch for this bug, please reply to the original
thread. For the git send-email command to use, or tips on how to reply if the
thread isn't in your mailbox, see the "Reply instructions" at
https://lkml.kernel.org/r/000000000000df0913058d3ead47@xxxxxxxxxx