Forwarded: Re: [PATCH RFC] wifi: rt2x00usb: fix NULL pointer dereference in rt2x00usb_disconnect()
From: syzbot
Date: Tue May 19 2026 - 10:31:05 EST
For archival purposes, forwarding an incoming command email to
linux-kernel@xxxxxxxxxxxxxxx, syzkaller-bugs@xxxxxxxxxxxxxxxx.
***
Subject: Re: [PATCH RFC] wifi: rt2x00usb: fix NULL pointer dereference in rt2x00usb_disconnect()
Author: nogikh@xxxxxxxxxx
#syz reject
Syzbot apparently got confused by NULLs in the strace output.
On Sat, May 16, 2026 at 8:22 PM 'syzbot' via
syzkaller-upstream-moderation
<syzkaller-upstream-moderation@xxxxxxxxxxxxxxxx> wrote:
>
> In `rt2x00usb_probe()`, `usb_reset_device()` is called early. If this
> reset fails or detects an unexpected device state (which is common with
> malicious or rapidly disconnecting simulated USB devices), the USB core
> schedules an asynchronous logical disconnect for the device. If the
> probe function subsequently fails (e.g., due to hardware allocation or
> registration failure), it cleans up by freeing the hardware struct and
> setting the interface data to NULL via `usb_set_intfdata(usb_intf,
> NULL)`.
>
> Due to a race condition with the asynchronous disconnect scheduled by
> the early reset, the `rt2x00usb_disconnect()` callback can be invoked
> even after the probe has failed and cleared the interface data. When
> `rt2x00usb_disconnect()` is called, it fetches the interface data using
> `usb_get_intfdata()` and unconditionally dereferences it to access
> `hw->priv`, leading to a kernel panic since `hw` is NULL.
>
> Fix this by adding a NULL check for `hw` at the beginning of
> `rt2x00usb_disconnect()`. If `hw` is NULL, it means the probe failed and
> the cleanup has already been performed, so the function can safely
> return early.
>
> Fixes: bf4c02d5e772903be5bf8952bac730a2956d0619 ("rt2x00: reset usb devices at probe")
> Assisted-by: Gemini:gemini-3.1-pro-preview Gemini:gemini-3-flash-preview
> Reported-by: syzbot+e84ecca6d1fa09a9b3d9@xxxxxxxxxxxxxxxxxxxxxxxxx
> Link: https://syzkaller.appspot.com/bug?extid=e84ecca6d1fa09a9b3d9
> Link: https://syzkaller.appspot.com/ai_job?id=63946763-bd49-4c8e-b059-d7248e547b72
> To: <linux-wireless@xxxxxxxxxxxxxxx>
> To: <stf_xl@xxxxx>
> Cc: <linux-kernel@xxxxxxxxxxxxxxx>
>
> ---
> diff --git a/drivers/net/wireless/ralink/rt2x00/rt2x00usb.c b/drivers/net/wireless/ralink/rt2x00/rt2x00usb.c
> index 174d89b0b..ea6ceb3a1 100644
> --- a/drivers/net/wireless/ralink/rt2x00/rt2x00usb.c
> +++ b/drivers/net/wireless/ralink/rt2x00/rt2x00usb.c
> @@ -858,7 +858,12 @@ EXPORT_SYMBOL_GPL(rt2x00usb_probe);
> void rt2x00usb_disconnect(struct usb_interface *usb_intf)
> {
> struct ieee80211_hw *hw = usb_get_intfdata(usb_intf);
> - struct rt2x00_dev *rt2x00dev = hw->priv;
> + struct rt2x00_dev *rt2x00dev;
> +
> + if (!hw)
> + return;
> +
> + rt2x00dev = hw->priv;
>
> /*
> * Free all allocated data.
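Review bot: The `if (!hw) return;` guard added at the top of `rt2x00usb_disconnect()` does not close the race the commit message describes; it only covers the case where disconnect runs after the probe error path has already cleared the interface data. If the disconnect callback can really run concurrently with a failing probe, `usb_get_intfdata()` can still return the old pointer just before the probe path frees the hardware struct and calls `usb_set_intfdata(usb_intf, NULL)`, and `hw->priv` then reads freed memory. The message should either show why the two paths are serialized, and in that case explain how disconnect is reached for an interface whose probe failed, or fix the ordering at its source rather than in the callback. If the check stays, it needs a short comment saying when the interface data can be NULL here, since nothing in the function explains it.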
>
>
> base-commit: 5d6919055dec134de3c40167a490f33c74c12581
> --
> This is an AI-generated patch subject to moderation.
> Reply with '#syz upstream' to send it to the mailing list.
> Reply with '#syz reject' to reject it.
>
> See for more information.
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-upstream-moderation" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-upstream-moderation+unsubscribe@xxxxxxxxxxxxxxxx.
> To view this discussion visit https://groups.google.com/d/msgid/syzkaller-upstream-moderation/f98a17ac-9a06-46f2-af52-ba19ff0ead38%40mail.kernel.org.