From: xiaoblac
X-Google-Original-From: xiaoblac <1020691186@qq.com>
To: Toke Høiland-Jørgensen, Kalle Valo
Cc: Oleksij Rempel, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com, Cheng Yongkang, syzbot+50122cbc2874b1eb25b0@syzkaller.appspotmail.com
Subject: [PATCH] wifi: ath9k: hif_usb: don't dereference hif_dev after re-arming firmware request
Date: Fri, 5 Jun 2026 08:32:10 -0700
Message-Id: <20260605153210.20471-1-1020691186@qq.com>
X-Mailer: git-send-email 2.34.1
X-Mailing-List: linux-kernel@vger.kernel.org
From: Cheng Yongkang

ath9k_hif_request_firmware() re-arms an asynchronous firmware load via
request_firmware_nowait(), passing hif_dev as the completion context, and
then still dereferences hif_dev:

    dev_info(&hif_dev->udev->dev, "ath9k_htc: Firmware %s requested\n",
             hif_dev->fw_name);

The re-armed callback ath9k_hif_usb_firmware_cb() runs on the "events"
workqueue and, when the firmware is missing, walks the retry chain into
ath9k_hif_usb_firmware_fail() -> complete_all(&hif_dev->fw_done). That
releases the wait_for_completion(&hif_dev->fw_done) in a concurrent
ath9k_hif_usb_disconnect(), which then kfree()s hif_dev. The trailing
dev_info() in the frame that re-armed the request can therefore read freed
memory (hif_dev->udev, the first field of struct hif_device_usb):

    BUG: KASAN: slab-use-after-free in ath9k_hif_request_firmware
    Read of size 8 ... by task kworker/...
     ath9k_hif_request_firmware
     ath9k_hif_usb_firmware_cb drivers/net/wireless/ath/ath9k/hif_usb.c:1247
     request_firmware_work_func

    Allocated by ...:
     ath9k_hif_usb_probe drivers/net/wireless/ath/ath9k/hif_usb.c

    Freed by ...:
     ath9k_hif_usb_disconnect -> kfree drivers/net/wireless/ath/ath9k/hif_usb.c

The fw_done barrier only makes disconnect wait for the firmware chain to
*terminate*; it does not protect the outer ath9k_hif_request_firmware()
frame that re-armed the request and keeps touching hif_dev afterwards.

Drop the post-request dev_info(): it is the only use of hif_dev after the
async request is armed, and it is purely informational (the dev_err() on the
failure path runs only when request_firmware_nowait() did not arm a
callback, so hif_dev is still alive there).

This was first reported by syzbot as a single, non-reproduced crash that was
later auto-obsoleted, and was independently rediscovered by the reFuzz
fuzzer, which produced a C reproducer (USB-gadget connect/disconnect of an
ath9k_htc device whose firmware download fails).
The vulnerable code is unchanged and still present in v7.1-rc6, where the
slab-use-after-free reproduces under KASAN once the (sub-microsecond) race
window is widened.

Fixes: e904cf6fe230 ("ath9k_htc: introduce support for different fw versions")
Reported-by: syzbot+50122cbc2874b1eb25b0@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=50122cbc2874b1eb25b0
Signed-off-by: Cheng Yongkang
---
 drivers/net/wireless/ath/ath9k/hif_usb.c | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
+++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
@@ -1225,15 +1225,10 @@ static int ath9k_hif_request_firmware(struct hif_de= vice_usb *hif_dev, ret =3D request_firmware_nowait(THIS_MODULE, true, hif_dev->fw_name, &hif_dev->udev->dev, GFP_KERNEL, hif_dev, ath9k_hif_usb_firmware_cb); - if (ret) { + if (ret) dev_err(&hif_dev->udev->dev, "ath9k_htc: Async request for firmware %s failed\n", hif_dev->fw_name); - return ret; - } - - dev_info(&hif_dev->udev->dev, "ath9k_htc: Firmware %s requested\n", - hif_dev->fw_name); return ret; }
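Review bot: the new invariant this hunk relies on is not recorded in the code: once request_firmware_nowait() has been handed hif_dev as its context, nothing in this frame may touch hif_dev again, because the callback can complete fw_done and let ath9k_hif_usb_disconnect() free it before ath9k_hif_request_firmware() returns. A short comment above the call, along the lines of `/* Once the callback is armed, disconnect may free hif_dev; do not touch it below. */`, would keep a later change from reintroducing the dev_info() that this patch removes. If the informational message is worth keeping, it can be emitted before the request_firmware_nowait() call, where hif_dev is still guaranteed alive. The remaining `if (ret)` guarding a single multi-line dev_err() and the unconditional `return ret;` are consistent with the commit message's point that dev_err() runs only when no callback was armed.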