X-Mailing-List: linux-kernel@vger.kernel.org
Date: Tue, 19 May 2026 07:24:19 -0700
In-Reply-To: <671906e2.050a0220.1e4b4d.008d.GAE@google.com>
Message-ID: <6a0c7293.170a0220.3cbd30.0136.GAE@google.com>
Subject: Forwarded: Re: [PATCH RFC] wifi: rt2x00usb: fix NULL pointer dereference in rt2x00usb_disconnect()
From: syzbot
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Re: [PATCH RFC] wifi: rt2x00usb: fix NULL pointer dereference in rt2x00usb_disconnect()
Author: nogikh@google.com

#syz reject

Syzbot apparently got confused by NULLs in the strace output.

On Sat, May 16, 2026 at 8:22 PM 'syzbot' via syzkaller-upstream-moderation wrote:
>
> In `rt2x00usb_probe()`, `usb_reset_device()` is called early. If this
> reset fails or detects an unexpected device state (which is common with
> malicious or rapidly disconnecting simulated USB devices), the USB core
> schedules an asynchronous logical disconnect for the device. If the
> probe function subsequently fails (e.g., due to hardware allocation or
> registration failure), it cleans up by freeing the hardware struct and
> setting the interface data to NULL via `usb_set_intfdata(usb_intf,
> NULL)`.
>
> Due to a race condition with the asynchronous disconnect scheduled by
> the early reset, the `rt2x00usb_disconnect()` callback can be invoked
> even after the probe has failed and cleared the interface data. When
> `rt2x00usb_disconnect()` is called, it fetches the interface data using
> `usb_get_intfdata()` and unconditionally dereferences it to access
> `hw->priv`, leading to a kernel panic since `hw` is NULL.
>
> Fix this by adding a NULL check for `hw` at the beginning of
> `rt2x00usb_disconnect()`. If `hw` is NULL, it means the probe failed and
> the cleanup has already been performed, so the function can safely
> return early.
>
> Fixes: bf4c02d5e772903be5bf8952bac730a2956d0619 ("rt2x00: reset usb devices at probe")
> Assisted-by: Gemini:gemini-3.1-pro-preview Gemini:gemini-3-flash-preview
> Reported-by: syzbot+e84ecca6d1fa09a9b3d9@syzkaller.appspotmail.com
> Link: https://syzkaller.appspot.com/bug?extid=e84ecca6d1fa09a9b3d9
> Link: https://syzkaller.appspot.com/ai_job?id=63946763-bd49-4c8e-b059-d7248e547b72
> To:
> To:
> Cc:
>
> ---
> diff --git a/drivers/net/wireless/ralink/rt2x00/rt2x00usb.c b/drivers/net= /wireless/ralink/rt2x00/rt2x00usb.c > index 174d89b0b..ea6ceb3a1 100644 > --- a/drivers/net/wireless/ralink/rt2x00/rt2x00usb.c > +++ b/drivers/net/wireless/ralink/rt2x00/rt2x00usb.c
> @@ -858,7 +858,12 @@ EXPORT_SYMBOL_GPL(rt2x00usb_probe); > void rt2x00usb_disconnect(struct usb_interface *usb_intf) > { > struct ieee80211_hw *hw =3D usb_get_intfdata(usb_intf); > - struct rt2x00_dev *rt2x00dev =3D hw->priv; > + struct rt2x00_dev *rt2x00dev; > + > + if (!hw) > + return; > + > + rt2x00dev =3D hw->priv; > > /* > * Free all allocated data. > > > base-commit: 5d6919055dec134de3c40167a490f33c74c12581 > -- > This is an AI-generated patch subject to moderation. > Reply with '#syz upstream' to send it to the mailing list. > Reply with '#syz reject' to reject it. > > See for more information.
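
Review bot: the `if (!hw) return;` guard added at the top of `rt2x00usb_disconnect()` is an unsynchronized test, so it does not close the race the commit message describes. That description has the probe error path freeing the hardware struct and setting the interface data to NULL, so a disconnect running concurrently with that cleanup could still read a non-NULL `hw` that has already been freed and go on to dereference `hw->priv`. If the race is real, the fix belongs in the ordering or locking between the probe error path and disconnect rather than in an early return; if it is not, the guard only hides the actual cause. The check also has no comment saying when `usb_get_intfdata()` can return NULL in this callback, and the moderator's reply in this thread rejects the patch because the diagnosis came from misread NULLs in the strace output, so a reproducer that shows disconnect being reached with cleared interface data is needed before this goes further.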