On 6/10/25 12:02 PM, Dmitry Antipov wrote:
> Syzkaller reports [1, 2] crashes caused by attempts to ping the device
> which has failed to load firmware. Since such a device doesn't pass
> 'ieee80211_register_hw()', an internal workqueue managed by
> 'ieee80211_queue_work()' is not yet created and an attempt to queue
> work on it causes null-ptr-deref.
>
> [1] https://syzkaller.appspot.com/bug?extid=9a4aec827829942045ff

hmm, the sample crash report didn't show any carl9170 involvement.
But the provided console log did have it:
<https://syzkaller.appspot.com/text?tag=CrashLog&x=12cf580c580000>

|[  144.671347][   C1] Call Trace:
|[  144.674634][   C1]  <TASK>
|[  144.677574][   C1]  ? do_raw_spin_unlock+0x122/0x240
|[  144.682819][   C1]  queue_work_on+0x181/0x270
|[  144.687414][   C1]  ? __pfx_queue_work_on+0x10/0x10
|[  144.692525][   C1]  ? carl9170_usb_submit_rx_urb+0x198/0x1d0
|[  144.698424][   C1]  ? carl9170_usb_rx_complete+0x207/0x280
|[  144.704149][   C1]  __usb_hcd_giveback_urb+0x41a/0x690
|[  144.709555][   C1]  ? usb_hcd_unlink_urb_from_ep+0x2c/0x110
|[  144.715455][   C1]  ? __pfx___usb_hcd_giveback_urb+0x10/0x10

> [2] https://syzkaller.appspot.com/bug?extid=0d8afba53e8fb2633217
> Fixes: e4a668c59080 ("carl9170: fix spurious restart due to high latency")
> Signed-off-by: Dmitry Antipov <dmantipov@xxxxxxxxx>

Acked-by: Christian Lamparter <chunkeey@xxxxxxxxx>
Cc: <stable@xxxxxxxxxxxxxxx>