syzbot

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000038: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x00000000000001c0-0x00000000000001c7]
CPU: 1 UID: 0 PID: 38 Comm: kworker/1:1 Not tainted 6.15.0-rc6-syzkaller-00177-g882826f58b2c #0 PREEMPT(voluntary) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Workqueue: usb_hub_wq hub_event
RIP: 0010:__queue_work+0x9d/0x10f0 kernel/workqueue.c:2256
Code: 85 db 0f 84 ae 04 00 00 e8 b0 da 33 00 49 8d 86 c0 01 00 00 48 89 c2 48 89 44 24 10 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e e8 0c 00 00 41 8b 9e c0 01 00
RSP: 0018:ffffc900001a8a48 EFLAGS: 00010002
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff8148954e
RDX: 0000000000000038 RSI: ffffffff81489090 RDI: 0000000000000005
RBP: ffff88810ff73bd0 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000008
R13: 0000000000000000 R14: 0000000000000000 R15: 0100000000000004
FS:  0000000000000000(0000) GS:ffff8882692c2000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fd9d9eca0c8 CR3: 0000000124b4e000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 queue_work_on+0x15f/0x1f0 kernel/workqueue.c:2392
 queue_work include/linux/workqueue.h:662 [inline]
 ieee80211_queue_work net/mac80211/util.c:906 [inline]
 ieee80211_queue_work+0x113/0x180 net/mac80211/util.c:899
 carl9170_usb_rx_complete+0x275/0x2b0 drivers/net/wireless/ath/carl9170/usb.c:448
 __usb_hcd_giveback_urb+0x38a/0x6e0 drivers/usb/core/hcd.c:1650
 usb_hcd_giveback_urb+0x39b/0x450 drivers/usb/core/hcd.c:1734
 dummy_timer+0x180e/0x3a20 drivers/usb/gadget/udc/dummy_hcd.c:1994
 __run_hrtimer kernel/time/hrtimer.c:1761 [inline]
 __hrtimer_run_queues+0x1ff/0xad0 kernel/time/hrtimer.c:1825
 hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1842
 handle_softirqs+0x205/0x8d0 kernel/softirq.c:579
 __do_softirq kernel/softirq.c:613 [inline]
 invoke_softirq kernel/softirq.c:453 [inline]
 __irq_exit_rcu+0xfa/0x160 kernel/softirq.c:680
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
 sysvec_apic_timer_interrupt+0x90/0xb0 arch/x86/kernel/apic/apic.c:1049
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:console_flush_all+0x9a2/0xc60 kernel/printk/printk.c:3227
Code: 00 e8 72 c5 27 00 9c 5b 81 e3 00 02 00 00 31 ff 48 89 de e8 e0 08 20 00 48 85 db 0f 85 55 01 00 00 e8 62 0d 20 00 fb 4c 89 e0 <48> c1 e8 03 42 80 3c 38 00 0f 84 11 ff ff ff 4c 89 e7 e8 17 d3 7b
RSP: 0018:ffffc90000287438 EFLAGS: 00000293
RAX: ffffffff895ba678 RBX: 0000000000000000 RCX: ffffffff815c5dd0
RDX: ffff8881062b0000 RSI: ffffffff815c5dde RDI: 0000000000000007
RBP: 0000000000000000 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff895ba678
R13: ffffffff895ba620 R14: ffffc900002874c8 R15: dffffc0000000000
 __console_flush_and_unlock kernel/printk/printk.c:3285 [inline]
 console_unlock+0xd8/0x210 kernel/printk/printk.c:3325
 vprintk_emit+0x418/0x6d0 kernel/printk/printk.c:2450
 dev_vprintk_emit drivers/base/core.c:4917 [inline]
 dev_printk_emit+0xfa/0x140 drivers/base/core.c:4928
 __dev_printk+0xf5/0x270 drivers/base/core.c:4940
 _dev_info+0xe4/0x120 drivers/base/core.c:4986
 show_string drivers/usb/core/hub.c:2369 [inline]
 show_string drivers/usb/core/hub.c:2365 [inline]
 announce_device drivers/usb/core/hub.c:2388 [inline]
 usb_new_device+0x94c/0x1a20 drivers/usb/core/hub.c:2644
 hub_port_connect drivers/usb/core/hub.c:5535 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5675 [inline]
 port_event drivers/usb/core/hub.c:5835 [inline]
 hub_event+0x2f85/0x5030 drivers/usb/core/hub.c:5917
 process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238
 process_scheduled_works kernel/workqueue.c:3319 [inline]
 worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
 kthread+0x3c2/0x780 kernel/kthread.c:464
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__queue_work+0x9d/0x10f0 kernel/workqueue.c:2256
Code: 85 db 0f 84 ae 04 00 00 e8 b0 da 33 00 49 8d 86 c0 01 00 00 48 89 c2 48 89 44 24 10 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e e8 0c 00 00 41 8b 9e c0 01 00
RSP: 0018:ffffc900001a8a48 EFLAGS: 00010002
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff8148954e
RDX: 0000000000000038 RSI: ffffffff81489090 RDI: 0000000000000005
RBP: ffff88810ff73bd0 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000008
R13: 0000000000000000 R14: 0000000000000000 R15: 0100000000000004
FS:  0000000000000000(0000) GS:ffff8882692c2000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fd9d9eca0c8 CR3: 0000000124b4e000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	85 db                	test   %ebx,%ebx
   2:	0f 84 ae 04 00 00    	je     0x4b6
   8:	e8 b0 da 33 00       	call   0x33dabd
   d:	49 8d 86 c0 01 00 00 	lea    0x1c0(%r14),%rax
  14:	48 89 c2             	mov    %rax,%rdx
  17:	48 89 44 24 10       	mov    %rax,0x10(%rsp)
  1c:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  23:	fc ff df
  26:	48 c1 ea 03          	shr    $0x3,%rdx
* 2a:	0f b6 04 02          	movzbl (%rdx,%rax,1),%eax <-- trapping instruction
  2e:	84 c0                	test   %al,%al
  30:	74 08                	je     0x3a
  32:	3c 03                	cmp    $0x3,%al
  34:	0f 8e e8 0c 00 00    	jle    0xd22
  3a:	41                   	rex.B
  3b:	8b                   	.byte 0x8b
  3c:	9e                   	sahf
  3d:	c0 01 00             	rolb   $0x0,(%rcx)