syzbot

==================================================================
BUG: KASAN: use-after-free in ath9k_hif_usb_rx_stream drivers/net/wireless/ath/ath9k/hif_usb.c:588 [inline]
BUG: KASAN: use-after-free in ath9k_hif_usb_rx_cb+0xd17/0x10d0 drivers/net/wireless/ath/ath9k/hif_usb.c:686
Read of size 4 at addr ffff88806d6a42f4 by task swapper/1/0

CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.19.0-syzkaller-02972-g200e340f2196 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0xeb/0x467 mm/kasan/report.c:313
 print_report mm/kasan/report.c:429 [inline]
 kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491
 ath9k_hif_usb_rx_stream drivers/net/wireless/ath/ath9k/hif_usb.c:588 [inline]
 ath9k_hif_usb_rx_cb+0xd17/0x10d0 drivers/net/wireless/ath/ath9k/hif_usb.c:686
 __usb_hcd_giveback_urb+0x2b0/0x5c0 drivers/usb/core/hcd.c:1670
 usb_hcd_giveback_urb+0x367/0x410 drivers/usb/core/hcd.c:1747
 dummy_timer+0x11f9/0x32b0 drivers/usb/gadget/udc/dummy_hcd.c:1988
 call_timer_fn+0x1a5/0x6b0 kernel/time/timer.c:1474
 expire_timers kernel/time/timer.c:1519 [inline]
 __run_timers.part.0+0x679/0xa80 kernel/time/timer.c:1790
 __run_timers kernel/time/timer.c:1768 [inline]
 run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1803
 __do_softirq+0x29b/0x9c2 kernel/softirq.c:571
 invoke_softirq kernel/softirq.c:445 [inline]
 __irq_exit_rcu+0x123/0x180 kernel/softirq.c:650
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:662
 sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1106
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:649
RIP: 0010:native_save_fl arch/x86/include/asm/irqflags.h:29 [inline]
RIP: 0010:arch_local_save_flags arch/x86/include/asm/irqflags.h:70 [inline]
RIP: 0010:arch_irqs_disabled arch/x86/include/asm/irqflags.h:130 [inline]
RIP: 0010:acpi_safe_halt drivers/acpi/processor_idle.c:113 [inline]
RIP: 0010:acpi_idle_do_entry+0x1c9/0x240 drivers/acpi/processor_idle.c:555
Code: 89 de e8 aa 43 ff f7 84 db 75 98 e8 a1 47 ff f7 e8 5c 97 05 f8 66 90 e8 95 47 ff f7 0f 00 2d ce 40 b9 00 e8 89 47 ff f7 fb f4 <9c> 5b 81 e3 00 02 00 00 fa 31 ff 48 89 de e8 d4 43 ff f7 48 85 db
RSP: 0018:ffffc9000038fd20 EFLAGS: 00000293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff88801206c200 RSI: ffffffff897ac377 RDI: 0000000000000000
RBP: ffff888017656064 R08: 0000000000000001 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000001
R13: ffff888017656000 R14: ffff888017656064 R15: ffff888146a97804
 acpi_idle_enter+0x369/0x510 drivers/acpi/processor_idle.c:692
 cpuidle_enter_state+0x1b1/0xc80 drivers/cpuidle/cpuidle.c:238
 cpuidle_enter+0x4a/0xa0 drivers/cpuidle/cpuidle.c:352
 call_cpuidle kernel/sched/idle.c:155 [inline]
 cpuidle_idle_call kernel/sched/idle.c:236 [inline]
 do_idle+0x3e8/0x590 kernel/sched/idle.c:303
 cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:400
 start_secondary+0x21d/0x2b0 arch/x86/kernel/smpboot.c:266
 secondary_startup_64_no_verify+0xce/0xdb
 </TASK>

Allocated by task 26:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:437 [inline]
 ____kasan_kmalloc mm/kasan/common.c:516 [inline]
 ____kasan_kmalloc mm/kasan/common.c:475 [inline]
 __kasan_kmalloc+0xa6/0xd0 mm/kasan/common.c:525
 kasan_kmalloc include/linux/kasan.h:234 [inline]
 __do_kmalloc mm/slab.c:3696 [inline]
 __kmalloc+0x209/0x4e0 mm/slab.c:3705
 kmalloc include/linux/slab.h:605 [inline]
 kzalloc include/linux/slab.h:733 [inline]
 wiphy_new_nm+0x6f0/0x2080 net/wireless/core.c:440
 ieee80211_alloc_hw_nm+0x373/0x2270 net/mac80211/main.c:585
 ieee80211_alloc_hw include/net/mac80211.h:4412 [inline]
 ath9k_htc_probe_device+0x97/0x1f30 drivers/net/wireless/ath/ath9k/htc_drv_init.c:939
 ath9k_htc_hw_init+0x31/0x60 drivers/net/wireless/ath/ath9k/htc_hst.c:508
 ath9k_hif_usb_firmware_cb+0x274/0x530 drivers/net/wireless/ath/ath9k/hif_usb.c:1245
 request_firmware_work_func+0x12c/0x230 drivers/base/firmware_loader/main.c:1107
 process_one_work+0x996/0x1610 kernel/workqueue.c:2289
 worker_thread+0x665/0x1080 kernel/workqueue.c:2436
 kthread+0x2e9/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306

Freed by task 26:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track+0x21/0x30 mm/kasan/common.c:45
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
 ____kasan_slab_free mm/kasan/common.c:367 [inline]
 ____kasan_slab_free+0x13d/0x180 mm/kasan/common.c:329
 kasan_slab_free include/linux/kasan.h:200 [inline]
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x173/0x390 mm/slab.c:3796
 device_release+0x9f/0x240 drivers/base/core.c:2241
 kobject_cleanup lib/kobject.c:673 [inline]
 kobject_release lib/kobject.c:704 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x1c8/0x540 lib/kobject.c:721
 put_device+0x1b/0x30 drivers/base/core.c:3535
 ath9k_htc_probe_device+0x1c7/0x1f30 drivers/net/wireless/ath/ath9k/htc_drv_init.c:976
 ath9k_htc_hw_init+0x31/0x60 drivers/net/wireless/ath/ath9k/htc_hst.c:508
 ath9k_hif_usb_firmware_cb+0x274/0x530 drivers/net/wireless/ath/ath9k/hif_usb.c:1245
 request_firmware_work_func+0x12c/0x230 drivers/base/firmware_loader/main.c:1107
 process_one_work+0x996/0x1610 kernel/workqueue.c:2289
 worker_thread+0x665/0x1080 kernel/workqueue.c:2436
 kthread+0x2e9/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306

The buggy address belongs to the object at ffff88806d6a0000
 which belongs to the cache kmalloc-32k of size 32768
The buggy address is located 17140 bytes inside of
 32768-byte region [ffff88806d6a0000, ffff88806d6a8000)

The buggy address belongs to the physical page:
page:ffffea0001b5a800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x6d6a0
head:ffffea0001b5a800 order:4 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 ffffea0001b5a408 ffff888011841d50 ffff888011840c00
raw: 0000000000000000 ffff88806d6a0000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 4, migratetype Unmovable, gfp_mask 0x2420c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE), pid 26, tgid 26 (kworker/1:1), ts 52221308230, free_ts 12389396757
 prep_new_page mm/page_alloc.c:2457 [inline]
 get_page_from_freelist+0x1298/0x3b80 mm/page_alloc.c:4203
 __alloc_pages+0x1c7/0x510 mm/page_alloc.c:5431
 __alloc_pages_node include/linux/gfp.h:587 [inline]
 kmem_getpages mm/slab.c:1363 [inline]
 cache_grow_begin+0x75/0x350 mm/slab.c:2569
 cache_alloc_refill+0x27f/0x380 mm/slab.c:2942
 ____cache_alloc mm/slab.c:3024 [inline]
 ____cache_alloc mm/slab.c:3007 [inline]
 __do_cache_alloc mm/slab.c:3253 [inline]
 slab_alloc mm/slab.c:3295 [inline]
 __do_kmalloc mm/slab.c:3694 [inline]
 __kmalloc+0x3ba/0x4e0 mm/slab.c:3705
 kmalloc include/linux/slab.h:605 [inline]
 kzalloc include/linux/slab.h:733 [inline]
 wiphy_new_nm+0x6f0/0x2080 net/wireless/core.c:440
 ieee80211_alloc_hw_nm+0x373/0x2270 net/mac80211/main.c:585
 ieee80211_alloc_hw include/net/mac80211.h:4412 [inline]
 ath9k_htc_probe_device+0x97/0x1f30 drivers/net/wireless/ath/ath9k/htc_drv_init.c:939
 ath9k_htc_hw_init+0x31/0x60 drivers/net/wireless/ath/ath9k/htc_hst.c:508
 ath9k_hif_usb_firmware_cb+0x274/0x530 drivers/net/wireless/ath/ath9k/hif_usb.c:1245
 request_firmware_work_func+0x12c/0x230 drivers/base/firmware_loader/main.c:1107
 process_one_work+0x996/0x1610 kernel/workqueue.c:2289
 worker_thread+0x665/0x1080 kernel/workqueue.c:2436
 kthread+0x2e9/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1371 [inline]
 free_pcp_prepare+0x549/0xd20 mm/page_alloc.c:1421
 free_unref_page_prepare mm/page_alloc.c:3344 [inline]
 free_unref_page+0x19/0x6a0 mm/page_alloc.c:3439
 free_contig_range+0xb1/0x180 mm/page_alloc.c:9319
 destroy_args+0xa8/0x646 mm/debug_vm_pgtable.c:1031
 debug_vm_pgtable+0x2a03/0x2a94 mm/debug_vm_pgtable.c:1354
 do_one_initcall+0x103/0x650 init/main.c:1296
 do_initcall_level init/main.c:1369 [inline]
 do_initcalls init/main.c:1385 [inline]
 do_basic_setup init/main.c:1404 [inline]
 kernel_init_freeable+0x6b1/0x73a init/main.c:1611
 kernel_init+0x1a/0x1d0 init/main.c:1500
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306

Memory state around the buggy address:
 ffff88806d6a4180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88806d6a4200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88806d6a4280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                             ^
 ffff88806d6a4300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88806d6a4380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
----------------
Code disassembly (best guess):
   0:	89 de                	mov    %ebx,%esi
   2:	e8 aa 43 ff f7       	callq  0xf7ff43b1
   7:	84 db                	test   %bl,%bl
   9:	75 98                	jne    0xffffffa3
   b:	e8 a1 47 ff f7       	callq  0xf7ff47b1
  10:	e8 5c 97 05 f8       	callq  0xf8059771
  15:	66 90                	xchg   %ax,%ax
  17:	e8 95 47 ff f7       	callq  0xf7ff47b1
  1c:	0f 00 2d ce 40 b9 00 	verw   0xb940ce(%rip)        # 0xb940f1
  23:	e8 89 47 ff f7       	callq  0xf7ff47b1
  28:	fb                   	sti
  29:	f4                   	hlt
* 2a:	9c                   	pushfq <-- trapping instruction
  2b:	5b                   	pop    %rbx
  2c:	81 e3 00 02 00 00    	and    $0x200,%ebx
  32:	fa                   	cli
  33:	31 ff                	xor    %edi,%edi
  35:	48 89 de             	mov    %rbx,%rsi
  38:	e8 d4 43 ff f7       	callq  0xf7ff4411
  3d:	48 85 db             	test   %rbx,%rbx