syzbot

==================================================================
BUG: KASAN: use-after-free in ath9k_hif_usb_rx_stream drivers/net/wireless/ath/ath9k/hif_usb.c:642 [inline]
BUG: KASAN: use-after-free in ath9k_hif_usb_rx_cb+0xa65/0x1130 drivers/net/wireless/ath/ath9k/hif_usb.c:686
Read of size 4 at addr ffff88807794c2e8 by task swapper/1/0

CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.19.0-rc5-syzkaller-00049-gc1084b6c5620 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
 print_address_description+0x65/0x4b0 mm/kasan/report.c:313
 print_report+0xf4/0x210 mm/kasan/report.c:429
 kasan_report+0xfb/0x130 mm/kasan/report.c:491
 ath9k_hif_usb_rx_stream drivers/net/wireless/ath/ath9k/hif_usb.c:642 [inline]
 ath9k_hif_usb_rx_cb+0xa65/0x1130 drivers/net/wireless/ath/ath9k/hif_usb.c:686
 __usb_hcd_giveback_urb+0x369/0x530 drivers/usb/core/hcd.c:1670
 dummy_timer+0x86b/0x3110 drivers/usb/gadget/udc/dummy_hcd.c:1988
 call_timer_fn+0xf5/0x210 kernel/time/timer.c:1474
 expire_timers kernel/time/timer.c:1519 [inline]
 __run_timers+0x76a/0x980 kernel/time/timer.c:1790
 run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1803
 __do_softirq+0x382/0x793 kernel/softirq.c:571
 __irq_exit_rcu+0xec/0x170 kernel/softirq.c:650
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:662
 sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1106
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1b/0x20
RIP: 0010:native_save_fl arch/x86/include/asm/irqflags.h:22 [inline]
RIP: 0010:arch_local_save_flags arch/x86/include/asm/irqflags.h:70 [inline]
RIP: 0010:arch_irqs_disabled arch/x86/include/asm/irqflags.h:130 [inline]
RIP: 0010:acpi_safe_halt drivers/acpi/processor_idle.c:112 [inline]
RIP: 0010:acpi_idle_do_entry drivers/acpi/processor_idle.c:554 [inline]
RIP: 0010:acpi_idle_enter+0x43d/0x7a0 drivers/acpi/processor_idle.c:691
Code: ff e8 b7 22 f4 fc 48 83 e3 08 44 8b 7c 24 04 0f 85 10 01 00 00 e8 f3 c9 fa fc 66 90 e8 dc 1d f4 fc 0f 00 2d 15 13 62 06 fb f4 <4c> 89 e3 48 c1 eb 03 42 80 3c 2b 00 74 08 4c 89 e7 e8 4d 09 47 fd
RSP: 0018:ffffc90000177c00 EFLAGS: 000002d3
RAX: ffffffff84935fa4 RBX: 0000000000000000 RCX: ffff888011f11d80
RDX: 0000000000000000 RSI: ffffffff8a8d22c0 RDI: ffffffff8ae99700
RBP: ffffc90000177cb0 R08: ffffffff84935f89 R09: ffffed10023e23b1
R10: ffffed10023e23b1 R11: 1ffff110023e23b0 R12: ffffc90000177c40
R13: dffffc0000000000 R14: ffff888145a68800 R15: 0000000000000001
 cpuidle_enter_state+0x517/0xed0 drivers/cpuidle/cpuidle.c:237
 cpuidle_enter+0x59/0x90 drivers/cpuidle/cpuidle.c:351
 call_cpuidle kernel/sched/idle.c:155 [inline]
 cpuidle_idle_call kernel/sched/idle.c:236 [inline]
 do_idle+0x3d2/0x640 kernel/sched/idle.c:303
 cpu_startup_entry+0x15/0x20 kernel/sched/idle.c:400
 start_secondary+0xe4/0xf0 arch/x86/kernel/smpboot.c:266
 secondary_startup_64_no_verify+0xcf/0xdb
 </TASK>

The buggy address belongs to the physical page:
page:ffffea0001de5300 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x7794c
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x40dc0(GFP_KERNEL|__GFP_COMP|__GFP_ZERO), pid 26, tgid 26 (kworker/1:1), ts 44977335824, free_ts 46032396538
 prep_new_page mm/page_alloc.c:2456 [inline]
 get_page_from_freelist+0x72b/0x7a0 mm/page_alloc.c:4198
 __alloc_pages+0x259/0x560 mm/page_alloc.c:5426
 kmalloc_order+0x41/0x150 mm/slab_common.c:945
 kmalloc_order_trace+0x15/0x70 mm/slab_common.c:961
 kmalloc_large include/linux/slab.h:529 [inline]
 __kmalloc+0x26b/0x370 mm/slub.c:4435
 kmalloc include/linux/slab.h:605 [inline]
 kzalloc include/linux/slab.h:733 [inline]
 wiphy_new_nm+0x617/0x18f0 net/wireless/core.c:440
 ieee80211_alloc_hw_nm+0x338/0x1e60 net/mac80211/main.c:585
 ieee80211_alloc_hw include/net/mac80211.h:4412 [inline]
 ath9k_htc_probe_device+0xaa/0x2090 drivers/net/wireless/ath/ath9k/htc_drv_init.c:939
 ath9k_htc_hw_init+0x30/0x70 drivers/net/wireless/ath/ath9k/htc_hst.c:508
 ath9k_hif_usb_firmware_cb+0x250/0x4d0 drivers/net/wireless/ath/ath9k/hif_usb.c:1245
 request_firmware_work_func+0x198/0x270 drivers/base/firmware_loader/main.c:1107
 process_one_work+0x81c/0xd10 kernel/workqueue.c:2289
 worker_thread+0xb14/0x1330 kernel/workqueue.c:2436
 kthread+0x266/0x300 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1371 [inline]
 free_pcp_prepare+0x812/0x900 mm/page_alloc.c:1421
 free_unref_page_prepare mm/page_alloc.c:3343 [inline]
 free_unref_page+0x7d/0x390 mm/page_alloc.c:3438
 free_large_kmalloc+0xeb/0x1a0 mm/slub.c:3575
 kfree+0x188/0x210 mm/slub.c:4580
 device_release+0x98/0x1c0
 kobject_cleanup+0x235/0x470 lib/kobject.c:673
 ath9k_htc_probe_device+0xfe8/0x2090 drivers/net/wireless/ath/ath9k/htc_drv_init.c:976
 ath9k_htc_hw_init+0x30/0x70 drivers/net/wireless/ath/ath9k/htc_hst.c:508
 ath9k_hif_usb_firmware_cb+0x250/0x4d0 drivers/net/wireless/ath/ath9k/hif_usb.c:1245
 request_firmware_work_func+0x198/0x270 drivers/base/firmware_loader/main.c:1107
 process_one_work+0x81c/0xd10 kernel/workqueue.c:2289
 worker_thread+0xb14/0x1330 kernel/workqueue.c:2436
 kthread+0x266/0x300 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30

Memory state around the buggy address:
 ffff88807794c180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88807794c200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88807794c280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                          ^
 ffff88807794c300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88807794c380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
----------------
Code disassembly (best guess), 1 bytes skipped:
   0:	e8 b7 22 f4 fc       	callq  0xfcf422bc
   5:	48 83 e3 08          	and    $0x8,%rbx
   9:	44 8b 7c 24 04       	mov    0x4(%rsp),%r15d
   e:	0f 85 10 01 00 00    	jne    0x124
  14:	e8 f3 c9 fa fc       	callq  0xfcfaca0c
  19:	66 90                	xchg   %ax,%ax
  1b:	e8 dc 1d f4 fc       	callq  0xfcf41dfc
  20:	0f 00 2d 15 13 62 06 	verw   0x6621315(%rip)        # 0x662133c
  27:	fb                   	sti
  28:	f4                   	hlt
* 29:	4c 89 e3             	mov    %r12,%rbx <-- trapping instruction
  2c:	48 c1 eb 03          	shr    $0x3,%rbx
  30:	42 80 3c 2b 00       	cmpb   $0x0,(%rbx,%r13,1)
  35:	74 08                	je     0x3f
  37:	4c 89 e7             	mov    %r12,%rdi
  3a:	e8 4d 09 47 fd       	callq  0xfd47098c