syzbot


KASAN: slab-out-of-bounds Read in print_lock

Status: moderation: reported on 2022/07/09 08:47
Reported-by: syzbot+d97742a56cd87b253621@syzkaller.appspotmail.com
First crash: 43d, last: 43d

Sample crash report:
BUG: MAX_LOCK_DEPTH too low!
turning off the locking correctness validator.
depth: 601  max: 48!
601 locks held by dhcpcd-run-hook/17081:
 #0: ffff88810ee5c208 (&sig->cred_guard_mutex){+.+.}-{3:3}, at: prepare_bprm_creds fs/exec.c:1471 [inline]
 #0: ffff88810ee5c208 (&sig->cred_guard_mutex){+.+.}-{3:3}, at: bprm_execve+0xb2/0x1960 fs/exec.c:1806
 #1: ffff88810ee5c2a0 (&sig->exec_update_lock){+.+.}-{3:3}, at: exec_mmap fs/exec.c:994 [inline]
 #1: ffff88810ee5c2a0 (&sig->exec_update_lock){+.+.}-{3:3}, at: begin_new_exec+0xca8/0x2ec0 fs/exec.c:1297
 #2: ffff88811692d528 (&mm->mmap_lock#2){++++}-{3:3}, at: mmap_write_lock include/linux/mmap_lock.h:71 [inline]
 #2: ffff88811692d528 (&mm->mmap_lock#2){++++}-{3:3}, at: exit_mmap+0x112/0x4a0 mm/mmap.c:3147
 #3: ffffffff8ba45218 (&obj_hash[i].lock){-.-.}-{2:2}, at: __debug_check_no_obj_freed lib/debugobjects.c:977 [inline]
 #3: ffffffff8ba45218 (&obj_hash[i].lock){-.-.}-{2:2}, at: debug_check_no_obj_freed+0xc7/0x420 lib/debugobjects.c:1020
 #4: ffffffff8b9b0ca0 (&obj_hash[i].lock){-.-.}-{2:2}, at: __debug_check_no_obj_freed lib/debugobjects.c:977 [inline]
 #4: ffffffff8b9b0ca0 (&obj_hash[i].lock){-.-.}-{2:2}, at: debug_check_no_obj_freed+0xc7/0x420 lib/debugobjects.c:1020
 #5: ffff888100218688 (&memcg->move_lock){..-.}-{2:2}, at: folio_memcg_lock+0x12c/0x6c0 mm/memcontrol.c:2052
 #6: ffff8881f6937b58 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested kernel/sched/core.c:544 [inline]
 #6: ffff8881f6937b58 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock kernel/sched/sched.h:1304 [inline]
 #6: ffff8881f6937b58 (&rq->__lock){-.-.}-{2:2}, at: rq_lock kernel/sched/sched.h:1602 [inline]
 #6: ffff8881f6937b58 (&rq->__lock){-.-.}-{2:2}, at: ttwu_queue kernel/sched/core.c:3870 [inline]
 #6: ffff8881f6937b58 (&rq->__lock){-.-.}-{2:2}, at: try_to_wake_up+0x4eb/0x1410 kernel/sched/core.c:4195
 #7: ffff8881f6937b58 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested kernel/sched/core.c:544 [inline]
 #7: ffff8881f6937b58 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock kernel/sched/sched.h:1304 [inline]
 #7: ffff8881f6937b58 (&rq->__lock){-.-.}-{2:2}, at: rq_lock kernel/sched/sched.h:1602 [inline]
 #7: ffff8881f6937b58 (&rq->__lock){-.-.}-{2:2}, at: ttwu_queue kernel/sched/core.c:3870 [inline]
 #7: ffff8881f6937b58 (&rq->__lock){-.-.}-{2:2}, at: try_to_wake_up+0x4eb/0x1410 kernel/sched/core.c:4195
 #8: ffff88810ba8c230 (&p->pi_lock){-.-.}-{2:2}, at: try_to_wake_up+0xa4/0x1410 kernel/sched/core.c:4079
 #9: ffff8881f6937b58 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested kernel/sched/core.c:544 [inline]
 #9: ffff8881f6937b58 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock kernel/sched/sched.h:1304 [inline]
 #9: ffff8881f6937b58 (&rq->__lock){-.-.}-{2:2}, at: rq_lock kernel/sched/sched.h:1602 [inline]
 #9: ffff8881f6937b58 (&rq->__lock){-.-.}-{2:2}, at: ttwu_queue kernel/sched/core.c:3870 [inline]
 #9: ffff8881f6937b58 (&rq->__lock){-.-.}-{2:2}, at: try_to_wake_up+0x4eb/0x1410 kernel/sched/core.c:4195
 #10: ffff8881f6837cd8 (&cfs_rq->removed.lock){-.-.}-{2:2}, at: update_cfs_rq_load_avg kernel/sched/fair.c:3752 [inline]
 #10: ffff8881f6837cd8 (&cfs_rq->removed.lock){-.-.}-{2:2}, at: update_load_avg+0xa44/0x1d10 kernel/sched/fair.c:3913
 #11: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #12: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #13: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #14: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #15: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #16: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #17: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #18: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #19: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #20: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #21: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #22: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #23: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #24: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #25: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #26: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #27: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #28: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #29: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #30: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #31: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #32: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #33: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #34: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #35: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #36: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #37: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #38: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #39: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #40: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #41: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #42: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #43: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #44: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #45: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #46: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #47: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #48: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #49: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #50: 0000000000000005 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #51: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #52: ffffffff89c77100 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #53: <RELEASED>
 #54: <RELEASED>
 #55: <RELEASED>
 #56: <RELEASED>
 #57: <RELEASED>
 #58: 0000000000000000 (tunnel4_mutex){+.+.}-{3:3}, at: lock_classes+0x17580/0x180020
 #59: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #60: ffffffff89c7d120 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0xffffffffffffffff
 #61: <RELEASED>
 #62: <RELEASED>
 #63: ffff888111814cd8 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0xffff888111814cd8
 #64: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #65: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x2
 #66: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #67: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0xc350
 #68: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #69: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #70: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #71: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #72: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #73: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #74: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #75: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #76: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #77: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #78: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #79: 0000000000000000 (pool_lock){-.-.}-{2:2}, at: 0x0
 #80: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #81: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #82: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #83: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #84: 00007f06ea5b2800 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #85: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #86: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #87: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #88: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x1
 #89: 0000000000000007 (&bdev->bd_fsfreeze_mutex){+.+.}-{3:3}, at: 0x34000000340
 #90: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x7
 #91: 000000000000037f (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #92: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #93: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #94: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #95: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #96: 0000560db1759e00 (kernfs_idr_lock){+.+.}-{2:2}, at: 0x560db1759bd0
 #97: ffff000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x2f2f2f2f2f2f2f2f
 #98: 0000000000000000 (kernfs_idr_lock){+.+.}-{2:2}, at: 0x0
 #99: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #100: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #101: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #102: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #103: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #104: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x3
 #105: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #106: 54415000736b6f6f (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x682d6e75722d6463
 #107: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #108: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #109: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #110: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #111: 0000000000000000 (&obj_hash[i].lock){-.-.}-{2:2}, at: 0x0
 #112: 
==================================================================
BUG: KASAN: slab-out-of-bounds in hlock_class kernel/locking/lockdep.c:222 [inline]
BUG: KASAN: slab-out-of-bounds in print_lock+0x118/0x120 kernel/locking/lockdep.c:766
Read of size 4 at addr ffff888111815498 by task dhcpcd-run-hook/17081

CPU: 1 PID: 17081 Comm: dhcpcd-run-hook Not tainted 5.19.0-rc4-syzkaller-00099-g90557fa89d3e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0xeb/0x495 mm/kasan/report.c:313
 print_report mm/kasan/report.c:429 [inline]
 kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491
 hlock_class kernel/locking/lockdep.c:222 [inline]
 print_lock+0x118/0x120 kernel/locking/lockdep.c:766
 lockdep_print_held_locks+0x110/0x119 kernel/locking/lockdep.c:795
 __lock_acquire+0x199b/0x5660 kernel/locking/lockdep.c:5069
 lock_acquire kernel/locking/lockdep.c:5665 [inline]
 lock_acquire+0x1ab/0x570 kernel/locking/lockdep.c:5630
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0x39/0x50 kernel/locking/spinlock.c:162
 __debug_check_no_obj_freed lib/debugobjects.c:977 [inline]
 debug_check_no_obj_freed+0xc7/0x420 lib/debugobjects.c:1020
 free_pages_prepare mm/page_alloc.c:1377 [inline]
 free_pcp_prepare+0x2de/0xb80 mm/page_alloc.c:1421
 free_unref_page_prepare mm/page_alloc.c:3343 [inline]
 free_unref_page_list+0x170/0xd70 mm/page_alloc.c:3475
 release_pages+0x870/0x20f0 mm/swap.c:980
 tlb_batch_pages_flush+0xa8/0x1a0 mm/mmu_gather.c:58
 tlb_flush_mmu_free mm/mmu_gather.c:255 [inline]
 tlb_flush_mmu mm/mmu_gather.c:262 [inline]
 tlb_finish_mmu+0x147/0x7e0 mm/mmu_gather.c:353
 exit_mmap+0x1de/0x4a0 mm/mmap.c:3164
 __mmput kernel/fork.c:1187 [inline]
 mmput+0xcc/0x410 kernel/fork.c:1208
 exec_mmap fs/exec.c:1038 [inline]
 begin_new_exec+0x101b/0x2ec0 fs/exec.c:1297
 load_elf_binary+0x15a3/0x4ec0 fs/binfmt_elf.c:1002
 search_binary_handler fs/exec.c:1728 [inline]
 exec_binprm fs/exec.c:1769 [inline]
 bprm_execve fs/exec.c:1838 [inline]
 bprm_execve+0x7ef/0x1960 fs/exec.c:1800
 do_execveat_common+0x727/0x890 fs/exec.c:1943
 do_execve fs/exec.c:2017 [inline]
 __do_sys_execve fs/exec.c:2093 [inline]
 __se_sys_execve fs/exec.c:2088 [inline]
 __x64_sys_execve+0x8f/0xc0 fs/exec.c:2088
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f06ea71c337
Code: Unable to access opcode bytes at RIP 0x7f06ea71c30d.
RSP: 002b:00007ffdf6ea0008 EFLAGS: 00000246 ORIG_RAX: 000000000000003b
RAX: ffffffffffffffda RBX: 0000560db1759e60 RCX: 00007f06ea71c337
RDX: 0000560db1759e80 RSI: 0000560db1759e60 RDI: 0000560db1759f08
RBP: 0000560db1759f08 R08: 0000560db1759f0d R09: 0000000000000000
R10: 0000000000000008 R11: 0000000000000246 R12: 0000560db1759e80
R13: 00007f06ea8c1ff4 R14: 0000560db1759e80 R15: 0000000000000000
 </TASK>

Allocated by task 17070:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:436 [inline]
 __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:469
 kasan_slab_alloc include/linux/kasan.h:224 [inline]
 slab_post_alloc_hook mm/slab.h:750 [inline]
 slab_alloc_node mm/slub.c:3243 [inline]
 kmem_cache_alloc_node+0x25e/0x4b0 mm/slub.c:3293
 alloc_task_struct_node kernel/fork.c:172 [inline]
 dup_task_struct kernel/fork.c:969 [inline]
 copy_process+0x5c4/0x6dd0 kernel/fork.c:2071
 kernel_clone+0xe7/0xab0 kernel/fork.c:2655
 __do_sys_clone+0xba/0x100 kernel/fork.c:2789
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0

The buggy address belongs to the object at ffff888111813900
 which belongs to the cache task_struct of size 7040
The buggy address is located 24 bytes to the right of
 7040-byte region [ffff888111813900, ffff888111815480)

The buggy address belongs to the physical page:
page:ffffea0004460400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x111810
head:ffffea0004460400 order:3 compound_mapcount:0 compound_pincount:0
memcg:ffff888109ebbd81
flags: 0x200000000010200(slab|head|node=0|zone=2)
raw: 0200000000010200 0000000000000000 dead000000000122 ffff88810016b280
raw: 0000000000000000 0000000000040004 00000001ffffffff ffff888109ebbd81
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 17077, tgid 17077 (dhcpcd-run-hook), ts 1050404477757, free_ts 1050392857231
 prep_new_page mm/page_alloc.c:2456 [inline]
 get_page_from_freelist+0x138c/0x27a0 mm/page_alloc.c:4198
 __alloc_pages+0x1c7/0x510 mm/page_alloc.c:5426
 alloc_pages+0x1aa/0x310 mm/mempolicy.c:2272
 alloc_slab_page mm/slub.c:1824 [inline]
 allocate_slab+0x26c/0x3c0 mm/slub.c:1969
 new_slab mm/slub.c:2029 [inline]
 ___slab_alloc+0x98f/0xda0 mm/slub.c:3031
 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3118
 slab_alloc_node mm/slub.c:3209 [inline]
 kmem_cache_alloc_node+0x397/0x4b0 mm/slub.c:3293
 alloc_task_struct_node kernel/fork.c:172 [inline]
 dup_task_struct kernel/fork.c:969 [inline]
 copy_process+0x5c4/0x6dd0 kernel/fork.c:2071
 kernel_clone+0xe7/0xab0 kernel/fork.c:2655
 __do_sys_clone+0xba/0x100 kernel/fork.c:2789
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1371 [inline]
 free_pcp_prepare+0x537/0xb80 mm/page_alloc.c:1421
 free_unref_page_prepare mm/page_alloc.c:3343 [inline]
 free_unref_page+0x19/0x5a0 mm/page_alloc.c:3438
 device_release+0x9f/0x240 drivers/base/core.c:2230
 kobject_cleanup lib/kobject.c:673 [inline]
 kobject_release lib/kobject.c:704 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x1c8/0x540 lib/kobject.c:721
 put_device+0x1b/0x30 drivers/base/core.c:3524
 ath9k_htc_probe_device+0x1c7/0x1f00 drivers/net/wireless/ath/ath9k/htc_drv_init.c:976
 ath9k_htc_hw_init+0x31/0x60 drivers/net/wireless/ath/ath9k/htc_hst.c:508
 ath9k_hif_usb_firmware_cb+0x274/0x530 drivers/net/wireless/ath/ath9k/hif_usb.c:1245
 request_firmware_work_func+0x12c/0x230 drivers/base/firmware_loader/main.c:1107
 process_one_work+0x996/0x1610 kernel/workqueue.c:2289
 worker_thread+0x665/0x1080 kernel/workqueue.c:2436
 kthread+0x2ef/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302

Memory state around the buggy address:
 ffff888111815380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888111815400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888111815480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                            ^
 ffff888111815500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888111815580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Crashes (1):
Manager: ci2-upstream-usb
Time: 2022/07/05 08:44
Kernel: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
Commit: 90557fa89d3e
Syzkaller: bff65f44
Config: .config
Log: log
Report: report
Syz repro: (none)
C repro: (none)
VM info: info
Title: KASAN: slab-out-of-bounds Read in print_lock