==================================================================
BUG: KASAN: use-after-free in htc_process_conn_rsp drivers/net/wireless/ath/ath9k/htc_hst.c:131 [inline]
BUG: KASAN: use-after-free in ath9k_htc_rx_msg+0xa25/0xaf0 drivers/net/wireless/ath/ath9k/htc_hst.c:443
Write of size 2 at addr ffff8881cb1b8b20 by task systemd-journal/135

CPU: 0 PID: 135 Comm: systemd-journal Not tainted 5.7.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xef/0x16e lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xd3/0x415 mm/kasan/report.c:382
 __kasan_report.cold+0x37/0x7d mm/kasan/report.c:511
 kasan_report+0x33/0x50 mm/kasan/common.c:625
 htc_process_conn_rsp drivers/net/wireless/ath/ath9k/htc_hst.c:131 [inline]
 ath9k_htc_rx_msg+0xa25/0xaf0 drivers/net/wireless/ath/ath9k/htc_hst.c:443
 ath9k_hif_usb_reg_in_cb+0x1c0/0x630 drivers/net/wireless/ath/ath9k/hif_usb.c:718
 __usb_hcd_giveback_urb+0x29a/0x550 drivers/usb/core/hcd.c:1650
 usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1716
 dummy_timer+0x125e/0x32b4 drivers/usb/gadget/udc/dummy_hcd.c:1967
 call_timer_fn+0x1ac/0x700 kernel/time/timer.c:1405
 expire_timers kernel/time/timer.c:1450 [inline]
 __run_timers kernel/time/timer.c:1774 [inline]
 __run_timers kernel/time/timer.c:1741 [inline]
 run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1787
 __do_softirq+0x21e/0x9aa kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:373 [inline]
 irq_exit+0x178/0x1a0 kernel/softirq.c:413
 exiting_irq arch/x86/include/asm/apic.h:546 [inline]
 smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1140
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
RIP: 0010:__sanitizer_cov_trace_pc+0x31/0x60 kernel/kcov.c:197
Code: 02 00 65 8b 15 e8 cf c1 7e f7 c2 00 01 1f 00 48 8b 34 24 74 0f 80 e6 01 74 35 8b 90 2c 13 00 00 85 d2 74 2b 8b 90 08 13 00 00 <83> fa 02 75 20 48 8b 88 10 13 00 00 8b 80 0c 13 00 00 48 8b 11 48
RSP: 0018:ffff8881d2227b18 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: ffff8881d31c6300 RBX: dffffc0000000000 RCX: ffffffff814a9ee5
RDX: 0000000000000000 RSI: ffffffff814a6f91 RDI: ffffffff86dea568
RBP: ffff8881d2227be8 R08: ffff8881d31c6300 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffed103a444f7f
R13: 0000000000000000 R14: 0000000000000061 R15: ffffc900008c4068
 ___bpf_prog_run+0xbc1/0x6a60 kernel/bpf/core.c:1611
 __bpf_prog_run32+0x8f/0xd0 kernel/bpf/core.c:1681
 bpf_dispatcher_nop_func include/linux/bpf.h:545 [inline]
 bpf_prog_run_pin_on_cpu include/linux/filter.h:599 [inline]
 seccomp_run_filters kernel/seccomp.c:272 [inline]
 __seccomp_filter+0x156/0x1300 kernel/seccomp.c:817
 __secure_computing+0xac/0x280 kernel/seccomp.c:950
 syscall_trace_enter+0x2a3/0xcd0 arch/x86/entry/common.c:119
 do_syscall_64+0x462/0x5a0 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x49/0xb3
RIP: 0033:0x7fe830c75840
Code: 73 01 c3 48 8b 0d 68 77 20 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 89 bb 20 00 00 75 10 b8 02 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 1e f6 ff ff 48 89 04 24
RSP: 002b:00007fff7148e138 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 00007fff7148e440 RCX: 00007fe830c75840
RDX: 00000000000001a0 RSI: 0000000000080042 RDI: 000055ab2b4ead60
RBP: 000000000000000d R08: 000000000000ffc0 R09: 00000000ffffffff
R10: 0000000000000069 R11: 0000000000000246 R12: 00000000ffffffff
R13: 000055ab2b4df040 R14: 00007fff7148e400 R15: 000055ab2b4eb1e0

The buggy address belongs to the page:
page:ffffea00072c6e00 refcount:0 mapcount:-128 mapping:000000005ec8bb11 index:0x0
flags: 0x200000000000000()
raw: 0200000000000000 ffffea000719a108 ffffea0007215c08 0000000000000000
raw: 0000000000000000 0000000000000002 00000000ffffff7f 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881cb1b8a00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881cb1b8a80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8881cb1b8b00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                               ^
 ffff8881cb1b8b80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881cb1b8c00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================