BUG: KASAN: out-of-bounds in ath9k_hif_usb_rx_stream drivers/net/wireless/ath/ath9k/hif_usb.c:636 [inline] BUG: KASAN: out-of-bounds in ath9k_hif_usb_rx_cb+0xe36/0x10b0 drivers/net/wireless/ath/ath9k/hif_usb.c:680 Read of size 4 at addr ffff888111a64238 by task kworker/0:7/6589 CPU: 0 PID: 6589 Comm: kworker/0:7 Not tainted 5.15.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: usb_hub_wq hub_event Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description.constprop.0.cold+0x6c/0x309 mm/kasan/report.c:256 __kasan_report mm/kasan/report.c:442 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:459 ath9k_hif_usb_rx_stream drivers/net/wireless/ath/ath9k/hif_usb.c:636 [inline] ath9k_hif_usb_rx_cb+0xe36/0x10b0 drivers/net/wireless/ath/ath9k/hif_usb.c:680 __usb_hcd_giveback_urb+0x2b0/0x5c0 drivers/usb/core/hcd.c:1656 usb_hcd_giveback_urb+0x367/0x410 drivers/usb/core/hcd.c:1726 dummy_timer+0x11f9/0x32b0 drivers/usb/gadget/udc/dummy_hcd.c:1987 call_timer_fn+0x1a5/0x630 kernel/time/timer.c:1421 expire_timers kernel/time/timer.c:1466 [inline] __run_timers.part.0+0x675/0x9e0 kernel/time/timer.c:1734 __run_timers kernel/time/timer.c:1715 [inline] run_timer_softirq+0x80/0x120 kernel/time/timer.c:1747 __do_softirq+0x1b0/0x910 kernel/softirq.c:558 invoke_softirq kernel/softirq.c:432 [inline] __irq_exit_rcu+0xdc/0x120 kernel/softirq.c:636 irq_exit_rcu+0x5/0x10 kernel/softirq.c:648 sysvec_apic_timer_interrupt+0x6a/0x90 arch/x86/kernel/apic/apic.c:1097 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638 RIP: 0010:variable_test_bit arch/x86/include/asm/bitops.h:214 [inline] RIP: 0010:test_bit include/asm-generic/bitops/instrumented-non-atomic.h:135 [inline] RIP: 0010:tag_get lib/radix-tree.c:113 [inline] RIP: 0010:node_tag_set lib/radix-tree.c:941 [inline] RIP: 0010:__radix_tree_delete+0x254/0x370 lib/radix-tree.c:1372 
Code: 00 00 00 48 8d 43 3f 48 85 db 48 0f 49 c3 48 c1 f8 06 4c 8d ac c5 28 02 00 00 4c 89 ef e8 64 a4 61 ff 48 0f a3 9d 28 02 00 00 <41> 0f 92 c7 31 ff 44 89 fe e8 3e 72 32 ff 45 84 ff 0f 84 44 ff ff RSP: 0018:ffffc90010f675e8 EFLAGS: 00000247 RAX: 0000000000000001 RBX: 0000000000000016 RCX: ffffffff820f5cfc RDX: ffffed1029131f7e RSI: 0000000000000008 RDI: ffff88814898fbe8 RBP: ffff88814898f9c0 R08: 0000000000000000 R09: ffff88814898fbef R10: ffffed1029131f7d R11: 0000000000000000 R12: ffff888144feec00 R13: ffff88814898fbe8 R14: ffff8881000c0610 R15: dffffc0000000000 radix_tree_delete_item+0xe7/0x230 lib/radix-tree.c:1429 kernfs_put.part.0+0x294/0x540 fs/kernfs/dir.c:537 kernfs_put+0x42/0x50 fs/kernfs/dir.c:513 __kernfs_remove+0x727/0xab0 fs/kernfs/dir.c:1365 kernfs_remove_by_name_ns+0x4f/0xa0 fs/kernfs/dir.c:1537 kernfs_remove_by_name include/linux/kernfs.h:598 [inline] sysfs_unmerge_group+0xe3/0x160 fs/sysfs/group.c:369 remove_power_attributes drivers/usb/core/sysfs.c:674 [inline] usb_remove_sysfs_dev_files+0x5a/0xe0 drivers/usb/core/sysfs.c:1056 usb_bus_notify+0xe0/0x110 drivers/usb/core/usb.c:1019 notifier_call_chain+0xb5/0x200 kernel/notifier.c:83 blocking_notifier_call_chain kernel/notifier.c:318 [inline] blocking_notifier_call_chain+0x67/0x90 kernel/notifier.c:306 device_del+0x1ff/0xd60 drivers/base/core.c:3556 usb_disconnect.cold+0x4ba/0x78e drivers/usb/core/hub.c:2251 hub_port_connect drivers/usb/core/hub.c:5199 [inline] hub_port_connect_change drivers/usb/core/hub.c:5488 [inline] port_event drivers/usb/core/hub.c:5634 [inline] hub_event+0x1c9c/0x4330 drivers/usb/core/hub.c:5716 process_one_work+0x9bf/0x1620 kernel/workqueue.c:2297 worker_thread+0x658/0x11f0 kernel/workqueue.c:2444 kthread+0x3c2/0x4a0 kernel/kthread.c:319 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 The buggy address belongs to the page: page:ffffea0004469900 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x111a64 flags: 0x200000000000000(node=0|zone=2) raw: 
0200000000000000 0000000000000000 dead000000000122 0000000000000000 raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x500dc0(GFP_USER|__GFP_ZERO|__GFP_ACCOUNT), pid 3071, ts 392660843010, free_ts 392619494864 prep_new_page mm/page_alloc.c:2424 [inline] get_page_from_freelist+0x11d2/0x28b0 mm/page_alloc.c:4153 __alloc_pages+0x1b2/0x4e0 mm/page_alloc.c:5375 alloc_pages+0x1a7/0x300 mm/mempolicy.c:2197 __get_free_pages mm/page_alloc.c:5412 [inline] get_zeroed_page+0x10/0x40 mm/page_alloc.c:5421 pud_alloc_one include/asm-generic/pgalloc.h:166 [inline] __pud_alloc+0x37/0x170 mm/memory.c:4842 pud_alloc include/linux/mm.h:2167 [inline] copy_pud_range mm/memory.c:1173 [inline] copy_p4d_range mm/memory.c:1217 [inline] copy_page_range+0x278a/0x3360 mm/memory.c:1290 dup_mmap kernel/fork.c:610 [inline] dup_mm+0x95f/0x1240 kernel/fork.c:1453 copy_mm kernel/fork.c:1505 [inline] copy_process+0x5f3b/0x70b0 kernel/fork.c:2194 kernel_clone+0xe7/0xa70 kernel/fork.c:2584 __do_sys_clone+0xc8/0x110 kernel/fork.c:2701 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1338 [inline] free_pcp_prepare+0x2b3/0x670 mm/page_alloc.c:1389 free_unref_page_prepare mm/page_alloc.c:3315 [inline] free_unref_page+0x19/0x490 mm/page_alloc.c:3394 device_release+0x9f/0x240 drivers/base/core.c:2231 kobject_cleanup lib/kobject.c:705 [inline] kobject_release lib/kobject.c:736 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x1c8/0x540 lib/kobject.c:753 put_device+0x1b/0x30 drivers/base/core.c:3502 ath9k_htc_probe_device+0x1c7/0x1e50 drivers/net/wireless/ath/ath9k/htc_drv_init.c:976 ath9k_htc_hw_init+0x31/0x60 
drivers/net/wireless/ath/ath9k/htc_hst.c:503 ath9k_hif_usb_firmware_cb+0x274/0x530 drivers/net/wireless/ath/ath9k/hif_usb.c:1239 request_firmware_work_func+0x12c/0x230 drivers/base/firmware_loader/main.c:1081 process_one_work+0x9bf/0x1620 kernel/workqueue.c:2297 worker_thread+0x658/0x11f0 kernel/workqueue.c:2444 kthread+0x3c2/0x4a0 kernel/kthread.c:319 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 Memory state around the buggy address: ffff888111a64100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888111a64180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff888111a64200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ^ ffff888111a64280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888111a64300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ==================================================================
[Reviewer note: KASAN labels this access "out-of-bounds", but the page_owner data above reads as a use-after-free. The faulting address lies in a page whose last free came from device_release() via kobject_put()/put_device() reached from ath9k_htc_probe_device() (free_ts 392619494864, i.e. during the firmware-callback probe path), and which was later handed out again as a page-table page by pud_alloc_one() during a clone() in pid 3071 (ts 392660843010) — which is why the shadow bytes around the address are all 00 (accessible) by the time the report is printed. The access itself is in ath9k_hif_usb_rx_cb() / ath9k_hif_usb_rx_stream() (hif_usb.c:680 / :636), an RX URB completion running from softirq, while the interrupted task (usb_hub_wq) is inside usb_disconnect(). That is consistent with an RX completion dereferencing HTC driver state after the probe path has already released it, although the exact freed object cannot be confirmed from this log alone; the read at hif_usb.c:636 should be checked against what it dereferences. For triage this should be treated as a UAF (attacker-controlled USB device, softirq context) rather than a plain OOB read, and a fix would need to guarantee that no RX URB completion can run, or can reach freed state, once the probe error path has released the device.]
---------------- Code disassembly (best guess): 0: 00 00 add %al,(%rax) 2: 00 48 8d add %cl,-0x73(%rax) 5: 43 3f rex.XB (bad) 7: 48 85 db test %rbx,%rbx a: 48 0f 49 c3 cmovns %rbx,%rax e: 48 c1 f8 06 sar $0x6,%rax 12: 4c 8d ac c5 28 02 00 lea 0x228(%rbp,%rax,8),%r13 19: 00 1a: 4c 89 ef mov %r13,%rdi 1d: e8 64 a4 61 ff callq 0xff61a486 22: 48 0f a3 9d 28 02 00 bt %rbx,0x228(%rbp) 29: 00 * 2a: 41 0f 92 c7 setb %r15b <-- trapping instruction 2e: 31 ff xor %edi,%edi 30: 44 89 fe mov %r15d,%esi 33: e8 3e 72 32 ff callq 0xff327276 38: 45 84 ff test %r15b,%r15b 3b: 0f .byte 0xf 3c: 84 44 ff ff test %al,-0x1(%rdi,%rdi,8)