================================================================== BUG: KASAN: use-after-free in ath9k_hif_usb_rx_stream drivers/net/wireless/ath/ath9k/hif_usb.c:636 [inline] BUG: KASAN: use-after-free in ath9k_hif_usb_rx_cb+0x9bc/0x1010 drivers/net/wireless/ath/ath9k/hif_usb.c:680 Read of size 4 at addr ffff8880231040b8 by task syz-fuzzer/8484 CPU: 0 PID: 8484 Comm: syz-fuzzer Not tainted 5.10.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x137/0x1be lib/dump_stack.c:118 print_address_description+0x6c/0x660 mm/kasan/report.c:385 __kasan_report mm/kasan/report.c:545 [inline] kasan_report+0x136/0x1e0 mm/kasan/report.c:562 ath9k_hif_usb_rx_stream drivers/net/wireless/ath/ath9k/hif_usb.c:636 [inline] ath9k_hif_usb_rx_cb+0x9bc/0x1010 drivers/net/wireless/ath/ath9k/hif_usb.c:680 __usb_hcd_giveback_urb+0x32a/0x4b0 drivers/usb/core/hcd.c:1650 dummy_timer+0xa82/0x2ec0 drivers/usb/gadget/udc/dummy_hcd.c:1967 call_timer_fn+0x91/0x160 kernel/time/timer.c:1410 expire_timers kernel/time/timer.c:1455 [inline] __run_timers+0x6c0/0x8a0 kernel/time/timer.c:1747 run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1760 __do_softirq+0x307/0x6be kernel/softirq.c:298 asm_call_irq_on_stack+0xf/0x20 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline] run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline] do_softirq_own_stack+0x9a/0xe0 arch/x86/kernel/irq_64.c:77 invoke_softirq kernel/softirq.c:393 [inline] __irq_exit_rcu+0x1d6/0x200 kernel/softirq.c:423 irq_exit_rcu+0x5/0x20 kernel/softirq.c:435 sysvec_apic_timer_interrupt+0xe0/0xf0 arch/x86/kernel/apic/apic.c:1091 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:631 RIP: 0033:0x41fdf3 Code: 89 54 24 28 e8 0e 00 00 00 eb b7 e8 c7 53 04 00 e9 62 ff ff ff cc cc 64 48 8b 0c 25 f8 ff ff ff 48 3b 61 10 0f 86 7a 05 00 00 <48> 83 ec 28 48 89 6c 24 20 48 8d 6c 24 20 48 8b 54 24 30 48 f7 c2 RSP: 002b:000000c000355ea0 EFLAGS: 00000202 RAX: 000000c0065cd000 RBX: 00000000000006f8 RCX: 000000c000001b00 RDX: 0000000000000002 RSI: 0000000000000004 RDI: ffffffffffffffff RBP: 000000c000355f28 R08: 00007f05533f9fff R09: 000000c0065cd000 R10: 000000c00002fe98 R11: 00000000000006f8 R12: 000000c006750020 R13: 000000c000001b00 R14: 0000007381fc92d4 R15: 0000000000000000 The buggy address belongs to the page: page:0000000019ef7fb1 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x23104 flags: 0xfff00000000000() raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888023103f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888023104000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff888023104080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff888023104100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888023104180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ==================================================================