usb 1-1: RX USB error -2. usb 1-1: error -1 when submitting rx urb ================================================================== BUG: KASAN: use-after-free in ar5523_cmd_tx_cb+0x1cc/0x1e0 drivers/net/wireless/ath/ar5523/ar5523.c:224 Read of size 8 at addr ffff88801e27b210 by task swapper/1/0 CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.11.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x9a/0xcc lib/dump_stack.c:120 print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:230 __kasan_report mm/kasan/report.c:396 [inline] kasan_report.cold+0x79/0xd5 mm/kasan/report.c:413 ar5523_cmd_tx_cb+0x1cc/0x1e0 drivers/net/wireless/ath/ar5523/ar5523.c:224 __usb_hcd_giveback_urb+0x238/0x3f0 drivers/usb/core/hcd.c:1656 dummy_timer+0xeb8/0x2eb0 drivers/usb/gadget/udc/dummy_hcd.c:1971 call_timer_fn+0x163/0x4b0 kernel/time/timer.c:1417 expire_timers kernel/time/timer.c:1462 [inline] __run_timers.part.0+0x52a/0x8b0 kernel/time/timer.c:1731 __run_timers kernel/time/timer.c:1712 [inline] run_timer_softirq+0x9c/0x190 kernel/time/timer.c:1744 __do_softirq+0x29b/0x9f6 kernel/softirq.c:343 asm_call_irq_on_stack+0xf/0x20 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline] run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline] do_softirq_own_stack+0xaa/0xd0 arch/x86/kernel/irq_64.c:77 invoke_softirq kernel/softirq.c:226 [inline] __irq_exit_rcu kernel/softirq.c:420 [inline] irq_exit_rcu+0x134/0x200 kernel/softirq.c:432 sysvec_apic_timer_interrupt+0x4d/0x100 arch/x86/kernel/apic/apic.c:1100 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:629 RIP: 0010:native_save_fl arch/x86/include/asm/irqflags.h:29 [inline] RIP: 0010:arch_local_save_flags arch/x86/include/asm/irqflags.h:79 [inline] RIP: 0010:arch_irqs_disabled arch/x86/include/asm/irqflags.h:169 [inline] RIP: 0010:acpi_safe_halt drivers/acpi/processor_idle.c:111 [inline] RIP: 0010:acpi_idle_do_entry+0x161/0x1c0 drivers/acpi/processor_idle.c:516 Code: 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 75 6d 48 8b 45 00 a8 08 75 c9 e8 5d 48 3b f9 e9 07 00 00 00 0f 00 2d 21 bd b5 00 fb f4 <9c> 58 fa f6 c4 02 74 ae 5d e9 b1 44 3b f9 48 89 ef 5d e9 c8 f9 ff RSP: 0018:ffffc90000d47d30 EFLAGS: 00000206 RAX: 00000000002e1d1d RBX: ffff888143bdc065 RCX: 1ffffffff18641e9 RDX: 0000000000000000 RSI: ffffffff888ae7e0 RDI: ffffffff88ddb560 RBP: ffff8880101b3800 R08: 0000000000000001 R09: 0000000000000001 R10: ffffed1002036700 R11: 0000000000000001 R12: 0000000000000001 R13: ffff888143bdc064 R14: ffffffff8b09fcc0 R15: ffff888142bce804 acpi_idle_enter+0x2c0/0x4b0 drivers/acpi/processor_idle.c:647 cpuidle_enter_state+0x152/0xb40 drivers/cpuidle/cpuidle.c:237 cpuidle_enter+0x45/0xa0 drivers/cpuidle/cpuidle.c:351 call_cpuidle kernel/sched/idle.c:158 [inline] cpuidle_idle_call kernel/sched/idle.c:239 [inline] do_idle+0x3e1/0x590 kernel/sched/idle.c:299 cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:396 start_secondary+0x274/0x350 arch/x86/kernel/smpboot.c:272 secondary_startup_64_no_verify+0xb0/0xbb The buggy address belongs to the page: page:00000000b8500c60 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1e27b flags: 0xfff00000000000() raw: 00fff00000000000 0000000000000000 ffffea0000b73508 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 2, migratetype Unmovable, gfp_mask 0x140dc0(GFP_USER|__GFP_COMP|__GFP_ZERO), pid 3620, ts 433683576780 set_page_owner include/linux/page_owner.h:31 [inline] post_alloc_hook+0x144/0x1c0 mm/page_alloc.c:2297 prep_new_page mm/page_alloc.c:2306 [inline] get_page_from_freelist+0x1c6e/0x3f80 mm/page_alloc.c:3945 __alloc_pages_nodemask+0x2d6/0x730 mm/page_alloc.c:4995 alloc_pages include/linux/gfp.h:547 [inline] kmalloc_order+0x32/0xd0 mm/slab_common.c:837 kmalloc_order_trace+0x14/0x130 mm/slab_common.c:853 kmalloc include/linux/slab.h:557 [inline] kzalloc include/linux/slab.h:682 [inline] wiphy_new_nm+0x63a/0x1db0 net/wireless/core.c:427 ieee80211_alloc_hw_nm+0x2f6/0x2230 net/mac80211/main.c:569 ieee80211_alloc_hw include/net/mac80211.h:4241 [inline] ar5523_probe+0xfd/0x1c20 drivers/net/wireless/ath/ar5523/ar5523.c:1592 usb_probe_interface+0x274/0x6a0 drivers/usb/core/driver.c:396 really_probe+0x1fd/0xc60 drivers/base/dd.c:554 driver_probe_device+0x1ed/0x380 drivers/base/dd.c:740 bus_for_each_drv+0x11e/0x1a0 drivers/base/bus.c:431 __device_attach+0x1db/0x400 drivers/base/dd.c:914 bus_probe_device+0x19d/0x250 drivers/base/bus.c:491 device_add+0x99a/0x1ad0 drivers/base/core.c:3109 usb_set_configuration+0x9f9/0x1750 drivers/usb/core/message.c:2164 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1271 [inline] __free_pages_ok+0x4da/0xed0 mm/page_alloc.c:1536 device_release+0x93/0x200 drivers/base/core.c:1980 kobject_cleanup lib/kobject.c:705 [inline] kobject_release lib/kobject.c:736 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x139/0x410 lib/kobject.c:753 ar5523_probe+0x11a8/0x1c20 drivers/net/wireless/ath/ar5523/ar5523.c:1716 usb_probe_interface+0x274/0x6a0 drivers/usb/core/driver.c:396 really_probe+0x1fd/0xc60 drivers/base/dd.c:554 driver_probe_device+0x1ed/0x380 drivers/base/dd.c:740 bus_for_each_drv+0x11e/0x1a0 drivers/base/bus.c:431 __device_attach+0x1db/0x400 drivers/base/dd.c:914 bus_probe_device+0x19d/0x250 drivers/base/bus.c:491 device_add+0x99a/0x1ad0 drivers/base/core.c:3109 usb_set_configuration+0x9f9/0x1750 drivers/usb/core/message.c:2164 usb_generic_driver_probe+0x74/0xa0 drivers/usb/core/generic.c:238 usb_probe_device+0x98/0x240 drivers/usb/core/driver.c:293 really_probe+0x1fd/0xc60 drivers/base/dd.c:554 driver_probe_device+0x1ed/0x380 drivers/base/dd.c:740 Memory state around the buggy address: ffff88801e27b100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88801e27b180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff88801e27b200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff88801e27b280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88801e27b300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== ---------------- Code disassembly (best guess), 5 bytes skipped: 0: 48 c1 ea 03 shr $0x3,%rdx 4: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) 8: 75 6d jne 0x77 a: 48 8b 45 00 mov 0x0(%rbp),%rax e: a8 08 test $0x8,%al 10: 75 c9 jne 0xffffffdb 12: e8 5d 48 3b f9 callq 0xf93b4874 17: e9 07 00 00 00 jmpq 0x23 1c: 0f 00 2d 21 bd b5 00 verw 0xb5bd21(%rip) # 0xb5bd44 23: fb sti 24: f4 hlt * 25: 9c pushfq <-- trapping instruction 26: 58 pop %rax 27: fa cli 28: f6 c4 02 test $0x2,%ah 2b: 74 ae je 0xffffffdb 2d: 5d pop %rbp 2e: e9 b1 44 3b f9 jmpq 0xf93b44e4 33: 48 89 ef mov %rbp,%rdi 36: 5d pop %rbp 37: e9 .byte 0xe9 38: c8 .byte 0xc8 39: f9 stc 3a: ff .byte 0xff