usb 1-1: RX USB error -2. usb 1-1: error -1 when submitting rx urb ================================================================== BUG: KASAN: use-after-free in ar5523_cmd_tx_cb+0x220/0x240 drivers/net/wireless/ath/ar5523/ar5523.c:228 Read of size 8 at addr ffff88811c3db3f0 by task udevd/1289 CPU: 1 PID: 1289 Comm: udevd Not tainted 5.19.0-rc7-syzkaller-00142-g88a15fbb47db #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description.constprop.0.cold+0xeb/0x495 mm/kasan/report.c:313 print_report mm/kasan/report.c:429 [inline] kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491 ar5523_cmd_tx_cb+0x220/0x240 drivers/net/wireless/ath/ar5523/ar5523.c:228 __usb_hcd_giveback_urb+0x2b0/0x5c0 drivers/usb/core/hcd.c:1670 usb_hcd_giveback_urb+0x367/0x410 drivers/usb/core/hcd.c:1747 dummy_timer+0x11f9/0x32b0 drivers/usb/gadget/udc/dummy_hcd.c:1988 call_timer_fn+0x1a5/0x6b0 kernel/time/timer.c:1474 expire_timers kernel/time/timer.c:1519 [inline] __run_timers.part.0+0x679/0xa80 kernel/time/timer.c:1790 __run_timers kernel/time/timer.c:1768 [inline] run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1803 __do_softirq+0x288/0x9a5 kernel/softirq.c:571 invoke_softirq kernel/softirq.c:445 [inline] __irq_exit_rcu+0x113/0x170 kernel/softirq.c:650 irq_exit_rcu+0x5/0x20 kernel/softirq.c:662 sysvec_apic_timer_interrupt+0x40/0xc0 arch/x86/kernel/apic/apic.c:1106 asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:649 RIP: 0033:0x7f3ee98b1815 Code: 89 44 24 10 49 89 54 24 18 48 81 fb ff 03 00 00 0f 87 2f 01 00 00 4c 89 65 70 4c 89 60 18 48 89 d8 48 83 c8 01 49 89 44 24 08 <49> 89 1c 1c 48 81 fb ff ff 00 00 0f 87 e2 01 00 00 8b 44 24 1c 85 RSP: 002b:00007ffe56559490 EFLAGS: 00010206 RAX: 00000000000010b1 RBX: 00000000000010b0 RCX: 00000000000000a1 RDX: 00007f3ee99e6a60 RSI: 0000000000000000 RDI: 000055da6dd021c0 RBP: 00007f3ee99e6a00 R08: 0000000000000007 R09: 000055da6dcf45f0 R10: 00007ffe56559500 R11: 00007ffe56559500 R12: 000055da6dd011b0 R13: 000055da6dd021c0 R14: 00000000000000a0 R15: 000055da6dcd0910 The buggy address belongs to the physical page: page:ffffea000470f6c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11c3db flags: 0x200000000000000(node=0|zone=2) raw: 0200000000000000 0000000000000000 ffffea000470f6c8 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 2, migratetype Unmovable, gfp_mask 0x40dc0(GFP_KERNEL|__GFP_COMP|__GFP_ZERO), pid 1144, tgid 1144 (kworker/1:2), ts 28358197528, free_ts 30468384276 prep_new_page mm/page_alloc.c:2456 [inline] get_page_from_freelist+0x138c/0x27a0 mm/page_alloc.c:4198 __alloc_pages+0x1c7/0x510 mm/page_alloc.c:5426 alloc_pages+0x1aa/0x310 mm/mempolicy.c:2272 kmalloc_order+0x34/0xf0 mm/slab_common.c:945 kmalloc_order_trace+0x14/0x120 mm/slab_common.c:961 kmalloc include/linux/slab.h:605 [inline] kzalloc include/linux/slab.h:733 [inline] wiphy_new_nm+0x6f0/0x2080 net/wireless/core.c:440 ieee80211_alloc_hw_nm+0x373/0x2270 net/mac80211/main.c:585 ieee80211_alloc_hw include/net/mac80211.h:4412 [inline] ar5523_probe+0x121/0x1da0 drivers/net/wireless/ath/ar5523/ar5523.c:1595 usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396 call_driver_probe drivers/base/dd.c:555 [inline] really_probe+0x23e/0xb90 drivers/base/dd.c:634 __driver_probe_device+0x338/0x4d0 drivers/base/dd.c:764 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:794 __device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:917 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427 __device_attach+0x1e4/0x530 drivers/base/dd.c:989 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1371 [inline] free_pcp_prepare+0x537/0xb80 mm/page_alloc.c:1421 free_unref_page_prepare mm/page_alloc.c:3343 [inline] free_unref_page+0x19/0x5a0 mm/page_alloc.c:3438 device_release+0x9f/0x240 drivers/base/core.c:2241 kobject_cleanup lib/kobject.c:673 [inline] kobject_release lib/kobject.c:704 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x1c8/0x540 lib/kobject.c:721 put_device+0x1b/0x30 drivers/base/core.c:3535 ar5523_probe+0x1338/0x1da0 drivers/net/wireless/ath/ar5523/ar5523.c:1719 usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396 call_driver_probe drivers/base/dd.c:555 [inline] really_probe+0x23e/0xb90 drivers/base/dd.c:634 __driver_probe_device+0x338/0x4d0 drivers/base/dd.c:764 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:794 __device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:917 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427 __device_attach+0x1e4/0x530 drivers/base/dd.c:989 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487 device_add+0xbda/0x1ea0 drivers/base/core.c:3428 usb_set_configuration+0x101e/0x1900 drivers/usb/core/message.c:2170 Memory state around the buggy address: ffff88811c3db280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88811c3db300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff88811c3db380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff88811c3db400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88811c3db480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ==================================================================