==================================================================
BUG: KASAN: use-after-free in ath9k_hif_usb_rx_cb+0x1120/0x1130 drivers/net/wireless/ath/ath9k/hif_usb.c:686
Read of size 4 at addr ffff8880736642f4 by task kworker/0:5/3641
CPU: 0 PID: 3641 Comm: kworker/0:5 Not tainted 5.19.0-rc6-syzkaller-00104-g72a8e05d4f66 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022
Workqueue: events request_firmware_work_func
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
print_address_description+0x65/0x4b0 mm/kasan/report.c:313
print_report+0xf4/0x210 mm/kasan/report.c:429
kasan_report+0xfb/0x130 mm/kasan/report.c:491
ath9k_hif_usb_rx_cb+0x1120/0x1130 drivers/net/wireless/ath/ath9k/hif_usb.c:686
__usb_hcd_giveback_urb+0x369/0x530 drivers/usb/core/hcd.c:1670
dummy_timer+0x86b/0x3110 drivers/usb/gadget/udc/dummy_hcd.c:1988
call_timer_fn+0xf5/0x210 kernel/time/timer.c:1474
expire_timers kernel/time/timer.c:1519 [inline]
__run_timers+0x76a/0x980 kernel/time/timer.c:1790
run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1803
__do_softirq+0x382/0x793 kernel/softirq.c:571
__irq_exit_rcu+0xec/0x170 kernel/softirq.c:650
irq_exit_rcu+0x5/0x20 kernel/softirq.c:662
sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1106
asm_sysvec_apic_timer_interrupt+0x16/0x20
RIP: 0010:console_trylock_spinning+0x3af/0x450 kernel/printk/printk.c:1922
Code: 0f 84 4c ff ff ff e8 a0 f2 1b 00 fb 31 db eb 41 e8 96 f2 1b 00 e8 11 b5 bf 08 4d 85 ed 74 cd e8 87 f2 1b 00 fb bb 01 00 00 00 <48> c7 c7 e0 af 9f 8c 31 f6 ba 01 00 00 00 31 c9 41 b8 01 00 00 00
RSP: 0018:ffffc9000326f8a0 EFLAGS: 00000293
RAX: ffffffff816ba3f9 RBX: 0000000000000001 RCX: ffff888022728000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc9000326f968 R08: ffffffff816ba3b2 R09: fffffbfff1fa9814
R10: fffffbfff1fa9814 R11: 1ffffffff1fa9813 R12: 1ffff9200064df14
R13: 0000000000000200 R14: 0000000000000046 R15: dffffc0000000000
vprintk_emit+0xb8/0x1e0 kernel/printk/printk.c:2270
_printk+0xcf/0x10f kernel/printk/printk.c:2292
ath9k_htc_hw_init+0x64/0x70 drivers/net/wireless/ath/ath9k/htc_hst.c:509
ath9k_hif_usb_firmware_cb+0x250/0x4d0 drivers/net/wireless/ath/ath9k/hif_usb.c:1245
request_firmware_work_func+0x198/0x270 drivers/base/firmware_loader/main.c:1107
process_one_work+0x81c/0xd10 kernel/workqueue.c:2289
worker_thread+0xb14/0x1330 kernel/workqueue.c:2436
kthread+0x266/0x300 kernel/kthread.c:376
ret_from_fork+0x1f/0x30
The buggy address belongs to the physical page:
page:ffffea0001cd9900 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x73664
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x40dc0(GFP_KERNEL|__GFP_COMP|__GFP_ZERO), pid 3641, tgid 3641 (kworker/0:5), ts 57630670107, free_ts 58654842446
prep_new_page mm/page_alloc.c:2456 [inline]
get_page_from_freelist+0x72b/0x7a0 mm/page_alloc.c:4198
__alloc_pages+0x259/0x560 mm/page_alloc.c:5426
kmalloc_order+0x41/0x150 mm/slab_common.c:945
kmalloc_order_trace+0x15/0x70 mm/slab_common.c:961
kmalloc_large include/linux/slab.h:529 [inline]
__kmalloc+0x26b/0x370 mm/slub.c:4435
kmalloc include/linux/slab.h:605 [inline]
kzalloc include/linux/slab.h:733 [inline]
wiphy_new_nm+0x617/0x18f0 net/wireless/core.c:440
ieee80211_alloc_hw_nm+0x338/0x1e60 net/mac80211/main.c:585
ieee80211_alloc_hw include/net/mac80211.h:4412 [inline]
ath9k_htc_probe_device+0xaa/0x2090 drivers/net/wireless/ath/ath9k/htc_drv_init.c:939
ath9k_htc_hw_init+0x30/0x70 drivers/net/wireless/ath/ath9k/htc_hst.c:508
ath9k_hif_usb_firmware_cb+0x250/0x4d0 drivers/net/wireless/ath/ath9k/hif_usb.c:1245
request_firmware_work_func+0x198/0x270 drivers/base/firmware_loader/main.c:1107
process_one_work+0x81c/0xd10 kernel/workqueue.c:2289
worker_thread+0xb14/0x1330 kernel/workqueue.c:2436
kthread+0x266/0x300 kernel/kthread.c:376
ret_from_fork+0x1f/0x30
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1371 [inline]
free_pcp_prepare+0x812/0x900 mm/page_alloc.c:1421
free_unref_page_prepare mm/page_alloc.c:3343 [inline]
free_unref_page+0x7d/0x390 mm/page_alloc.c:3438
free_large_kmalloc+0xeb/0x1a0 mm/slub.c:3575
kfree+0x188/0x210 mm/slub.c:4580
device_release+0x98/0x1c0
kobject_cleanup+0x235/0x470 lib/kobject.c:673
ath9k_htc_probe_device+0xfe8/0x2090 drivers/net/wireless/ath/ath9k/htc_drv_init.c:976
ath9k_htc_hw_init+0x30/0x70 drivers/net/wireless/ath/ath9k/htc_hst.c:508
ath9k_hif_usb_firmware_cb+0x250/0x4d0 drivers/net/wireless/ath/ath9k/hif_usb.c:1245
request_firmware_work_func+0x198/0x270 drivers/base/firmware_loader/main.c:1107
process_one_work+0x81c/0xd10 kernel/workqueue.c:2289
worker_thread+0xb14/0x1330 kernel/workqueue.c:2436
kthread+0x266/0x300 kernel/kthread.c:376
ret_from_fork+0x1f/0x30
Memory state around the buggy address:
ffff888073664180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888073664200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888073664280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff888073664300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888073664380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
----------------
Code disassembly (best guess):
0: 0f 84 4c ff ff ff je 0xffffff52
6: e8 a0 f2 1b 00 callq 0x1bf2ab
b: fb sti
c: 31 db xor %ebx,%ebx
e: eb 41 jmp 0x51
10: e8 96 f2 1b 00 callq 0x1bf2ab
15: e8 11 b5 bf 08 callq 0x8bfb52b
1a: 4d 85 ed test %r13,%r13
1d: 74 cd je 0xffffffec
1f: e8 87 f2 1b 00 callq 0x1bf2ab
24: fb sti
25: bb 01 00 00 00 mov $0x1,%ebx
* 2a: 48 c7 c7 e0 af 9f 8c mov $0xffffffff8c9fafe0,%rdi <-- trapping instruction
31: 31 f6 xor %esi,%esi
33: ba 01 00 00 00 mov $0x1,%edx
38: 31 c9 xor %ecx,%ecx
3a: 41 b8 01 00 00 00 mov $0x1,%r8d