==================================================================
BUG: KASAN: use-after-free in ath9k_hif_usb_rx_stream drivers/net/wireless/ath/ath9k/hif_usb.c:643 [inline]
BUG: KASAN: use-after-free in ath9k_hif_usb_rx_cb+0xd4c/0x1030 drivers/net/wireless/ath/ath9k/hif_usb.c:687
Read of size 4 at addr ffff888078d74348 by task kworker/1:1/25

CPU: 1 PID: 25 Comm: kworker/1:1 Not tainted 5.16.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events request_firmware_work_func
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x57/0x7d lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0x8d/0x336 mm/kasan/report.c:255
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
 ath9k_hif_usb_rx_stream drivers/net/wireless/ath/ath9k/hif_usb.c:643 [inline]
 ath9k_hif_usb_rx_cb+0xd4c/0x1030 drivers/net/wireless/ath/ath9k/hif_usb.c:687
 __usb_hcd_giveback_urb+0x238/0x3f0 drivers/usb/core/hcd.c:1663
 dummy_timer+0xeb8/0x2eb0 drivers/usb/gadget/udc/dummy_hcd.c:1987
 call_timer_fn+0x163/0x4a0 kernel/time/timer.c:1421
 expire_timers kernel/time/timer.c:1466 [inline]
 __run_timers.part.0+0x52a/0x8a0 kernel/time/timer.c:1734
 __run_timers kernel/time/timer.c:1715 [inline]
 run_timer_softirq+0x9c/0x190 kernel/time/timer.c:1747
 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558
 invoke_softirq kernel/softirq.c:432 [inline]
 __irq_exit_rcu+0x123/0x180 kernel/softirq.c:637
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:649
 sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1097
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638
RIP: 0010:console_unlock+0x4df/0x870 kernel/printk/printk.c:2715
Code: 67 2a fe ff e8 e2 29 00 00 48 83 3c 24 00 0f 85 e0 01 00 00 9c 58 f6 c4 02 0f 85 d3 02 00 00 48 83 3c 24 00 74 01 fb 45 85 e4 <0f> 85 27 02 00 00 8b 54 24 30 85 d2 0f 84 70 fc ff ff 31 d2 be 9f
RSP: 0018:ffffc90000dff9b8 EFLAGS: 00000246
RAX: 0000000000000002 RBX: dffffc0000000000 RCX: 1ffffffff1dd501e
RDX: 0000000000000000 RSI: ffffffff88cb5900 RDI: ffffffff8921d9a0
RBP: ffffc90000dffa10 R08: 0000000000000001 R09: ffffffff8eea7987
R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000
R13: ffffffff8b7f9ba8 R14: ffffffff8b7f9b70 R15: 0000000000000000
 vprintk_emit+0x99/0x2f0 kernel/printk/printk.c:2244
 _printk+0xad/0xde kernel/printk/printk.c:2265
 ath9k_htc_hw_init.cold+0xc/0x12 drivers/net/wireless/ath/ath9k/htc_hst.c:504
 ath9k_hif_usb_firmware_cb+0x23b/0x4d0 drivers/net/wireless/ath/ath9k/hif_usb.c:1246
 request_firmware_work_func+0x126/0x230 drivers/base/firmware_loader/main.c:1022
 process_one_work+0x879/0x1410 kernel/workqueue.c:2307
 worker_thread+0x5a0/0xf60 kernel/workqueue.c:2454
 kthread+0x3ab/0x480 kernel/kthread.c:327
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
 </TASK>

The buggy address belongs to the page:
page:ffffea0001e35d00 refcount:0 mapcount:0 mapping:0000000000000000 index:0x100 pfn:0x78d74
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000100 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x140dc0(GFP_USER|__GFP_COMP|__GFP_ZERO), pid 25, ts 423341629378, free_ts 424369980232
 prep_new_page mm/page_alloc.c:2418 [inline]
 get_page_from_freelist+0xa6f/0x2f10 mm/page_alloc.c:4149
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5369
 kmalloc_order+0x34/0xf0 mm/slab_common.c:949
 kmalloc_order_trace+0x14/0x120 mm/slab_common.c:965
 kmalloc include/linux/slab.h:587 [inline]
 kzalloc include/linux/slab.h:716 [inline]
 wiphy_new_nm+0x63a/0x1fc0 net/wireless/core.c:449
 ieee80211_alloc_hw_nm+0x2f5/0x1fd0 net/mac80211/main.c:585
 ieee80211_alloc_hw include/net/mac80211.h:4327 [inline]
 ath9k_htc_probe_device+0x91/0x1e30 drivers/net/wireless/ath/ath9k/htc_drv_init.c:939
 ath9k_htc_hw_init+0x8/0x20 drivers/net/wireless/ath/ath9k/htc_hst.c:503
 ath9k_hif_usb_firmware_cb+0x23b/0x4d0 drivers/net/wireless/ath/ath9k/hif_usb.c:1246
 request_firmware_work_func+0x126/0x230 drivers/base/firmware_loader/main.c:1022
 process_one_work+0x879/0x1410 kernel/workqueue.c:2307
 worker_thread+0x5a0/0xf60 kernel/workqueue.c:2454
 kthread+0x3ab/0x480 kernel/kthread.c:327
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1338 [inline]
 free_pcp_prepare+0x374/0x870 mm/page_alloc.c:1389
 free_unref_page_prepare mm/page_alloc.c:3309 [inline]
 free_unref_page+0x19/0x690 mm/page_alloc.c:3388
 device_release+0x93/0x200 drivers/base/core.c:2229
 kobject_cleanup lib/kobject.c:705 [inline]
 kobject_release lib/kobject.c:736 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x139/0x410 lib/kobject.c:753
 ath9k_htc_probe_device+0x1ab/0x1e30 drivers/net/wireless/ath/ath9k/htc_drv_init.c:976
 ath9k_htc_hw_init+0x8/0x20 drivers/net/wireless/ath/ath9k/htc_hst.c:503
 ath9k_hif_usb_firmware_cb+0x23b/0x4d0 drivers/net/wireless/ath/ath9k/hif_usb.c:1246
 request_firmware_work_func+0x126/0x230 drivers/base/firmware_loader/main.c:1022
 process_one_work+0x879/0x1410 kernel/workqueue.c:2307
 worker_thread+0x5a0/0xf60 kernel/workqueue.c:2454
 kthread+0x3ab/0x480 kernel/kthread.c:327
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Memory state around the buggy address:
 ffff888078d74200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888078d74280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888078d74300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                              ^
 ffff888078d74380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888078d74400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
----------------
Code disassembly (best guess), 4 bytes skipped:
   0:	e8 e2 29 00 00       	callq  0x29e7
   5:	48 83 3c 24 00       	cmpq   $0x0,(%rsp)
   a:	0f 85 e0 01 00 00    	jne    0x1f0
  10:	9c                   	pushfq
  11:	58                   	pop    %rax
  12:	f6 c4 02             	test   $0x2,%ah
  15:	0f 85 d3 02 00 00    	jne    0x2ee
  1b:	48 83 3c 24 00       	cmpq   $0x0,(%rsp)
  20:	74 01                	je     0x23
  22:	fb                   	sti
  23:	45 85 e4             	test   %r12d,%r12d
* 26:	0f 85 27 02 00 00    	jne    0x253 <-- trapping instruction
  2c:	8b 54 24 30          	mov    0x30(%rsp),%edx
  30:	85 d2                	test   %edx,%edx
  32:	0f 84 70 fc ff ff    	je     0xfffffca8
  38:	31 d2                	xor    %edx,%edx
  3a:	be                   	.byte 0xbe
  3b:	9f                   	lahf