bisecting fixing commit since f5b6eb1e018203913dfefcf6fa988649ad11ad6e
building syzkaller on 500c23397f34dde583da6d31f9d9fd21cae289f8
testing commit f5b6eb1e018203913dfefcf6fa988649ad11ad6e
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 8b28291962862615e422b43b8c0d35884f2b47f9838abf68bcf1d121bcd8449b
run #0: crashed: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb
run #1: crashed: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb
run #2: crashed: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb
run #3: crashed: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb
run #4: crashed: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb
run #5: crashed: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb
run #6: crashed: KASAN: slab-out-of-bounds Read in ath9k_hif_usb_rx_cb
run #7: crashed: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb
run #8: crashed: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb
run #9: crashed: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb
run #10: crashed: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb
run #11: crashed: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb
run #12: crashed: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb
run #13: crashed: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb
run #14: crashed: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb
run #15: crashed: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb
run #16: OK
run #17: OK
run #18: OK
run #19: OK
testing current HEAD 9ff50bf2f2ff5fab01cac26d8eed21a89308e6ef
testing commit 9ff50bf2f2ff5fab01cac26d8eed21a89308e6ef
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 9fc26bd5dc1a87bf53a0525aebb6804cbe8d2711cf7a3be81b261cde78723f50
run #0: crashed: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb
run #1: crashed: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb
run #2: crashed: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb
run #3: crashed: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb
run #4: crashed: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb
run #5: crashed: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb
run #6: crashed: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb
run #7: crashed: KASAN: slab-out-of-bounds Read in ath9k_hif_usb_rx_cb
run #8: crashed: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb
run #9: OK
revisions tested: 2, total time: 36m55.581918028s (build: 13m10.923840581s, test: 23m1.162744487s)
the crash still happens on HEAD
commit msg: Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux
crash: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb
==================================================================
BUG: KASAN: use-after-free in ath9k_hif_usb_rx_stream drivers/net/wireless/ath/ath9k/hif_usb.c:636 [inline]
BUG: KASAN: use-after-free in ath9k_hif_usb_rx_cb+0xd4d/0x1010 drivers/net/wireless/ath/ath9k/hif_usb.c:680
Read of size 4 at addr ffff888025b74238 by task kworker/u4:2/32

CPU: 1 PID: 32 Comm: kworker/u4:2 Not tainted 5.14.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x57/0x7d lib/dump_stack.c:105
 print_address_description.constprop.0.cold+0x6c/0x309 mm/kasan/report.c:233
 __kasan_report mm/kasan/report.c:419 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:436
 ath9k_hif_usb_rx_stream drivers/net/wireless/ath/ath9k/hif_usb.c:636 [inline]
 ath9k_hif_usb_rx_cb+0xd4d/0x1010 drivers/net/wireless/ath/ath9k/hif_usb.c:680
 __usb_hcd_giveback_urb+0x238/0x3f0 drivers/usb/core/hcd.c:1656
 dummy_timer+0xeb8/0x2eb0 drivers/usb/gadget/udc/dummy_hcd.c:1987
 call_timer_fn+0x163/0x4a0 kernel/time/timer.c:1421
 expire_timers kernel/time/timer.c:1466 [inline]
 __run_timers.part.0+0x524/0x890 kernel/time/timer.c:1734
 __run_timers kernel/time/timer.c:1715 [inline]
 run_timer_softirq+0x9c/0x190 kernel/time/timer.c:1747
 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558
 do_softirq.part.0+0xde/0x130 kernel/softirq.c:459
 do_softirq kernel/softirq.c:451 [inline]
 __local_bh_enable_ip+0x102/0x120 kernel/softirq.c:383
 local_bh_enable include/linux/bottom_half.h:32 [inline]
 get_next_corpse net/netfilter/nf_conntrack_core.c:2219 [inline]
 nf_ct_iterate_cleanup+0xd5/0x300 net/netfilter/nf_conntrack_core.c:2242
 nf_ct_iterate_cleanup_net net/netfilter/nf_conntrack_core.c:2330 [inline]
 nf_ct_iterate_cleanup_net+0x1dc/0x320 net/netfilter/nf_conntrack_core.c:2314
 masq_device_event+0x8d/0xc0 net/netfilter/nf_nat_masquerade.c:88
 notifier_call_chain+0x94/0x170 kernel/notifier.c:83
 call_netdevice_notifiers_extack net/core/dev.c:2135 [inline]
 call_netdevice_notifiers net/core/dev.c:2149 [inline]
 dev_close_many+0x28c/0x560 net/core/dev.c:1724
 unregister_netdevice_many+0x36d/0x1540 net/core/dev.c:11070
 default_device_exit_batch+0x2a5/0x360 net/core/dev.c:11623
 cleanup_net+0x423/0x990 net/core/net_namespace.c:595
 process_one_work+0x84c/0x13d0 kernel/workqueue.c:2276
 worker_thread+0x598/0x1040 kernel/workqueue.c:2422
 kthread+0x38b/0x460 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

The buggy address belongs to the page:
page:ffffea000096dd00 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x25b74
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 0000000000000000 ffffea000096dd08 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x40dc0(GFP_KERNEL|__GFP_COMP|__GFP_ZERO), pid 20, ts 432941979686, free_ts 433981122665
 prep_new_page mm/page_alloc.c:2436 [inline]
 get_page_from_freelist+0xa6f/0x2f50 mm/page_alloc.c:4168
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5390
 kmalloc_order+0x34/0xf0 mm/slab_common.c:955
 kmalloc_order_trace+0x14/0x120 mm/slab_common.c:971
 kmalloc include/linux/slab.h:596 [inline]
 kzalloc include/linux/slab.h:721 [inline]
 wiphy_new_nm+0x63a/0x1d50 net/wireless/core.c:449
 ieee80211_alloc_hw_nm+0x2f5/0x1fd0 net/mac80211/main.c:585
 ieee80211_alloc_hw include/net/mac80211.h:4285 [inline]
 ath9k_htc_probe_device+0x91/0x1d80 drivers/net/wireless/ath/ath9k/htc_drv_init.c:939
 ath9k_htc_hw_init+0x8/0x20 drivers/net/wireless/ath/ath9k/htc_hst.c:503
 ath9k_hif_usb_firmware_cb+0x23b/0x4d0 drivers/net/wireless/ath/ath9k/hif_usb.c:1239
 request_firmware_work_func+0x126/0x230 drivers/base/firmware_loader/main.c:1083
 process_one_work+0x84c/0x13d0 kernel/workqueue.c:2276
 worker_thread+0x598/0x1040 kernel/workqueue.c:2422
 kthread+0x38b/0x460 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1346 [inline]
 free_pcp_prepare+0x2c5/0x780 mm/page_alloc.c:1397
 free_unref_page_prepare mm/page_alloc.c:3332 [inline]
 free_unref_page+0x19/0x690 mm/page_alloc.c:3411
 device_release+0x93/0x200 drivers/base/core.c:2192
 kobject_cleanup lib/kobject.c:705 [inline]
 kobject_release lib/kobject.c:736 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x139/0x410 lib/kobject.c:753
 ath9k_htc_probe_device+0x1ab/0x1d80 drivers/net/wireless/ath/ath9k/htc_drv_init.c:976
 ath9k_htc_hw_init+0x8/0x20 drivers/net/wireless/ath/ath9k/htc_hst.c:503
 ath9k_hif_usb_firmware_cb+0x23b/0x4d0 drivers/net/wireless/ath/ath9k/hif_usb.c:1239
 request_firmware_work_func+0x126/0x230 drivers/base/firmware_loader/main.c:1083
 process_one_work+0x84c/0x13d0 kernel/workqueue.c:2276
 worker_thread+0x598/0x1040 kernel/workqueue.c:2422
 kthread+0x38b/0x460 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Memory state around the buggy address:
 ffff888025b74100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888025b74180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888025b74200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                        ^
 ffff888025b74280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888025b74300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================