bisecting fixing commit since f5b6eb1e018203913dfefcf6fa988649ad11ad6e building syzkaller on 500c23397f34dde583da6d31f9d9fd21cae289f8 testing commit f5b6eb1e018203913dfefcf6fa988649ad11ad6e compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 9092f979444ac1af010ff98cec37a4faca839493e03e285cfe8ebd405e1bf2ee run #0: crashed: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb run #1: crashed: BUG: sleeping function called from invalid context in lock_sock_nested run #2: crashed: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb run #3: crashed: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb run #4: crashed: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb run #5: crashed: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb run #6: crashed: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb run #7: crashed: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb run #8: OK run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK reproducer seems to be flaky testing current HEAD b81b1829e7e39f6cebdf6e4d5484eacbceda8554 testing commit b81b1829e7e39f6cebdf6e4d5484eacbceda8554 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 830a53d0fc4197bfd969733e3c6938ff698ede57dd8585a35179a4539ad75a88 run #0: crashed: KASAN: slab-out-of-bounds Read in ath9k_hif_usb_rx_cb run #1: crashed: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb run #2: crashed: KASAN: slab-out-of-bounds Read in ath9k_hif_usb_rx_cb run #3: crashed: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK Reproducer flagged being flaky revisions tested: 2, total time: 35m57.10484445s (build: 12m19.990695999s, test: 22m59.858957183s) the crash still happens on HEAD commit msg: Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi crash: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb ================================================================== BUG: KASAN: use-after-free in ath9k_hif_usb_rx_stream drivers/net/wireless/ath/ath9k/hif_usb.c:643 [inline] BUG: KASAN: use-after-free in ath9k_hif_usb_rx_cb+0xd4c/0x1030 drivers/net/wireless/ath/ath9k/hif_usb.c:687 Read of size 4 at addr ffff888021944348 by task kworker/1:5/3650 CPU: 1 PID: 3650 Comm: kworker/1:5 Not tainted 5.17.0-rc3-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: events request_firmware_work_func Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x57/0x7d lib/dump_stack.c:106 print_address_description.constprop.0.cold+0x8d/0x336 mm/kasan/report.c:255 __kasan_report mm/kasan/report.c:442 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:459 ath9k_hif_usb_rx_stream drivers/net/wireless/ath/ath9k/hif_usb.c:643 [inline] ath9k_hif_usb_rx_cb+0xd4c/0x1030 drivers/net/wireless/ath/ath9k/hif_usb.c:687 __usb_hcd_giveback_urb+0x238/0x3f0 drivers/usb/core/hcd.c:1670 dummy_timer+0xeb8/0x2eb0 drivers/usb/gadget/udc/dummy_hcd.c:1987 call_timer_fn+0x163/0x4a0 kernel/time/timer.c:1421 expire_timers kernel/time/timer.c:1466 [inline] __run_timers.part.0+0x52a/0x8a0 kernel/time/timer.c:1734 __run_timers kernel/time/timer.c:1715 [inline] run_timer_softirq+0x9c/0x190 kernel/time/timer.c:1747 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558 invoke_softirq kernel/softirq.c:432 [inline] __irq_exit_rcu+0x123/0x180 kernel/softirq.c:637 irq_exit_rcu+0x5/0x20 kernel/softirq.c:649 sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1097 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638 RIP: 0010:console_unlock+0x4df/0x870 kernel/printk/printk.c:2716 Code: a7 2a fe ff e8 e2 29 00 00 48 83 3c 24 00 0f 85 e0 01 00 00 9c 58 f6 c4 02 0f 85 d3 02 00 00 48 83 3c 24 00 74 01 fb 45 85 e4 <0f> 85 27 02 00 00 8b 54 24 30 85 d2 0f 84 70 fc ff ff 31 d2 be a0 RSP: 0018:ffffc9000248f9c0 EFLAGS: 00000246 RAX: 0000000000000006 RBX: dffffc0000000000 RCX: 1ffffffff1e197fe RDX: 0000000000000000 RSI: ffffffff88eba480 RDI: ffffffff89426060 RBP: ffffc9000248fa18 R08: 0000000000000001 R09: ffffffff8f0cb887 R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000 R13: ffffffff8ba08f08 R14: ffffffff8ba08ed0 R15: 0000000000000000 vprintk_emit+0x99/0x2f0 kernel/printk/printk.c:2245 _printk+0xad/0xde kernel/printk/printk.c:2266 ath9k_htc_hw_init.cold+0xc/0x12 drivers/net/wireless/ath/ath9k/htc_hst.c:504 ath9k_hif_usb_firmware_cb+0x23b/0x4d0 drivers/net/wireless/ath/ath9k/hif_usb.c:1246 request_firmware_work_func+0x126/0x230 drivers/base/firmware_loader/main.c:1022 process_one_work+0x879/0x1410 kernel/workqueue.c:2307 worker_thread+0x5a0/0xf60 kernel/workqueue.c:2454 kthread+0x299/0x340 kernel/kthread.c:377 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 The buggy address belongs to the page: page:ffffea0000865100 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x21944 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 0000000000000000 ffffea0000865108 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 3, migratetype Unmovable, gfp_mask 0x140dc0(GFP_USER|__GFP_COMP|__GFP_ZERO), pid 3650, ts 545071775853, free_ts 546095486212 prep_new_page mm/page_alloc.c:2434 [inline] get_page_from_freelist+0xa6f/0x2f10 mm/page_alloc.c:4165 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5389 kmalloc_order+0x34/0xf0 mm/slab_common.c:944 kmalloc_order_trace+0x14/0x120 mm/slab_common.c:960 kmalloc include/linux/slab.h:586 [inline] kzalloc include/linux/slab.h:715 [inline] wiphy_new_nm+0x63a/0x1fc0 net/wireless/core.c:449 ieee80211_alloc_hw_nm+0x2f5/0x1fd0 net/mac80211/main.c:585 ieee80211_alloc_hw include/net/mac80211.h:4327 [inline] ath9k_htc_probe_device+0x91/0x1e30 drivers/net/wireless/ath/ath9k/htc_drv_init.c:939 ath9k_htc_hw_init+0x8/0x20 drivers/net/wireless/ath/ath9k/htc_hst.c:503 ath9k_hif_usb_firmware_cb+0x23b/0x4d0 drivers/net/wireless/ath/ath9k/hif_usb.c:1246 request_firmware_work_func+0x126/0x230 drivers/base/firmware_loader/main.c:1022 process_one_work+0x879/0x1410 kernel/workqueue.c:2307 worker_thread+0x5a0/0xf60 kernel/workqueue.c:2454 kthread+0x299/0x340 kernel/kthread.c:377 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1352 [inline] free_pcp_prepare+0x374/0x870 mm/page_alloc.c:1404 free_unref_page_prepare mm/page_alloc.c:3325 [inline] free_unref_page+0x19/0x690 mm/page_alloc.c:3404 device_release+0x93/0x200 drivers/base/core.c:2229 kobject_cleanup lib/kobject.c:705 [inline] kobject_release lib/kobject.c:736 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x139/0x410 lib/kobject.c:753 ath9k_htc_probe_device+0x1ab/0x1e30 drivers/net/wireless/ath/ath9k/htc_drv_init.c:976 ath9k_htc_hw_init+0x8/0x20 drivers/net/wireless/ath/ath9k/htc_hst.c:503 ath9k_hif_usb_firmware_cb+0x23b/0x4d0 drivers/net/wireless/ath/ath9k/hif_usb.c:1246 request_firmware_work_func+0x126/0x230 drivers/base/firmware_loader/main.c:1022 process_one_work+0x879/0x1410 kernel/workqueue.c:2307 worker_thread+0x5a0/0xf60 kernel/workqueue.c:2454 kthread+0x299/0x340 kernel/kthread.c:377 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 Memory state around the buggy address: ffff888021944200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888021944280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff888021944300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff888021944380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888021944400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== ---------------- Code disassembly (best guess), 4 bytes skipped: 0: e8 e2 29 00 00 callq 0x29e7 5: 48 83 3c 24 00 cmpq $0x0,(%rsp) a: 0f 85 e0 01 00 00 jne 0x1f0 10: 9c pushfq 11: 58 pop %rax 12: f6 c4 02 test $0x2,%ah 15: 0f 85 d3 02 00 00 jne 0x2ee 1b: 48 83 3c 24 00 cmpq $0x0,(%rsp) 20: 74 01 je 0x23 22: fb sti 23: 45 85 e4 test %r12d,%r12d * 26: 0f 85 27 02 00 00 jne 0x253 <-- trapping instruction 2c: 8b 54 24 30 mov 0x30(%rsp),%edx 30: 85 d2 test %edx,%edx 32: 0f 84 70 fc ff ff je 0xfffffca8 38: 31 d2 xor %edx,%edx 3a: be .byte 0xbe 3b: a0 .byte 0xa0