bisecting fixing commit since f5b6eb1e018203913dfefcf6fa988649ad11ad6e
building syzkaller on 500c23397f34dde583da6d31f9d9fd21cae289f8
testing commit f5b6eb1e018203913dfefcf6fa988649ad11ad6e
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 9092f979444ac1af010ff98cec37a4faca839493e03e285cfe8ebd405e1bf2ee
run #0: crashed: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb
run #1: crashed: BUG: sleeping function called from invalid context in lock_sock_nested
run #2: crashed: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb
run #3: crashed: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb
run #4: crashed: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb
run #5: crashed: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb
run #6: crashed: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb
run #7: crashed: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb
run #8: OK
run #9: OK
run #10: OK
run #11: OK
run #12: OK
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
reproducer seems to be flaky
testing current HEAD b81b1829e7e39f6cebdf6e4d5484eacbceda8554
testing commit b81b1829e7e39f6cebdf6e4d5484eacbceda8554
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 830a53d0fc4197bfd969733e3c6938ff698ede57dd8585a35179a4539ad75a88
run #0: crashed: KASAN: slab-out-of-bounds Read in ath9k_hif_usb_rx_cb
run #1: crashed: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb
run #2: crashed: KASAN: slab-out-of-bounds Read in ath9k_hif_usb_rx_cb
run #3: crashed: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
run #10: OK
run #11: OK
run #12: OK
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
Reproducer flagged being flaky
revisions tested: 2, total time: 35m57.10484445s (build: 12m19.990695999s, test: 22m59.858957183s)
the crash still happens on HEAD
commit msg: Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi
crash: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb
==================================================================
BUG: KASAN: use-after-free in ath9k_hif_usb_rx_stream drivers/net/wireless/ath/ath9k/hif_usb.c:643 [inline]
BUG: KASAN: use-after-free in ath9k_hif_usb_rx_cb+0xd4c/0x1030 drivers/net/wireless/ath/ath9k/hif_usb.c:687
Read of size 4 at addr ffff888021944348 by task kworker/1:5/3650

CPU: 1 PID: 3650 Comm: kworker/1:5 Not tainted 5.17.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events request_firmware_work_func
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x57/0x7d lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0x8d/0x336 mm/kasan/report.c:255
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
 ath9k_hif_usb_rx_stream drivers/net/wireless/ath/ath9k/hif_usb.c:643 [inline]
 ath9k_hif_usb_rx_cb+0xd4c/0x1030 drivers/net/wireless/ath/ath9k/hif_usb.c:687
 __usb_hcd_giveback_urb+0x238/0x3f0 drivers/usb/core/hcd.c:1670
 dummy_timer+0xeb8/0x2eb0 drivers/usb/gadget/udc/dummy_hcd.c:1987
 call_timer_fn+0x163/0x4a0 kernel/time/timer.c:1421
 expire_timers kernel/time/timer.c:1466 [inline]
 __run_timers.part.0+0x52a/0x8a0 kernel/time/timer.c:1734
 __run_timers kernel/time/timer.c:1715 [inline]
 run_timer_softirq+0x9c/0x190 kernel/time/timer.c:1747
 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558
 invoke_softirq kernel/softirq.c:432 [inline]
 __irq_exit_rcu+0x123/0x180 kernel/softirq.c:637
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:649
 sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1097
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638
RIP: 0010:console_unlock+0x4df/0x870 kernel/printk/printk.c:2716
Code: a7 2a fe ff e8 e2 29 00 00 48 83 3c 24 00 0f 85 e0 01 00 00 9c 58 f6 c4 02 0f 85 d3 02 00 00 48 83 3c 24 00 74 01 fb 45 85 e4 <0f> 85 27 02 00 00 8b 54 24 30 85 d2 0f 84 70 fc ff ff 31 d2 be a0
RSP: 0018:ffffc9000248f9c0 EFLAGS: 00000246
RAX: 0000000000000006 RBX: dffffc0000000000 RCX: 1ffffffff1e197fe
RDX: 0000000000000000 RSI: ffffffff88eba480 RDI: ffffffff89426060
RBP: ffffc9000248fa18 R08: 0000000000000001 R09: ffffffff8f0cb887
R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000
R13: ffffffff8ba08f08 R14: ffffffff8ba08ed0 R15: 0000000000000000
 vprintk_emit+0x99/0x2f0 kernel/printk/printk.c:2245
 _printk+0xad/0xde kernel/printk/printk.c:2266
 ath9k_htc_hw_init.cold+0xc/0x12 drivers/net/wireless/ath/ath9k/htc_hst.c:504
 ath9k_hif_usb_firmware_cb+0x23b/0x4d0 drivers/net/wireless/ath/ath9k/hif_usb.c:1246
 request_firmware_work_func+0x126/0x230 drivers/base/firmware_loader/main.c:1022
 process_one_work+0x879/0x1410 kernel/workqueue.c:2307
 worker_thread+0x5a0/0xf60 kernel/workqueue.c:2454
 kthread+0x299/0x340 kernel/kthread.c:377
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
 </TASK>

The buggy address belongs to the page:
page:ffffea0000865100 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x21944
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 0000000000000000 ffffea0000865108 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x140dc0(GFP_USER|__GFP_COMP|__GFP_ZERO), pid 3650, ts 545071775853, free_ts 546095486212
 prep_new_page mm/page_alloc.c:2434 [inline]
 get_page_from_freelist+0xa6f/0x2f10 mm/page_alloc.c:4165
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5389
 kmalloc_order+0x34/0xf0 mm/slab_common.c:944
 kmalloc_order_trace+0x14/0x120 mm/slab_common.c:960
 kmalloc include/linux/slab.h:586 [inline]
 kzalloc include/linux/slab.h:715 [inline]
 wiphy_new_nm+0x63a/0x1fc0 net/wireless/core.c:449
 ieee80211_alloc_hw_nm+0x2f5/0x1fd0 net/mac80211/main.c:585
 ieee80211_alloc_hw include/net/mac80211.h:4327 [inline]
 ath9k_htc_probe_device+0x91/0x1e30 drivers/net/wireless/ath/ath9k/htc_drv_init.c:939
 ath9k_htc_hw_init+0x8/0x20 drivers/net/wireless/ath/ath9k/htc_hst.c:503
 ath9k_hif_usb_firmware_cb+0x23b/0x4d0 drivers/net/wireless/ath/ath9k/hif_usb.c:1246
 request_firmware_work_func+0x126/0x230 drivers/base/firmware_loader/main.c:1022
 process_one_work+0x879/0x1410 kernel/workqueue.c:2307
 worker_thread+0x5a0/0xf60 kernel/workqueue.c:2454
 kthread+0x299/0x340 kernel/kthread.c:377
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1352 [inline]
 free_pcp_prepare+0x374/0x870 mm/page_alloc.c:1404
 free_unref_page_prepare mm/page_alloc.c:3325 [inline]
 free_unref_page+0x19/0x690 mm/page_alloc.c:3404
 device_release+0x93/0x200 drivers/base/core.c:2229
 kobject_cleanup lib/kobject.c:705 [inline]
 kobject_release lib/kobject.c:736 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x139/0x410 lib/kobject.c:753
 ath9k_htc_probe_device+0x1ab/0x1e30 drivers/net/wireless/ath/ath9k/htc_drv_init.c:976
 ath9k_htc_hw_init+0x8/0x20 drivers/net/wireless/ath/ath9k/htc_hst.c:503
 ath9k_hif_usb_firmware_cb+0x23b/0x4d0 drivers/net/wireless/ath/ath9k/hif_usb.c:1246
 request_firmware_work_func+0x126/0x230 drivers/base/firmware_loader/main.c:1022
 process_one_work+0x879/0x1410 kernel/workqueue.c:2307
 worker_thread+0x5a0/0xf60 kernel/workqueue.c:2454
 kthread+0x299/0x340 kernel/kthread.c:377
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Memory state around the buggy address:
 ffff888021944200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888021944280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888021944300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                              ^
 ffff888021944380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888021944400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
----------------
Code disassembly (best guess), 4 bytes skipped:
   0:	e8 e2 29 00 00       	callq  0x29e7
   5:	48 83 3c 24 00       	cmpq   $0x0,(%rsp)
   a:	0f 85 e0 01 00 00    	jne    0x1f0
  10:	9c                   	pushfq
  11:	58                   	pop    %rax
  12:	f6 c4 02             	test   $0x2,%ah
  15:	0f 85 d3 02 00 00    	jne    0x2ee
  1b:	48 83 3c 24 00       	cmpq   $0x0,(%rsp)
  20:	74 01                	je     0x23
  22:	fb                   	sti
  23:	45 85 e4             	test   %r12d,%r12d
* 26:	0f 85 27 02 00 00    	jne    0x253 <-- trapping instruction
  2c:	8b 54 24 30          	mov    0x30(%rsp),%edx
  30:	85 d2                	test   %edx,%edx
  32:	0f 84 70 fc ff ff    	je     0xfffffca8
  38:	31 d2                	xor    %edx,%edx
  3a:	be                   	.byte 0xbe
  3b:	a0                   	.byte 0xa0