bisecting fixing commit since f5b6eb1e018203913dfefcf6fa988649ad11ad6e building syzkaller on 500c23397f34dde583da6d31f9d9fd21cae289f8 testing commit f5b6eb1e018203913dfefcf6fa988649ad11ad6e compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 9092f979444ac1af010ff98cec37a4faca839493e03e285cfe8ebd405e1bf2ee run #0: crashed: BUG: sleeping function called from invalid context in lock_sock_nested run #1: crashed: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb run #2: crashed: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb run #3: crashed: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb run #4: crashed: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb run #5: crashed: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb run #6: crashed: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb run #7: crashed: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb run #8: crashed: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb run #9: crashed: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb run #10: crashed: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb run #11: OK run #12: crashed: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK testing current HEAD d9fb678414c048e185eaddadd18d75f5e8832ff3 testing commit d9fb678414c048e185eaddadd18d75f5e8832ff3 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: d3bcdfff8d69f5c257c23cdeea3999407525997053ff2ad116a8942b26a115b3 all runs: crashed: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb revisions tested: 2, total time: 35m26.717567463s (build: 13m25.420771605s, test: 21m16.632105745s) the crash still happens on HEAD commit msg: Merge tag 'afs-fixes-20210913' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs crash: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb ================================================================== BUG: KASAN: use-after-free in ath9k_hif_usb_rx_stream drivers/net/wireless/ath/ath9k/hif_usb.c:636 [inline] BUG: KASAN: use-after-free in ath9k_hif_usb_rx_cb+0xd4d/0x1010 drivers/net/wireless/ath/ath9k/hif_usb.c:680 Read of size 4 at addr ffff888077d0c238 by task kworker/u4:3/755 CPU: 0 PID: 755 Comm: kworker/u4:3 Not tainted 5.15.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: netns cleanup_net Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x57/0x7d lib/dump_stack.c:106 print_address_description.constprop.0.cold+0x6c/0x309 mm/kasan/report.c:256 __kasan_report mm/kasan/report.c:442 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:459 ath9k_hif_usb_rx_stream drivers/net/wireless/ath/ath9k/hif_usb.c:636 [inline] ath9k_hif_usb_rx_cb+0xd4d/0x1010 drivers/net/wireless/ath/ath9k/hif_usb.c:680 __usb_hcd_giveback_urb+0x238/0x3f0 drivers/usb/core/hcd.c:1656 dummy_timer+0xeb8/0x2eb0 drivers/usb/gadget/udc/dummy_hcd.c:1987 call_timer_fn+0x163/0x4a0 kernel/time/timer.c:1421 expire_timers kernel/time/timer.c:1466 [inline] __run_timers.part.0+0x524/0x890 kernel/time/timer.c:1734 __run_timers kernel/time/timer.c:1715 [inline] run_timer_softirq+0x9c/0x190 kernel/time/timer.c:1747 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558 do_softirq.part.0+0xde/0x130 kernel/softirq.c:459 do_softirq kernel/softirq.c:451 [inline] __local_bh_enable_ip+0x102/0x120 kernel/softirq.c:383 local_bh_enable include/linux/bottom_half.h:32 [inline] get_next_corpse net/netfilter/nf_conntrack_core.c:2252 [inline] nf_ct_iterate_cleanup+0xd5/0x300 net/netfilter/nf_conntrack_core.c:2275 nf_ct_iterate_cleanup_net net/netfilter/nf_conntrack_core.c:2363 [inline] nf_ct_iterate_cleanup_net+0x1dc/0x320 net/netfilter/nf_conntrack_core.c:2347 masq_device_event+0x8d/0xc0 net/netfilter/nf_nat_masquerade.c:88 notifier_call_chain+0x94/0x170 kernel/notifier.c:83 call_netdevice_notifiers_extack net/core/dev.c:2008 [inline] call_netdevice_notifiers net/core/dev.c:2022 [inline] dev_close_many+0x28c/0x560 net/core/dev.c:1597 unregister_netdevice_many+0x36d/0x1550 net/core/dev.c:11016 unregister_netdevice_queue+0x26b/0x330 net/core/dev.c:10973 unregister_netdevice include/linux/netdevice.h:2988 [inline] nsim_destroy+0x3a/0x160 drivers/net/netdevsim/netdev.c:382 __nsim_dev_port_del+0x161/0x210 drivers/net/netdevsim/dev.c:1349 nsim_dev_port_del_all drivers/net/netdevsim/dev.c:1362 [inline] nsim_dev_reload_destroy+0x170/0x2d0 drivers/net/netdevsim/dev.c:1561 nsim_dev_reload_down+0xbb/0x140 drivers/net/netdevsim/dev.c:883 devlink_reload+0x1e5/0x610 net/core/devlink.c:3963 devlink_pernet_pre_exit+0x209/0x2c0 net/core/devlink.c:11542 ops_pre_exit_list net/core/net_namespace.c:158 [inline] cleanup_net+0x3a4/0x980 net/core/net_namespace.c:579 process_one_work+0x87f/0x1450 kernel/workqueue.c:2297 worker_thread+0x598/0x1040 kernel/workqueue.c:2444 kthread+0x38b/0x460 kernel/kthread.c:319 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 The buggy address belongs to the page: page:ffffea0001df4300 refcount:0 mapcount:0 mapping:0000000000000000 index:0x100 pfn:0x77d0c flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000 raw: 0000000000000100 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 3, migratetype Unmovable, gfp_mask 0x40dc0(GFP_KERNEL|__GFP_COMP|__GFP_ZERO), pid 2960, ts 435443943879, free_ts 436473367384 prep_new_page mm/page_alloc.c:2424 [inline] get_page_from_freelist+0xa6f/0x2f50 mm/page_alloc.c:4153 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5375 kmalloc_order+0x34/0xf0 mm/slab_common.c:957 kmalloc_order_trace+0x14/0x120 mm/slab_common.c:973 kmalloc include/linux/slab.h:596 [inline] kzalloc include/linux/slab.h:721 [inline] wiphy_new_nm+0x63a/0x1d50 net/wireless/core.c:449 ieee80211_alloc_hw_nm+0x2f5/0x1fd0 net/mac80211/main.c:585 ieee80211_alloc_hw include/net/mac80211.h:4304 [inline] ath9k_htc_probe_device+0x91/0x1d80 drivers/net/wireless/ath/ath9k/htc_drv_init.c:939 ath9k_htc_hw_init+0x8/0x20 drivers/net/wireless/ath/ath9k/htc_hst.c:503 ath9k_hif_usb_firmware_cb+0x23b/0x4d0 drivers/net/wireless/ath/ath9k/hif_usb.c:1239 request_firmware_work_func+0x126/0x230 drivers/base/firmware_loader/main.c:1081 process_one_work+0x87f/0x1450 kernel/workqueue.c:2297 worker_thread+0x598/0x1040 kernel/workqueue.c:2444 kthread+0x38b/0x460 kernel/kthread.c:319 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1338 [inline] free_pcp_prepare+0x2c5/0x780 mm/page_alloc.c:1389 free_unref_page_prepare mm/page_alloc.c:3315 [inline] free_unref_page+0x19/0x690 mm/page_alloc.c:3394 device_release+0x93/0x200 drivers/base/core.c:2195 kobject_cleanup lib/kobject.c:705 [inline] kobject_release lib/kobject.c:736 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x139/0x410 lib/kobject.c:753 ath9k_htc_probe_device+0x1ab/0x1d80 drivers/net/wireless/ath/ath9k/htc_drv_init.c:976 ath9k_htc_hw_init+0x8/0x20 drivers/net/wireless/ath/ath9k/htc_hst.c:503 ath9k_hif_usb_firmware_cb+0x23b/0x4d0 drivers/net/wireless/ath/ath9k/hif_usb.c:1239 request_firmware_work_func+0x126/0x230 drivers/base/firmware_loader/main.c:1081 process_one_work+0x87f/0x1450 kernel/workqueue.c:2297 worker_thread+0x598/0x1040 kernel/workqueue.c:2444 kthread+0x38b/0x460 kernel/kthread.c:319 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 Memory state around the buggy address: ffff888077d0c100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888077d0c180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff888077d0c200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff888077d0c280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888077d0c300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ==================================================================