KASAN: use-after-free Read in ath9k_wmi_ctrl_rx
23 views
Skip to first unread message
syzbot
Mar 27, 2020, 9:30:16 AM3/27/20
to andre...@google.com, ath9k...@qca.qualcomm.com, da...@davemloft.net, kv...@codeaurora.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, linux-w...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: e17994d1 usb: core: kcov: collect coverage from usb comple..
git tree: https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=1253c9d5e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=5d64370c438bc60
dashboard link: https://syzkaller.appspot.com/bug?extid=5d338854440137ea0fef
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17fd135be00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16436be5e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+5d3388...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in ath9k_wmi_ctrl_rx+0x416/0x500 drivers/net/wireless/ath/ath9k/wmi.c:215
Read of size 1 at addr ffff8881cef1417c by task swapper/1/0
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.6.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xef/0x16e lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd3/0x314 mm/kasan/report.c:374
__kasan_report.cold+0x37/0x77 mm/kasan/report.c:506
kasan_report+0xe/0x20 mm/kasan/common.c:641
ath9k_wmi_ctrl_rx+0x416/0x500 drivers/net/wireless/ath/ath9k/wmi.c:215
ath9k_htc_rx_msg+0x2da/0xaf0 drivers/net/wireless/ath/ath9k/htc_hst.c:459
ath9k_hif_usb_reg_in_cb+0x1ba/0x630 drivers/net/wireless/ath/ath9k/hif_usb.c:718
__usb_hcd_giveback_urb+0x29a/0x550 drivers/usb/core/hcd.c:1650
usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1716
dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
expire_timers kernel/time/timer.c:1449 [inline]
__run_timers kernel/time/timer.c:1773 [inline]
__run_timers kernel/time/timer.c:1740 [inline]
run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following crash on:
HEAD commit: e17994d1 usb: core: kcov: collect coverage from usb comple..
git tree: https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=1253c9d5e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=5d64370c438bc60
dashboard link: https://syzkaller.appspot.com/bug?extid=5d338854440137ea0fef
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17fd135be00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16436be5e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+5d3388...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in ath9k_wmi_ctrl_rx+0x416/0x500 drivers/net/wireless/ath/ath9k/wmi.c:215
Read of size 1 at addr ffff8881cef1417c by task swapper/1/0
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.6.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xef/0x16e lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd3/0x314 mm/kasan/report.c:374
__kasan_report.cold+0x37/0x77 mm/kasan/report.c:506
kasan_report+0xe/0x20 mm/kasan/common.c:641
ath9k_wmi_ctrl_rx+0x416/0x500 drivers/net/wireless/ath/ath9k/wmi.c:215
ath9k_htc_rx_msg+0x2da/0xaf0 drivers/net/wireless/ath/ath9k/htc_hst.c:459
ath9k_hif_usb_reg_in_cb+0x1ba/0x630 drivers/net/wireless/ath/ath9k/hif_usb.c:718
__usb_hcd_giveback_urb+0x29a/0x550 drivers/usb/core/hcd.c:1650
usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1716
dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
expire_timers kernel/time/timer.c:1449 [inline]
__run_timers kernel/time/timer.c:1773 [inline]
__run_timers kernel/time/timer.c:1740 [inline]
run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
Qiujun Huang
Apr 2, 2020, 9:51:02 PM4/2/20
to syzbot, Andrey Konovalov, ath9k...@qca.qualcomm.com, da...@davemloft.net, kv...@codeaurora.org, LKML, USB list, linux-w...@vger.kernel.org, net...@vger.kernel.org, syzkaller-bugs
#syz test: https://github.com/google/kasan.git usb-fuzzer
syzbot
Apr 2, 2020, 10:17:04 PM4/2/20
to andre...@google.com, anen...@gmail.com, ath9k...@qca.qualcomm.com, da...@davemloft.net, kv...@codeaurora.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, linux-w...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer still triggered crash:
KASAN: use-after-free Read in ath9k_wmi_ctrl_rx
==================================================================
BUG: KASAN: use-after-free in ath9k_wmi_ctrl_rx+0x416/0x500 drivers/net/wireless/ath/ath9k/wmi.c:229
Read of size 1 at addr ffff8881d335b17c by task swapper/0/0
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.6.0-rc7-syzkaller #0
ath9k_htc_rx_msg+0x2d9/0xac0 drivers/net/wireless/ath/ath9k/htc_hst.c:460
ath9k_hif_usb_reg_in_cb+0x1ba/0x630 drivers/net/wireless/ath/ath9k/hif_usb.c:718
__usb_hcd_giveback_urb+0x1f2/0x470 drivers/usb/core/hcd.c:1648
usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1713
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x178/0x1a0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:546 [inline]
smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1146
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
</IRQ>
RIP: 0010:default_idle+0x28/0x300 arch/x86/kernel/process.c:696
Code: cc cc 41 56 41 55 65 44 8b 2d 04 3b 72 7a 41 54 55 53 0f 1f 44 00 00 e8 b6 27 b5 fb e9 07 00 00 00 0f 00 2d aa d0 52 00 fb f4 <65> 44 8b 2d e0 3a 72 7a 0f 1f 44 00 00 5b 5d 41 5c 41 5d 41 5e c3
RSP: 0018:ffffffff87007d80 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000007 RBX: ffffffff8702cc40 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffffffff8702d48c
RBP: fffffbfff0e05988 R08: ffffffff8702cc40 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: ffffffff87e612c0 R15: 0000000000000000
cpuidle_idle_call kernel/sched/idle.c:154 [inline]
do_idle+0x3e0/0x500 kernel/sched/idle.c:269
cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:361
start_kernel+0xe16/0xe5a init/main.c:998
secondary_startup_64+0xb6/0xc0 arch/x86/kernel/head_64.S:242
Allocated by task 169:
save_stack+0x1b/0x80 mm/kasan/common.c:72
set_track mm/kasan/common.c:80 [inline]
__kasan_kmalloc mm/kasan/common.c:515 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:488
kmalloc include/linux/slab.h:555 [inline]
kzalloc include/linux/slab.h:669 [inline]
ath9k_init_wmi+0x40/0x310 drivers/net/wireless/ath/ath9k/wmi.c:95
ath9k_htc_probe_device+0x21c/0x1d80 drivers/net/wireless/ath/ath9k/htc_drv_init.c:953
ath9k_htc_hw_init+0x31/0x60 drivers/net/wireless/ath/ath9k/htc_hst.c:502
ath9k_hif_usb_firmware_cb+0x26b/0x500 drivers/net/wireless/ath/ath9k/hif_usb.c:1187
request_firmware_work_func+0x126/0x242 drivers/base/firmware_loader/main.c:976
process_one_work+0x94b/0x1620 kernel/workqueue.c:2266
worker_thread+0x96/0xe20 kernel/workqueue.c:2412
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
Freed by task 169:
save_stack+0x1b/0x80 mm/kasan/common.c:72
set_track mm/kasan/common.c:80 [inline]
kasan_set_free_info mm/kasan/common.c:337 [inline]
__kasan_slab_free+0x117/0x160 mm/kasan/common.c:476
slab_free_hook mm/slub.c:1444 [inline]
slab_free_freelist_hook mm/slub.c:1477 [inline]
slab_free mm/slub.c:3034 [inline]
kfree+0xd5/0x300 mm/slub.c:3995
ath9k_htc_probe_device+0x278/0x1d80 drivers/net/wireless/ath/ath9k/htc_drv_init.c:970
ath9k_htc_hw_init+0x31/0x60 drivers/net/wireless/ath/ath9k/htc_hst.c:502
ath9k_hif_usb_firmware_cb+0x26b/0x500 drivers/net/wireless/ath/ath9k/hif_usb.c:1187
request_firmware_work_func+0x126/0x242 drivers/base/firmware_loader/main.c:976
process_one_work+0x94b/0x1620 kernel/workqueue.c:2266
worker_thread+0x96/0xe20 kernel/workqueue.c:2412
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
The buggy address belongs to the object at ffff8881d335b000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 380 bytes inside of
2048-byte region [ffff8881d335b000, ffff8881d335b800)
The buggy address belongs to the page:
page:ffffea00074cd600 refcount:1 mapcount:0 mapping:ffff8881da00c000 index:0x0 compound_mapcount: 0
flags: 0x200000000010200(slab|head)
raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da00c000
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8881d335b000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881d335b080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881d335b100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881d335b180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881d335b200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: 0fa84af8 Merge tag 'usb-serial-5.7-rc1' of https://git.ker..
kernel config: https://syzkaller.appspot.com/x/.config?x=a782c087b1f425c6
syzbot has tested the proposed patch but the reproducer still triggered crash:
KASAN: use-after-free Read in ath9k_wmi_ctrl_rx
==================================================================
BUG: KASAN: use-after-free in ath9k_wmi_ctrl_rx+0x416/0x500 drivers/net/wireless/ath/ath9k/wmi.c:229
Read of size 1 at addr ffff8881d335b17c by task swapper/0/0
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.6.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xef/0x16e lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd3/0x314 mm/kasan/report.c:374
__kasan_report.cold+0x37/0x77 mm/kasan/report.c:506
kasan_report+0xe/0x20 mm/kasan/common.c:641
ath9k_wmi_ctrl_rx+0x416/0x500 drivers/net/wireless/ath/ath9k/wmi.c:229
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xef/0x16e lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd3/0x314 mm/kasan/report.c:374
__kasan_report.cold+0x37/0x77 mm/kasan/report.c:506
kasan_report+0xe/0x20 mm/kasan/common.c:641
ath9k_htc_rx_msg+0x2d9/0xac0 drivers/net/wireless/ath/ath9k/htc_hst.c:460
ath9k_hif_usb_reg_in_cb+0x1ba/0x630 drivers/net/wireless/ath/ath9k/hif_usb.c:718
__usb_hcd_giveback_urb+0x1f2/0x470 drivers/usb/core/hcd.c:1648
usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1713
dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
expire_timers kernel/time/timer.c:1449 [inline]
__run_timers kernel/time/timer.c:1773 [inline]
__run_timers kernel/time/timer.c:1740 [inline]
run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786
__do_softirq+0x21e/0x950 kernel/softirq.c:292
call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
expire_timers kernel/time/timer.c:1449 [inline]
__run_timers kernel/time/timer.c:1773 [inline]
__run_timers kernel/time/timer.c:1740 [inline]
run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x178/0x1a0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:546 [inline]
smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1146
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
</IRQ>
RIP: 0010:default_idle+0x28/0x300 arch/x86/kernel/process.c:696
Code: cc cc 41 56 41 55 65 44 8b 2d 04 3b 72 7a 41 54 55 53 0f 1f 44 00 00 e8 b6 27 b5 fb e9 07 00 00 00 0f 00 2d aa d0 52 00 fb f4 <65> 44 8b 2d e0 3a 72 7a 0f 1f 44 00 00 5b 5d 41 5c 41 5d 41 5e c3
RSP: 0018:ffffffff87007d80 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000007 RBX: ffffffff8702cc40 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffffffff8702d48c
RBP: fffffbfff0e05988 R08: ffffffff8702cc40 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: ffffffff87e612c0 R15: 0000000000000000
cpuidle_idle_call kernel/sched/idle.c:154 [inline]
do_idle+0x3e0/0x500 kernel/sched/idle.c:269
cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:361
start_kernel+0xe16/0xe5a init/main.c:998
secondary_startup_64+0xb6/0xc0 arch/x86/kernel/head_64.S:242
Allocated by task 169:
save_stack+0x1b/0x80 mm/kasan/common.c:72
set_track mm/kasan/common.c:80 [inline]
__kasan_kmalloc mm/kasan/common.c:515 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:488
kmalloc include/linux/slab.h:555 [inline]
kzalloc include/linux/slab.h:669 [inline]
ath9k_init_wmi+0x40/0x310 drivers/net/wireless/ath/ath9k/wmi.c:95
ath9k_htc_probe_device+0x21c/0x1d80 drivers/net/wireless/ath/ath9k/htc_drv_init.c:953
ath9k_htc_hw_init+0x31/0x60 drivers/net/wireless/ath/ath9k/htc_hst.c:502
ath9k_hif_usb_firmware_cb+0x26b/0x500 drivers/net/wireless/ath/ath9k/hif_usb.c:1187
request_firmware_work_func+0x126/0x242 drivers/base/firmware_loader/main.c:976
process_one_work+0x94b/0x1620 kernel/workqueue.c:2266
worker_thread+0x96/0xe20 kernel/workqueue.c:2412
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
Freed by task 169:
save_stack+0x1b/0x80 mm/kasan/common.c:72
set_track mm/kasan/common.c:80 [inline]
kasan_set_free_info mm/kasan/common.c:337 [inline]
__kasan_slab_free+0x117/0x160 mm/kasan/common.c:476
slab_free_hook mm/slub.c:1444 [inline]
slab_free_freelist_hook mm/slub.c:1477 [inline]
slab_free mm/slub.c:3034 [inline]
kfree+0xd5/0x300 mm/slub.c:3995
ath9k_htc_probe_device+0x278/0x1d80 drivers/net/wireless/ath/ath9k/htc_drv_init.c:970
ath9k_htc_hw_init+0x31/0x60 drivers/net/wireless/ath/ath9k/htc_hst.c:502
ath9k_hif_usb_firmware_cb+0x26b/0x500 drivers/net/wireless/ath/ath9k/hif_usb.c:1187
request_firmware_work_func+0x126/0x242 drivers/base/firmware_loader/main.c:976
process_one_work+0x94b/0x1620 kernel/workqueue.c:2266
worker_thread+0x96/0xe20 kernel/workqueue.c:2412
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
The buggy address belongs to the object at ffff8881d335b000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 380 bytes inside of
2048-byte region [ffff8881d335b000, ffff8881d335b800)
The buggy address belongs to the page:
page:ffffea00074cd600 refcount:1 mapcount:0 mapping:ffff8881da00c000 index:0x0 compound_mapcount: 0
flags: 0x200000000010200(slab|head)
raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da00c000
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8881d335b000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881d335b080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881d335b100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881d335b180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881d335b200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: 0fa84af8 Merge tag 'usb-serial-5.7-rc1' of https://git.ker..
git tree: https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=1666f28fe00000
kernel config: https://syzkaller.appspot.com/x/.config?x=a782c087b1f425c6
dashboard link: https://syzkaller.appspot.com/bug?extid=5d338854440137ea0fef
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=145bf733e00000
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syzbot
Apr 3, 2020, 3:37:05 AM4/3/20
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer still triggered crash:
INFO: rcu detected stall in dummy_timer
syzbot has tested the proposed patch but the reproducer still triggered crash:
haley: dev 0xffff8881d27af000, urb 0xffff8881d95dbf00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95db800. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95ceb00. ath9k_hif_usb_reg_in_cb, 707
rcu: INFO: rcu_sched self-detected stall on CPU
rcu: 1-...!: (406 ticks this GP) idle=73e/1/0x4000000000000004 softirq=7226/7226 fqs=7
(t=10528 jiffies g=4045 q=718)
rcu: rcu_sched kthread starved for 10371 jiffies! g4045 f0x0 RCU_GP_WAIT_FQS(5) ->state=0x0 ->cpu=0
rcu: RCU grace-period kthread stack dump:
rcu_sched R running task 29768 10 2 0x80004000
Call Trace:
schedule+0xcd/0x2b0 kernel/sched/core.c:4154
schedule_timeout+0x440/0xb20 kernel/time/timer.c:1895
rcu_gp_fqs_loop kernel/rcu/tree.c:1658 [inline]
rcu_gp_kthread+0xad8/0x1e90 kernel/rcu/tree.c:1818
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
NMI backtrace for cpu 1
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
CPU: 1 PID: 3236 Comm: systemd-udevd Not tainted 5.6.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xef/0x16e lib/dump_stack.c:118
nmi_cpu_backtrace.cold+0x70/0xb1 lib/nmi_backtrace.c:101
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xef/0x16e lib/dump_stack.c:118
nmi_trigger_cpumask_backtrace+0x1db/0x207 lib/nmi_backtrace.c:62
trigger_single_cpu_backtrace include/linux/nmi.h:164 [inline]
rcu_dump_cpu_stacks+0x169/0x1b3 kernel/rcu/tree_stall.h:254
print_cpu_stall kernel/rcu/tree_stall.h:475 [inline]
check_cpu_stall kernel/rcu/tree_stall.h:549 [inline]
rcu_pending kernel/rcu/tree.c:3030 [inline]
rcu_sched_clock_irq.cold+0x4da/0x901 kernel/rcu/tree.c:2276
update_process_times+0x25/0x60 kernel/time/timer.c:1726
tick_sched_handle+0x9b/0x180 kernel/time/tick-sched.c:171
tick_sched_timer+0x42/0x130 kernel/time/tick-sched.c:1314
__run_hrtimer kernel/time/hrtimer.c:1517 [inline]
__hrtimer_run_queues+0x32c/0xd20 kernel/time/hrtimer.c:1579
hrtimer_interrupt+0x2e8/0x730 kernel/time/hrtimer.c:1641
local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1119 [inline]
smp_apic_timer_interrupt+0xfe/0x540 arch/x86/kernel/apic/apic.c:1144
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:85 [inline]
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x3b/0x40 kernel/locking/spinlock.c:191
Code: e8 ca ad 96 fb 48 89 ef e8 92 8f 97 fb f6 c7 02 75 11 53 9d e8 16 15 b5 fb 65 ff 0d b7 81 72 7a 5b 5d c3 e8 07 13 b5 fb 53 9d <eb> ed 0f 1f 00 55 48 89 fd 65 ff 05 9d 81 72 7a 45 31 c9 41 b8 01
RSP: 0018:ffff8881db309b10 EFLAGS: 00000206 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000007 RBX: 0000000000000206 RCX: 0000000000000002
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff8881cc66884c
RBP: ffff8881d4c8c000 R08: ffff8881cc668000 R09: fffffbfff126709a
R10: fffffbfff1267099 R11: ffffffff893384cf R12: dffffc0000000000
R13: ffff8881cc829508 R14: 0000000000000000 R15: ffff8881d95ceb00
spin_unlock_irqrestore include/linux/spinlock.h:393 [inline]
dummy_timer+0x1364/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1980
call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
expire_timers kernel/time/timer.c:1449 [inline]
__run_timers kernel/time/timer.c:1773 [inline]
__run_timers kernel/time/timer.c:1740 [inline]
run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786
__do_softirq+0x21e/0x950 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x178/0x1a0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:546 [inline]
smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1146
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
</IRQ>
RIP: 0010:get_current arch/x86/include/asm/current.h:15 [inline]
expire_timers kernel/time/timer.c:1449 [inline]
__run_timers kernel/time/timer.c:1773 [inline]
__run_timers kernel/time/timer.c:1740 [inline]
run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786
__do_softirq+0x21e/0x950 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x178/0x1a0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:546 [inline]
smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1146
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
</IRQ>
RIP: 0010:__sanitizer_cov_trace_pc+0x0/0x50 kernel/kcov.c:186
Code: 00 00 00 00 e9 e8 e7 ff ff cc 65 48 8b 04 25 00 0f 02 00 48 8b 80 c8 12 00 00 c3 0f 1f 44 00 00 66 2e 0f 1f 84 00 00 00 00 00 <65> 48 8b 04 25 00 0f 02 00 65 8b 15 98 b6 c2 7e 81 e2 00 01 1f 00
RSP: 0018:ffff8881cb207bc8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff81113277
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000007
RBP: ffff8881cac03300 R08: ffff8881cc668000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 00000001cac03300
R13: ffff8881da11c000 R14: 0000000000000202 R15: ffff8881cb207e88
__phys_addr+0xc1/0x150 arch/x86/mm/physaddr.c:31
virt_to_head_page include/linux/mm.h:721 [inline]
__kasan_slab_free+0x19/0x160 mm/kasan/common.c:453
slab_free_hook mm/slub.c:1444 [inline]
slab_free_freelist_hook mm/slub.c:1477 [inline]
slab_free mm/slub.c:3034 [inline]
kmem_cache_free+0x9b/0x360 mm/slub.c:3050
slab_free_freelist_hook mm/slub.c:1477 [inline]
slab_free mm/slub.c:3034 [inline]
putname+0xe1/0x120 fs/namei.c:259
filename_lookup+0x282/0x3e0 fs/namei.c:2475
do_readlinkat+0xcd/0x300 fs/stat.c:409
__do_sys_readlinkat fs/stat.c:436 [inline]
__se_sys_readlinkat fs/stat.c:433 [inline]
__x64_sys_readlinkat+0x93/0xf0 fs/stat.c:433
do_syscall_64+0xb6/0x5a0 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7fea127f60ba
Code: 48 8b 0d e1 bd 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 0b 01 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ae bd 2b 00 f7 d8 64 89 01 48
RSP: 002b:00007ffc1e22c608 EFLAGS: 00000206 ORIG_RAX: 000000000000010b
RAX: ffffffffffffffda RBX: 00005632a7bf1630 RCX: 00007fea127f60ba
RDX: 00005632a7bf1630 RSI: 00007ffc1e22c690 RDI: 00000000ffffff9c
RBP: 0000000000000064 R08: 00007fea12ab2d38 R09: 0000000000000070
R10: 0000000000000063 R11: 0000000000000206 R12: 00007ffc1e22c690
R13: 00000000ffffff9c R14: 00007ffc1e22c660 R15: 0000000000000063
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2900. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2b00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2d00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2f00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881d95d5600. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881d95dbd00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881d95cee00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881c9219000. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321ab00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a900. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a700. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a500. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a200. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a000. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2000. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2100. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2600. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2700. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2800. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2a00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2c00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2300. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2400. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2e00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95d5d00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95dbf00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95db800. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95ceb00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2900. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2b00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2d00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2f00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881d95d5600. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881d95dbd00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881d95cee00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881c9219000. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321ab00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a900. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a700. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a500. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a200. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a000. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2000. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2100. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2600. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2700. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2800. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2a00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2c00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2300. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2400. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2e00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95d5d00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95dbf00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95db800. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95ceb00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2900. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2b00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2d00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2f00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881d95d5600. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881d95dbd00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881d95cee00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881c9219000. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321ab00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a900. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a700. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a500. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a200. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a000. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2000. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2100. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2600. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2700. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2800. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2a00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2c00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2300. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2400. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2e00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95d5d00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95dbf00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95db800. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95ceb00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2900. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2b00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2d00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2f00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881d95d5600. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881d95dbd00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881d95cee00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881c9219000. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321ab00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a900. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a700. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a500. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a200. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a000. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2000. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2100. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2600. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2700. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2800. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2a00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2c00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2300. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2400. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2e00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95d5d00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95dbf00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95db800. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95ceb00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2900. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2b00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2d00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2f00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881d95d5600. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881d95dbd00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881d95cee00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881c9219000. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321ab00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a900. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a700. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a500. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a200. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a000. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2000. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2100. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2600. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2700. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2800. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2a00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2c00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2300. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2400. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2e00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95d5d00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95dbf00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95db800. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95ceb00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2900. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2b00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2d00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2f00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881d95d5600. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881d95dbd00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881d95cee00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881c9219000. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321ab00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a900. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a700. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a500. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a200. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a000. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2000. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2100. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2600. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2700. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2800. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2a00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2c00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2300. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2400. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2e00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95d5d00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95dbf00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95db800. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95ceb00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2900. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2b00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2d00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2f00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881d95d5600. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881d95dbd00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881d95cee00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881c9219000. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321ab00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a900. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a700. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a500. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a200. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a000. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2000. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2100. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2600. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2700. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2800. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2a00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2c00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2300. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2400. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2e00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95d5d00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95dbf00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95db800. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95ceb00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2900. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2b00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2d00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2f00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881d95d5600. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881d95dbd00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881d95cee00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881c9219000. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321ab00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a900. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a700. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a500. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a200. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a000. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2000. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2100. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2600. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2700. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2800. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2a00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2c00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2300. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2400. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2e00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95d5d00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95dbf00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95db800. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95ceb00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2900. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2b00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2d00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2f00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881d95d5600. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881d95dbd00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881d95cee00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881c9219000. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321ab00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a900. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a700. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a500. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a200. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a000. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2000. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2100. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2600. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2700. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2800. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2a00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2c00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2300. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2400. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2e00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95d5d00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95dbf00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95db800. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95ceb00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2900. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2b00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2d00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2f00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881d95d5600. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881d95dbd00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881d95cee00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881c9219000. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321ab00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a900. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a700. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a500. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a200. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a000. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2000. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2100. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2600. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2700. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2800. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2a00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2c00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2300. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2400. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2e00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95d5d00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95dbf00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95db800. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95ceb00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2900. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2b00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2d00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2f00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881d95d5600. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881d95dbd00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881d95cee00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881c9219000. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321ab00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a900. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a700. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a500. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a200. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a000. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2000. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2100. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2600. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2700. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2800. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2a00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2c00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2300. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2400. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2e00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95d5d00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95dbf00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95db800. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95ceb00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2900. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2b00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2d00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2f00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881d95d5600. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881d95dbd00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881d95cee00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881c9219000. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321ab00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a900. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a700. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a500. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a200. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a000. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2000. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2100. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2600. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2700. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2800. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2a00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2c00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2300. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2400. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2e00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95d5d00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95dbf00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95db800. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95ceb00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2900. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2b00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2d00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2f00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881d95d5600. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881d95dbd00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881d95cee00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881c9219000. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321ab00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a900. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a700. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a500. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a200. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a000. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2000. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2100. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2600. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2700. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2800. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2a00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2c00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2300. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2400. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2e00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95d5d00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95dbf00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95db800. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95ceb00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2900. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2b00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2d00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2f00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881d95d5600. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881d95dbd00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881d95cee00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881c9219000. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321ab00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a900. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a700. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a500. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a200. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a000. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2000. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2100. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2600. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2700. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2800. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2a00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2c00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2300. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2400. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2e00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95d5d00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95dbf00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95db800. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95ceb00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2900. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2b00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2d00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2f00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881d95d5600. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881d95dbd00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881d95cee00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881c9219000. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321ab00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a900. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a700. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a500. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a200. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a000. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2000. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2100. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2600. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2700. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2800. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2a00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2c00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2300. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2400. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2e00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95d5d00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95dbf00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95db800. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95ceb00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2900. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2b00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2d00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2f00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881d95d5600. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881d95dbd00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881d95cee00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881c9219000. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321ab00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a900. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a700. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a500. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a200. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a000. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2000. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2100. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2600. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2700. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2800. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2a00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2c00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2300. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2400. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2e00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95d5d00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95dbf00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95db800. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95ceb00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2900. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2b00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2d00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881cf3b2f00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881d95d5600. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881d95dbd00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881d95cee00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d887d000, urb 0xffff8881c9219000. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321ab00. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a900. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a700. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a500. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a200. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881d321a000. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2000. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2100. ath9k_hif_usb_rx_cb, 658
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2600. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2700. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2800. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2a00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2c00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2300. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2400. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881cf3b2e00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95d5d00. ath9k_hif_usb_reg_in_cb, 707
haley: dev 0xffff8881d27af000, urb 0xffff8881d95dbf00. ath9k_hif_usb_reg_in_cb, 707
Tested on:
commit: 0fa84af8 Merge tag 'usb-serial-5.7-rc1' of https://git.ker..
git tree: https://github.com/google/kasan.git usb-fuzzer
kernel config: https://syzkaller.appspot.com/x/.config?x=a782c087b1f425c6
dashboard link: https://syzkaller.appspot.com/bug?extid=5d338854440137ea0fef
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=122d2b6de00000
dashboard link: https://syzkaller.appspot.com/bug?extid=5d338854440137ea0fef
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syzbot
Apr 3, 2020, 5:51:04 AM4/3/20
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer still triggered crash:
INFO: rcu detected stall in dummy_timer
haley: catch if null, urb 0xffff8881c4bd0e00. ath9k_hif_usb_reg_in_cb, 718
syzbot has tested the proposed patch but the reproducer still triggered crash:
INFO: rcu detected stall in dummy_timer
rcu: INFO: rcu_sched detected stalls on CPUs/tasks:
(detected by 0, t=10522 jiffies, g=4105, q=959)
rcu: All QSes seen, last rcu_sched kthread activity 10502 (4294951910-4294941408), jiffies_till_next_fqs=1, root ->qsmask 0x0
systemd-udevd R running task 26016 151 1 0x00000108
Call Trace:
<IRQ>
sched_show_task kernel/sched/core.c:5952 [inline]
sched_show_task.cold+0x2e4/0x345 kernel/sched/core.c:5927
print_other_cpu_stall kernel/rcu/tree_stall.h:430 [inline]
check_cpu_stall kernel/rcu/tree_stall.h:558 [inline]
rcu_pending kernel/rcu/tree.c:3030 [inline]
rcu_sched_clock_irq.cold+0x862/0x901 kernel/rcu/tree.c:2276
update_process_times+0x25/0x60 kernel/time/timer.c:1726
tick_sched_handle+0x9b/0x180 kernel/time/tick-sched.c:171
tick_sched_timer+0x42/0x130 kernel/time/tick-sched.c:1314
__run_hrtimer kernel/time/hrtimer.c:1517 [inline]
__hrtimer_run_queues+0x32c/0xd20 kernel/time/hrtimer.c:1579
hrtimer_interrupt+0x2e8/0x730 kernel/time/hrtimer.c:1641
local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1119 [inline]
smp_apic_timer_interrupt+0xfe/0x540 arch/x86/kernel/apic/apic.c:1144
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:85 [inline]
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x3b/0x40 kernel/locking/spinlock.c:191
Code: e8 ca ad 96 fb 48 89 ef e8 92 8f 97 fb f6 c7 02 75 11 53 9d e8 16 15 b5 fb 65 ff 0d b7 81 72 7a 5b 5d c3 e8 07 13 b5 fb 53 9d <eb> ed 0f 1f 00 55 48 89 fd 65 ff 05 9d 81 72 7a 45 31 c9 41 b8 01
RSP: 0018:ffff8881db209b10 EFLAGS: 00000206 ORIG_RAX: ffffffffffffff13
tick_sched_handle+0x9b/0x180 kernel/time/tick-sched.c:171
tick_sched_timer+0x42/0x130 kernel/time/tick-sched.c:1314
__run_hrtimer kernel/time/hrtimer.c:1517 [inline]
__hrtimer_run_queues+0x32c/0xd20 kernel/time/hrtimer.c:1579
hrtimer_interrupt+0x2e8/0x730 kernel/time/hrtimer.c:1641
local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1119 [inline]
smp_apic_timer_interrupt+0xfe/0x540 arch/x86/kernel/apic/apic.c:1144
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:85 [inline]
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x3b/0x40 kernel/locking/spinlock.c:191
Code: e8 ca ad 96 fb 48 89 ef e8 92 8f 97 fb f6 c7 02 75 11 53 9d e8 16 15 b5 fb 65 ff 0d b7 81 72 7a 5b 5d c3 e8 07 13 b5 fb 53 9d <eb> ed 0f 1f 00 55 48 89 fd 65 ff 05 9d 81 72 7a 45 31 c9 41 b8 01
RAX: 0000000000000007 RBX: 0000000000000206 RCX: 0000000000000002
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff8881d1f820cc
RBP: ffff8881d4cc8000 R08: ffff8881d1f81880 R09: fffffbfff126709a
R10: fffffbfff1267099 R11: ffffffff893384cf R12: dffffc0000000000
R13: ffff8881c65ead08 R14: 0000000000000000 R15: ffff8881c4bd0e00
spin_unlock_irqrestore include/linux/spinlock.h:393 [inline]
dummy_timer+0x1364/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1980
call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
expire_timers kernel/time/timer.c:1449 [inline]
__run_timers kernel/time/timer.c:1773 [inline]
__run_timers kernel/time/timer.c:1740 [inline]
run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786
__do_softirq+0x21e/0x950 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x178/0x1a0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:546 [inline]
smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1146
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
</IRQ>
RIP: 0010:lock_is_held_type+0x1ce/0x240 kernel/locking/lockdep.c:4526
dummy_timer+0x1364/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1980
call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
expire_timers kernel/time/timer.c:1449 [inline]
__run_timers kernel/time/timer.c:1773 [inline]
__run_timers kernel/time/timer.c:1740 [inline]
run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786
__do_softirq+0x21e/0x950 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x178/0x1a0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:546 [inline]
smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1146
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
</IRQ>
Code: 89 f9 48 c1 e9 03 0f b6 0c 11 48 89 fa 83 e2 07 83 c2 03 38 ca 7c 04 84 c9 75 6e c7 83 4c 08 00 00 00 00 00 00 ff 74 24 08 9d <48> 83 c4 18 5b 5d 41 5c 41 5d 41 5e 41 5f c3 31 c0 eb a8 48 83 c4
RSP: 0018:ffff8881d07a7cd8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000001 RBX: ffff8881d1f81880 RCX: 0000000000000000
RDX: 0000000000000007 RSI: ffffffff871e1540 RDI: ffff8881d1f820cc
RBP: ffff8881d1f81880 R08: ffff8881d1f81880 R09: fffffbfff0e3c29d
R10: ffff8881d07a7d70 R11: ffffffff871e14e7 R12: ffff8881d1f820c8
R13: ffffed103a3f0419 R14: ffffffff871e1540 R15: ffff8881d1f820f8
lock_is_held include/linux/lockdep.h:361 [inline]
kernfs_active+0xb3/0xf0 fs/kernfs/dir.c:29
kernfs_dir_pos+0x1a4/0x2a0 fs/kernfs/dir.c:1638
kernfs_fop_readdir+0x451/0x8c0 fs/kernfs/dir.c:1678
iterate_dir+0x472/0x5d0 fs/readdir.c:65
__do_sys_getdents fs/readdir.c:285 [inline]
__se_sys_getdents fs/readdir.c:267 [inline]
__x64_sys_getdents+0x226/0x3d0 fs/readdir.c:267
do_syscall_64+0xb6/0x5a0 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7fb586813f2b
Code: fc ff 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 41 57 41 56 48 63 ff 41 55 41 54 b8 4e 00 00 00 55 53 48 89 f3 48 83 ec 08 0f 05 <48> 3d 00 f0 ff ff 77 55 48 8d 2c 06 49 89 c4 48 39 ee 73 34 90 44
RSP: 002b:00007fff37125700 EFLAGS: 00000206 ORIG_RAX: 000000000000004e
RAX: ffffffffffffffda RBX: 00005618d3d4e070 RCX: 00007fb586813f2b
RDX: 0000000000008000 RSI: 00005618d3d4e070 RDI: 0000000000000010
RBP: 00005618d3d4e070 R08: 0000000000000003 R09: 0000000000008040
R10: 00007fb586af9b58 R11: 0000000000000206 R12: fffffffffffffe50
R13: 0000000000000000 R14: 00000000000000fe R15: 00005618d3d20db0
rcu: rcu_sched kthread starved for 10502 jiffies! g4105 f0x2 RCU_GP_WAIT_FQS(5) ->state=0x0 ->cpu=0
rcu: RCU grace-period kthread stack dump:
rcu_sched R running task 29400 10 2 0x80004000
Call Trace:
schedule+0xcd/0x2b0 kernel/sched/core.c:4154
schedule_timeout+0x440/0xb20 kernel/time/timer.c:1895
rcu_gp_fqs_loop kernel/rcu/tree.c:1658 [inline]
rcu_gp_kthread+0xad8/0x1e90 kernel/rcu/tree.c:1818
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
haley: catch dev null, urb 0xffff8881ce6d3d00. ath9k_hif_usb_rx_cb, 658
schedule+0xcd/0x2b0 kernel/sched/core.c:4154
schedule_timeout+0x440/0xb20 kernel/time/timer.c:1895
rcu_gp_fqs_loop kernel/rcu/tree.c:1658 [inline]
rcu_gp_kthread+0xad8/0x1e90 kernel/rcu/tree.c:1818
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
haley: catch if null, urb 0xffff8881ce6d3d00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446000. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446000. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446600. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446600. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446a00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446a00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446c00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446c00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446f00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446f00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0300. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0300. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0600. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0600. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0c00. ath9k_hif_usb_reg_in_cb, 714
haley: catch if null, urb 0xffff8881c4bd0c00. ath9k_hif_usb_reg_in_cb, 718
haley: catch dev null, urb 0xffff8881d2446800. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446800. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446b00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446b00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446e00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446e00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0100. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0100. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0400. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0400. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0700. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0700. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0900. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0900. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0b00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0b00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0e00. ath9k_hif_usb_reg_in_cb, 714
haley: catch if null, urb 0xffff8881c4bd0e00. ath9k_hif_usb_reg_in_cb, 718
haley: catch dev null, urb 0xffff8881ce6d3d00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881ce6d3d00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446000. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446000. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446600. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446600. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446a00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446a00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446c00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446c00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446f00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446f00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0300. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0300. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0600. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0600. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0c00. ath9k_hif_usb_reg_in_cb, 714
haley: catch if null, urb 0xffff8881c4bd0c00. ath9k_hif_usb_reg_in_cb, 718
haley: catch dev null, urb 0xffff8881d2446800. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446800. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446b00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446b00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446e00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446e00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0100. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0100. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0400. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0400. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0700. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0700. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0900. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0900. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0b00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0b00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0e00. ath9k_hif_usb_reg_in_cb, 714
haley: catch if null, urb 0xffff8881c4bd0e00. ath9k_hif_usb_reg_in_cb, 718
haley: catch dev null, urb 0xffff8881ce6d3d00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881ce6d3d00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446000. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446000. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446600. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446600. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446a00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446a00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446c00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446c00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446f00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446f00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0300. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0300. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0600. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0600. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0c00. ath9k_hif_usb_reg_in_cb, 714
haley: catch if null, urb 0xffff8881c4bd0c00. ath9k_hif_usb_reg_in_cb, 718
haley: catch dev null, urb 0xffff8881d2446800. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446800. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446b00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446b00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446e00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446e00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0100. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0100. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0400. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0400. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0700. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0700. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0900. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0900. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0b00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0b00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0e00. ath9k_hif_usb_reg_in_cb, 714
haley: catch if null, urb 0xffff8881c4bd0e00. ath9k_hif_usb_reg_in_cb, 718
haley: catch dev null, urb 0xffff8881ce6d3d00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881ce6d3d00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446000. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446000. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446600. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446600. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446a00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446a00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446c00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446c00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446f00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446f00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0300. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0300. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0600. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0600. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0c00. ath9k_hif_usb_reg_in_cb, 714
haley: catch if null, urb 0xffff8881c4bd0c00. ath9k_hif_usb_reg_in_cb, 718
haley: catch dev null, urb 0xffff8881d2446800. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446800. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446b00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446b00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446e00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446e00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0100. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0100. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0400. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0400. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0700. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0700. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0900. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0900. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0b00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0b00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0e00. ath9k_hif_usb_reg_in_cb, 714
haley: catch if null, urb 0xffff8881c4bd0e00. ath9k_hif_usb_reg_in_cb, 718
haley: catch dev null, urb 0xffff8881ce6d3d00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881ce6d3d00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446000. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446000. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446600. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446600. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446a00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446a00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446c00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446c00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446f00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446f00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0300. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0300. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0600. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0600. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0c00. ath9k_hif_usb_reg_in_cb, 714
haley: catch if null, urb 0xffff8881c4bd0c00. ath9k_hif_usb_reg_in_cb, 718
haley: catch dev null, urb 0xffff8881d2446800. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446800. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446b00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446b00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446e00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446e00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0100. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0100. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0400. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0400. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0700. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0700. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0900. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0900. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0b00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0b00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0e00. ath9k_hif_usb_reg_in_cb, 714
haley: catch if null, urb 0xffff8881c4bd0e00. ath9k_hif_usb_reg_in_cb, 718
haley: catch dev null, urb 0xffff8881ce6d3d00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881ce6d3d00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446000. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446000. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446600. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446600. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446a00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446a00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446c00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446c00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446f00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446f00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0300. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0300. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0600. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0600. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0c00. ath9k_hif_usb_reg_in_cb, 714
haley: catch if null, urb 0xffff8881c4bd0c00. ath9k_hif_usb_reg_in_cb, 718
haley: catch dev null, urb 0xffff8881d2446800. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446800. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446b00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446b00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446e00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446e00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0100. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0100. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0400. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0400. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0700. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0700. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0900. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0900. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0b00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0b00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0e00. ath9k_hif_usb_reg_in_cb, 714
haley: catch if null, urb 0xffff8881c4bd0e00. ath9k_hif_usb_reg_in_cb, 718
haley: catch dev null, urb 0xffff8881ce6d3d00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881ce6d3d00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446000. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446000. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446600. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446600. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446a00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446a00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446c00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446c00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446f00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446f00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0300. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0300. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0600. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0600. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0c00. ath9k_hif_usb_reg_in_cb, 714
haley: catch if null, urb 0xffff8881c4bd0c00. ath9k_hif_usb_reg_in_cb, 718
haley: catch dev null, urb 0xffff8881d2446800. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446800. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446b00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446b00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446e00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446e00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0100. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0100. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0400. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0400. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0700. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0700. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0900. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0900. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0b00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0b00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0e00. ath9k_hif_usb_reg_in_cb, 714
haley: catch if null, urb 0xffff8881c4bd0e00. ath9k_hif_usb_reg_in_cb, 718
haley: catch dev null, urb 0xffff8881ce6d3d00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881ce6d3d00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446000. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446000. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446600. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446600. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446a00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446a00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446c00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446c00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446f00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446f00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0300. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0300. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0600. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0600. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0c00. ath9k_hif_usb_reg_in_cb, 714
haley: catch if null, urb 0xffff8881c4bd0c00. ath9k_hif_usb_reg_in_cb, 718
haley: catch dev null, urb 0xffff8881d2446800. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446800. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446b00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446b00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446e00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446e00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0100. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0100. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0400. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0400. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0700. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0700. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0900. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0900. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0b00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0b00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0e00. ath9k_hif_usb_reg_in_cb, 714
haley: catch if null, urb 0xffff8881c4bd0e00. ath9k_hif_usb_reg_in_cb, 718
haley: catch dev null, urb 0xffff8881ce6d3d00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881ce6d3d00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446000. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446000. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446600. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446600. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446a00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446a00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446c00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446c00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446f00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446f00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0300. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0300. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0600. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0600. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0c00. ath9k_hif_usb_reg_in_cb, 714
haley: catch if null, urb 0xffff8881c4bd0c00. ath9k_hif_usb_reg_in_cb, 718
haley: catch dev null, urb 0xffff8881d2446800. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446800. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446b00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446b00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446e00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446e00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0100. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0100. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0400. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0400. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0700. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0700. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0900. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0900. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0b00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0b00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0e00. ath9k_hif_usb_reg_in_cb, 714
haley: catch if null, urb 0xffff8881c4bd0e00. ath9k_hif_usb_reg_in_cb, 718
haley: catch dev null, urb 0xffff8881ce6d3d00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881ce6d3d00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446000. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446000. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446600. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446600. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446a00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446a00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446c00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446c00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446f00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446f00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0300. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0300. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0600. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0600. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0c00. ath9k_hif_usb_reg_in_cb, 714
haley: catch if null, urb 0xffff8881c4bd0c00. ath9k_hif_usb_reg_in_cb, 718
haley: catch dev null, urb 0xffff8881d2446800. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446800. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446b00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446b00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446e00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446e00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0100. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0100. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0400. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0400. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0700. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0700. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0900. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0900. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0b00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0b00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0e00. ath9k_hif_usb_reg_in_cb, 714
haley: catch if null, urb 0xffff8881c4bd0e00. ath9k_hif_usb_reg_in_cb, 718
haley: catch dev null, urb 0xffff8881ce6d3d00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881ce6d3d00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446000. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446000. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446600. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446600. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446a00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446a00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446c00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446c00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446f00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446f00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0300. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0300. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0600. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0600. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0c00. ath9k_hif_usb_reg_in_cb, 714
haley: catch if null, urb 0xffff8881c4bd0c00. ath9k_hif_usb_reg_in_cb, 718
haley: catch dev null, urb 0xffff8881d2446800. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446800. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446b00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446b00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446e00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446e00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0100. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0100. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0400. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0400. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0700. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0700. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0900. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0900. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0b00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0b00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0e00. ath9k_hif_usb_reg_in_cb, 714
haley: catch if null, urb 0xffff8881c4bd0e00. ath9k_hif_usb_reg_in_cb, 718
haley: catch dev null, urb 0xffff8881ce6d3d00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881ce6d3d00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446000. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446000. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446600. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446600. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446a00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446a00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446c00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446c00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446f00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446f00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0300. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0300. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0600. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0600. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0c00. ath9k_hif_usb_reg_in_cb, 714
haley: catch if null, urb 0xffff8881c4bd0c00. ath9k_hif_usb_reg_in_cb, 718
haley: catch dev null, urb 0xffff8881d2446800. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446800. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446b00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446b00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446e00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446e00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0100. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0100. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0400. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0400. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0700. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0700. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0900. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0900. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0b00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0b00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0e00. ath9k_hif_usb_reg_in_cb, 714
haley: catch if null, urb 0xffff8881c4bd0e00. ath9k_hif_usb_reg_in_cb, 718
haley: catch dev null, urb 0xffff8881ce6d3d00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881ce6d3d00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446000. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446000. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446600. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446600. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446a00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446a00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446c00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446c00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446f00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446f00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0300. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0300. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0600. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0600. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0c00. ath9k_hif_usb_reg_in_cb, 714
haley: catch if null, urb 0xffff8881c4bd0c00. ath9k_hif_usb_reg_in_cb, 718
haley: catch dev null, urb 0xffff8881d2446800. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446800. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446b00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446b00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446e00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446e00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0100. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0100. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0400. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0400. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0700. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0700. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0900. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0900. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0b00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0b00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0e00. ath9k_hif_usb_reg_in_cb, 714
haley: catch if null, urb 0xffff8881c4bd0e00. ath9k_hif_usb_reg_in_cb, 718
haley: catch dev null, urb 0xffff8881ce6d3d00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881ce6d3d00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446000. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446000. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446600. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446600. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446a00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446a00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446c00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446c00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881d2446f00. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446f00. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0300. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0300. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0600. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881c4bd0600. ath9k_hif_usb_rx_cb, 662
haley: catch dev null, urb 0xffff8881c4bd0c00. ath9k_hif_usb_reg_in_cb, 714
haley: catch if null, urb 0xffff8881c4bd0c00. ath9k_hif_usb_reg_in_cb, 718
haley: catch dev null, urb 0xffff8881d2446800. ath9k_hif_usb_rx_cb, 658
haley: catch if null, urb 0xffff8881d2446800. ath9k_hif_usb_rx_cb, 662
Tested on:
commit: 0fa84af8 Merge tag 'usb-serial-5.7-rc1' of https://git.ker..
git tree: https://github.com/google/kasan.git usb-fuzzer
kernel config: https://syzkaller.appspot.com/x/.config?x=a782c087b1f425c6
dashboard link: https://syzkaller.appspot.com/bug?extid=5d338854440137ea0fef
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=170fcb93e00000
dashboard link: https://syzkaller.appspot.com/bug?extid=5d338854440137ea0fef
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syzbot
Apr 3, 2020, 1:10:05 PM4/3/20
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger crash:
Reported-and-tested-by: syzbot+5d3388...@syzkaller.appspotmail.com
Tested on:
commit: 0fa84af8 Merge tag 'usb-serial-5.7-rc1' of https://git.ker..
git tree: https://github.com/google/kasan.git usb-fuzzer
Note: testing is done by a robot and is best-effort only.
syzbot has tested the proposed patch and the reproducer did not trigger crash:
Reported-and-tested-by: syzbot+5d3388...@syzkaller.appspotmail.com
Tested on:
commit: 0fa84af8 Merge tag 'usb-serial-5.7-rc1' of https://git.ker..
git tree: https://github.com/google/kasan.git usb-fuzzer
kernel config: https://syzkaller.appspot.com/x/.config?x=a782c087b1f425c6
dashboard link: https://syzkaller.appspot.com/bug?extid=5d338854440137ea0fef
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=15e0d8afe00000
dashboard link: https://syzkaller.appspot.com/bug?extid=5d338854440137ea0fef
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Note: testing is done by a robot and is best-effort only.
syzbot
Apr 3, 2020, 5:13:05 PM4/3/20
to andre...@google.com, anen...@gmail.com, ath9k...@qca.qualcomm.com, da...@davemloft.net, kv...@codeaurora.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, linux-w...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer still triggered crash:
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.6.0-rc7-syzkaller #0
ath9k_hif_usb_reg_in_cb+0x1a6/0x620 drivers/net/wireless/ath/ath9k/hif_usb.c:724
RSP: 0018:ffff8881da22fda8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000007 RBX: ffff8881da213100 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffff8881da21394c
RBP: ffffed103b442620 R08: ffff8881da213100 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
R13: 0000000000000001 R14: ffffffff87e61300 R15: 0000000000000000
secondary_startup_64+0xb6/0xc0 arch/x86/kernel/head_64.S:242
Allocated by task 157:
ath9k_hif_usb_firmware_cb+0x26b/0x500 drivers/net/wireless/ath/ath9k/hif_usb.c:1218
ath9k_hif_usb_firmware_cb+0x26b/0x500 drivers/net/wireless/ath/ath9k/hif_usb.c:1218
ffff8881cf89f080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881cf89f100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881cf89f180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881cf89f200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: 0fa84af8 Merge tag 'usb-serial-5.7-rc1' of https://git.ker..
git tree: https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=139f3b1fe00000
syzbot has tested the proposed patch but the reproducer still triggered crash:
KASAN: use-after-free Read in ath9k_wmi_ctrl_rx
==================================================================
BUG: KASAN: use-after-free in ath9k_wmi_ctrl_rx+0x416/0x500 drivers/net/wireless/ath/ath9k/wmi.c:229
Read of size 1 at addr ffff8881cf89f17c by task swapper/1/0
==================================================================
BUG: KASAN: use-after-free in ath9k_wmi_ctrl_rx+0x416/0x500 drivers/net/wireless/ath/ath9k/wmi.c:229
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.6.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xef/0x16e lib/dump_stack.c:118
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xef/0x16e lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd3/0x314 mm/kasan/report.c:374
__kasan_report.cold+0x37/0x77 mm/kasan/report.c:506
kasan_report+0xe/0x20 mm/kasan/common.c:641
ath9k_wmi_ctrl_rx+0x416/0x500 drivers/net/wireless/ath/ath9k/wmi.c:229
ath9k_htc_rx_msg+0x2d9/0xb00 drivers/net/wireless/ath/ath9k/htc_hst.c:459
__kasan_report.cold+0x37/0x77 mm/kasan/report.c:506
kasan_report+0xe/0x20 mm/kasan/common.c:641
ath9k_wmi_ctrl_rx+0x416/0x500 drivers/net/wireless/ath/ath9k/wmi.c:229
ath9k_hif_usb_reg_in_cb+0x1a6/0x620 drivers/net/wireless/ath/ath9k/hif_usb.c:724
__usb_hcd_giveback_urb+0x1f2/0x470 drivers/usb/core/hcd.c:1648
usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1713
dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1713
dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
expire_timers kernel/time/timer.c:1449 [inline]
__run_timers kernel/time/timer.c:1773 [inline]
__run_timers kernel/time/timer.c:1740 [inline]
run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786
__do_softirq+0x21e/0x950 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x178/0x1a0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:546 [inline]
smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1146
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
</IRQ>
expire_timers kernel/time/timer.c:1449 [inline]
__run_timers kernel/time/timer.c:1773 [inline]
__run_timers kernel/time/timer.c:1740 [inline]
run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786
__do_softirq+0x21e/0x950 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x178/0x1a0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:546 [inline]
smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1146
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
</IRQ>
RIP: 0010:default_idle+0x28/0x300 arch/x86/kernel/process.c:696
Code: cc cc 41 56 41 55 65 44 8b 2d 04 3b 72 7a 41 54 55 53 0f 1f 44 00 00 e8 b6 27 b5 fb e9 07 00 00 00 0f 00 2d aa d0 52 00 fb f4 <65> 44 8b 2d e0 3a 72 7a 0f 1f 44 00 00 5b 5d 41 5c 41 5d 41 5e c3
RSP: 0018:ffff8881da22fda8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000007 RBX: ffff8881da213100 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffff8881da21394c
RBP: ffffed103b442620 R08: ffff8881da213100 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
R13: 0000000000000001 R14: ffffffff87e61300 R15: 0000000000000000
cpuidle_idle_call kernel/sched/idle.c:154 [inline]
do_idle+0x3e0/0x500 kernel/sched/idle.c:269
cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:361
start_secondary+0x2a4/0x390 arch/x86/kernel/smpboot.c:264
do_idle+0x3e0/0x500 kernel/sched/idle.c:269
cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:361
secondary_startup_64+0xb6/0xc0 arch/x86/kernel/head_64.S:242
Allocated by task 157:
save_stack+0x1b/0x80 mm/kasan/common.c:72
set_track mm/kasan/common.c:80 [inline]
__kasan_kmalloc mm/kasan/common.c:515 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:488
kmalloc include/linux/slab.h:555 [inline]
kzalloc include/linux/slab.h:669 [inline]
ath9k_init_wmi+0x40/0x310 drivers/net/wireless/ath/ath9k/wmi.c:95
ath9k_htc_probe_device+0x21c/0x1d80 drivers/net/wireless/ath/ath9k/htc_drv_init.c:953
ath9k_htc_hw_init+0x31/0x60 drivers/net/wireless/ath/ath9k/htc_hst.c:501
set_track mm/kasan/common.c:80 [inline]
__kasan_kmalloc mm/kasan/common.c:515 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:488
kmalloc include/linux/slab.h:555 [inline]
kzalloc include/linux/slab.h:669 [inline]
ath9k_init_wmi+0x40/0x310 drivers/net/wireless/ath/ath9k/wmi.c:95
ath9k_htc_probe_device+0x21c/0x1d80 drivers/net/wireless/ath/ath9k/htc_drv_init.c:953
ath9k_hif_usb_firmware_cb+0x26b/0x500 drivers/net/wireless/ath/ath9k/hif_usb.c:1218
request_firmware_work_func+0x126/0x242 drivers/base/firmware_loader/main.c:976
process_one_work+0x94b/0x1620 kernel/workqueue.c:2266
worker_thread+0x96/0xe20 kernel/workqueue.c:2412
process_one_work+0x94b/0x1620 kernel/workqueue.c:2266
worker_thread+0x96/0xe20 kernel/workqueue.c:2412
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
Freed by task 157:
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
save_stack+0x1b/0x80 mm/kasan/common.c:72
set_track mm/kasan/common.c:80 [inline]
kasan_set_free_info mm/kasan/common.c:337 [inline]
__kasan_slab_free+0x117/0x160 mm/kasan/common.c:476
set_track mm/kasan/common.c:80 [inline]
kasan_set_free_info mm/kasan/common.c:337 [inline]
__kasan_slab_free+0x117/0x160 mm/kasan/common.c:476
slab_free_hook mm/slub.c:1444 [inline]
slab_free_freelist_hook mm/slub.c:1477 [inline]
slab_free mm/slub.c:3034 [inline]
slab_free_freelist_hook mm/slub.c:1477 [inline]
slab_free mm/slub.c:3034 [inline]
kfree+0xd5/0x300 mm/slub.c:3995
ath9k_htc_probe_device+0x278/0x1d80 drivers/net/wireless/ath/ath9k/htc_drv_init.c:970
ath9k_htc_hw_init+0x31/0x60 drivers/net/wireless/ath/ath9k/htc_hst.c:501
ath9k_htc_probe_device+0x278/0x1d80 drivers/net/wireless/ath/ath9k/htc_drv_init.c:970
ath9k_hif_usb_firmware_cb+0x26b/0x500 drivers/net/wireless/ath/ath9k/hif_usb.c:1218
request_firmware_work_func+0x126/0x242 drivers/base/firmware_loader/main.c:976
process_one_work+0x94b/0x1620 kernel/workqueue.c:2266
worker_thread+0x96/0xe20 kernel/workqueue.c:2412
process_one_work+0x94b/0x1620 kernel/workqueue.c:2266
worker_thread+0x96/0xe20 kernel/workqueue.c:2412
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
The buggy address belongs to the object at ffff8881cf89f000
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 380 bytes inside of
2048-byte region [ffff8881cf89f000, ffff8881cf89f800)
The buggy address is located 380 bytes inside of
The buggy address belongs to the page:
page:ffffea00073e2600 refcount:1 mapcount:0 mapping:ffff8881da00c000 index:0x0 compound_mapcount: 0
flags: 0x200000000010200(slab|head)
raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da00c000
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8881cf89f000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da00c000
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8881cf89f080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881cf89f100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881cf89f180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881cf89f200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: 0fa84af8 Merge tag 'usb-serial-5.7-rc1' of https://git.ker..
git tree: https://github.com/google/kasan.git usb-fuzzer
kernel config: https://syzkaller.appspot.com/x/.config?x=a782c087b1f425c6
dashboard link: https://syzkaller.appspot.com/bug?extid=5d338854440137ea0fef
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=17e22ac7e00000
dashboard link: https://syzkaller.appspot.com/bug?extid=5d338854440137ea0fef
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syzbot
Apr 3, 2020, 6:55:05 PM4/3/20
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer still triggered crash:
KASAN: use-after-free Read in ath9k_wmi_ctrl_rx
==================================================================
BUG: KASAN: use-after-free in ath9k_wmi_ctrl_rx+0x416/0x500 drivers/net/wireless/ath/ath9k/wmi.c:231
syzbot has tested the proposed patch but the reproducer still triggered crash:
KASAN: use-after-free Read in ath9k_wmi_ctrl_rx
==================================================================
Read of size 1 at addr ffff8881d42d217c by task swapper/0/0
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.6.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xef/0x16e lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd3/0x314 mm/kasan/report.c:374
__kasan_report.cold+0x37/0x77 mm/kasan/report.c:506
kasan_report+0xe/0x20 mm/kasan/common.c:641
ath9k_wmi_ctrl_rx+0x416/0x500 drivers/net/wireless/ath/ath9k/wmi.c:231
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xef/0x16e lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd3/0x314 mm/kasan/report.c:374
__kasan_report.cold+0x37/0x77 mm/kasan/report.c:506
kasan_report+0xe/0x20 mm/kasan/common.c:641
ath9k_htc_rx_msg+0x2d9/0xb00 drivers/net/wireless/ath/ath9k/htc_hst.c:459
ath9k_hif_usb_reg_in_cb+0x1a6/0x620 drivers/net/wireless/ath/ath9k/hif_usb.c:724
__usb_hcd_giveback_urb+0x1f2/0x470 drivers/usb/core/hcd.c:1648
usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1713
dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
expire_timers kernel/time/timer.c:1449 [inline]
__run_timers kernel/time/timer.c:1773 [inline]
__run_timers kernel/time/timer.c:1740 [inline]
run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786
__do_softirq+0x21e/0x950 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x178/0x1a0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:546 [inline]
smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1146
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
</IRQ>
RIP: 0010:default_idle+0x28/0x300 arch/x86/kernel/process.c:696
Code: cc cc 41 56 41 55 65 44 8b 2d 04 3b 72 7a 41 54 55 53 0f 1f 44 00 00 e8 b6 27 b5 fb e9 07 00 00 00 0f 00 2d aa d0 52 00 fb f4 <65> 44 8b 2d e0 3a 72 7a 0f 1f 44 00 00 5b 5d 41 5c 41 5d 41 5e c3
ath9k_hif_usb_reg_in_cb+0x1a6/0x620 drivers/net/wireless/ath/ath9k/hif_usb.c:724
__usb_hcd_giveback_urb+0x1f2/0x470 drivers/usb/core/hcd.c:1648
usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1713
dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
expire_timers kernel/time/timer.c:1449 [inline]
__run_timers kernel/time/timer.c:1773 [inline]
__run_timers kernel/time/timer.c:1740 [inline]
run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786
__do_softirq+0x21e/0x950 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x178/0x1a0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:546 [inline]
smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1146
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
</IRQ>
RIP: 0010:default_idle+0x28/0x300 arch/x86/kernel/process.c:696
Code: cc cc 41 56 41 55 65 44 8b 2d 04 3b 72 7a 41 54 55 53 0f 1f 44 00 00 e8 b6 27 b5 fb e9 07 00 00 00 0f 00 2d aa d0 52 00 fb f4 <65> 44 8b 2d e0 3a 72 7a 0f 1f 44 00 00 5b 5d 41 5c 41 5d 41 5e c3
RSP: 0018:ffffffff87007d80 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000007 RBX: ffffffff8702cc40 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffffffff8702d48c
RBP: fffffbfff0e05988 R08: ffffffff8702cc40 R09: 0000000000000000
RAX: 0000000000000007 RBX: ffffffff8702cc40 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffffffff8702d48c
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: ffffffff87e61300 R15: 0000000000000000
cpuidle_idle_call kernel/sched/idle.c:154 [inline]
do_idle+0x3e0/0x500 kernel/sched/idle.c:269
cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:361
start_kernel+0xe16/0xe5a init/main.c:998
do_idle+0x3e0/0x500 kernel/sched/idle.c:269
cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:361
secondary_startup_64+0xb6/0xc0 arch/x86/kernel/head_64.S:242
Allocated by task 12:
save_stack+0x1b/0x80 mm/kasan/common.c:72
set_track mm/kasan/common.c:80 [inline]
__kasan_kmalloc mm/kasan/common.c:515 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:488
kmalloc include/linux/slab.h:555 [inline]
kzalloc include/linux/slab.h:669 [inline]
ath9k_init_wmi+0x40/0x310 drivers/net/wireless/ath/ath9k/wmi.c:95
ath9k_htc_probe_device+0x21c/0x1d80 drivers/net/wireless/ath/ath9k/htc_drv_init.c:953
ath9k_htc_hw_init+0x31/0x60 drivers/net/wireless/ath/ath9k/htc_hst.c:501
ath9k_hif_usb_firmware_cb+0x26b/0x500 drivers/net/wireless/ath/ath9k/hif_usb.c:1218
request_firmware_work_func+0x126/0x242 drivers/base/firmware_loader/main.c:976
process_one_work+0x94b/0x1620 kernel/workqueue.c:2266
worker_thread+0x96/0xe20 kernel/workqueue.c:2412
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
Freed by task 12:
set_track mm/kasan/common.c:80 [inline]
__kasan_kmalloc mm/kasan/common.c:515 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:488
kmalloc include/linux/slab.h:555 [inline]
kzalloc include/linux/slab.h:669 [inline]
ath9k_init_wmi+0x40/0x310 drivers/net/wireless/ath/ath9k/wmi.c:95
ath9k_htc_probe_device+0x21c/0x1d80 drivers/net/wireless/ath/ath9k/htc_drv_init.c:953
ath9k_htc_hw_init+0x31/0x60 drivers/net/wireless/ath/ath9k/htc_hst.c:501
ath9k_hif_usb_firmware_cb+0x26b/0x500 drivers/net/wireless/ath/ath9k/hif_usb.c:1218
request_firmware_work_func+0x126/0x242 drivers/base/firmware_loader/main.c:976
process_one_work+0x94b/0x1620 kernel/workqueue.c:2266
worker_thread+0x96/0xe20 kernel/workqueue.c:2412
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
save_stack+0x1b/0x80 mm/kasan/common.c:72
set_track mm/kasan/common.c:80 [inline]
kasan_set_free_info mm/kasan/common.c:337 [inline]
__kasan_slab_free+0x117/0x160 mm/kasan/common.c:476
slab_free_hook mm/slub.c:1444 [inline]
slab_free_freelist_hook mm/slub.c:1477 [inline]
slab_free mm/slub.c:3034 [inline]
kfree+0xd5/0x300 mm/slub.c:3995
ath9k_htc_probe_device+0x278/0x1d80 drivers/net/wireless/ath/ath9k/htc_drv_init.c:970
ath9k_htc_hw_init+0x31/0x60 drivers/net/wireless/ath/ath9k/htc_hst.c:501
ath9k_hif_usb_firmware_cb+0x26b/0x500 drivers/net/wireless/ath/ath9k/hif_usb.c:1218
request_firmware_work_func+0x126/0x242 drivers/base/firmware_loader/main.c:976
process_one_work+0x94b/0x1620 kernel/workqueue.c:2266
worker_thread+0x96/0xe20 kernel/workqueue.c:2412
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
The buggy address belongs to the object at ffff8881d42d2000
set_track mm/kasan/common.c:80 [inline]
kasan_set_free_info mm/kasan/common.c:337 [inline]
__kasan_slab_free+0x117/0x160 mm/kasan/common.c:476
slab_free_hook mm/slub.c:1444 [inline]
slab_free_freelist_hook mm/slub.c:1477 [inline]
slab_free mm/slub.c:3034 [inline]
kfree+0xd5/0x300 mm/slub.c:3995
ath9k_htc_probe_device+0x278/0x1d80 drivers/net/wireless/ath/ath9k/htc_drv_init.c:970
ath9k_htc_hw_init+0x31/0x60 drivers/net/wireless/ath/ath9k/htc_hst.c:501
ath9k_hif_usb_firmware_cb+0x26b/0x500 drivers/net/wireless/ath/ath9k/hif_usb.c:1218
request_firmware_work_func+0x126/0x242 drivers/base/firmware_loader/main.c:976
process_one_work+0x94b/0x1620 kernel/workqueue.c:2266
worker_thread+0x96/0xe20 kernel/workqueue.c:2412
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 380 bytes inside of
2048-byte region [ffff8881d42d2000, ffff8881d42d2800)
The buggy address is located 380 bytes inside of
The buggy address belongs to the page:
page:ffffea000750b400 refcount:1 mapcount:0 mapping:ffff8881da00c000 index:0x0 compound_mapcount: 0
flags: 0x200000000010200(slab|head)
raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da00c000
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8881d42d2000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da00c000
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8881d42d2080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881d42d2100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881d42d2180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881d42d2200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: 0fa84af8 Merge tag 'usb-serial-5.7-rc1' of https://git.ker..
git tree: https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=161fdacde00000
Tested on:
commit: 0fa84af8 Merge tag 'usb-serial-5.7-rc1' of https://git.ker..
git tree: https://github.com/google/kasan.git usb-fuzzer
kernel config: https://syzkaller.appspot.com/x/.config?x=a782c087b1f425c6
dashboard link: https://syzkaller.appspot.com/bug?extid=5d338854440137ea0fef
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=1132abdbe00000
dashboard link: https://syzkaller.appspot.com/bug?extid=5d338854440137ea0fef
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syzbot
Apr 3, 2020, 7:23:05 PM4/3/20
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer still triggered crash:
KASAN: use-after-free Read in ath9k_wmi_ctrl_rx
==================================================================
BUG: KASAN: use-after-free in ath9k_wmi_ctrl_rx+0x416/0x500 drivers/net/wireless/ath/ath9k/wmi.c:235
syzbot has tested the proposed patch but the reproducer still triggered crash:
KASAN: use-after-free Read in ath9k_wmi_ctrl_rx
==================================================================
Read of size 1 at addr ffff8881d2a6b17c by task swapper/0/0
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.6.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xef/0x16e lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd3/0x314 mm/kasan/report.c:374
__kasan_report.cold+0x37/0x77 mm/kasan/report.c:506
kasan_report+0xe/0x20 mm/kasan/common.c:641
ath9k_htc_rx_msg+0x2d9/0xb00 drivers/net/wireless/ath/ath9k/htc_hst.c:459
ath9k_hif_usb_reg_in_cb+0x1a6/0x620 drivers/net/wireless/ath/ath9k/hif_usb.c:724
__usb_hcd_giveback_urb+0x1f2/0x470 drivers/usb/core/hcd.c:1648
usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1713
dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
expire_timers kernel/time/timer.c:1449 [inline]
__run_timers kernel/time/timer.c:1773 [inline]
__run_timers kernel/time/timer.c:1740 [inline]
run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786
__do_softirq+0x21e/0x950 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x178/0x1a0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:546 [inline]
smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1146
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
</IRQ>
RIP: 0010:default_idle+0x28/0x300 arch/x86/kernel/process.c:696
Code: cc cc 41 56 41 55 65 44 8b 2d 04 3b 72 7a 41 54 55 53 0f 1f 44 00 00 e8 b6 27 b5 fb e9 07 00 00 00 0f 00 2d aa d0 52 00 fb f4 <65> 44 8b 2d e0 3a 72 7a 0f 1f 44 00 00 5b 5d 41 5c 41 5d 41 5e c3
RSP: 0018:ffffffff87007d80 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000007 RBX: ffffffff8702cc40 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffffffff8702d48c
RBP: fffffbfff0e05988 R08: ffffffff8702cc40 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: ffffffff87e61480 R15: 0000000000000000
ath9k_hif_usb_reg_in_cb+0x1a6/0x620 drivers/net/wireless/ath/ath9k/hif_usb.c:724
__usb_hcd_giveback_urb+0x1f2/0x470 drivers/usb/core/hcd.c:1648
usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1713
dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
expire_timers kernel/time/timer.c:1449 [inline]
__run_timers kernel/time/timer.c:1773 [inline]
__run_timers kernel/time/timer.c:1740 [inline]
run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786
__do_softirq+0x21e/0x950 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x178/0x1a0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:546 [inline]
smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1146
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
</IRQ>
RIP: 0010:default_idle+0x28/0x300 arch/x86/kernel/process.c:696
Code: cc cc 41 56 41 55 65 44 8b 2d 04 3b 72 7a 41 54 55 53 0f 1f 44 00 00 e8 b6 27 b5 fb e9 07 00 00 00 0f 00 2d aa d0 52 00 fb f4 <65> 44 8b 2d e0 3a 72 7a 0f 1f 44 00 00 5b 5d 41 5c 41 5d 41 5e c3
RSP: 0018:ffffffff87007d80 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000007 RBX: ffffffff8702cc40 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffffffff8702d48c
RBP: fffffbfff0e05988 R08: ffffffff8702cc40 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
cpuidle_idle_call kernel/sched/idle.c:154 [inline]
do_idle+0x3e0/0x500 kernel/sched/idle.c:269
cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:361
start_kernel+0xe16/0xe5a init/main.c:998
secondary_startup_64+0xb6/0xc0 arch/x86/kernel/head_64.S:242
Allocated by task 12:
save_stack+0x1b/0x80 mm/kasan/common.c:72
set_track mm/kasan/common.c:80 [inline]
__kasan_kmalloc mm/kasan/common.c:515 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:488
kmalloc include/linux/slab.h:555 [inline]
kzalloc include/linux/slab.h:669 [inline]
ath9k_init_wmi+0x40/0x310 drivers/net/wireless/ath/ath9k/wmi.c:95
ath9k_htc_probe_device+0x21b/0x300 drivers/net/wireless/ath/ath9k/htc_drv_init.c:953
do_idle+0x3e0/0x500 kernel/sched/idle.c:269
cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:361
start_kernel+0xe16/0xe5a init/main.c:998
secondary_startup_64+0xb6/0xc0 arch/x86/kernel/head_64.S:242
Allocated by task 12:
save_stack+0x1b/0x80 mm/kasan/common.c:72
set_track mm/kasan/common.c:80 [inline]
__kasan_kmalloc mm/kasan/common.c:515 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:488
kmalloc include/linux/slab.h:555 [inline]
kzalloc include/linux/slab.h:669 [inline]
ath9k_init_wmi+0x40/0x310 drivers/net/wireless/ath/ath9k/wmi.c:95
ath9k_htc_hw_init+0x31/0x60 drivers/net/wireless/ath/ath9k/htc_hst.c:501
ath9k_hif_usb_firmware_cb+0x26b/0x500 drivers/net/wireless/ath/ath9k/hif_usb.c:1218
request_firmware_work_func+0x126/0x242 drivers/base/firmware_loader/main.c:976
process_one_work+0x94b/0x1620 kernel/workqueue.c:2266
worker_thread+0x96/0xe20 kernel/workqueue.c:2412
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
Freed by task 12:
save_stack+0x1b/0x80 mm/kasan/common.c:72
set_track mm/kasan/common.c:80 [inline]
kasan_set_free_info mm/kasan/common.c:337 [inline]
__kasan_slab_free+0x117/0x160 mm/kasan/common.c:476
slab_free_hook mm/slub.c:1444 [inline]
slab_free_freelist_hook mm/slub.c:1477 [inline]
slab_free mm/slub.c:3034 [inline]
kfree+0xd5/0x300 mm/slub.c:3995
ath9k_htc_probe_device.cold+0x46/0x20f0 drivers/net/wireless/ath/ath9k/htc_drv_init.c:975
ath9k_hif_usb_firmware_cb+0x26b/0x500 drivers/net/wireless/ath/ath9k/hif_usb.c:1218
request_firmware_work_func+0x126/0x242 drivers/base/firmware_loader/main.c:976
process_one_work+0x94b/0x1620 kernel/workqueue.c:2266
worker_thread+0x96/0xe20 kernel/workqueue.c:2412
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
Freed by task 12:
save_stack+0x1b/0x80 mm/kasan/common.c:72
set_track mm/kasan/common.c:80 [inline]
kasan_set_free_info mm/kasan/common.c:337 [inline]
__kasan_slab_free+0x117/0x160 mm/kasan/common.c:476
slab_free_hook mm/slub.c:1444 [inline]
slab_free_freelist_hook mm/slub.c:1477 [inline]
slab_free mm/slub.c:3034 [inline]
kfree+0xd5/0x300 mm/slub.c:3995
ath9k_htc_hw_init+0x31/0x60 drivers/net/wireless/ath/ath9k/htc_hst.c:501
ath9k_hif_usb_firmware_cb+0x26b/0x500 drivers/net/wireless/ath/ath9k/hif_usb.c:1218
request_firmware_work_func+0x126/0x242 drivers/base/firmware_loader/main.c:976
process_one_work+0x94b/0x1620 kernel/workqueue.c:2266
worker_thread+0x96/0xe20 kernel/workqueue.c:2412
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
The buggy address belongs to the object at ffff8881d2a6b000
ath9k_hif_usb_firmware_cb+0x26b/0x500 drivers/net/wireless/ath/ath9k/hif_usb.c:1218
request_firmware_work_func+0x126/0x242 drivers/base/firmware_loader/main.c:976
process_one_work+0x94b/0x1620 kernel/workqueue.c:2266
worker_thread+0x96/0xe20 kernel/workqueue.c:2412
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 380 bytes inside of
2048-byte region [ffff8881d2a6b000, ffff8881d2a6b800)
The buggy address is located 380 bytes inside of
The buggy address belongs to the page:
page:ffffea00074a9a00 refcount:1 mapcount:0 mapping:ffff8881da00c000 index:0x0 compound_mapcount: 0
flags: 0x200000000010200(slab|head)
raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da00c000
raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da00c000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8881d2a6b000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Memory state around the buggy address:
ffff8881d2a6b080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881d2a6b100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881d2a6b180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881d2a6b200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: 0fa84af8 Merge tag 'usb-serial-5.7-rc1' of https://git.ker..
git tree: https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=15756bb7e00000
Tested on:
commit: 0fa84af8 Merge tag 'usb-serial-5.7-rc1' of https://git.ker..
git tree: https://github.com/google/kasan.git usb-fuzzer
kernel config: https://syzkaller.appspot.com/x/.config?x=a782c087b1f425c6
dashboard link: https://syzkaller.appspot.com/bug?extid=5d338854440137ea0fef
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=1250441be00000
dashboard link: https://syzkaller.appspot.com/bug?extid=5d338854440137ea0fef
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syzbot
Apr 3, 2020, 7:44:05 PM4/3/20
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer still triggered crash:
KASAN: use-after-free Read in ath9k_wmi_ctrl_rx
==================================================================
BUG: KASAN: use-after-free in ath9k_wmi_ctrl_rx+0x416/0x500 drivers/net/wireless/ath/ath9k/wmi.c:235
Read of size 1 at addr ffff8881ce8ec17c by task swapper/1/0
syzbot has tested the proposed patch but the reproducer still triggered crash:
KASAN: use-after-free Read in ath9k_wmi_ctrl_rx
==================================================================
BUG: KASAN: use-after-free in ath9k_wmi_ctrl_rx+0x416/0x500 drivers/net/wireless/ath/ath9k/wmi.c:235
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.6.0-rc7-syzkaller #0
RSP: 0018:ffff8881da22fda8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000007 RBX: ffff8881da213100 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffff8881da21394c
RBP: ffffed103b442620 R08: ffff8881da213100 R09: 0000000000000000
RAX: 0000000000000007 RBX: ffff8881da213100 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffff8881da21394c
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
R13: 0000000000000001 R14: ffffffff87e61500 R15: 0000000000000000
cpuidle_idle_call kernel/sched/idle.c:154 [inline]
do_idle+0x3e0/0x500 kernel/sched/idle.c:269
cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:361
start_secondary+0x2a4/0x390 arch/x86/kernel/smpboot.c:264
do_idle+0x3e0/0x500 kernel/sched/idle.c:269
cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:361
secondary_startup_64+0xb6/0xc0 arch/x86/kernel/head_64.S:242
Allocated by task 286:
save_stack+0x1b/0x80 mm/kasan/common.c:72
set_track mm/kasan/common.c:80 [inline]
__kasan_kmalloc mm/kasan/common.c:515 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:488
kmalloc include/linux/slab.h:555 [inline]
kzalloc include/linux/slab.h:669 [inline]
ath9k_init_wmi+0x40/0x310 drivers/net/wireless/ath/ath9k/wmi.c:95
ath9k_htc_probe_device+0x21b/0x300 drivers/net/wireless/ath/ath9k/htc_drv_init.c:953
ath9k_htc_hw_init+0x31/0x60 drivers/net/wireless/ath/ath9k/htc_hst.c:501
ath9k_hif_usb_firmware_cb+0x26b/0x500 drivers/net/wireless/ath/ath9k/hif_usb.c:1218
request_firmware_work_func+0x126/0x242 drivers/base/firmware_loader/main.c:976
process_one_work+0x94b/0x1620 kernel/workqueue.c:2266
worker_thread+0x96/0xe20 kernel/workqueue.c:2412
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
Freed by task 286:
set_track mm/kasan/common.c:80 [inline]
__kasan_kmalloc mm/kasan/common.c:515 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:488
kmalloc include/linux/slab.h:555 [inline]
kzalloc include/linux/slab.h:669 [inline]
ath9k_init_wmi+0x40/0x310 drivers/net/wireless/ath/ath9k/wmi.c:95
ath9k_htc_probe_device+0x21b/0x300 drivers/net/wireless/ath/ath9k/htc_drv_init.c:953
ath9k_htc_hw_init+0x31/0x60 drivers/net/wireless/ath/ath9k/htc_hst.c:501
ath9k_hif_usb_firmware_cb+0x26b/0x500 drivers/net/wireless/ath/ath9k/hif_usb.c:1218
request_firmware_work_func+0x126/0x242 drivers/base/firmware_loader/main.c:976
process_one_work+0x94b/0x1620 kernel/workqueue.c:2266
worker_thread+0x96/0xe20 kernel/workqueue.c:2412
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
save_stack+0x1b/0x80 mm/kasan/common.c:72
set_track mm/kasan/common.c:80 [inline]
kasan_set_free_info mm/kasan/common.c:337 [inline]
__kasan_slab_free+0x117/0x160 mm/kasan/common.c:476
slab_free_hook mm/slub.c:1444 [inline]
slab_free_freelist_hook mm/slub.c:1477 [inline]
slab_free mm/slub.c:3034 [inline]
kfree+0xd5/0x300 mm/slub.c:3995
ath9k_htc_probe_device.cold+0x53/0x2103 drivers/net/wireless/ath/ath9k/htc_drv_init.c:975
set_track mm/kasan/common.c:80 [inline]
kasan_set_free_info mm/kasan/common.c:337 [inline]
__kasan_slab_free+0x117/0x160 mm/kasan/common.c:476
slab_free_hook mm/slub.c:1444 [inline]
slab_free_freelist_hook mm/slub.c:1477 [inline]
slab_free mm/slub.c:3034 [inline]
kfree+0xd5/0x300 mm/slub.c:3995
ath9k_htc_hw_init+0x31/0x60 drivers/net/wireless/ath/ath9k/htc_hst.c:501
ath9k_hif_usb_firmware_cb+0x26b/0x500 drivers/net/wireless/ath/ath9k/hif_usb.c:1218
request_firmware_work_func+0x126/0x242 drivers/base/firmware_loader/main.c:976
process_one_work+0x94b/0x1620 kernel/workqueue.c:2266
worker_thread+0x96/0xe20 kernel/workqueue.c:2412
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
The buggy address belongs to the object at ffff8881ce8ec000
ath9k_hif_usb_firmware_cb+0x26b/0x500 drivers/net/wireless/ath/ath9k/hif_usb.c:1218
request_firmware_work_func+0x126/0x242 drivers/base/firmware_loader/main.c:976
process_one_work+0x94b/0x1620 kernel/workqueue.c:2266
worker_thread+0x96/0xe20 kernel/workqueue.c:2412
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 380 bytes inside of
2048-byte region [ffff8881ce8ec000, ffff8881ce8ec800)
The buggy address is located 380 bytes inside of
The buggy address belongs to the page:
page:ffffea00073a3a00 refcount:1 mapcount:0 mapping:ffff8881da00c000 index:0x0 compound_mapcount: 0
flags: 0x200000000010200(slab|head)
raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da00c000
raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8881ce8ec000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da00c000
raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8881ce8ec080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881ce8ec100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881ce8ec180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881ce8ec200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: 0fa84af8 Merge tag 'usb-serial-5.7-rc1' of https://git.ker..
git tree: https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=17781b1fe00000
Tested on:
commit: 0fa84af8 Merge tag 'usb-serial-5.7-rc1' of https://git.ker..
git tree: https://github.com/google/kasan.git usb-fuzzer
kernel config: https://syzkaller.appspot.com/x/.config?x=a782c087b1f425c6
dashboard link: https://syzkaller.appspot.com/bug?extid=5d338854440137ea0fef
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=17338bb7e00000
dashboard link: https://syzkaller.appspot.com/bug?extid=5d338854440137ea0fef
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syzbot
Apr 3, 2020, 8:14:06 PM4/3/20
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer still triggered crash:
KASAN: use-after-free Read in ath9k_wmi_ctrl_rx
==================================================================
BUG: KASAN: use-after-free in ath9k_wmi_ctrl_rx+0x416/0x500 drivers/net/wireless/ath/ath9k/wmi.c:235
Read of size 1 at addr ffff8881d33c817c by task kworker/0:7/3248
syzbot has tested the proposed patch but the reproducer still triggered crash:
KASAN: use-after-free Read in ath9k_wmi_ctrl_rx
==================================================================
BUG: KASAN: use-after-free in ath9k_wmi_ctrl_rx+0x416/0x500 drivers/net/wireless/ath/ath9k/wmi.c:235
CPU: 0 PID: 3248 Comm: kworker/0:7 Not tainted 5.6.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events request_firmware_work_func
RIP: 0010:unwind_next_frame+0x20c/0x19e0 arch/x86/kernel/unwind_orc.c:407
Code: 53 ff 39 d0 0f 83 91 04 00 00 48 ba 00 00 00 00 00 fc ff df 89 c6 48 8d 3c b5 78 76 89 88 49 89 f8 49 c1 e8 03 45 0f b6 04 10 <48> 89 fa 83 e2 07 83 c2 03 44 38 c2 7c 32 45 84 c0 74 2d 48 89 74
RSP: 0018:ffff8881cc6a7738 EFLAGS: 00000a07 ORIG_RAX: ffffffffffffff13
RAX: 0000000000002f45 RBX: ffff8881cc6a7810 RCX: ffffffff812f451b
RDX: dffffc0000000000 RSI: 0000000000002f45 RDI: ffffffff888a338c
RBP: 1ffff110398d4eef R08: 0000000000000000 R09: 0000000000000001
R10: 000000000000322d R11: 000000000004c01a R12: ffff8881cc6a7845
R13: ffff8881cc6a7860 R14: ffff8881cc6a7858 R15: 0000000000000001
arch_stack_walk+0x74/0xd0 arch/x86/kernel/stacktrace.c:25
stack_trace_save+0x8c/0xc0 kernel/stacktrace.c:123
save_stack+0x1b/0x80 mm/kasan/common.c:72
set_track mm/kasan/common.c:80 [inline]
__kasan_kmalloc mm/kasan/common.c:515 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:488
slab_post_alloc_hook mm/slab.h:584 [inline]
set_track mm/kasan/common.c:80 [inline]
__kasan_kmalloc mm/kasan/common.c:515 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:488
slab_alloc_node mm/slub.c:2786 [inline]
slab_alloc mm/slub.c:2794 [inline]
__kmalloc+0xfe/0x370 mm/slub.c:3837
kmalloc include/linux/slab.h:560 [inline]
usb_alloc_urb+0x65/0xb0 drivers/usb/core/urb.c:74
ath9k_hif_usb_alloc_reg_in_urbs drivers/net/wireless/ath/ath9k/hif_usb.c:929 [inline]
ath9k_hif_usb_alloc_urbs+0xb2c/0x1030 drivers/net/wireless/ath/ath9k/hif_usb.c:995
ath9k_hif_usb_dev_init drivers/net/wireless/ath/ath9k/hif_usb.c:1081 [inline]
ath9k_hif_usb_firmware_cb+0x142/0x500 drivers/net/wireless/ath/ath9k/hif_usb.c:1214
request_firmware_work_func+0x126/0x242 drivers/base/firmware_loader/main.c:976
process_one_work+0x94b/0x1620 kernel/workqueue.c:2266
worker_thread+0x96/0xe20 kernel/workqueue.c:2412
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
Allocated by task 173:
process_one_work+0x94b/0x1620 kernel/workqueue.c:2266
worker_thread+0x96/0xe20 kernel/workqueue.c:2412
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
save_stack+0x1b/0x80 mm/kasan/common.c:72
set_track mm/kasan/common.c:80 [inline]
__kasan_kmalloc mm/kasan/common.c:515 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:488
kmalloc include/linux/slab.h:555 [inline]
kzalloc include/linux/slab.h:669 [inline]
ath9k_init_wmi+0x40/0x310 drivers/net/wireless/ath/ath9k/wmi.c:95
ath9k_htc_probe_device+0x21b/0x300 drivers/net/wireless/ath/ath9k/htc_drv_init.c:953
ath9k_htc_hw_init+0x31/0x60 drivers/net/wireless/ath/ath9k/htc_hst.c:501
ath9k_hif_usb_firmware_cb+0x26b/0x500 drivers/net/wireless/ath/ath9k/hif_usb.c:1218
request_firmware_work_func+0x126/0x242 drivers/base/firmware_loader/main.c:976
process_one_work+0x94b/0x1620 kernel/workqueue.c:2266
worker_thread+0x96/0xe20 kernel/workqueue.c:2412
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
Freed by task 173:
set_track mm/kasan/common.c:80 [inline]
__kasan_kmalloc mm/kasan/common.c:515 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:488
kmalloc include/linux/slab.h:555 [inline]
kzalloc include/linux/slab.h:669 [inline]
ath9k_init_wmi+0x40/0x310 drivers/net/wireless/ath/ath9k/wmi.c:95
ath9k_htc_probe_device+0x21b/0x300 drivers/net/wireless/ath/ath9k/htc_drv_init.c:953
ath9k_htc_hw_init+0x31/0x60 drivers/net/wireless/ath/ath9k/htc_hst.c:501
ath9k_hif_usb_firmware_cb+0x26b/0x500 drivers/net/wireless/ath/ath9k/hif_usb.c:1218
request_firmware_work_func+0x126/0x242 drivers/base/firmware_loader/main.c:976
process_one_work+0x94b/0x1620 kernel/workqueue.c:2266
worker_thread+0x96/0xe20 kernel/workqueue.c:2412
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
save_stack+0x1b/0x80 mm/kasan/common.c:72
set_track mm/kasan/common.c:80 [inline]
kasan_set_free_info mm/kasan/common.c:337 [inline]
__kasan_slab_free+0x117/0x160 mm/kasan/common.c:476
slab_free_hook mm/slub.c:1444 [inline]
slab_free_freelist_hook mm/slub.c:1477 [inline]
slab_free mm/slub.c:3034 [inline]
kfree+0xd5/0x300 mm/slub.c:3995
ath9k_htc_probe_device.cold+0x53/0x2103 drivers/net/wireless/ath/ath9k/htc_drv_init.c:975
ath9k_htc_hw_init+0x31/0x60 drivers/net/wireless/ath/ath9k/htc_hst.c:501
ath9k_hif_usb_firmware_cb+0x26b/0x500 drivers/net/wireless/ath/ath9k/hif_usb.c:1218
request_firmware_work_func+0x126/0x242 drivers/base/firmware_loader/main.c:976
process_one_work+0x94b/0x1620 kernel/workqueue.c:2266
worker_thread+0x96/0xe20 kernel/workqueue.c:2412
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
The buggy address belongs to the object at ffff8881d33c8000
set_track mm/kasan/common.c:80 [inline]
kasan_set_free_info mm/kasan/common.c:337 [inline]
__kasan_slab_free+0x117/0x160 mm/kasan/common.c:476
slab_free_hook mm/slub.c:1444 [inline]
slab_free_freelist_hook mm/slub.c:1477 [inline]
slab_free mm/slub.c:3034 [inline]
kfree+0xd5/0x300 mm/slub.c:3995
ath9k_htc_probe_device.cold+0x53/0x2103 drivers/net/wireless/ath/ath9k/htc_drv_init.c:975
ath9k_htc_hw_init+0x31/0x60 drivers/net/wireless/ath/ath9k/htc_hst.c:501
ath9k_hif_usb_firmware_cb+0x26b/0x500 drivers/net/wireless/ath/ath9k/hif_usb.c:1218
request_firmware_work_func+0x126/0x242 drivers/base/firmware_loader/main.c:976
process_one_work+0x94b/0x1620 kernel/workqueue.c:2266
worker_thread+0x96/0xe20 kernel/workqueue.c:2412
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 380 bytes inside of
2048-byte region [ffff8881d33c8000, ffff8881d33c8800)
The buggy address is located 380 bytes inside of
The buggy address belongs to the page:
page:ffffea00074cf200 refcount:1 mapcount:0 mapping:ffff8881da00c000 index:0x0 compound_mapcount: 0
flags: 0x200000000010200(slab|head)
raw: 0200000000010200 0000000000000000 0000000300000001 ffff8881da00c000
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8881d33c8000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Memory state around the buggy address:
ffff8881d33c8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881d33c8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881d33c8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881d33c8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: 0fa84af8 Merge tag 'usb-serial-5.7-rc1' of https://git.ker..
git tree: https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=10e27563e00000
Tested on:
commit: 0fa84af8 Merge tag 'usb-serial-5.7-rc1' of https://git.ker..
git tree: https://github.com/google/kasan.git usb-fuzzer
kernel config: https://syzkaller.appspot.com/x/.config?x=a782c087b1f425c6
dashboard link: https://syzkaller.appspot.com/bug?extid=5d338854440137ea0fef
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=16deb98fe00000
dashboard link: https://syzkaller.appspot.com/bug?extid=5d338854440137ea0fef
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syzbot
Apr 3, 2020, 8:36:05 PM4/3/20
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer still triggered crash:
KASAN: use-after-free Read in ath9k_wmi_ctrl_rx
==================================================================
BUG: KASAN: use-after-free in ath9k_wmi_ctrl_rx+0x416/0x500 drivers/net/wireless/ath/ath9k/wmi.c:235
Read of size 1 at addr ffff8881d4aad17c by task swapper/0/0
syzbot has tested the proposed patch but the reproducer still triggered crash:
KASAN: use-after-free Read in ath9k_wmi_ctrl_rx
==================================================================
BUG: KASAN: use-after-free in ath9k_wmi_ctrl_rx+0x416/0x500 drivers/net/wireless/ath/ath9k/wmi.c:235
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.6.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:default_idle+0x28/0x300 arch/x86/kernel/process.c:696
Code: cc cc 41 56 41 55 65 44 8b 2d 04 3b 72 7a 41 54 55 53 0f 1f 44 00 00 e8 b6 27 b5 fb e9 07 00 00 00 0f 00 2d aa d0 52 00 fb f4 <65> 44 8b 2d e0 3a 72 7a 0f 1f 44 00 00 5b 5d 41 5c 41 5d 41 5e c3
Code: cc cc 41 56 41 55 65 44 8b 2d 04 3b 72 7a 41 54 55 53 0f 1f 44 00 00 e8 b6 27 b5 fb e9 07 00 00 00 0f 00 2d aa d0 52 00 fb f4 <65> 44 8b 2d e0 3a 72 7a 0f 1f 44 00 00 5b 5d 41 5c 41 5d 41 5e c3
RSP: 0018:ffffffff87007d80 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000007 RBX: ffffffff8702cc40 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffffffff8702d48c
RBP: fffffbfff0e05988 R08: ffffffff8702cc40 R09: 0000000000000000
RAX: 0000000000000007 RBX: ffffffff8702cc40 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffffffff8702d48c
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: ffffffff87e615c0 R15: 0000000000000000
cpuidle_idle_call kernel/sched/idle.c:154 [inline]
do_idle+0x3e0/0x500 kernel/sched/idle.c:269
cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:361
start_kernel+0xe16/0xe5a init/main.c:998
do_idle+0x3e0/0x500 kernel/sched/idle.c:269
cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:361
secondary_startup_64+0xb6/0xc0 arch/x86/kernel/head_64.S:242
Allocated by task 12:
save_stack+0x1b/0x80 mm/kasan/common.c:72
set_track mm/kasan/common.c:80 [inline]
__kasan_kmalloc mm/kasan/common.c:515 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:488
kmalloc include/linux/slab.h:555 [inline]
kzalloc include/linux/slab.h:669 [inline]
ath9k_init_wmi+0x40/0x310 drivers/net/wireless/ath/ath9k/wmi.c:95
ath9k_htc_probe_device+0x21b/0x300 drivers/net/wireless/ath/ath9k/htc_drv_init.c:953
ath9k_htc_hw_init+0x31/0x60 drivers/net/wireless/ath/ath9k/htc_hst.c:501
ath9k_hif_usb_firmware_cb+0x26b/0x500 drivers/net/wireless/ath/ath9k/hif_usb.c:1218
request_firmware_work_func+0x126/0x242 drivers/base/firmware_loader/main.c:976
process_one_work+0x94b/0x1620 kernel/workqueue.c:2266
worker_thread+0x96/0xe20 kernel/workqueue.c:2412
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
Freed by task 12:
set_track mm/kasan/common.c:80 [inline]
__kasan_kmalloc mm/kasan/common.c:515 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:488
kmalloc include/linux/slab.h:555 [inline]
kzalloc include/linux/slab.h:669 [inline]
ath9k_init_wmi+0x40/0x310 drivers/net/wireless/ath/ath9k/wmi.c:95
ath9k_htc_probe_device+0x21b/0x300 drivers/net/wireless/ath/ath9k/htc_drv_init.c:953
ath9k_htc_hw_init+0x31/0x60 drivers/net/wireless/ath/ath9k/htc_hst.c:501
ath9k_hif_usb_firmware_cb+0x26b/0x500 drivers/net/wireless/ath/ath9k/hif_usb.c:1218
request_firmware_work_func+0x126/0x242 drivers/base/firmware_loader/main.c:976
process_one_work+0x94b/0x1620 kernel/workqueue.c:2266
worker_thread+0x96/0xe20 kernel/workqueue.c:2412
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
save_stack+0x1b/0x80 mm/kasan/common.c:72
set_track mm/kasan/common.c:80 [inline]
kasan_set_free_info mm/kasan/common.c:337 [inline]
__kasan_slab_free+0x117/0x160 mm/kasan/common.c:476
slab_free_hook mm/slub.c:1444 [inline]
slab_free_freelist_hook mm/slub.c:1477 [inline]
slab_free mm/slub.c:3034 [inline]
kfree+0xd5/0x300 mm/slub.c:3995
ath9k_htc_probe_device.cold+0x53/0x2103 drivers/net/wireless/ath/ath9k/htc_drv_init.c:975
ath9k_htc_hw_init+0x31/0x60 drivers/net/wireless/ath/ath9k/htc_hst.c:501
ath9k_hif_usb_firmware_cb+0x26b/0x500 drivers/net/wireless/ath/ath9k/hif_usb.c:1218
request_firmware_work_func+0x126/0x242 drivers/base/firmware_loader/main.c:976
process_one_work+0x94b/0x1620 kernel/workqueue.c:2266
worker_thread+0x96/0xe20 kernel/workqueue.c:2412
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
The buggy address belongs to the object at ffff8881d4aad000
set_track mm/kasan/common.c:80 [inline]
kasan_set_free_info mm/kasan/common.c:337 [inline]
__kasan_slab_free+0x117/0x160 mm/kasan/common.c:476
slab_free_hook mm/slub.c:1444 [inline]
slab_free_freelist_hook mm/slub.c:1477 [inline]
slab_free mm/slub.c:3034 [inline]
kfree+0xd5/0x300 mm/slub.c:3995
ath9k_htc_probe_device.cold+0x53/0x2103 drivers/net/wireless/ath/ath9k/htc_drv_init.c:975
ath9k_htc_hw_init+0x31/0x60 drivers/net/wireless/ath/ath9k/htc_hst.c:501
ath9k_hif_usb_firmware_cb+0x26b/0x500 drivers/net/wireless/ath/ath9k/hif_usb.c:1218
request_firmware_work_func+0x126/0x242 drivers/base/firmware_loader/main.c:976
process_one_work+0x94b/0x1620 kernel/workqueue.c:2266
worker_thread+0x96/0xe20 kernel/workqueue.c:2412
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 380 bytes inside of
2048-byte region [ffff8881d4aad000, ffff8881d4aad800)
The buggy address is located 380 bytes inside of
The buggy address belongs to the page:
page:ffffea000752aa00 refcount:1 mapcount:0 mapping:ffff8881da00c000 index:0x0 compound_mapcount: 0
flags: 0x200000000010200(slab|head)
raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da00c000
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8881d4aad000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8881d4aad080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881d4aad100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881d4aad180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881d4aad200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: 0fa84af8 Merge tag 'usb-serial-5.7-rc1' of https://git.ker..
git tree: https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=111b42b3e00000
Tested on:
commit: 0fa84af8 Merge tag 'usb-serial-5.7-rc1' of https://git.ker..
git tree: https://github.com/google/kasan.git usb-fuzzer
kernel config: https://syzkaller.appspot.com/x/.config?x=a782c087b1f425c6
dashboard link: https://syzkaller.appspot.com/bug?extid=5d338854440137ea0fef
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=15cfbc2be00000
dashboard link: https://syzkaller.appspot.com/bug?extid=5d338854440137ea0fef
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syzbot
Apr 3, 2020, 9:14:05 PM4/3/20
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer still triggered crash:
KASAN: use-after-free Read in ath9k_wmi_ctrl_rx
haley: skb 0xffff8881d25cc500, ath9k_wmi_ctrl_rx, 235
syzbot has tested the proposed patch but the reproducer still triggered crash:
KASAN: use-after-free Read in ath9k_wmi_ctrl_rx
==================================================================
BUG: KASAN: use-after-free in ath9k_wmi_ctrl_rx+0x5e/0x444 drivers/net/wireless/ath/ath9k/wmi.c:237
Read of size 1 at addr ffff8881d26ca17c by task kworker/0:1/12
CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.6.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events request_firmware_work_func
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xef/0x16e lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd3/0x314 mm/kasan/report.c:374
__kasan_report.cold+0x37/0x77 mm/kasan/report.c:506
kasan_report+0xe/0x20 mm/kasan/common.c:641
ath9k_wmi_ctrl_rx+0x5e/0x444 drivers/net/wireless/ath/ath9k/wmi.c:237
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xef/0x16e lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd3/0x314 mm/kasan/report.c:374
__kasan_report.cold+0x37/0x77 mm/kasan/report.c:506
kasan_report+0xe/0x20 mm/kasan/common.c:641
ath9k_htc_rx_msg+0x2d9/0xb00 drivers/net/wireless/ath/ath9k/htc_hst.c:462
ath9k_hif_usb_reg_in_cb+0x1a6/0x620 drivers/net/wireless/ath/ath9k/hif_usb.c:724
__usb_hcd_giveback_urb+0x1f2/0x470 drivers/usb/core/hcd.c:1648
usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1713
dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
expire_timers kernel/time/timer.c:1449 [inline]
__run_timers kernel/time/timer.c:1773 [inline]
__run_timers kernel/time/timer.c:1740 [inline]
run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786
__do_softirq+0x21e/0x950 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x178/0x1a0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:546 [inline]
smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1146
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
</IRQ>
__usb_hcd_giveback_urb+0x1f2/0x470 drivers/usb/core/hcd.c:1648
usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1713
dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
expire_timers kernel/time/timer.c:1449 [inline]
__run_timers kernel/time/timer.c:1773 [inline]
__run_timers kernel/time/timer.c:1740 [inline]
run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786
__do_softirq+0x21e/0x950 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x178/0x1a0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:546 [inline]
smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1146
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
</IRQ>
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:85 [inline]
RIP: 0010:console_unlock+0xa6b/0xca0 kernel/printk/printk.c:2481
Code: 00 89 ee 48 c7 c7 60 43 14 87 e8 10 c3 03 00 65 ff 0d c1 ed d8 7e e9 b5 f9 ff ff e8 0f 37 16 00 e8 0a 7f 1b 00 ff 74 24 30 9d <e9> fd fd ff ff e8 fb 36 16 00 48 8d 7d 08 48 89 f8 48 c1 e8 03 42
RSP: 0018:ffff8881da2277e0 EFLAGS: 00000293 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000007 RBX: 0000000000000200 RCX: 0000000000000006
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff8881da2120cc
RBP: 0000000000000000 R08: ffff8881da211880 R09: fffffbfff1267085
R10: fffffbfff1267084 R11: ffffffff89338427 R12: ffffffff82a092f0
R13: ffffffff874d4830 R14: 000000000000004f R15: dffffc0000000000
vprintk_emit+0x171/0x3d0 kernel/printk/printk.c:1996
vprintk_func+0x75/0x113 kernel/printk/printk_safe.c:386
printk+0xba/0xed kernel/printk/printk.c:2056
htc_connect_service+0x5a1/0x840 drivers/net/wireless/ath/ath9k/htc_hst.c:275
ath9k_wmi_connect+0xec/0x22b drivers/net/wireless/ath/ath9k/wmi.c:289
ath9k_init_htc_services.constprop.0+0x5b/0xa0 drivers/net/wireless/ath/ath9k/htc_drv_init.c:146
ath9k_htc_probe_device.cold+0x35/0x2103 drivers/net/wireless/ath/ath9k/htc_drv_init.c:961
ath9k_htc_hw_init+0x31/0x60 drivers/net/wireless/ath/ath9k/htc_hst.c:504
ath9k_hif_usb_firmware_cb+0x26b/0x500 drivers/net/wireless/ath/ath9k/hif_usb.c:1218
request_firmware_work_func+0x126/0x242 drivers/base/firmware_loader/main.c:976
process_one_work+0x94b/0x1620 kernel/workqueue.c:2266
worker_thread+0x96/0xe20 kernel/workqueue.c:2412
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
Allocated by task 164:
request_firmware_work_func+0x126/0x242 drivers/base/firmware_loader/main.c:976
process_one_work+0x94b/0x1620 kernel/workqueue.c:2266
worker_thread+0x96/0xe20 kernel/workqueue.c:2412
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
save_stack+0x1b/0x80 mm/kasan/common.c:72
set_track mm/kasan/common.c:80 [inline]
__kasan_kmalloc mm/kasan/common.c:515 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:488
kmalloc include/linux/slab.h:555 [inline]
kzalloc include/linux/slab.h:669 [inline]
ath9k_init_wmi+0x40/0x310 drivers/net/wireless/ath/ath9k/wmi.c:95
ath9k_htc_probe_device+0x21b/0x300 drivers/net/wireless/ath/ath9k/htc_drv_init.c:953
ath9k_htc_hw_init+0x31/0x60 drivers/net/wireless/ath/ath9k/htc_hst.c:504
set_track mm/kasan/common.c:80 [inline]
__kasan_kmalloc mm/kasan/common.c:515 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:488
kmalloc include/linux/slab.h:555 [inline]
kzalloc include/linux/slab.h:669 [inline]
ath9k_init_wmi+0x40/0x310 drivers/net/wireless/ath/ath9k/wmi.c:95
ath9k_htc_probe_device+0x21b/0x300 drivers/net/wireless/ath/ath9k/htc_drv_init.c:953
ath9k_hif_usb_firmware_cb+0x26b/0x500 drivers/net/wireless/ath/ath9k/hif_usb.c:1218
request_firmware_work_func+0x126/0x242 drivers/base/firmware_loader/main.c:976
process_one_work+0x94b/0x1620 kernel/workqueue.c:2266
worker_thread+0x96/0xe20 kernel/workqueue.c:2412
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
Freed by task 164:
request_firmware_work_func+0x126/0x242 drivers/base/firmware_loader/main.c:976
process_one_work+0x94b/0x1620 kernel/workqueue.c:2266
worker_thread+0x96/0xe20 kernel/workqueue.c:2412
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
save_stack+0x1b/0x80 mm/kasan/common.c:72
set_track mm/kasan/common.c:80 [inline]
kasan_set_free_info mm/kasan/common.c:337 [inline]
__kasan_slab_free+0x117/0x160 mm/kasan/common.c:476
slab_free_hook mm/slub.c:1444 [inline]
slab_free_freelist_hook mm/slub.c:1477 [inline]
slab_free mm/slub.c:3034 [inline]
kfree+0xd5/0x300 mm/slub.c:3995
ath9k_htc_probe_device.cold+0x53/0x2103 drivers/net/wireless/ath/ath9k/htc_drv_init.c:975
ath9k_htc_hw_init+0x31/0x60 drivers/net/wireless/ath/ath9k/htc_hst.c:504
set_track mm/kasan/common.c:80 [inline]
kasan_set_free_info mm/kasan/common.c:337 [inline]
__kasan_slab_free+0x117/0x160 mm/kasan/common.c:476
slab_free_hook mm/slub.c:1444 [inline]
slab_free_freelist_hook mm/slub.c:1477 [inline]
slab_free mm/slub.c:3034 [inline]
kfree+0xd5/0x300 mm/slub.c:3995
ath9k_htc_probe_device.cold+0x53/0x2103 drivers/net/wireless/ath/ath9k/htc_drv_init.c:975
ath9k_hif_usb_firmware_cb+0x26b/0x500 drivers/net/wireless/ath/ath9k/hif_usb.c:1218
request_firmware_work_func+0x126/0x242 drivers/base/firmware_loader/main.c:976
process_one_work+0x94b/0x1620 kernel/workqueue.c:2266
worker_thread+0x96/0xe20 kernel/workqueue.c:2412
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
The buggy address belongs to the object at ffff8881d26ca000
request_firmware_work_func+0x126/0x242 drivers/base/firmware_loader/main.c:976
process_one_work+0x94b/0x1620 kernel/workqueue.c:2266
worker_thread+0x96/0xe20 kernel/workqueue.c:2412
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 380 bytes inside of
2048-byte region [ffff8881d26ca000, ffff8881d26ca800)
The buggy address is located 380 bytes inside of
The buggy address belongs to the page:
page:ffffea000749b200 refcount:1 mapcount:0 mapping:ffff8881da00c000 index:0x0 compound_mapcount: 0
flags: 0x200000000010200(slab|head)
raw: 0200000000010200 0000000000000000 0000000400000001 ffff8881da00c000
raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8881d26ca000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Memory state around the buggy address:
ffff8881d26ca080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881d26ca100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881d26ca180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881d26ca200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: 0fa84af8 Merge tag 'usb-serial-5.7-rc1' of https://git.ker..
git tree: https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=110bd41be00000
Tested on:
commit: 0fa84af8 Merge tag 'usb-serial-5.7-rc1' of https://git.ker..
git tree: https://github.com/google/kasan.git usb-fuzzer
kernel config: https://syzkaller.appspot.com/x/.config?x=a782c087b1f425c6
dashboard link: https://syzkaller.appspot.com/bug?extid=5d338854440137ea0fef
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=1370441be00000
dashboard link: https://syzkaller.appspot.com/bug?extid=5d338854440137ea0fef
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syzbot
Apr 3, 2020, 10:03:04 PM4/3/20
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,
syzbot tried to test the proposed patch but build/boot failed:
b/uvc/uvc_entity.o
CC drivers/media/usb/gspca/m5602/m5602_s5k83a.o
CC drivers/media/usb/gspca/m5602/m5602_s5k4aa.o
CC drivers/media/dvb-frontends/si21xx.o
CC drivers/media/dvb-frontends/si2168.o
CC drivers/media/rc/keymaps/rc-snapstream-firefly.o
CC drivers/gpu/drm/i915/display/intel_overlay.o
CC drivers/media/usb/pwc/pwc-uncompress.o
CC drivers/media/usb/cpia2/cpia2_v4l.o
CC drivers/media/usb/pwc/pwc-dec1.o
AR drivers/media/usb/hackrf/built-in.a
AR drivers/media/usb/msi2500/built-in.a
CC drivers/media/usb/pwc/pwc-dec23.o
CC drivers/media/usb/pwc/pwc-kiara.o
CC drivers/gpu/drm/drm_atomic.o
CC drivers/gpu/drm/drm_bridge.o
CC drivers/gpu/drm/i915/display/intel_psr.o
CC drivers/media/usb/dvb-usb/pctv452e.o
CC drivers/gpu/drm/i915/display/intel_quirks.o
CC drivers/media/usb/pwc/pwc-timon.o
AR drivers/isdn/mISDN/built-in.a
AR drivers/isdn/built-in.a
AR drivers/media/usb/gspca/gl860/built-in.a
CC drivers/media/rc/keymaps/rc-streamzap.o
CC drivers/media/usb/gspca/conex.o
CC drivers/media/usb/dvb-usb/dw2102.o
CC drivers/media/usb/cpia2/cpia2_usb.o
CC drivers/media/usb/gspca/cpia1.o
CC drivers/media/usb/gspca/dtcs033.o
AR drivers/media/usb/dvb-usb-v2/built-in.a
CC drivers/gpu/drm/drm_framebuffer.o
CC drivers/media/usb/dvb-usb/dtv5100.o
AR drivers/media/usb/uvc/built-in.a
CC drivers/gpu/drm/drm_connector.o
CC drivers/media/dvb-frontends/stv0288.o
CC drivers/media/usb/dvb-usb/cinergyT2-core.o
CC drivers/gpu/drm/i915/display/intel_sprite.o
CC drivers/media/usb/dvb-usb/cinergyT2-fe.o
CC drivers/media/dvb-frontends/stb6000.o
CC drivers/media/dvb-frontends/s921.o
CC drivers/gpu/drm/i915/display/intel_tc.o
AR drivers/media/usb/gspca/m5602/built-in.a
CC drivers/gpu/drm/i915/display/intel_vga.o
CC drivers/gpu/drm/drm_blend.o
CC drivers/media/dvb-frontends/stv6110.o
CC drivers/media/rc/keymaps/rc-tango.o
CC drivers/media/dvb-frontends/stv0900_core.o
CC drivers/gpu/drm/drm_encoder.o
CC drivers/media/usb/dvb-usb/az6027.o
CC drivers/gpu/drm/drm_mode_object.o
CC drivers/media/rc/keymaps/rc-tanix-tx3mini.o
CC drivers/media/dvb-frontends/stv0900_sw.o
CC drivers/media/dvb-frontends/stv090x.o
CC drivers/media/usb/au0828/au0828-core.o
CC drivers/media/rc/keymaps/rc-tanix-tx5max.o
AR drivers/media/usb/pwc/built-in.a
CC drivers/media/rc/keymaps/rc-tbs-nec.o
CC drivers/media/usb/gspca/etoms.o
CC drivers/media/rc/keymaps/rc-technisat-ts35.o
CC drivers/media/usb/dvb-usb/technisat-usb2.o
CC drivers/gpu/drm/i915/display/intel_acpi.o
CC drivers/media/rc/keymaps/rc-technisat-usb2.o
CC drivers/media/rc/keymaps/rc-terratec-cinergy-c-pci.o
CC drivers/media/usb/hdpvr/hdpvr-control.o
CC drivers/media/usb/hdpvr/hdpvr-core.o
CC drivers/media/usb/hdpvr/hdpvr-video.o
CC drivers/media/usb/hdpvr/hdpvr-i2c.o
CC drivers/media/usb/cpia2/cpia2_core.o
CC drivers/gpu/drm/i915/display/intel_opregion.o
CC drivers/gpu/drm/drm_property.o
CC drivers/gpu/drm/i915/display/intel_fbdev.o
CC drivers/gpu/drm/drm_plane.o
CC drivers/gpu/drm/i915/display/dvo_ch7017.o
CC drivers/gpu/drm/i915/display/dvo_ch7xxx.o
CC drivers/media/usb/gspca/finepix.o
CC drivers/media/dvb-frontends/stv6110x.o
CC drivers/media/rc/keymaps/rc-terratec-cinergy-s2-hd.o
CC drivers/media/usb/pvrusb2/pvrusb2-i2c-core.o
CC drivers/gpu/drm/i915/display/dvo_ivch.o
CC drivers/media/rc/keymaps/rc-terratec-cinergy-xs.o
CC drivers/media/dvb-frontends/m88ds3103.o
CC drivers/gpu/drm/drm_color_mgmt.o
CC drivers/gpu/drm/drm_print.o
CC drivers/media/usb/usbvision/usbvision-core.o
CC drivers/media/usb/gspca/jeilinj.o
CC drivers/media/usb/pvrusb2/pvrusb2-audio.o
CC drivers/media/usb/stk1160/stk1160-core.o
CC drivers/media/usb/pvrusb2/pvrusb2-encoder.o
CC drivers/gpu/drm/drm_dumb_buffers.o
CC drivers/media/usb/au0828/au0828-i2c.o
CC drivers/media/dvb-frontends/mn88472.o
CC drivers/media/rc/keymaps/rc-terratec-slim.o
CC drivers/media/usb/gspca/jl2005bcd.o
CC drivers/media/usb/gspca/kinect.o
AR drivers/media/usb/dvb-usb/built-in.a
CC drivers/media/usb/gspca/konica.o
CC drivers/media/usb/pvrusb2/pvrusb2-video-v4l.o
CC drivers/media/usb/pvrusb2/pvrusb2-eeprom.o
CC drivers/gpu/drm/i915/display/dvo_ns2501.o
CC drivers/gpu/drm/i915/display/dvo_sil164.o
CC drivers/gpu/drm/i915/display/dvo_tfp410.o
CC drivers/gpu/drm/i915/display/icl_dsi.o
CC drivers/media/rc/keymaps/rc-terratec-slim-2.o
CC drivers/gpu/drm/i915/display/intel_crt.o
CC drivers/gpu/drm/i915/display/intel_ddi.o
CC drivers/media/dvb-frontends/mn88473.o
AR drivers/media/usb/cpia2/built-in.a
CC drivers/media/usb/gspca/mars.o
CC drivers/gpu/drm/drm_mode_config.o
AR drivers/media/usb/hdpvr/built-in.a
CC drivers/media/usb/stk1160/stk1160-v4l.o
CC drivers/media/usb/pvrusb2/pvrusb2-main.o
CC drivers/media/dvb-frontends/isl6423.o
CC drivers/media/usb/cx231xx/cx231xx-video.o
CC drivers/media/usb/gspca/mr97310a.o
CC drivers/media/usb/au0828/au0828-cards.o
CC drivers/media/usb/tm6000/tm6000-cards.o
CC drivers/gpu/drm/i915/display/intel_dp.o
CC drivers/gpu/drm/i915/display/intel_dp_aux_backlight.o
CC drivers/media/dvb-frontends/ec100.o
CC drivers/media/rc/keymaps/rc-tevii-nec.o
CC drivers/media/usb/tm6000/tm6000-core.o
CC drivers/media/usb/tm6000/tm6000-i2c.o
CC drivers/media/usb/gspca/nw80x.o
CC drivers/media/rc/keymaps/rc-tivo.o
CC drivers/media/usb/pvrusb2/pvrusb2-hdw.o
CC drivers/media/usb/em28xx/em28xx-core.o
CC drivers/media/usb/em28xx/em28xx-i2c.o
CC drivers/gpu/drm/drm_vblank.o
CC drivers/media/usb/em28xx/em28xx-cards.o
CC drivers/media/usb/em28xx/em28xx-camera.o
CC drivers/media/usb/usbvision/usbvision-video.o
CC drivers/media/rc/keymaps/rc-total-media-in-hand.o
CC drivers/media/rc/keymaps/rc-total-media-in-hand-02.o
CC drivers/media/dvb-frontends/ds3000.o
CC drivers/media/usb/pvrusb2/pvrusb2-v4l2.o
CC drivers/media/usb/tm6000/tm6000-video.o
CC drivers/media/usb/pvrusb2/pvrusb2-ctrl.o
CC drivers/media/dvb-frontends/ts2020.o
CC drivers/media/usb/tm6000/tm6000-stds.o
CC drivers/media/usb/usbtv/usbtv-core.o
CC drivers/media/usb/au0828/au0828-dvb.o
CC drivers/media/usb/stk1160/stk1160-video.o
CC drivers/media/usb/usbtv/usbtv-video.o
CC drivers/gpu/drm/drm_syncobj.o
CC drivers/media/usb/cx231xx/cx231xx-i2c.o
CC drivers/media/usb/gspca/ov519.o
CC drivers/media/usb/go7007/go7007-v4l2.o
CC drivers/media/rc/keymaps/rc-trekstor.o
CC drivers/media/usb/gspca/ov534.o
CC drivers/gpu/drm/i915/display/intel_dp_link_training.o
CC drivers/media/usb/em28xx/em28xx-video.o
CC drivers/gpu/drm/drm_lease.o
CC drivers/gpu/drm/drm_writeback.o
CC drivers/media/usb/go7007/go7007-driver.o
CC drivers/media/usb/as102/as102_drv.o
CC drivers/media/rc/keymaps/rc-tt-1500.o
CC drivers/media/rc/keymaps/rc-twinhan-dtv-cab-ci.o
CC drivers/media/rc/keymaps/rc-twinhan1027.o
CC drivers/media/usb/pulse8-cec/pulse8-cec.o
CC drivers/media/usb/cx231xx/cx231xx-cards.o
CC drivers/media/usb/cx231xx/cx231xx-core.o
CC drivers/media/usb/stk1160/stk1160-i2c.o
CC drivers/media/usb/stk1160/stk1160-ac97.o
CC drivers/media/usb/pvrusb2/pvrusb2-std.o
CC drivers/media/usb/usbvision/usbvision-i2c.o
CC drivers/media/usb/usbvision/usbvision-cards.o
CC drivers/media/usb/au0828/au0828-video.o
CC drivers/media/usb/usbtv/usbtv-audio.o
CC drivers/media/usb/au0828/au0828-vbi.o
CC drivers/media/rc/keymaps/rc-vega-s9x.o
CC drivers/media/usb/cx231xx/cx231xx-avcore.o
CC drivers/media/dvb-frontends/mb86a20s.o
CC drivers/media/usb/go7007/go7007-i2c.o
CC drivers/media/usb/as102/as102_fw.o
CC drivers/media/usb/go7007/go7007-fw.o
CC drivers/media/usb/pvrusb2/pvrusb2-devattr.o
CC drivers/media/dvb-frontends/ix2505v.o
CC drivers/media/usb/as102/as10x_cmd.o
CC drivers/media/usb/as102/as10x_cmd_stream.o
CC drivers/media/rc/keymaps/rc-videomate-m1f.o
CC drivers/media/usb/tm6000/tm6000-input.o
CC drivers/gpu/drm/i915/display/intel_dp_mst.o
CC drivers/gpu/drm/drm_client.o
CC drivers/gpu/drm/i915/display/intel_dsi.o
AR drivers/media/usb/stk1160/built-in.a
CC drivers/gpu/drm/drm_client_modeset.o
CC drivers/media/usb/tm6000/tm6000-alsa.o
CC drivers/media/usb/rainshadow-cec/rainshadow-cec.o
AR drivers/media/usb/pulse8-cec/built-in.a
CC drivers/media/usb/tm6000/tm6000-dvb.o
AR drivers/media/usb/usbvision/built-in.a
CC drivers/media/usb/au0828/au0828-input.o
AR drivers/media/usb/usbtv/built-in.a
CC drivers/gpu/drm/drm_atomic_uapi.o
CC drivers/media/rc/keymaps/rc-videomate-s350.o
CC drivers/media/usb/as102/as102_usb_drv.o
CC drivers/media/usb/go7007/snd-go7007.o
CC drivers/media/usb/as102/as10x_cmd_cfg.o
CC drivers/media/usb/em28xx/em28xx-vbi.o
CC drivers/media/usb/em28xx/em28xx-audio.o
CC drivers/gpu/drm/i915/display/intel_dsi_dcs_backlight.o
CC drivers/media/usb/cx231xx/cx231xx-417.o
CC drivers/media/usb/gspca/ov534_9.o
CC drivers/media/usb/cx231xx/cx231xx-pcb-cfg.o
CC drivers/media/rc/keymaps/rc-videomate-tv-pvr.o
AR drivers/media/usb/rainshadow-cec/built-in.a
CC drivers/gpu/drm/i915/display/intel_dsi_vbt.o
CC drivers/media/usb/gspca/pac207.o
CC drivers/media/usb/gspca/pac7302.o
CC drivers/media/usb/go7007/go7007-usb.o
CC drivers/media/usb/go7007/go7007-loader.o
CC drivers/media/usb/em28xx/em28xx-dvb.o
AR drivers/media/usb/tm6000/built-in.a
CC drivers/media/usb/go7007/s2250-board.o
CC drivers/media/usb/cx231xx/cx231xx-vbi.o
CC drivers/gpu/drm/i915/display/intel_dvo.o
CC drivers/media/usb/em28xx/em28xx-input.o
AR drivers/media/usb/as102/built-in.a
CC drivers/media/rc/keymaps/rc-wetek-play2.o
CC drivers/media/rc/keymaps/rc-wetek-hub.o
CC drivers/gpu/drm/i915/display/intel_gmbus.o
CC drivers/media/usb/pvrusb2/pvrusb2-context.o
CC drivers/media/rc/keymaps/rc-winfast.o
CC drivers/media/usb/cx231xx/cx231xx-input.o
CC drivers/media/usb/cx231xx/cx231xx-audio.o
CC drivers/media/usb/gspca/pac7311.o
CC drivers/media/usb/gspca/se401.o
CC drivers/media/usb/pvrusb2/pvrusb2-io.o
CC drivers/media/usb/gspca/sn9c2028.o
CC drivers/media/rc/keymaps/rc-winfast-usbii-deluxe.o
CC drivers/media/usb/cx231xx/cx231xx-dvb.o
CC drivers/gpu/drm/drm_hdcp.o
CC drivers/media/usb/gspca/sn9c20x.o
CC drivers/media/usb/pvrusb2/pvrusb2-ioread.o
CC drivers/media/dvb-frontends/cxd2820r_core.o
CC drivers/gpu/drm/drm_ioc32.o
CC drivers/media/usb/pvrusb2/pvrusb2-cx2584x-v4l.o
AR drivers/media/usb/au0828/built-in.a
CC drivers/media/usb/gspca/sonixb.o
CC drivers/media/usb/gspca/sonixj.o
CC drivers/media/dvb-frontends/cxd2820r_c.o
CC drivers/media/rc/keymaps/rc-su3000.o
CC drivers/gpu/drm/drm_gem_shmem_helper.o
CC drivers/media/usb/pvrusb2/pvrusb2-wm8775.o
CC drivers/media/usb/gspca/spca500.o
AR drivers/media/usb/go7007/built-in.a
CC drivers/gpu/drm/i915/display/intel_hdmi.o
CC drivers/media/dvb-frontends/cxd2820r_t.o
CC drivers/media/usb/gspca/spca501.o
CC drivers/media/usb/gspca/spca505.o
CC drivers/media/dvb-frontends/cxd2820r_t2.o
CC drivers/gpu/drm/drm_panel.o
CC drivers/media/usb/gspca/spca506.o
CC drivers/media/rc/keymaps/rc-xbox-dvd.o
CC drivers/media/rc/keymaps/rc-x96max.o
CC drivers/media/dvb-frontends/cxd2841er.o
CC drivers/media/dvb-frontends/drxk_hard.o
CC drivers/media/rc/keymaps/rc-zx-irdec.o
CC drivers/gpu/drm/drm_agpsupport.o
CC drivers/media/dvb-frontends/tda18271c2dd.o
CC drivers/media/usb/gspca/spca508.o
CC drivers/gpu/drm/i915/display/intel_lspcon.o
CC drivers/gpu/drm/i915/display/intel_lvds.o
CC drivers/media/dvb-frontends/si2165.o
CC drivers/gpu/drm/drm_pci.o
CC drivers/gpu/drm/drm_debugfs.o
CC drivers/gpu/drm/drm_debugfs_crc.o
CC drivers/gpu/drm/drm_mipi_dsi.o
CC drivers/media/usb/gspca/spca561.o
CC drivers/gpu/drm/i915/display/intel_panel.o
AR drivers/media/rc/keymaps/built-in.a
AR drivers/media/rc/built-in.a
CC drivers/media/usb/gspca/spca1528.o
CC drivers/media/usb/pvrusb2/pvrusb2-cs53l32a.o
CC drivers/gpu/drm/drm_panel_orientation_quirks.o
CC drivers/gpu/drm/i915/display/intel_sdvo.o
CC drivers/media/usb/pvrusb2/pvrusb2-dvb.o
CC drivers/media/usb/gspca/sq905.o
CC drivers/gpu/drm/i915/display/intel_tv.o
CC drivers/media/dvb-frontends/a8293.o
CC drivers/media/usb/gspca/sq905c.o
CC drivers/gpu/drm/i915/display/intel_vdsc.o
CC drivers/media/usb/gspca/sq930x.o
CC drivers/media/usb/gspca/sunplus.o
AR drivers/media/usb/cx231xx/built-in.a
CC drivers/media/dvb-frontends/sp2.o
AR drivers/media/usb/em28xx/built-in.a
CC drivers/media/usb/gspca/stk014.o
CC drivers/media/usb/pvrusb2/pvrusb2-sysfs.o
CC drivers/media/usb/gspca/stk1135.o
CC drivers/media/dvb-frontends/tda10071.o
CC drivers/media/dvb-frontends/rtl2830.o
CC drivers/gpu/drm/i915/display/vlv_dsi.o
CC drivers/media/usb/gspca/stv0680.o
CC drivers/media/dvb-frontends/rtl2832.o
CC drivers/media/dvb-frontends/rtl2832_sdr.o
CC drivers/media/dvb-frontends/m88rs2000.o
CC drivers/media/usb/gspca/t613.o
CC drivers/media/dvb-frontends/af9033.o
CC drivers/media/dvb-frontends/as102_fe.o
CC drivers/media/usb/gspca/topro.o
CC drivers/gpu/drm/i915/display/vlv_dsi_pll.o
CC drivers/media/usb/gspca/touptek.o
CC drivers/gpu/drm/i915/oa/i915_oa_hsw.o
CC drivers/media/usb/gspca/tv8532.o
CC drivers/media/dvb-frontends/gp8psk-fe.o
CC drivers/media/usb/gspca/vc032x.o
CC drivers/media/dvb-frontends/tc90522.o
CC drivers/media/dvb-frontends/zd1301_demod.o
CC drivers/gpu/drm/i915/oa/i915_oa_bdw.o
CC drivers/media/usb/gspca/vicam.o
CC drivers/media/usb/gspca/xirlink_cit.o
CC drivers/gpu/drm/i915/oa/i915_oa_chv.o
AR drivers/media/usb/pvrusb2/built-in.a
CC drivers/gpu/drm/i915/oa/i915_oa_sklgt2.o
CC drivers/media/usb/gspca/zc3xx.o
CC drivers/gpu/drm/i915/oa/i915_oa_sklgt3.o
CC drivers/gpu/drm/i915/oa/i915_oa_sklgt4.o
CC drivers/gpu/drm/i915/oa/i915_oa_bxt.o
CC drivers/gpu/drm/i915/oa/i915_oa_kblgt2.o
CC drivers/gpu/drm/i915/oa/i915_oa_kblgt3.o
CC drivers/gpu/drm/i915/oa/i915_oa_glk.o
CC drivers/gpu/drm/i915/oa/i915_oa_cflgt2.o
CC drivers/gpu/drm/i915/oa/i915_oa_cflgt3.o
CC drivers/gpu/drm/i915/oa/i915_oa_icl.o
CC drivers/gpu/drm/i915/oa/i915_oa_cnl.o
CC drivers/gpu/drm/i915/oa/i915_oa_tgl.o
CC drivers/gpu/drm/i915/i915_perf.o
CC drivers/gpu/drm/i915/i915_gpu_error.o
CC drivers/gpu/drm/i915/i915_vgpu.o
AR drivers/media/dvb-frontends/built-in.a
AR drivers/media/usb/gspca/built-in.a
AR drivers/media/usb/built-in.a
AR drivers/media/built-in.a
AR drivers/gpu/drm/i915/built-in.a
AR drivers/gpu/drm/built-in.a
AR drivers/gpu/built-in.a
Makefile:1683: recipe for target 'drivers' failed
make: *** [drivers] Error 2
Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=14bc4acde00000
Tested on:
commit: 0fa84af8 Merge tag 'usb-serial-5.7-rc1' of https://git.ker..
git tree: https://github.com/google/kasan.git usb-fuzzer
syzbot tried to test the proposed patch but build/boot failed:
b/uvc/uvc_entity.o
CC drivers/media/usb/gspca/m5602/m5602_s5k83a.o
CC drivers/media/usb/gspca/m5602/m5602_s5k4aa.o
CC drivers/media/dvb-frontends/si21xx.o
CC drivers/media/dvb-frontends/si2168.o
CC drivers/media/rc/keymaps/rc-snapstream-firefly.o
CC drivers/gpu/drm/i915/display/intel_overlay.o
CC drivers/media/usb/pwc/pwc-uncompress.o
CC drivers/media/usb/cpia2/cpia2_v4l.o
CC drivers/media/usb/pwc/pwc-dec1.o
AR drivers/media/usb/hackrf/built-in.a
AR drivers/media/usb/msi2500/built-in.a
CC drivers/media/usb/pwc/pwc-dec23.o
CC drivers/media/usb/pwc/pwc-kiara.o
CC drivers/gpu/drm/drm_atomic.o
CC drivers/gpu/drm/drm_bridge.o
CC drivers/gpu/drm/i915/display/intel_psr.o
CC drivers/media/usb/dvb-usb/pctv452e.o
CC drivers/gpu/drm/i915/display/intel_quirks.o
CC drivers/media/usb/pwc/pwc-timon.o
AR drivers/isdn/mISDN/built-in.a
AR drivers/isdn/built-in.a
AR drivers/media/usb/gspca/gl860/built-in.a
CC drivers/media/rc/keymaps/rc-streamzap.o
CC drivers/media/usb/gspca/conex.o
CC drivers/media/usb/dvb-usb/dw2102.o
CC drivers/media/usb/cpia2/cpia2_usb.o
CC drivers/media/usb/gspca/cpia1.o
CC drivers/media/usb/gspca/dtcs033.o
AR drivers/media/usb/dvb-usb-v2/built-in.a
CC drivers/gpu/drm/drm_framebuffer.o
CC drivers/media/usb/dvb-usb/dtv5100.o
AR drivers/media/usb/uvc/built-in.a
CC drivers/gpu/drm/drm_connector.o
CC drivers/media/dvb-frontends/stv0288.o
CC drivers/media/usb/dvb-usb/cinergyT2-core.o
CC drivers/gpu/drm/i915/display/intel_sprite.o
CC drivers/media/usb/dvb-usb/cinergyT2-fe.o
CC drivers/media/dvb-frontends/stb6000.o
CC drivers/media/dvb-frontends/s921.o
CC drivers/gpu/drm/i915/display/intel_tc.o
AR drivers/media/usb/gspca/m5602/built-in.a
CC drivers/gpu/drm/i915/display/intel_vga.o
CC drivers/gpu/drm/drm_blend.o
CC drivers/media/dvb-frontends/stv6110.o
CC drivers/media/rc/keymaps/rc-tango.o
CC drivers/media/dvb-frontends/stv0900_core.o
CC drivers/gpu/drm/drm_encoder.o
CC drivers/media/usb/dvb-usb/az6027.o
CC drivers/gpu/drm/drm_mode_object.o
CC drivers/media/rc/keymaps/rc-tanix-tx3mini.o
CC drivers/media/dvb-frontends/stv0900_sw.o
CC drivers/media/dvb-frontends/stv090x.o
CC drivers/media/usb/au0828/au0828-core.o
CC drivers/media/rc/keymaps/rc-tanix-tx5max.o
AR drivers/media/usb/pwc/built-in.a
CC drivers/media/rc/keymaps/rc-tbs-nec.o
CC drivers/media/usb/gspca/etoms.o
CC drivers/media/rc/keymaps/rc-technisat-ts35.o
CC drivers/media/usb/dvb-usb/technisat-usb2.o
CC drivers/gpu/drm/i915/display/intel_acpi.o
CC drivers/media/rc/keymaps/rc-technisat-usb2.o
CC drivers/media/rc/keymaps/rc-terratec-cinergy-c-pci.o
CC drivers/media/usb/hdpvr/hdpvr-control.o
CC drivers/media/usb/hdpvr/hdpvr-core.o
CC drivers/media/usb/hdpvr/hdpvr-video.o
CC drivers/media/usb/hdpvr/hdpvr-i2c.o
CC drivers/media/usb/cpia2/cpia2_core.o
CC drivers/gpu/drm/i915/display/intel_opregion.o
CC drivers/gpu/drm/drm_property.o
CC drivers/gpu/drm/i915/display/intel_fbdev.o
CC drivers/gpu/drm/drm_plane.o
CC drivers/gpu/drm/i915/display/dvo_ch7017.o
CC drivers/gpu/drm/i915/display/dvo_ch7xxx.o
CC drivers/media/usb/gspca/finepix.o
CC drivers/media/dvb-frontends/stv6110x.o
CC drivers/media/rc/keymaps/rc-terratec-cinergy-s2-hd.o
CC drivers/media/usb/pvrusb2/pvrusb2-i2c-core.o
CC drivers/gpu/drm/i915/display/dvo_ivch.o
CC drivers/media/rc/keymaps/rc-terratec-cinergy-xs.o
CC drivers/media/dvb-frontends/m88ds3103.o
CC drivers/gpu/drm/drm_color_mgmt.o
CC drivers/gpu/drm/drm_print.o
CC drivers/media/usb/usbvision/usbvision-core.o
CC drivers/media/usb/gspca/jeilinj.o
CC drivers/media/usb/pvrusb2/pvrusb2-audio.o
CC drivers/media/usb/stk1160/stk1160-core.o
CC drivers/media/usb/pvrusb2/pvrusb2-encoder.o
CC drivers/gpu/drm/drm_dumb_buffers.o
CC drivers/media/usb/au0828/au0828-i2c.o
CC drivers/media/dvb-frontends/mn88472.o
CC drivers/media/rc/keymaps/rc-terratec-slim.o
CC drivers/media/usb/gspca/jl2005bcd.o
CC drivers/media/usb/gspca/kinect.o
AR drivers/media/usb/dvb-usb/built-in.a
CC drivers/media/usb/gspca/konica.o
CC drivers/media/usb/pvrusb2/pvrusb2-video-v4l.o
CC drivers/media/usb/pvrusb2/pvrusb2-eeprom.o
CC drivers/gpu/drm/i915/display/dvo_ns2501.o
CC drivers/gpu/drm/i915/display/dvo_sil164.o
CC drivers/gpu/drm/i915/display/dvo_tfp410.o
CC drivers/gpu/drm/i915/display/icl_dsi.o
CC drivers/media/rc/keymaps/rc-terratec-slim-2.o
CC drivers/gpu/drm/i915/display/intel_crt.o
CC drivers/gpu/drm/i915/display/intel_ddi.o
CC drivers/media/dvb-frontends/mn88473.o
AR drivers/media/usb/cpia2/built-in.a
CC drivers/media/usb/gspca/mars.o
CC drivers/gpu/drm/drm_mode_config.o
AR drivers/media/usb/hdpvr/built-in.a
CC drivers/media/usb/stk1160/stk1160-v4l.o
CC drivers/media/usb/pvrusb2/pvrusb2-main.o
CC drivers/media/dvb-frontends/isl6423.o
CC drivers/media/usb/cx231xx/cx231xx-video.o
CC drivers/media/usb/gspca/mr97310a.o
CC drivers/media/usb/au0828/au0828-cards.o
CC drivers/media/usb/tm6000/tm6000-cards.o
CC drivers/gpu/drm/i915/display/intel_dp.o
CC drivers/gpu/drm/i915/display/intel_dp_aux_backlight.o
CC drivers/media/dvb-frontends/ec100.o
CC drivers/media/rc/keymaps/rc-tevii-nec.o
CC drivers/media/usb/tm6000/tm6000-core.o
CC drivers/media/usb/tm6000/tm6000-i2c.o
CC drivers/media/usb/gspca/nw80x.o
CC drivers/media/rc/keymaps/rc-tivo.o
CC drivers/media/usb/pvrusb2/pvrusb2-hdw.o
CC drivers/media/usb/em28xx/em28xx-core.o
CC drivers/media/usb/em28xx/em28xx-i2c.o
CC drivers/gpu/drm/drm_vblank.o
CC drivers/media/usb/em28xx/em28xx-cards.o
CC drivers/media/usb/em28xx/em28xx-camera.o
CC drivers/media/usb/usbvision/usbvision-video.o
CC drivers/media/rc/keymaps/rc-total-media-in-hand.o
CC drivers/media/rc/keymaps/rc-total-media-in-hand-02.o
CC drivers/media/dvb-frontends/ds3000.o
CC drivers/media/usb/pvrusb2/pvrusb2-v4l2.o
CC drivers/media/usb/tm6000/tm6000-video.o
CC drivers/media/usb/pvrusb2/pvrusb2-ctrl.o
CC drivers/media/dvb-frontends/ts2020.o
CC drivers/media/usb/tm6000/tm6000-stds.o
CC drivers/media/usb/usbtv/usbtv-core.o
CC drivers/media/usb/au0828/au0828-dvb.o
CC drivers/media/usb/stk1160/stk1160-video.o
CC drivers/media/usb/usbtv/usbtv-video.o
CC drivers/gpu/drm/drm_syncobj.o
CC drivers/media/usb/cx231xx/cx231xx-i2c.o
CC drivers/media/usb/gspca/ov519.o
CC drivers/media/usb/go7007/go7007-v4l2.o
CC drivers/media/rc/keymaps/rc-trekstor.o
CC drivers/media/usb/gspca/ov534.o
CC drivers/gpu/drm/i915/display/intel_dp_link_training.o
CC drivers/media/usb/em28xx/em28xx-video.o
CC drivers/gpu/drm/drm_lease.o
CC drivers/gpu/drm/drm_writeback.o
CC drivers/media/usb/go7007/go7007-driver.o
CC drivers/media/usb/as102/as102_drv.o
CC drivers/media/rc/keymaps/rc-tt-1500.o
CC drivers/media/rc/keymaps/rc-twinhan-dtv-cab-ci.o
CC drivers/media/rc/keymaps/rc-twinhan1027.o
CC drivers/media/usb/pulse8-cec/pulse8-cec.o
CC drivers/media/usb/cx231xx/cx231xx-cards.o
CC drivers/media/usb/cx231xx/cx231xx-core.o
CC drivers/media/usb/stk1160/stk1160-i2c.o
CC drivers/media/usb/stk1160/stk1160-ac97.o
CC drivers/media/usb/pvrusb2/pvrusb2-std.o
CC drivers/media/usb/usbvision/usbvision-i2c.o
CC drivers/media/usb/usbvision/usbvision-cards.o
CC drivers/media/usb/au0828/au0828-video.o
CC drivers/media/usb/usbtv/usbtv-audio.o
CC drivers/media/usb/au0828/au0828-vbi.o
CC drivers/media/rc/keymaps/rc-vega-s9x.o
CC drivers/media/usb/cx231xx/cx231xx-avcore.o
CC drivers/media/dvb-frontends/mb86a20s.o
CC drivers/media/usb/go7007/go7007-i2c.o
CC drivers/media/usb/as102/as102_fw.o
CC drivers/media/usb/go7007/go7007-fw.o
CC drivers/media/usb/pvrusb2/pvrusb2-devattr.o
CC drivers/media/dvb-frontends/ix2505v.o
CC drivers/media/usb/as102/as10x_cmd.o
CC drivers/media/usb/as102/as10x_cmd_stream.o
CC drivers/media/rc/keymaps/rc-videomate-m1f.o
CC drivers/media/usb/tm6000/tm6000-input.o
CC drivers/gpu/drm/i915/display/intel_dp_mst.o
CC drivers/gpu/drm/drm_client.o
CC drivers/gpu/drm/i915/display/intel_dsi.o
AR drivers/media/usb/stk1160/built-in.a
CC drivers/gpu/drm/drm_client_modeset.o
CC drivers/media/usb/tm6000/tm6000-alsa.o
CC drivers/media/usb/rainshadow-cec/rainshadow-cec.o
AR drivers/media/usb/pulse8-cec/built-in.a
CC drivers/media/usb/tm6000/tm6000-dvb.o
AR drivers/media/usb/usbvision/built-in.a
CC drivers/media/usb/au0828/au0828-input.o
AR drivers/media/usb/usbtv/built-in.a
CC drivers/gpu/drm/drm_atomic_uapi.o
CC drivers/media/rc/keymaps/rc-videomate-s350.o
CC drivers/media/usb/as102/as102_usb_drv.o
CC drivers/media/usb/go7007/snd-go7007.o
CC drivers/media/usb/as102/as10x_cmd_cfg.o
CC drivers/media/usb/em28xx/em28xx-vbi.o
CC drivers/media/usb/em28xx/em28xx-audio.o
CC drivers/gpu/drm/i915/display/intel_dsi_dcs_backlight.o
CC drivers/media/usb/cx231xx/cx231xx-417.o
CC drivers/media/usb/gspca/ov534_9.o
CC drivers/media/usb/cx231xx/cx231xx-pcb-cfg.o
CC drivers/media/rc/keymaps/rc-videomate-tv-pvr.o
AR drivers/media/usb/rainshadow-cec/built-in.a
CC drivers/gpu/drm/i915/display/intel_dsi_vbt.o
CC drivers/media/usb/gspca/pac207.o
CC drivers/media/usb/gspca/pac7302.o
CC drivers/media/usb/go7007/go7007-usb.o
CC drivers/media/usb/go7007/go7007-loader.o
CC drivers/media/usb/em28xx/em28xx-dvb.o
AR drivers/media/usb/tm6000/built-in.a
CC drivers/media/usb/go7007/s2250-board.o
CC drivers/media/usb/cx231xx/cx231xx-vbi.o
CC drivers/gpu/drm/i915/display/intel_dvo.o
CC drivers/media/usb/em28xx/em28xx-input.o
AR drivers/media/usb/as102/built-in.a
CC drivers/media/rc/keymaps/rc-wetek-play2.o
CC drivers/media/rc/keymaps/rc-wetek-hub.o
CC drivers/gpu/drm/i915/display/intel_gmbus.o
CC drivers/media/usb/pvrusb2/pvrusb2-context.o
CC drivers/media/rc/keymaps/rc-winfast.o
CC drivers/media/usb/cx231xx/cx231xx-input.o
CC drivers/media/usb/cx231xx/cx231xx-audio.o
CC drivers/media/usb/gspca/pac7311.o
CC drivers/media/usb/gspca/se401.o
CC drivers/media/usb/pvrusb2/pvrusb2-io.o
CC drivers/media/usb/gspca/sn9c2028.o
CC drivers/media/rc/keymaps/rc-winfast-usbii-deluxe.o
CC drivers/media/usb/cx231xx/cx231xx-dvb.o
CC drivers/gpu/drm/drm_hdcp.o
CC drivers/media/usb/gspca/sn9c20x.o
CC drivers/media/usb/pvrusb2/pvrusb2-ioread.o
CC drivers/media/dvb-frontends/cxd2820r_core.o
CC drivers/gpu/drm/drm_ioc32.o
CC drivers/media/usb/pvrusb2/pvrusb2-cx2584x-v4l.o
AR drivers/media/usb/au0828/built-in.a
CC drivers/media/usb/gspca/sonixb.o
CC drivers/media/usb/gspca/sonixj.o
CC drivers/media/dvb-frontends/cxd2820r_c.o
CC drivers/media/rc/keymaps/rc-su3000.o
CC drivers/gpu/drm/drm_gem_shmem_helper.o
CC drivers/media/usb/pvrusb2/pvrusb2-wm8775.o
CC drivers/media/usb/gspca/spca500.o
AR drivers/media/usb/go7007/built-in.a
CC drivers/gpu/drm/i915/display/intel_hdmi.o
CC drivers/media/dvb-frontends/cxd2820r_t.o
CC drivers/media/usb/gspca/spca501.o
CC drivers/media/usb/gspca/spca505.o
CC drivers/media/dvb-frontends/cxd2820r_t2.o
CC drivers/gpu/drm/drm_panel.o
CC drivers/media/usb/gspca/spca506.o
CC drivers/media/rc/keymaps/rc-xbox-dvd.o
CC drivers/media/rc/keymaps/rc-x96max.o
CC drivers/media/dvb-frontends/cxd2841er.o
CC drivers/media/dvb-frontends/drxk_hard.o
CC drivers/media/rc/keymaps/rc-zx-irdec.o
CC drivers/gpu/drm/drm_agpsupport.o
CC drivers/media/dvb-frontends/tda18271c2dd.o
CC drivers/media/usb/gspca/spca508.o
CC drivers/gpu/drm/i915/display/intel_lspcon.o
CC drivers/gpu/drm/i915/display/intel_lvds.o
CC drivers/media/dvb-frontends/si2165.o
CC drivers/gpu/drm/drm_pci.o
CC drivers/gpu/drm/drm_debugfs.o
CC drivers/gpu/drm/drm_debugfs_crc.o
CC drivers/gpu/drm/drm_mipi_dsi.o
CC drivers/media/usb/gspca/spca561.o
CC drivers/gpu/drm/i915/display/intel_panel.o
AR drivers/media/rc/keymaps/built-in.a
AR drivers/media/rc/built-in.a
CC drivers/media/usb/gspca/spca1528.o
CC drivers/media/usb/pvrusb2/pvrusb2-cs53l32a.o
CC drivers/gpu/drm/drm_panel_orientation_quirks.o
CC drivers/gpu/drm/i915/display/intel_sdvo.o
CC drivers/media/usb/pvrusb2/pvrusb2-dvb.o
CC drivers/media/usb/gspca/sq905.o
CC drivers/gpu/drm/i915/display/intel_tv.o
CC drivers/media/dvb-frontends/a8293.o
CC drivers/media/usb/gspca/sq905c.o
CC drivers/gpu/drm/i915/display/intel_vdsc.o
CC drivers/media/usb/gspca/sq930x.o
CC drivers/media/usb/gspca/sunplus.o
AR drivers/media/usb/cx231xx/built-in.a
CC drivers/media/dvb-frontends/sp2.o
AR drivers/media/usb/em28xx/built-in.a
CC drivers/media/usb/gspca/stk014.o
CC drivers/media/usb/pvrusb2/pvrusb2-sysfs.o
CC drivers/media/usb/gspca/stk1135.o
CC drivers/media/dvb-frontends/tda10071.o
CC drivers/media/dvb-frontends/rtl2830.o
CC drivers/gpu/drm/i915/display/vlv_dsi.o
CC drivers/media/usb/gspca/stv0680.o
CC drivers/media/dvb-frontends/rtl2832.o
CC drivers/media/dvb-frontends/rtl2832_sdr.o
CC drivers/media/dvb-frontends/m88rs2000.o
CC drivers/media/usb/gspca/t613.o
CC drivers/media/dvb-frontends/af9033.o
CC drivers/media/dvb-frontends/as102_fe.o
CC drivers/media/usb/gspca/topro.o
CC drivers/gpu/drm/i915/display/vlv_dsi_pll.o
CC drivers/media/usb/gspca/touptek.o
CC drivers/gpu/drm/i915/oa/i915_oa_hsw.o
CC drivers/media/usb/gspca/tv8532.o
CC drivers/media/dvb-frontends/gp8psk-fe.o
CC drivers/media/usb/gspca/vc032x.o
CC drivers/media/dvb-frontends/tc90522.o
CC drivers/media/dvb-frontends/zd1301_demod.o
CC drivers/gpu/drm/i915/oa/i915_oa_bdw.o
CC drivers/media/usb/gspca/vicam.o
CC drivers/media/usb/gspca/xirlink_cit.o
CC drivers/gpu/drm/i915/oa/i915_oa_chv.o
AR drivers/media/usb/pvrusb2/built-in.a
CC drivers/gpu/drm/i915/oa/i915_oa_sklgt2.o
CC drivers/media/usb/gspca/zc3xx.o
CC drivers/gpu/drm/i915/oa/i915_oa_sklgt3.o
CC drivers/gpu/drm/i915/oa/i915_oa_sklgt4.o
CC drivers/gpu/drm/i915/oa/i915_oa_bxt.o
CC drivers/gpu/drm/i915/oa/i915_oa_kblgt2.o
CC drivers/gpu/drm/i915/oa/i915_oa_kblgt3.o
CC drivers/gpu/drm/i915/oa/i915_oa_glk.o
CC drivers/gpu/drm/i915/oa/i915_oa_cflgt2.o
CC drivers/gpu/drm/i915/oa/i915_oa_cflgt3.o
CC drivers/gpu/drm/i915/oa/i915_oa_icl.o
CC drivers/gpu/drm/i915/oa/i915_oa_cnl.o
CC drivers/gpu/drm/i915/oa/i915_oa_tgl.o
CC drivers/gpu/drm/i915/i915_perf.o
CC drivers/gpu/drm/i915/i915_gpu_error.o
CC drivers/gpu/drm/i915/i915_vgpu.o
AR drivers/media/dvb-frontends/built-in.a
AR drivers/media/usb/gspca/built-in.a
AR drivers/media/usb/built-in.a
AR drivers/media/built-in.a
AR drivers/gpu/drm/i915/built-in.a
AR drivers/gpu/drm/built-in.a
AR drivers/gpu/built-in.a
Makefile:1683: recipe for target 'drivers' failed
make: *** [drivers] Error 2
Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=14bc4acde00000
Tested on:
commit: 0fa84af8 Merge tag 'usb-serial-5.7-rc1' of https://git.ker..
git tree: https://github.com/google/kasan.git usb-fuzzer
dashboard link: https://syzkaller.appspot.com/bug?extid=5d338854440137ea0fef
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=117746c7e00000
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syzbot
Apr 3, 2020, 10:36:06 PM4/3/20
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger crash:
Reported-and-tested-by: syzbot+5d3388...@syzkaller.appspotmail.com
syzbot has tested the proposed patch and the reproducer did not trigger crash:
Reported-and-tested-by: syzbot+5d3388...@syzkaller.appspotmail.com
Tested on:
commit: 0fa84af8 Merge tag 'usb-serial-5.7-rc1' of https://git.ker..
git tree: https://github.com/google/kasan.git usb-fuzzer
kernel config: https://syzkaller.appspot.com/x/.config?x=a782c087b1f425c6
commit: 0fa84af8 Merge tag 'usb-serial-5.7-rc1' of https://git.ker..
git tree: https://github.com/google/kasan.git usb-fuzzer
dashboard link: https://syzkaller.appspot.com/bug?extid=5d338854440137ea0fef
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=139911fbe00000
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syzbot
Apr 4, 2020, 12:09:05 AM4/4/20
to andre...@google.com, anen...@gmail.com, ath9k...@qca.qualcomm.com, da...@davemloft.net, kv...@codeaurora.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, linux-w...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger crash:
Reported-and-tested-by: syzbot+5d3388...@syzkaller.appspotmail.com
Tested on:
commit: 0fa84af8 Merge tag 'usb-serial-5.7-rc1' of https://git.ker..
git tree: https://github.com/google/kasan.git usb-fuzzer
kernel config: https://syzkaller.appspot.com/x/.config?x=a782c087b1f425c6
dashboard link: https://syzkaller.appspot.com/bug?extid=5d338854440137ea0fef
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=11646f93e00000
syzbot has tested the proposed patch and the reproducer did not trigger crash:
Reported-and-tested-by: syzbot+5d3388...@syzkaller.appspotmail.com
Tested on:
commit: 0fa84af8 Merge tag 'usb-serial-5.7-rc1' of https://git.ker..
git tree: https://github.com/google/kasan.git usb-fuzzer
kernel config: https://syzkaller.appspot.com/x/.config?x=a782c087b1f425c6
dashboard link: https://syzkaller.appspot.com/bug?extid=5d338854440137ea0fef
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Reply all
Reply to author
Forward
0 new messages