Warning: Permanently added '10.128.0.32' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 21.623675][ T95] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 22.143165][ T95] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 22.152304][ T95] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 22.160505][ T95] usb 1-1: Product: syz
[ 22.164735][ T95] usb 1-1: Manufacturer: syz
[ 22.169314][ T95] usb 1-1: SerialNumber: syz
[ 22.213955][ T95] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 22.812261][ T95] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
executing program
[ 23.224097][ T21] usb 1-1: USB disconnect, device number 2
[ 24.110770][ T95] usb 1-1: Service connection timeout for: 256
[ 24.117420][ T95] ==================================================================
[ 24.132852][ T95] BUG: KASAN: use-after-free in kfree_skb+0x32/0x3d0
[ 24.139598][ T95] Read of size 4 at addr ffff8881c75b10d4 by task kworker/1:2/95
[ 24.147298][ T95]
[ 24.149607][ T95] CPU: 1 PID: 95 Comm: kworker/1:2 Not tainted 5.7.0-rc6-syzkaller #0
[ 24.157734][ T95] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 24.168760][ T95] Workqueue: events request_firmware_work_func
[ 24.174897][ T95] Call Trace:
[ 24.178453][ T95] dump_stack+0xef/0x16e
[ 24.182755][ T95] print_address_description.constprop.0.cold+0xd3/0x415
[ 24.191712][ T95] ? vprintk_func+0x7d/0x113
[ 24.196302][ T95] ? kfree_skb+0x32/0x3d0
[ 24.200629][ T95] __kasan_report.cold+0x37/0x7d
[ 24.205548][ T95] ? kfree_skb+0x32/0x3d0
[ 24.209856][ T95] ? kfree_skb+0x32/0x3d0
[ 24.214183][ T95] kasan_report+0x33/0x50
[ 24.218509][ T95] check_memory_region+0x173/0x1d0
[ 24.223839][ T95] kfree_skb+0x32/0x3d0
[ 24.228129][ T95] htc_connect_service.cold+0xa9/0x109
[ 24.233766][ T95] ath9k_wmi_connect+0xd2/0x1a0
[ 24.238859][ T95] ? ath9k_fatal_work+0x20/0x20
[ 24.243692][ T95] ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 24.249827][ T95] ? ath9k_wmi_event_tasklet+0x440/0x440
[ 24.255537][ T95] ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 24.262021][ T95] ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 24.268682][ T95] ? lockdep_init_map_waits+0x26a/0x7c0
[ 24.275354][ T95] ? __raw_spin_lock_init+0x34/0x100
[ 24.281170][ T95] ? tasklet_init+0x69/0x110
[ 24.286379][ T95] ath9k_htc_probe_device+0x25a/0x1da0
[ 24.292011][ T95] ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 24.299460][ T95] ? usb_submit_urb+0x6ed/0x1460
[ 24.304389][ T95] ? usb_free_urb.part.0+0x52/0x110
[ 24.309768][ T95] ? usb_free_urb+0x1b/0x30
[ 24.314529][ T95] ath9k_htc_hw_init+0x31/0x60
[ 24.319376][ T95] ath9k_hif_usb_firmware_cb+0x274/0x510
[ 24.325619][ T95] ? ath9k_hif_usb_resume+0x320/0x320
[ 24.331944][ T95] request_firmware_work_func+0x126/0x242
[ 24.337951][ T95] ? request_firmware_into_buf+0x90/0x90
[ 24.343588][ T95] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 24.349492][ T95] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 24.355069][ T95] ? _raw_spin_unlock_irq+0x1f/0x30
[ 24.360341][ T95] process_one_work+0x965/0x1630
[ 24.365261][ T95] ? lock_release+0x720/0x720
[ 24.369929][ T95] ? pwq_dec_nr_in_flight+0x310/0x310
[ 24.375497][ T95] ? rwlock_bug.part.0+0x90/0x90
[ 24.380657][ T95] worker_thread+0x96/0xe20
[ 24.385169][ T95] ? process_one_work+0x1630/0x1630
[ 24.390689][ T95] kthread+0x326/0x430
[ 24.395127][ T95] ? kthread_create_on_node+0xf0/0xf0
[ 24.400510][ T95] ret_from_fork+0x24/0x30
[ 24.404927][ T95]
[ 24.407283][ T95] Allocated by task 95:
[ 24.411601][ T95] save_stack+0x1b/0x40
[ 24.415965][ T95] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 24.421662][ T95] kmem_cache_alloc_node+0xdc/0x330
[ 24.426852][ T95] __alloc_skb+0xba/0x5a0
[ 24.431203][ T95] htc_connect_service+0x2cc/0x840
[ 24.442820][ T95] ath9k_wmi_connect+0xd2/0x1a0
[ 24.447832][ T95] ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 24.454236][ T95] ath9k_htc_probe_device+0x25a/0x1da0
[ 24.459677][ T95] ath9k_htc_hw_init+0x31/0x60
[ 24.464523][ T95] ath9k_hif_usb_firmware_cb+0x274/0x510
[ 24.470394][ T95] request_firmware_work_func+0x126/0x242
[ 24.476113][ T95] process_one_work+0x965/0x1630
[ 24.481058][ T95] worker_thread+0x96/0xe20
[ 24.485630][ T95] kthread+0x326/0x430
[ 24.490050][ T95] ret_from_fork+0x24/0x30
[ 24.494437][ T95]
[ 24.496743][ T95] Freed by task 0:
[ 24.500446][ T95] save_stack+0x1b/0x40
[ 24.504578][ T95] __kasan_slab_free+0x117/0x160
[ 24.509491][ T95] kmem_cache_free+0x9b/0x360
[ 24.514148][ T95] kfree_skbmem+0xef/0x1b0
[ 24.518541][ T95] kfree_skb+0x102/0x3d0
[ 24.522863][ T95] ath9k_htc_txcompletion_cb+0x1f8/0x2b0
[ 24.528487][ T95] hif_usb_regout_cb+0x115/0x1c0
[ 24.533492][ T95] __usb_hcd_giveback_urb+0x29a/0x550
[ 24.539191][ T95] usb_hcd_giveback_urb+0x368/0x420
[ 24.544394][ T95] dummy_timer+0x125e/0x32b4
[ 24.548988][ T95] call_timer_fn+0x1ac/0x700
[ 24.553655][ T95] run_timer_softirq+0x5f9/0x1500
[ 24.558855][ T95] __do_softirq+0x21e/0x9aa
[ 24.563453][ T95]
[ 24.565760][ T95] The buggy address belongs to the object at ffff8881c75b1000
[ 24.565760][ T95] which belongs to the cache skbuff_head_cache of size 224
[ 24.580329][ T95] The buggy address is located 212 bytes inside of
[ 24.580329][ T95] 224-byte region [ffff8881c75b1000, ffff8881c75b10e0)
[ 24.593616][ T95] The buggy address belongs to the page:
[ 24.599232][ T95] page:ffffea00071d6c40 refcount:1 mapcount:0 mapping:00000000e72fd705 index:0x0
[ 24.608737][ T95] flags: 0x200000000000200(slab)
[ 24.613654][ T95] raw: 0200000000000200 dead000000000100 dead000000000122 ffff8881da175400
[ 24.622492][ T95] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 24.631046][ T95] page dumped because: kasan: bad access detected
[ 24.637448][ T95]
[ 24.639773][ T95] Memory state around the buggy address:
[ 24.645406][ T95] ffff8881c75b0f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 24.653717][ T95] ffff8881c75b1000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.661755][ T95] >ffff8881c75b1080: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 24.670582][ T95] ^
[ 24.677242][ T95] ffff8881c75b1100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 24.685295][ T95] ffff8881c75b1180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 24.693517][ T95] ==================================================================
[ 24.701587][ T95] Disabling lock debugging due to kernel taint
[ 24.707801][ T95] Kernel panic - not syncing: panic_on_warn set ...
[ 24.714483][ T95] CPU: 1 PID: 95 Comm: kworker/1:2 Tainted: G B 5.7.0-rc6-syzkaller #0
[ 24.724045][ T95] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 24.735844][ T95] Workqueue: events request_firmware_work_func
[ 24.741989][ T95] Call Trace:
[ 24.745265][ T95] dump_stack+0xef/0x16e
[ 24.749491][ T95] panic+0x2aa/0x6e1
[ 24.753383][ T95] ? add_taint.cold+0x16/0x16
[ 24.758035][ T95] ? retint_kernel+0x10/0x10
[ 24.762598][ T95] ? kfree_skb+0x32/0x3d0
[ 24.766903][ T95] ? trace_hardirqs_on+0x55/0x200
[ 24.771914][ T95] ? kfree_skb+0x32/0x3d0
[ 24.776227][ T95] end_report+0x4d/0x53
[ 24.780366][ T95] __kasan_report.cold+0x72/0x7d
[ 24.785284][ T95] ? kfree_skb+0x32/0x3d0
[ 24.789590][ T95] ? kfree_skb+0x32/0x3d0
[ 24.793946][ T95] kasan_report+0x33/0x50
[ 24.798257][ T95] check_memory_region+0x173/0x1d0
[ 24.803428][ T95] kfree_skb+0x32/0x3d0
[ 24.807573][ T95] htc_connect_service.cold+0xa9/0x109
[ 24.813015][ T95] ath9k_wmi_connect+0xd2/0x1a0
[ 24.817845][ T95] ? ath9k_fatal_work+0x20/0x20
[ 24.822680][ T95] ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 24.828729][ T95] ? ath9k_wmi_event_tasklet+0x440/0x440
[ 24.834346][ T95] ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 24.840738][ T95] ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 24.846005][ T95] ? lockdep_init_map_waits+0x26a/0x7c0
[ 24.851527][ T95] ? __raw_spin_lock_init+0x34/0x100
[ 24.856802][ T95] ? tasklet_init+0x69/0x110
[ 24.862330][ T95] ath9k_htc_probe_device+0x25a/0x1da0
[ 24.867768][ T95] ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 24.874418][ T95] ? usb_submit_urb+0x6ed/0x1460
[ 24.879337][ T95] ? usb_free_urb.part.0+0x52/0x110
[ 24.884528][ T95] ? usb_free_urb+0x1b/0x30
[ 24.889020][ T95] ath9k_htc_hw_init+0x31/0x60
[ 24.893777][ T95] ath9k_hif_usb_firmware_cb+0x274/0x510
[ 24.899392][ T95] ? ath9k_hif_usb_resume+0x320/0x320
[ 24.904768][ T95] request_firmware_work_func+0x126/0x242
[ 24.910486][ T95] ? request_firmware_into_buf+0x90/0x90
[ 24.916117][ T95] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 24.921636][ T95] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 24.926896][ T95] ? _raw_spin_unlock_irq+0x1f/0x30
[ 24.932072][ T95] process_one_work+0x965/0x1630
[ 24.937604][ T95] ? lock_release+0x720/0x720
[ 24.942265][ T95] ? pwq_dec_nr_in_flight+0x310/0x310
[ 24.947620][ T95] ? rwlock_bug.part.0+0x90/0x90
[ 24.952530][ T95] worker_thread+0x96/0xe20
[ 24.957005][ T95] ? process_one_work+0x1630/0x1630
[ 24.962189][ T95] kthread+0x326/0x430
[ 24.966244][ T95] ? kthread_create_on_node+0xf0/0xf0
[ 24.971600][ T95] ret_from_fork+0x24/0x30
[ 24.976680][ T95] Kernel Offset: disabled
[ 24.981003][ T95] Rebooting in 86400 seconds..