Warning: Permanently added '10.128.1.39' (ECDSA) to the list of known hosts.
executing program
[   39.088665][   T83] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[   39.368723][   T83] usb 1-1: too many configurations: 123, using maximum allowed: 8
[   40.168372][   T83] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[   40.177420][   T83] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[   40.185459][   T83] usb 1-1: Product: syz
[   40.189678][   T83] usb 1-1: Manufacturer: syz
[   40.194262][   T83] usb 1-1: SerialNumber: syz
[   40.239607][   T83] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[   40.858179][   T83] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
executing program
[   41.260203][   T95] usb 1-1: USB disconnect, device number 2
[   42.087731][   T83] usb 1-1: Service connection timeout for: 256
[   42.094043][   T83] ==================================================================
[   42.102169][   T83] BUG: KASAN: use-after-free in kfree_skb+0x32/0x3d0
[   42.108832][   T83] Read of size 4 at addr ffff8881c5f7f214 by task kworker/1:2/83
[   42.116527][   T83] 
[   42.118846][   T83] CPU: 1 PID: 83 Comm: kworker/1:2 Not tainted 5.7.0-rc6-syzkaller #0
[   42.126979][   T83] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   42.137028][   T83] Workqueue: events request_firmware_work_func
[   42.143150][   T83] Call Trace:
[   42.146427][   T83]  dump_stack+0xef/0x16e
[   42.150657][   T83]  print_address_description.constprop.0.cold+0xd3/0x415
[   42.157659][   T83]  ? vprintk_func+0x7d/0x113
[   42.162230][   T83]  ? kfree_skb+0x32/0x3d0
[   42.166532][   T83]  __kasan_report.cold+0x37/0x7d
[   42.171439][   T83]  ? kfree_skb+0x32/0x3d0
[   42.175740][   T83]  ? kfree_skb+0x32/0x3d0
[   42.180040][   T83]  kasan_report+0x33/0x50
[   42.184456][   T83]  check_memory_region+0x173/0x1d0
[   42.189553][   T83]  kfree_skb+0x32/0x3d0
[   42.193691][   T83]  htc_connect_service.cold+0xa9/0x109
[   42.199135][   T83]  ath9k_wmi_connect+0xd2/0x1a0
[   42.203973][   T83]  ? ath9k_fatal_work+0x20/0x20
[   42.208799][   T83]  ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[   42.214839][   T83]  ? ath9k_wmi_event_tasklet+0x440/0x440
[   42.220445][   T83]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[   42.226852][   T83]  ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[   42.232123][   T83]  ? lockdep_init_map_waits+0x26a/0x7c0
[   42.237646][   T83]  ? __raw_spin_lock_init+0x34/0x100
[   42.242904][   T83]  ? tasklet_init+0x69/0x110
[   42.247470][   T83]  ath9k_htc_probe_device+0x25a/0x1da0
[   42.252905][   T83]  ? ath9k_init_htc_services.constprop.0+0x650/0x650
[   42.259559][   T83]  ? usb_submit_urb+0x6ed/0x1460
[   42.264472][   T83]  ? usb_free_urb.part.0+0x52/0x110
[   42.269641][   T83]  ? usb_free_urb+0x1b/0x30
[   42.274117][   T83]  ath9k_htc_hw_init+0x31/0x60
[   42.278856][   T83]  ath9k_hif_usb_firmware_cb+0x274/0x510
[   42.284466][   T83]  ? ath9k_hif_usb_resume+0x320/0x320
[   42.289811][   T83]  request_firmware_work_func+0x126/0x242
[   42.295502][   T83]  ? request_firmware_into_buf+0x90/0x90
[   42.301108][   T83]  ? rcu_read_lock_sched_held+0x9c/0xd0
[   42.306635][   T83]  ? rcu_read_lock_bh_held+0xb0/0xb0
[   42.311893][   T83]  ? _raw_spin_unlock_irq+0x1f/0x30
[   42.317074][   T83]  process_one_work+0x965/0x1630
[   42.321996][   T83]  ? lock_release+0x720/0x720
[   42.326649][   T83]  ? pwq_dec_nr_in_flight+0x310/0x310
[   42.332006][   T83]  ? rwlock_bug.part.0+0x90/0x90
[   42.336912][   T83]  worker_thread+0x96/0xe20
[   42.341396][   T83]  ? process_one_work+0x1630/0x1630
[   42.346576][   T83]  kthread+0x326/0x430
[   42.350618][   T83]  ? kthread_create_on_node+0xf0/0xf0
[   42.355981][   T83]  ret_from_fork+0x24/0x30
[   42.360369][   T83] 
[   42.362670][   T83] Allocated by task 83:
[   42.366800][   T83]  save_stack+0x1b/0x40
[   42.370928][   T83]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   42.376533][   T83]  kmem_cache_alloc_node+0xdc/0x330
[   42.381714][   T83]  __alloc_skb+0xba/0x5a0
[   42.386029][   T83]  htc_connect_service+0x2cc/0x840
[   42.391110][   T83]  ath9k_wmi_connect+0xd2/0x1a0
[   42.395934][   T83]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[   42.402327][   T83]  ath9k_htc_probe_device+0x25a/0x1da0
[   42.407756][   T83]  ath9k_htc_hw_init+0x31/0x60
[   42.412502][   T83]  ath9k_hif_usb_firmware_cb+0x274/0x510
[   42.418106][   T83]  request_firmware_work_func+0x126/0x242
[   42.423813][   T83]  process_one_work+0x965/0x1630
[   42.428873][   T83]  worker_thread+0x96/0xe20
[   42.433377][   T83]  kthread+0x326/0x430
[   42.437437][   T83]  ret_from_fork+0x24/0x30
[   42.441825][   T83] 
[   42.444134][   T83] Freed by task 0:
[   42.447836][   T83]  save_stack+0x1b/0x40
[   42.451975][   T83]  __kasan_slab_free+0x117/0x160
[   42.456885][   T83]  kmem_cache_free+0x9b/0x360
[   42.461536][   T83]  kfree_skbmem+0xef/0x1b0
[   42.465924][   T83]  kfree_skb+0x102/0x3d0
[   42.470141][   T83]  ath9k_htc_txcompletion_cb+0x1f8/0x2b0
[   42.475755][   T83]  hif_usb_regout_cb+0x115/0x1c0
[   42.480664][   T83]  __usb_hcd_giveback_urb+0x29a/0x550
[   42.486007][   T83]  usb_hcd_giveback_urb+0x368/0x420
[   42.491177][   T83]  dummy_timer+0x125e/0x32b4
[   42.495739][   T83]  call_timer_fn+0x1ac/0x700
[   42.500311][   T83]  run_timer_softirq+0x5f9/0x1500
[   42.505317][   T83]  __do_softirq+0x21e/0x9aa
[   42.509787][   T83] 
[   42.512105][   T83] The buggy address belongs to the object at ffff8881c5f7f140
[   42.512105][   T83]  which belongs to the cache skbuff_head_cache of size 224
[   42.526649][   T83] The buggy address is located 212 bytes inside of
[   42.526649][   T83]  224-byte region [ffff8881c5f7f140, ffff8881c5f7f220)
[   42.539983][   T83] The buggy address belongs to the page:
[   42.545601][   T83] page:ffffea000717dfc0 refcount:1 mapcount:0 mapping:00000000937ee8b4 index:0x0
[   42.554678][   T83] flags: 0x200000000000200(slab)
[   42.559601][   T83] raw: 0200000000000200 dead000000000100 dead000000000122 ffff8881da175400
[   42.568186][   T83] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[   42.577185][   T83] page dumped because: kasan: bad access detected
[   42.583678][   T83] 
[   42.585997][   T83] Memory state around the buggy address:
[   42.591603][   T83]  ffff8881c5f7f100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   42.599639][   T83]  ffff8881c5f7f180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   42.607673][   T83] >ffff8881c5f7f200: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   42.615704][   T83]                          ^
[   42.620322][   T83]  ffff8881c5f7f280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   42.628368][   T83]  ffff8881c5f7f300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   42.636448][   T83] ==================================================================
[   42.644509][   T83] Disabling lock debugging due to kernel taint
[   42.650796][   T83] Kernel panic - not syncing: panic_on_warn set ...
[   42.657395][   T83] CPU: 1 PID: 83 Comm: kworker/1:2 Tainted: G    B             5.7.0-rc6-syzkaller #0
[   42.666920][   T83] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   42.676982][   T83] Workqueue: events request_firmware_work_func
[   42.683126][   T83] Call Trace:
[   42.686392][   T83]  dump_stack+0xef/0x16e
[   42.690826][   T83]  panic+0x2aa/0x6e1
[   42.694710][   T83]  ? add_taint.cold+0x16/0x16
[   42.699359][   T83]  ? retint_kernel+0x10/0x10
[   42.703920][   T83]  ? kfree_skb+0x32/0x3d0
[   42.708239][   T83]  ? trace_hardirqs_on+0x55/0x200
[   42.713235][   T83]  ? kfree_skb+0x32/0x3d0
[   42.717537][   T83]  end_report+0x4d/0x53
[   42.721667][   T83]  __kasan_report.cold+0x72/0x7d
[   42.726592][   T83]  ? kfree_skb+0x32/0x3d0
[   42.730889][   T83]  ? kfree_skb+0x32/0x3d0
[   42.735204][   T83]  kasan_report+0x33/0x50
[   42.739509][   T83]  check_memory_region+0x173/0x1d0
[   42.744600][   T83]  kfree_skb+0x32/0x3d0
[   42.748743][   T83]  htc_connect_service.cold+0xa9/0x109
[   42.754189][   T83]  ath9k_wmi_connect+0xd2/0x1a0
[   42.759016][   T83]  ? ath9k_fatal_work+0x20/0x20
[   42.763847][   T83]  ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[   42.770007][   T83]  ? ath9k_wmi_event_tasklet+0x440/0x440
[   42.775623][   T83]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[   42.782034][   T83]  ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[   42.787322][   T83]  ? lockdep_init_map_waits+0x26a/0x7c0
[   42.792854][   T83]  ? __raw_spin_lock_init+0x34/0x100
[   42.798116][   T83]  ? tasklet_init+0x69/0x110
[   42.802686][   T83]  ath9k_htc_probe_device+0x25a/0x1da0
[   42.808120][   T83]  ? ath9k_init_htc_services.constprop.0+0x650/0x650
[   42.814763][   T83]  ? usb_submit_urb+0x6ed/0x1460
[   42.819684][   T83]  ? usb_free_urb.part.0+0x52/0x110
[   42.824861][   T83]  ? usb_free_urb+0x1b/0x30
[   42.829350][   T83]  ath9k_htc_hw_init+0x31/0x60
[   42.834151][   T83]  ath9k_hif_usb_firmware_cb+0x274/0x510
[   42.839764][   T83]  ? ath9k_hif_usb_resume+0x320/0x320
[   42.845111][   T83]  request_firmware_work_func+0x126/0x242
[   42.850805][   T83]  ? request_firmware_into_buf+0x90/0x90
[   42.856412][   T83]  ? rcu_read_lock_sched_held+0x9c/0xd0
[   42.861958][   T83]  ? rcu_read_lock_bh_held+0xb0/0xb0
[   42.867337][   T83]  ? _raw_spin_unlock_irq+0x1f/0x30
[   42.872521][   T83]  process_one_work+0x965/0x1630
[   42.877456][   T83]  ? lock_release+0x720/0x720
[   42.882124][   T83]  ? pwq_dec_nr_in_flight+0x310/0x310
[   42.887472][   T83]  ? rwlock_bug.part.0+0x90/0x90
[   42.892486][   T83]  worker_thread+0x96/0xe20
[   42.896973][   T83]  ? process_one_work+0x1630/0x1630
[   42.902154][   T83]  kthread+0x326/0x430
[   42.906205][   T83]  ? kthread_create_on_node+0xf0/0xf0
[   42.911566][   T83]  ret_from_fork+0x24/0x30
[   42.916663][   T83] Kernel Offset: disabled
[   42.920973][   T83] Rebooting in 86400 seconds..
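Reading the three stacks together: the skb was allocated in htc_connect_service ("Allocated by task 83"), freed from the USB completion path in ath9k_htc_txcompletion_cb ("Freed by task 0", reached through hif_usb_regout_cb from the dummy_hcd timer after the device disconnected at 41.26), and then handed to kfree_skb a second time from htc_connect_service's timeout branch, right after "Service connection timeout for: 256". The buffer has two owners once it is submitted to the transport, and the waiter keeps its pointer. The user-space model below is an added illustration, not code from the syzkaller report or from the ath9k driver; it reproduces that ownership error beside a version that hands the buffer over exactly once, using a tracking allocator so the second free is counted instead of corrupting memory. Every name in it (buf, hif_send, hcd_giveback, txcompletion_cb, run_scenario) is a stand-in for the driver's skb, htc_issue_send, URB giveback and completion callback, not a driver symbol.

```c
/*
 * Model of the skb ownership bug behind the KASAN report: a command buffer is
 * submitted to the USB transport, whose completion callback frees it, and the
 * waiter frees it again when no reply arrives. Added illustration, not ath9k
 * code; all names are stand-ins for the driver's symbols.
 */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define POOL_SIZE 8

/* Tracking slab: a freed slot is quarantined (never reused, never handed back
 * to the heap), so a second free is counted rather than corrupting memory,
 * which is roughly what KASAN's quarantine did for skbuff_head_cache above. */
struct buf { bool used; bool live; unsigned char data[224]; };
static struct buf pool[POOL_SIZE];
static int double_frees;
static int last_ret;

static struct buf *buf_alloc(void)
{
	for (int i = 0; i < POOL_SIZE; i++)
		if (!pool[i].used) {
			pool[i].used = pool[i].live = true;
			memset(pool[i].data, 0, sizeof pool[i].data);
			return &pool[i];
		}
	return NULL;
}

static void buf_free(struct buf *b)
{
	if (!b->live) {		/* the second kfree_skb() KASAN flagged */
		double_frees++;
		return;
	}
	b->live = false;
}

/* One in-flight URB. The transport owns the buffer from submission until the
 * completion callback runs; the callback frees it on success and on error. */
struct urb { struct buf *skb; void (*complete)(struct buf *); bool pending; };
static struct urb inflight;
static bool device_present;

static void txcompletion_cb(struct buf *skb) { buf_free(skb); }

static int hif_send(struct buf *skb)
{
	if (inflight.pending)
		return -EBUSY;
	inflight = (struct urb){ skb, txcompletion_cb, true };
	return 0;
}

/* Host-controller side: gives the URB back (with an error status if the
 * device is gone) and runs the completion, like dummy_timer -> hif_usb_regout_cb. */
static void hcd_giveback(void)
{
	if (!inflight.pending)
		return;
	inflight.pending = false;
	inflight.complete(inflight.skb);
}

/* The service-connect reply only arrives while the device is still attached. */
static bool wait_for_reply(void) { return device_present; }

/* Buggy shape: frees the buffer again in the timeout path. */
static int connect_service_buggy(void)
{
	struct buf *skb = buf_alloc();
	if (!skb)
		return -ENOMEM;
	skb->data[0] = 0x01;			/* constructed request byte */
	if (hif_send(skb) < 0) {
		buf_free(skb);			/* never submitted: still ours */
		return -EIO;
	}
	hcd_giveback();				/* completion frees skb here */
	if (!wait_for_reply()) {
		buf_free(skb);			/* BUG: already freed by completion */
		return -ETIMEDOUT;
	}
	return 0;
}

/* Hardened shape: after a successful submit the buffer belongs to the transport. */
static int connect_service_fixed(void)
{
	struct buf *skb = buf_alloc();
	if (!skb)
		return -ENOMEM;
	skb->data[0] = 0x01;
	if (hif_send(skb) < 0) {
		buf_free(skb);			/* submit failed: still ours */
		return -EIO;
	}
	skb = NULL;				/* ownership transferred, never touch again */
	hcd_giveback();
	return wait_for_reply() ? 0 : -ETIMEDOUT;
}

/* Runs one connect attempt with the device present or unplugged; returns the
 * number of double frees the tracking slab saw, and stores the connect result. */
static int run_scenario(bool present, int (*connect)(void))
{
	memset(pool, 0, sizeof pool);
	inflight = (struct urb){ 0 };
	double_frees = 0;
	device_present = present;
	last_ret = connect();
	return double_frees;
}

static int connect_result(void) { return last_ret; }

/* Buffers allocated but never released: a leak check for the hardened path. */
static int pool_leaks(void)
{
	int n = 0;
	for (int i = 0; i < POOL_SIZE; i++)
		n += pool[i].used && pool[i].live;
	return n;
}
```

The unplugged scenario is the one the log shows: the URB still completes (the host controller gives it back once the device is gone), so the completion frees the buffer, and the waiter then times out. The buggy variant produces exactly one double free there and none when the device answers, which is why this only surfaced under a disconnect race; the hardened variant frees on the submit-failure path only, and the leak check confirms nothing is left live.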