Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Load/Save RF Kill Switch Status.
[ OK ] Started Update UTMP about System Runlevel Changes.
[ 12.637172][ C1] random: crng init done
[ 12.638195][ C1] random: 7 urandom warning(s) missed due to ratelimiting

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.141' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 23.689168][ T151] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 24.208724][ T151] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 24.217811][ T151] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 24.225863][ T151] usb 1-1: Product: syz
[ 24.230265][ T151] usb 1-1: Manufacturer: syz
[ 24.234870][ T151] usb 1-1: SerialNumber: syz
[ 24.279528][ T151] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 24.888211][ T151] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[ 25.108042][ C0] ==================================================================
[ 25.116218][ C0] BUG: KASAN: use-after-free in ath9k_htc_rx_msg+0xa25/0xaf0
[ 25.123558][ C0] Write of size 2 at addr ffff8881cce6e6a0 by task swapper/0/0
[ 25.131064][ C0]
[ 25.133369][ C0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.7.0-rc6-syzkaller #0
[ 25.141225][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 25.151249][ C0] Call Trace:
[ 25.154516][ C0]
[ 25.157343][ C0] dump_stack+0xef/0x16e
[ 25.161558][ C0] print_address_description.constprop.0.cold+0xd3/0x415
[ 25.168564][ C0] ? vprintk_func+0x7d/0x113
[ 25.173124][ C0] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 25.178120][ C0] __kasan_report.cold+0x37/0x7d
[ 25.183028][ C0] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 25.188039][ C0] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 25.193033][ C0] kasan_report+0x33/0x50
[ 25.197332][ C0] ath9k_htc_rx_msg+0xa25/0xaf0
[ 25.202154][ C0] ath9k_hif_usb_reg_in_cb+0x1c0/0x630
[ 25.207598][ C0] ? _raw_read_unlock+0x1a/0x30
[ 25.212428][ C0] ? led_trigger_blink_oneshot+0xb4/0xe0
[ 25.218066][ C0] __usb_hcd_giveback_urb+0x1f2/0x470
[ 25.223414][ C0] usb_hcd_giveback_urb+0x368/0x420
[ 25.228590][ C0] dummy_timer+0x125e/0x32b4
[ 25.233153][ C0] ? dummy_udc_probe+0x980/0x980
[ 25.238061][ C0] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 25.243580][ C0] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 25.248849][ C0] call_timer_fn+0x1ac/0x700
[ 25.253413][ C0] ? dummy_udc_probe+0x980/0x980
[ 25.258320][ C0] ? timer_fixup_init+0x60/0x60
[ 25.263151][ C0] ? lock_downgrade+0x720/0x720
[ 25.267973][ C0] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 25.273488][ C0] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 25.278763][ C0] ? _raw_spin_unlock_irq+0x1f/0x30
[ 25.283929][ C0] ? dummy_udc_probe+0x980/0x980
[ 25.288849][ C0] run_timer_softirq+0x5f9/0x1500
[ 25.293843][ C0] ? add_timer+0x7a0/0x7a0
[ 25.298229][ C0] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 25.303745][ C0] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 25.309000][ C0] __do_softirq+0x21e/0x9aa
[ 25.313510][ C0] irq_exit+0x178/0x1a0
[ 25.324349][ C0] smp_apic_timer_interrupt+0x141/0x540
[ 25.329868][ C0] apic_timer_interrupt+0xf/0x20
[ 25.334772][ C0]
[ 25.337685][ C0] RIP: 0010:default_idle+0x28/0x300
[ 25.342855][ C0] Code: cc cc 41 56 41 55 65 44 8b 2d 94 3f 6b 7a 41 54 55 53 0f 1f 44 00 00 e8 06 27 af fb e9 07 00 00 00 0f 00 2d 7a e1 4b 00 fb f4 <65> 44 8b 2d 70 3f 6b 7a 0f 1f 44 00 00 5b 5d 41 5c 41 5d 41 5e c3
[ 25.362449][ C0] RSP: 0018:ffffffff87007da0 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
[ 25.370839][ C0] RAX: 0000000000000007 RBX: ffffffff8702f800 RCX: 0000000000000000
[ 25.378783][ C0] RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffffffff8703007c
[ 25.386742][ C0] RBP: fffffbfff0e05f00 R08: ffffffff8702f800 R09: 0000000000000000
[ 25.394691][ C0] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 25.402634][ C0] R13: 0000000000000000 R14: ffffffff87e88e00 R15: 0000000000000000
[ 25.410597][ C0] do_idle+0x3e0/0x500
[ 25.414653][ C0] ? rcu_read_lock_held+0x9c/0xb0
[ 25.419659][ C0] ? arch_cpu_idle_exit+0x40/0x40
[ 25.424653][ C0] ? schedule+0xe1/0x2b0
[ 25.428864][ C0] cpu_startup_entry+0x14/0x20
[ 25.433598][ C0] start_kernel+0x9bb/0x9f8
[ 25.438095][ C0] ? mem_encrypt_init+0x5/0x5
[ 25.442751][ C0] ? x86_family+0x3d/0x50
[ 25.447053][ C0] ? load_ucode_bsp+0x23d/0x27d
[ 25.451879][ C0] secondary_startup_64+0xb6/0xc0
[ 25.456883][ C0]
[ 25.459185][ C0] Allocated by task 361:
[ 25.463402][ C0] save_stack+0x1b/0x40
[ 25.467528][ C0] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 25.473131][ C0] raw_alloc_io_data+0x157/0x1c0
[ 25.478039][ C0] raw_ioctl+0xf13/0x2570
[ 25.482349][ C0] ksys_ioctl+0x11a/0x180
[ 25.486648][ C0] __x64_sys_ioctl+0x6f/0xb0
[ 25.491220][ C0] do_syscall_64+0xb6/0x5a0
[ 25.495696][ C0] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 25.501554][ C0]
[ 25.503854][ C0] Freed by task 361:
[ 25.507719][ C0] save_stack+0x1b/0x40
[ 25.511843][ C0] __kasan_slab_free+0x117/0x160
[ 25.516751][ C0] kfree+0xd5/0x300
[ 25.520570][ C0] raw_ioctl+0x23e/0x2570
[ 25.524870][ C0] ksys_ioctl+0x11a/0x180
[ 25.529176][ C0] __x64_sys_ioctl+0x6f/0xb0
[ 25.533736][ C0] do_syscall_64+0xb6/0x5a0
[ 25.538220][ C0] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 25.544091][ C0]
[ 25.546398][ C0] The buggy address belongs to the object at ffff8881cce6e000
[ 25.546398][ C0] which belongs to the cache kmalloc-2k of size 2048
[ 25.560508][ C0] The buggy address is located 1696 bytes inside of
[ 25.560508][ C0] 2048-byte region [ffff8881cce6e000, ffff8881cce6e800)
[ 25.573970][ C0] The buggy address belongs to the page:
[ 25.579627][ C0] page:ffffea0007339a00 refcount:1 mapcount:0 mapping:000000003ff02707 index:0x0 head:ffffea0007339a00 order:3 compound_mapcount:0 compound_pincount:0
[ 25.594809][ C0] flags: 0x200000000010200(slab|head)
[ 25.600162][ C0] raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da00c000
[ 25.608732][ C0] raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
[ 25.617290][ C0] page dumped because: kasan: bad access detected
[ 25.623779][ C0]
[ 25.626101][ C0] Memory state around the buggy address:
[ 25.632527][ C0] ffff8881cce6e580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.640580][ C0] ffff8881cce6e600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.648620][ C0] >ffff8881cce6e680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.656660][ C0] ^
[ 25.662263][ C0] ffff8881cce6e700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.670305][ C0] ffff8881cce6e780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.678335][ C0] ==================================================================
[ 25.687316][ C0] Disabling lock debugging due to kernel taint
[ 25.693433][ C0] Kernel panic - not syncing: panic_on_warn set ...
[ 25.700011][ C0] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G B 5.7.0-rc6-syzkaller #0
[ 25.709257][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 25.719277][ C0] Call Trace:
[ 25.722580][ C0]
[ 25.725419][ C0] dump_stack+0xef/0x16e
[ 25.729629][ C0] panic+0x2aa/0x6e1
[ 25.733491][ C0] ? add_taint.cold+0x16/0x16
[ 25.738136][ C0] ? trace_hardirqs_off+0x50/0x200
[ 25.743215][ C0] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 25.748216][ C0] end_report+0x4d/0x53
[ 25.752350][ C0] __kasan_report.cold+0x72/0x7d
[ 25.757255][ C0] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 25.762272][ C0] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 25.767272][ C0] kasan_report+0x33/0x50
[ 25.771576][ C0] ath9k_htc_rx_msg+0xa25/0xaf0
[ 25.776397][ C0] ath9k_hif_usb_reg_in_cb+0x1c0/0x630
[ 25.781826][ C0] ? _raw_read_unlock+0x1a/0x30
[ 25.786645][ C0] ? led_trigger_blink_oneshot+0xb4/0xe0
[ 25.792249][ C0] __usb_hcd_giveback_urb+0x1f2/0x470
[ 25.797587][ C0] usb_hcd_giveback_urb+0x368/0x420
[ 25.802765][ C0] dummy_timer+0x125e/0x32b4
[ 25.807323][ C0] ? dummy_udc_probe+0x980/0x980
[ 25.812238][ C0] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 25.817782][ C0] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 25.823050][ C0] call_timer_fn+0x1ac/0x700
[ 25.827622][ C0] ? dummy_udc_probe+0x980/0x980
[ 25.832526][ C0] ? timer_fixup_init+0x60/0x60
[ 25.837343][ C0] ? lock_downgrade+0x720/0x720
[ 25.842172][ C0] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 25.847703][ C0] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 25.852955][ C0] ? _raw_spin_unlock_irq+0x1f/0x30
[ 25.858119][ C0] ? dummy_udc_probe+0x980/0x980
[ 25.863023][ C0] run_timer_softirq+0x5f9/0x1500
[ 25.868027][ C0] ? add_timer+0x7a0/0x7a0
[ 25.872420][ C0] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 25.877940][ C0] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 25.883212][ C0] __do_softirq+0x21e/0x9aa
[ 25.887774][ C0] irq_exit+0x178/0x1a0
[ 25.891899][ C0] smp_apic_timer_interrupt+0x141/0x540
[ 25.897413][ C0] apic_timer_interrupt+0xf/0x20
[ 25.902313][ C0]
[ 25.905222][ C0] RIP: 0010:default_idle+0x28/0x300
[ 25.910389][ C0] Code: cc cc 41 56 41 55 65 44 8b 2d 94 3f 6b 7a 41 54 55 53 0f 1f 44 00 00 e8 06 27 af fb e9 07 00 00 00 0f 00 2d 7a e1 4b 00 fb f4 <65> 44 8b 2d 70 3f 6b 7a 0f 1f 44 00 00 5b 5d 41 5c 41 5d 41 5e c3
[ 25.929970][ C0] RSP: 0018:ffffffff87007da0 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
[ 25.938348][ C0] RAX: 0000000000000007 RBX: ffffffff8702f800 RCX: 0000000000000000
[ 25.946288][ C0] RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffffffff8703007c
[ 25.954239][ C0] RBP: fffffbfff0e05f00 R08: ffffffff8702f800 R09: 0000000000000000
[ 25.962177][ C0] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 25.970115][ C0] R13: 0000000000000000 R14: ffffffff87e88e00 R15: 0000000000000000
[ 25.978061][ C0] do_idle+0x3e0/0x500
[ 25.982110][ C0] ? rcu_read_lock_held+0x9c/0xb0
[ 25.987100][ C0] ? arch_cpu_idle_exit+0x40/0x40
[ 25.992094][ C0] ? schedule+0xe1/0x2b0
[ 25.996302][ C0] cpu_startup_entry+0x14/0x20
[ 26.001033][ C0] start_kernel+0x9bb/0x9f8
[ 26.005503][ C0] ? mem_encrypt_init+0x5/0x5
[ 26.010148][ C0] ? x86_family+0x3d/0x50
[ 26.014530][ C0] ? load_ucode_bsp+0x23d/0x27d
[ 26.019367][ C0] secondary_startup_64+0xb6/0xc0
[ 26.024995][ C0] Kernel Offset: disabled
[ 26.029299][ C0] Rebooting in 86400 seconds..