[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Load/Save RF Kill Switch Status.
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

syzkaller login: [ 16.065170][ C1] random: crng init done
[ 16.069463][ C1] random: 7 urandom warning(s) missed due to ratelimiting
Warning: Permanently added '10.128.1.42' (ECDSA) to the list of known hosts.
executing program
[ 25.676936][ T21] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 26.206309][ T21] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 26.215435][ T21] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 26.223615][ T21] usb 1-1: Product: syz
[ 26.227834][ T21] usb 1-1: Manufacturer: syz
[ 26.232407][ T21] usb 1-1: SerialNumber: syz
[ 26.277076][ T21] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 26.916008][ T21] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
executing program
[ 27.317201][ T95] usb 1-1: USB disconnect, device number 2
[ 28.204541][ T21] usb 1-1: Service connection timeout for: 256
[ 28.210842][ T21] ==================================================================
[ 28.219020][ T21] BUG: KASAN: use-after-free in kfree_skb+0x32/0x3d0
[ 28.225671][ T21] Read of size 4 at addr ffff8881c5c455d4 by task kworker/1:1/21
[ 28.233393][ T21]
[ 28.235704][ T21] CPU: 1 PID: 21 Comm: kworker/1:1 Not tainted 5.7.0-rc6-syzkaller #0
[ 28.243827][ T21] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.253873][ T21] Workqueue: events request_firmware_work_func
[ 28.260010][ T21] Call Trace:
[ 28.263288][ T21] dump_stack+0xef/0x16e
[ 28.267510][ T21] print_address_description.constprop.0.cold+0xd3/0x415
[ 28.274507][ T21] ? vprintk_func+0x7d/0x113
[ 28.279077][ T21] ? kfree_skb+0x32/0x3d0
[ 28.283400][ T21] __kasan_report.cold+0x37/0x7d
[ 28.288312][ T21] ? kfree_skb+0x32/0x3d0
[ 28.292628][ T21] ? kfree_skb+0x32/0x3d0
[ 28.296942][ T21] kasan_report+0x33/0x50
[ 28.301263][ T21] check_memory_region+0x173/0x1d0
[ 28.306359][ T21] kfree_skb+0x32/0x3d0
[ 28.310491][ T21] htc_connect_service.cold+0xa9/0x109
[ 28.315927][ T21] ath9k_wmi_connect+0xd2/0x1a0
[ 28.320751][ T21] ? ath9k_fatal_work+0x20/0x20
[ 28.325590][ T21] ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 28.331631][ T21] ? ath9k_wmi_event_tasklet+0x440/0x440
[ 28.337239][ T21] ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 28.343629][ T21] ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 28.348900][ T21] ? lockdep_init_map_waits+0x26a/0x7c0
[ 28.354423][ T21] ? __raw_spin_lock_init+0x34/0x100
[ 28.359690][ T21] ? tasklet_init+0x69/0x110
[ 28.364275][ T21] ath9k_htc_probe_device+0x25a/0x1da0
[ 28.369711][ T21] ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 28.376360][ T21] ? usb_submit_urb+0x6ed/0x1460
[ 28.381283][ T21] ? usb_free_urb.part.0+0x52/0x110
[ 28.386455][ T21] ? usb_free_urb+0x1b/0x30
[ 28.390949][ T21] ath9k_htc_hw_init+0x31/0x60
[ 28.395709][ T21] ath9k_hif_usb_firmware_cb+0x274/0x510
[ 28.401326][ T21] ? ath9k_hif_usb_resume+0x320/0x320
[ 28.406677][ T21] request_firmware_work_func+0x126/0x242
[ 28.412385][ T21] ? request_firmware_into_buf+0x90/0x90
[ 28.418006][ T21] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 28.423793][ T21] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 28.429053][ T21] ? _raw_spin_unlock_irq+0x1f/0x30
[ 28.434226][ T21] process_one_work+0x965/0x1630
[ 28.439152][ T21] ? lock_release+0x720/0x720
[ 28.443800][ T21] ? pwq_dec_nr_in_flight+0x310/0x310
[ 28.449158][ T21] ? rwlock_bug.part.0+0x90/0x90
[ 28.454068][ T21] worker_thread+0x96/0xe20
[ 28.458559][ T21] ? process_one_work+0x1630/0x1630
[ 28.463735][ T21] kthread+0x326/0x430
[ 28.467795][ T21] ? kthread_create_on_node+0xf0/0xf0
[ 28.473141][ T21] ret_from_fork+0x24/0x30
[ 28.477527][ T21]
[ 28.479830][ T21] Allocated by task 21:
[ 28.483962][ T21] save_stack+0x1b/0x40
[ 28.488091][ T21] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 28.493699][ T21] kmem_cache_alloc_node+0xdc/0x330
[ 28.498871][ T21] __alloc_skb+0xba/0x5a0
[ 28.503176][ T21] htc_connect_service+0x2cc/0x840
[ 28.508261][ T21] ath9k_wmi_connect+0xd2/0x1a0
[ 28.513096][ T21] ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 28.519486][ T21] ath9k_htc_probe_device+0x25a/0x1da0
[ 28.524921][ T21] ath9k_htc_hw_init+0x31/0x60
[ 28.529658][ T21] ath9k_hif_usb_firmware_cb+0x274/0x510
[ 28.535265][ T21] request_firmware_work_func+0x126/0x242
[ 28.540967][ T21] process_one_work+0x965/0x1630
[ 28.545881][ T21] worker_thread+0x96/0xe20
[ 28.550357][ T21] kthread+0x326/0x430
[ 28.554401][ T21] ret_from_fork+0x24/0x30
[ 28.558783][ T21]
[ 28.561084][ T21] Freed by task 0:
[ 28.564790][ T21] save_stack+0x1b/0x40
[ 28.568932][ T21] __kasan_slab_free+0x117/0x160
[ 28.573863][ T21] kmem_cache_free+0x9b/0x360
[ 28.578531][ T21] kfree_skbmem+0xef/0x1b0
[ 28.583019][ T21] kfree_skb+0x102/0x3d0
[ 28.587251][ T21] ath9k_htc_txcompletion_cb+0x1f8/0x2b0
[ 28.592864][ T21] hif_usb_regout_cb+0x115/0x1c0
[ 28.597786][ T21] __usb_hcd_giveback_urb+0x29a/0x550
[ 28.603129][ T21] usb_hcd_giveback_urb+0x368/0x420
[ 28.608302][ T21] dummy_timer+0x125e/0x32b4
[ 28.612865][ T21] call_timer_fn+0x1ac/0x700
[ 28.617429][ T21] run_timer_softirq+0x5f9/0x1500
[ 28.622454][ T21] __do_softirq+0x21e/0x9aa
[ 28.627021][ T21]
[ 28.629337][ T21] The buggy address belongs to the object at ffff8881c5c45500
[ 28.629337][ T21] which belongs to the cache skbuff_head_cache of size 224
[ 28.643885][ T21] The buggy address is located 212 bytes inside of
[ 28.643885][ T21] 224-byte region [ffff8881c5c45500, ffff8881c5c455e0)
[ 28.657134][ T21] The buggy address belongs to the page:
[ 28.662757][ T21] page:ffffea0007171140 refcount:1 mapcount:0 mapping:00000000a17ba317 index:0x0
[ 28.671842][ T21] flags: 0x200000000000200(slab)
[ 28.676762][ T21] raw: 0200000000000200 dead000000000100 dead000000000122 ffff8881da175400
[ 28.685322][ T21] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 28.693931][ T21] page dumped because: kasan: bad access detected
[ 28.700407][ T21]
[ 28.702755][ T21] Memory state around the buggy address:
[ 28.708377][ T21] ffff8881c5c45480: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 28.716426][ T21] ffff8881c5c45500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.724471][ T21] >ffff8881c5c45580: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 28.732512][ T21] ^
[ 28.739159][ T21] ffff8881c5c45600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 28.747281][ T21] ffff8881c5c45680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.755327][ T21] ==================================================================
[ 28.763360][ T21] Disabling lock debugging due to kernel taint
[ 28.769607][ T21] Kernel panic - not syncing: panic_on_warn set ...
[ 28.776194][ T21] CPU: 1 PID: 21 Comm: kworker/1:1 Tainted: G B 5.7.0-rc6-syzkaller #0
[ 28.785724][ T21] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.795785][ T21] Workqueue: events request_firmware_work_func
[ 28.801931][ T21] Call Trace:
[ 28.805206][ T21] dump_stack+0xef/0x16e
[ 28.809424][ T21] panic+0x2aa/0x6e1
[ 28.813292][ T21] ? add_taint.cold+0x16/0x16
[ 28.817944][ T21] ? retint_kernel+0x10/0x10
[ 28.822505][ T21] ? kfree_skb+0x32/0x3d0
[ 28.826805][ T21] ? trace_hardirqs_on+0x55/0x200
[ 28.831801][ T21] ? kfree_skb+0x32/0x3d0
[ 28.836115][ T21] end_report+0x4d/0x53
[ 28.840258][ T21] __kasan_report.cold+0x72/0x7d
[ 28.845167][ T21] ? kfree_skb+0x32/0x3d0
[ 28.849481][ T21] ? kfree_skb+0x32/0x3d0
[ 28.853794][ T21] kasan_report+0x33/0x50
[ 28.858100][ T21] check_memory_region+0x173/0x1d0
[ 28.863181][ T21] kfree_skb+0x32/0x3d0
[ 28.867312][ T21] htc_connect_service.cold+0xa9/0x109
[ 28.872744][ T21] ath9k_wmi_connect+0xd2/0x1a0
[ 28.877567][ T21] ? ath9k_fatal_work+0x20/0x20
[ 28.882399][ T21] ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 28.888439][ T21] ? ath9k_wmi_event_tasklet+0x440/0x440
[ 28.894060][ T21] ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 28.900457][ T21] ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 28.905769][ T21] ? lockdep_init_map_waits+0x26a/0x7c0
[ 28.911308][ T21] ? __raw_spin_lock_init+0x34/0x100
[ 28.916583][ T21] ? tasklet_init+0x69/0x110
[ 28.921155][ T21] ath9k_htc_probe_device+0x25a/0x1da0
[ 28.926684][ T21] ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 28.933344][ T21] ? usb_submit_urb+0x6ed/0x1460
[ 28.938254][ T21] ? usb_free_urb.part.0+0x52/0x110
[ 28.943433][ T21] ? usb_free_urb+0x1b/0x30
[ 28.947910][ T21] ath9k_htc_hw_init+0x31/0x60
[ 28.952725][ T21] ath9k_hif_usb_firmware_cb+0x274/0x510
[ 28.958853][ T21] ? ath9k_hif_usb_resume+0x320/0x320
[ 28.964207][ T21] request_firmware_work_func+0x126/0x242
[ 28.969908][ T21] ? request_firmware_into_buf+0x90/0x90
[ 28.975520][ T21] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 28.981041][ T21] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 28.986312][ T21] ? _raw_spin_unlock_irq+0x1f/0x30
[ 28.991496][ T21] process_one_work+0x965/0x1630
[ 28.996409][ T21] ? lock_release+0x720/0x720
[ 29.001069][ T21] ? pwq_dec_nr_in_flight+0x310/0x310
[ 29.006427][ T21] ? rwlock_bug.part.0+0x90/0x90
[ 29.011347][ T21] worker_thread+0x96/0xe20
[ 29.015830][ T21] ? process_one_work+0x1630/0x1630
[ 29.020998][ T21] kthread+0x326/0x430
[ 29.025054][ T21] ? kthread_create_on_node+0xf0/0xf0
[ 29.030398][ T21] ret_from_fork+0x24/0x30
[ 29.035457][ T21] Kernel Offset: disabled
[ 29.039764][ T21] Rebooting in 86400 seconds..