forked to background, child pid 3174
no interfaces have a carrier
[   25.685848][ T3175] 8021q: adding VLAN 0 to HW filter on device bond0
[   25.697451][ T3175] eql: remember to turn off Van-Jacobson compression on your slave devices
Starting sshd: OK

syzkaller
Warning: Permanently added '10.128.1.61' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   59.008912][  T140] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[   59.529038][  T140] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[   59.538214][  T140] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[   59.546277][  T140] usb 1-1: Product: syz
[   59.550480][  T140] usb 1-1: Manufacturer: syz
[   59.555058][  T140] usb 1-1: SerialNumber: syz
[   59.601224][  T140] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[   60.178982][  T140] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[   61.228934][  T140] ath9k_htc 1-1:1.0: ath9k_htc: Target is unresponsive
[   61.236063][  T140] ath9k_htc: Failed to initialize the device
[   61.349033][    C1] ==================================================================
[   61.357107][    C1] BUG: KASAN: use-after-free in ath9k_hif_usb_rx_cb+0xa65/0x1130
[   61.364829][    C1] Read of size 4 at addr ffff88807690c348 by task swapper/1/0
[   61.372263][    C1] 
[   61.374564][    C1] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.18.0-rc4-syzkaller-00050-g46cf2c613f4b #0
[   61.384251][    C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   61.394283][    C1] Call Trace:
[   61.397544][    C1]  <IRQ>
[   61.400370][    C1]  dump_stack_lvl+0x1e3/0x2cb
[   61.405033][    C1]  ? bfq_pos_tree_add_move+0x436/0x436
[   61.410468][    C1]  ? _printk+0xcf/0x10f
[   61.414595][    C1]  ? wake_up_klogd+0xb2/0xf0
[   61.419161][    C1]  ? panic+0x76e/0x76e
[   61.423202][    C1]  ? _printk+0xcf/0x10f
[   61.427333][    C1]  print_address_description+0x65/0x4b0
[   61.432853][    C1]  print_report+0xf4/0x210
[   61.437242][    C1]  ? __netdev_alloc_skb+0x103/0x4d0
[   61.442413][    C1]  ? ath9k_hif_usb_rx_cb+0xa65/0x1130
[   61.447758][    C1]  kasan_report+0xfb/0x130
[   61.452146][    C1]  ? ath9k_hif_usb_rx_cb+0xa65/0x1130
[   61.457492][    C1]  ath9k_hif_usb_rx_cb+0xa65/0x1130
[   61.462663][    C1]  ? ath9k_hif_usb_alloc_urbs+0xe90/0xe90
[   61.468355][    C1]  __usb_hcd_giveback_urb+0x369/0x530
[   61.473712][    C1]  dummy_timer+0x86b/0x3110
[   61.478197][    C1]  ? dummy_free_streams+0x320/0x320
[   61.483367][    C1]  ? dummy_free_streams+0x320/0x320
[   61.488535][    C1]  call_timer_fn+0xf5/0x210
[   61.493013][    C1]  ? dummy_free_streams+0x320/0x320
[   61.498186][    C1]  ? dummy_free_streams+0x320/0x320
[   61.503357][    C1]  ? __run_timers+0x980/0x980
[   61.508007][    C1]  ? do_raw_spin_unlock+0x134/0x8a0
[   61.513182][    C1]  ? dummy_free_streams+0x320/0x320
[   61.518352][    C1]  ? _raw_spin_unlock_irq+0x1f/0x40
[   61.523524][    C1]  ? lockdep_hardirqs_on+0x95/0x140
[   61.528693][    C1]  ? dummy_free_streams+0x320/0x320
[   61.533870][    C1]  __run_timers+0x76a/0x980
[   61.538371][    C1]  ? trace_timer_cancel+0x210/0x210
[   61.543550][    C1]  run_timer_softirq+0x63/0xf0
[   61.548312][    C1]  __do_softirq+0x382/0x793
[   61.552810][    C1]  ? __irq_exit_rcu+0xec/0x170
[   61.557558][    C1]  ? __entry_text_end+0x1fecc5/0x1fecc5
[   61.563089][    C1]  __irq_exit_rcu+0xec/0x170
[   61.567657][    C1]  ? irq_exit_rcu+0x20/0x20
[   61.572138][    C1]  irq_exit_rcu+0x5/0x20
[   61.576359][    C1]  sysvec_apic_timer_interrupt+0x91/0xb0
[   61.581974][    C1]  </IRQ>
[   61.584883][    C1]  <TASK>
[   61.587799][    C1]  asm_sysvec_apic_timer_interrupt+0x12/0x20
[   61.593760][    C1] RIP: 0010:acpi_idle_enter+0x42d/0x790
[   61.599288][    C1] Code: fc 48 83 e3 08 44 8b 7c 24 04 0f 85 22 01 00 00 4c 8d 74 24 40 e8 13 00 01 fd eb 0c e8 2c 5c fa fc 0f 00 2d 95 a3 68 06 fb f4 <4c> 89 f3 48 c1 eb 03 42 80 3c 23 00 74 08 4c 89 f7 e8 ed 42 4b fd
[   61.618870][    C1] RSP: 0018:ffffc90000177c00 EFLAGS: 00000286
[   61.624931][    C1] RAX: 95c366dec0b65d00 RBX: 0000000000000000 RCX: ffffffff90b7a603
[   61.632880][    C1] RDX: dffffc0000000000 RSI: ffffffff8a8d0480 RDI: ffffffff8ae88b60
[   61.640832][    C1] RBP: ffffc90000177cb0 R08: ffffffff818ca300 R09: ffffed1027fd73b1
[   61.648781][    C1] R10: ffffed1027fd73b1 R11: 1ffff11027fd73b0 R12: dffffc0000000000
[   61.656744][    C1] R13: ffff8880173c1064 R14: ffffc90000177c40 R15: 0000000000000001
[   61.664694][    C1]  ? trace_hardirqs_on+0x30/0x80
[   61.669619][    C1]  ? acpi_idle_lpi_enter+0xe0/0xe0
[   61.674713][    C1]  ? kvm_sched_clock_read+0x14/0x40
[   61.679902][    C1]  cpuidle_enter_state+0x517/0xed0
[   61.685083][    C1]  ? _raw_spin_unlock+0x40/0x40
[   61.689912][    C1]  ? cpuidle_enter_s2idle+0x6b0/0x6b0
[   61.695259][    C1]  cpuidle_enter+0x59/0x90
[   61.699663][    C1]  do_idle+0x3d2/0x640
[   61.703721][    C1]  ? idle_inject_timer_fn+0x60/0x60
[   61.708910][    C1]  ? _raw_spin_unlock_irqrestore+0xd9/0x130
[   61.714786][    C1]  ? complete+0xb9/0x1c0
[   61.719017][    C1]  cpu_startup_entry+0x15/0x20
[   61.723759][    C1]  secondary_startup_64_no_verify+0xc4/0xcb
[   61.729641][    C1]  </TASK>
[   61.732640][    C1] 
[   61.734943][    C1] The buggy address belongs to the physical page:
[   61.741326][    C1] page:ffffea0001da4300 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x7690c
[   61.751449][    C1] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[   61.758542][    C1] raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000
[   61.767116][    C1] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[   61.775678][    C1] page dumped because: kasan: bad access detected
[   61.782072][    C1] page_owner tracks the page as freed
[   61.787420][    C1] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x40dc0(GFP_KERNEL|__GFP_COMP|__GFP_ZERO), pid 140, tgid 140 (kworker/1:2), ts 60190112626, free_ts 61236036271
[   61.805045][    C1]  get_page_from_freelist+0x72e/0x7a0
[   61.810414][    C1]  __alloc_pages+0x26c/0x5f0
[   61.814995][    C1]  kmalloc_order+0x41/0x150
[   61.819499][    C1]  kmalloc_order_trace+0x15/0x70
[   61.824430][    C1]  __kmalloc+0x26b/0x370
[   61.828668][    C1]  wiphy_new_nm+0x617/0x18f0
[   61.833244][    C1]  ieee80211_alloc_hw_nm+0x338/0x1e60
[   61.838600][    C1]  ath9k_htc_probe_device+0xaa/0x2090
[   61.843953][    C1]  ath9k_htc_hw_init+0x30/0x70
[   61.848699][    C1]  ath9k_hif_usb_firmware_cb+0x250/0x4e0
[   61.854312][    C1]  request_firmware_work_func+0x198/0x270
[   61.860012][    C1]  process_one_work+0x81c/0xd10
[   61.864842][    C1]  worker_thread+0xb14/0x1330
[   61.869496][    C1]  kthread+0x266/0x300
[   61.873541][    C1]  ret_from_fork+0x1f/0x30
[   61.877939][    C1] page last free stack trace:
[   61.882586][    C1]  free_pcp_prepare+0x812/0x900
[   61.887416][    C1]  free_unref_page+0x7d/0x390
[   61.892082][    C1]  free_large_kmalloc+0xeb/0x1a0
[   61.897001][    C1]  kfree+0x188/0x210
[   61.900875][    C1]  device_release+0x98/0x1c0
[   61.905445][    C1]  kobject_cleanup+0x235/0x470
[   61.910195][    C1]  ath9k_htc_probe_device+0xfe8/0x2090
[   61.915642][    C1]  ath9k_htc_hw_init+0x30/0x70
[   61.920387][    C1]  ath9k_hif_usb_firmware_cb+0x250/0x4e0
[   61.925998][    C1]  request_firmware_work_func+0x198/0x270
[   61.931696][    C1]  process_one_work+0x81c/0xd10
[   61.936525][    C1]  worker_thread+0xb14/0x1330
[   61.941179][    C1]  kthread+0x266/0x300
[   61.945223][    C1]  ret_from_fork+0x1f/0x30
[   61.949621][    C1] 
[   61.951924][    C1] Memory state around the buggy address:
[   61.957538][    C1]  ffff88807690c200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   61.965585][    C1]  ffff88807690c280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   61.973635][    C1] >ffff88807690c300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   61.981680][    C1]                                               ^
[   61.988084][    C1]  ffff88807690c380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   61.996127][    C1]  ffff88807690c400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   62.004167][    C1] ==================================================================
[   62.012207][    C1] Kernel panic - not syncing: panic_on_warn set ...
[   62.018961][    C1] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.18.0-rc4-syzkaller-00050-g46cf2c613f4b #0
[   62.028656][    C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   62.038689][    C1] Call Trace:
[   62.041951][    C1]  <IRQ>
[   62.044777][    C1]  dump_stack_lvl+0x1e3/0x2cb
[   62.049444][    C1]  ? bfq_pos_tree_add_move+0x436/0x436
[   62.054881][    C1]  ? panic+0x76e/0x76e
[   62.058930][    C1]  ? irq_work_queue+0xbb/0x120
[   62.063679][    C1]  ? vscnprintf+0x59/0x80
[   62.068008][    C1]  panic+0x312/0x76e
[   62.071884][    C1]  ? fb_is_primary_device+0xcc/0xcc
[   62.077060][    C1]  ? _raw_spin_unlock_irqrestore+0xd9/0x130
[   62.082937][    C1]  ? ath9k_hif_usb_rx_cb+0xa65/0x1130
[   62.088292][    C1]  end_report+0x91/0xa0
[   62.092424][    C1]  kasan_report+0x108/0x130
[   62.096907][    C1]  ? ath9k_hif_usb_rx_cb+0xa65/0x1130
[   62.102261][    C1]  ath9k_hif_usb_rx_cb+0xa65/0x1130
[   62.107449][    C1]  ? ath9k_hif_usb_alloc_urbs+0xe90/0xe90
[   62.113154][    C1]  __usb_hcd_giveback_urb+0x369/0x530
[   62.118512][    C1]  dummy_timer+0x86b/0x3110
[   62.123013][    C1]  ? dummy_free_streams+0x320/0x320
[   62.128194][    C1]  ? dummy_free_streams+0x320/0x320
[   62.133372][    C1]  call_timer_fn+0xf5/0x210
[   62.137853][    C1]  ? dummy_free_streams+0x320/0x320
[   62.143037][    C1]  ? dummy_free_streams+0x320/0x320
[   62.148734][    C1]  ? __run_timers+0x980/0x980
[   62.153394][    C1]  ? do_raw_spin_unlock+0x134/0x8a0
[   62.158662][    C1]  ? dummy_free_streams+0x320/0x320
[   62.163838][    C1]  ? _raw_spin_unlock_irq+0x1f/0x40
[   62.169015][    C1]  ? lockdep_hardirqs_on+0x95/0x140
[   62.174192][    C1]  ? dummy_free_streams+0x320/0x320
[   62.179368][    C1]  __run_timers+0x76a/0x980
[   62.183854][    C1]  ? trace_timer_cancel+0x210/0x210
[   62.189035][    C1]  run_timer_softirq+0x63/0xf0
[   62.193778][    C1]  __do_softirq+0x382/0x793
[   62.198269][    C1]  ? __irq_exit_rcu+0xec/0x170
[   62.203022][    C1]  ? __entry_text_end+0x1fecc5/0x1fecc5
[   62.208552][    C1]  __irq_exit_rcu+0xec/0x170
[   62.213120][    C1]  ? irq_exit_rcu+0x20/0x20
[   62.217604][    C1]  irq_exit_rcu+0x5/0x20
[   62.221823][    C1]  sysvec_apic_timer_interrupt+0x91/0xb0
[   62.227433][    C1]  </IRQ>
[   62.230346][    C1]  <TASK>
[   62.233256][    C1]  asm_sysvec_apic_timer_interrupt+0x12/0x20
[   62.239217][    C1] RIP: 0010:acpi_idle_enter+0x42d/0x790
[   62.244741][    C1] Code: fc 48 83 e3 08 44 8b 7c 24 04 0f 85 22 01 00 00 4c 8d 74 24 40 e8 13 00 01 fd eb 0c e8 2c 5c fa fc 0f 00 2d 95 a3 68 06 fb f4 <4c> 89 f3 48 c1 eb 03 42 80 3c 23 00 74 08 4c 89 f7 e8 ed 42 4b fd
[   62.264327][    C1] RSP: 0018:ffffc90000177c00 EFLAGS: 00000286
[   62.270374][    C1] RAX: 95c366dec0b65d00 RBX: 0000000000000000 RCX: ffffffff90b7a603
[   62.278329][    C1] RDX: dffffc0000000000 RSI: ffffffff8a8d0480 RDI: ffffffff8ae88b60
[   62.286281][    C1] RBP: ffffc90000177cb0 R08: ffffffff818ca300 R09: ffffed1027fd73b1
[   62.294235][    C1] R10: ffffed1027fd73b1 R11: 1ffff11027fd73b0 R12: dffffc0000000000
[   62.302185][    C1] R13: ffff8880173c1064 R14: ffffc90000177c40 R15: 0000000000000001
[   62.310139][    C1]  ? trace_hardirqs_on+0x30/0x80
[   62.315061][    C1]  ? acpi_idle_lpi_enter+0xe0/0xe0
[   62.320150][    C1]  ? kvm_sched_clock_read+0x14/0x40
[   62.325332][    C1]  cpuidle_enter_state+0x517/0xed0
[   62.330424][    C1]  ? _raw_spin_unlock+0x40/0x40
[   62.335251][    C1]  ? cpuidle_enter_s2idle+0x6b0/0x6b0
[   62.340606][    C1]  cpuidle_enter+0x59/0x90
[   62.345006][    C1]  do_idle+0x3d2/0x640
[   62.349067][    C1]  ? idle_inject_timer_fn+0x60/0x60
[   62.354245][    C1]  ? _raw_spin_unlock_irqrestore+0xd9/0x130
[   62.360120][    C1]  ? complete+0xb9/0x1c0
[   62.364340][    C1]  cpu_startup_entry+0x15/0x20
[   62.369102][    C1]  secondary_startup_64_no_verify+0xc4/0xcb
[   62.374982][    C1]  </TASK>
[   62.378152][    C1] Kernel Offset: disabled
[   62.382460][    C1] Rebooting in 86400 seconds..