syzkaller login: [ 19.225227][ C0] random: crng init done
[ 19.230061][ C0] random: 7 urandom warning(s) missed due to ratelimiting
Warning: Permanently added '10.128.0.172' (ECDSA) to the list of known hosts.
executing program
[ 19.668069][ T94] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 20.187570][ T94] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 20.196690][ T94] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 20.204769][ T94] usb 1-1: Product: syz
[ 20.209082][ T94] usb 1-1: Manufacturer: syz
[ 20.213655][ T94] usb 1-1: SerialNumber: syz
[ 20.258390][ T94] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 20.836866][ T94] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
executing program
[ 21.238655][ T12] usb 1-1: USB disconnect, device number 2
[ 22.095629][ T94] usb 1-1: Service connection timeout for: 256
[ 22.102047][ T94] ==================================================================
[ 22.110162][ T94] BUG: KASAN: use-after-free in kfree_skb+0x32/0x3d0
[ 22.116824][ T94] Read of size 4 at addr ffff8881c62c8d54 by task kworker/0:2/94
[ 22.124879][ T94]
[ 22.127198][ T94] CPU: 0 PID: 94 Comm: kworker/0:2 Not tainted 5.7.0-rc6-syzkaller #0
[ 22.135491][ T94] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 22.145614][ T94] Workqueue: events request_firmware_work_func
[ 22.151750][ T94] Call Trace:
[ 22.155116][ T94]  dump_stack+0xef/0x16e
[ 22.159336][ T94]  print_address_description.constprop.0.cold+0xd3/0x415
[ 22.166528][ T94]  ? vprintk_func+0x7d/0x113
[ 22.172059][ T94]  ? kfree_skb+0x32/0x3d0
[ 22.176372][ T94]  __kasan_report.cold+0x37/0x7d
[ 22.181371][ T94]  ? kfree_skb+0x32/0x3d0
[ 22.185673][ T94]  ? kfree_skb+0x32/0x3d0
[ 22.189977][ T94]  kasan_report+0x33/0x50
[ 22.194281][ T94]  check_memory_region+0x173/0x1d0
[ 22.199373][ T94]  kfree_skb+0x32/0x3d0
[ 22.203505][ T94]  htc_connect_service.cold+0xa9/0x109
[ 22.208934][ T94]  ath9k_wmi_connect+0xd2/0x1a0
[ 22.213760][ T94]  ? ath9k_fatal_work+0x20/0x20
[ 22.218595][ T94]  ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 22.224635][ T94]  ? ath9k_wmi_event_tasklet+0x440/0x440
[ 22.230263][ T94]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 22.236672][ T94]  ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 22.241969][ T94]  ? lockdep_init_map_waits+0x26a/0x7c0
[ 22.247512][ T94]  ? __raw_spin_lock_init+0x34/0x100
[ 22.252965][ T94]  ? tasklet_init+0x69/0x110
[ 22.257542][ T94]  ath9k_htc_probe_device+0x25a/0x1da0
[ 22.263000][ T94]  ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 22.269673][ T94]  ? usb_submit_urb+0x6ed/0x1460
[ 22.274588][ T94]  ? usb_free_urb.part.0+0x52/0x110
[ 22.279760][ T94]  ? usb_free_urb+0x1b/0x30
[ 22.284259][ T94]  ath9k_htc_hw_init+0x31/0x60
[ 22.289011][ T94]  ath9k_hif_usb_firmware_cb+0x274/0x510
[ 22.295054][ T94]  ? ath9k_hif_usb_resume+0x320/0x320
[ 22.300781][ T94]  request_firmware_work_func+0x126/0x242
[ 22.306503][ T94]  ? request_firmware_into_buf+0x90/0x90
[ 22.312114][ T94]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 22.317650][ T94]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 22.322914][ T94]  ? _raw_spin_unlock_irq+0x1f/0x30
[ 22.328100][ T94]  process_one_work+0x965/0x1630
[ 22.333099][ T94]  ? lock_release+0x720/0x720
[ 22.337780][ T94]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 22.343142][ T94]  ? rwlock_bug.part.0+0x90/0x90
[ 22.349106][ T94]  worker_thread+0x96/0xe20
[ 22.353587][ T94]  ? process_one_work+0x1630/0x1630
[ 22.358765][ T94]  kthread+0x326/0x430
[ 22.362811][ T94]  ? kthread_create_on_node+0xf0/0xf0
[ 22.368157][ T94]  ret_from_fork+0x24/0x30
[ 22.372542][ T94]
[ 22.374856][ T94] Allocated by task 94:
[ 22.378992][ T94]  save_stack+0x1b/0x40
[ 22.383121][ T94]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 22.389160][ T94]  kmem_cache_alloc_node+0xdc/0x330
[ 22.394348][ T94]  __alloc_skb+0xba/0x5a0
[ 22.398666][ T94]  htc_connect_service+0x2cc/0x840
[ 22.403772][ T94]  ath9k_wmi_connect+0xd2/0x1a0
[ 22.408626][ T94]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 22.415016][ T94]  ath9k_htc_probe_device+0x25a/0x1da0
[ 22.420482][ T94]  ath9k_htc_hw_init+0x31/0x60
[ 22.425234][ T94]  ath9k_hif_usb_firmware_cb+0x274/0x510
[ 22.430849][ T94]  request_firmware_work_func+0x126/0x242
[ 22.436540][ T94]  process_one_work+0x965/0x1630
[ 22.441450][ T94]  worker_thread+0x96/0xe20
[ 22.445931][ T94]  kthread+0x326/0x430
[ 22.449973][ T94]  ret_from_fork+0x24/0x30
[ 22.454367][ T94]
[ 22.456678][ T94] Freed by task 12:
[ 22.460495][ T94]  save_stack+0x1b/0x40
[ 22.464659][ T94]  __kasan_slab_free+0x117/0x160
[ 22.469657][ T94]  kmem_cache_free+0x9b/0x360
[ 22.474312][ T94]  kfree_skbmem+0xef/0x1b0
[ 22.478699][ T94]  kfree_skb+0x102/0x3d0
[ 22.482929][ T94]  ath9k_htc_txcompletion_cb+0x1f8/0x2b0
[ 22.488544][ T94]  hif_usb_regout_cb+0x115/0x1c0
[ 22.493721][ T94]  __usb_hcd_giveback_urb+0x29a/0x550
[ 22.499074][ T94]  usb_hcd_giveback_urb+0x368/0x420
[ 22.504246][ T94]  dummy_timer+0x125e/0x32b4
[ 22.508808][ T94]  call_timer_fn+0x1ac/0x700
[ 22.513370][ T94]  run_timer_softirq+0x5f9/0x1500
[ 22.518367][ T94]  __do_softirq+0x21e/0x9aa
[ 22.522848][ T94]
[ 22.525152][ T94] The buggy address belongs to the object at ffff8881c62c8c80
[ 22.525152][ T94]  which belongs to the cache skbuff_head_cache of size 224
[ 22.539696][ T94] The buggy address is located 212 bytes inside of
[ 22.539696][ T94]  224-byte region [ffff8881c62c8c80, ffff8881c62c8d60)
[ 22.552946][ T94] The buggy address belongs to the page:
[ 22.558578][ T94] page:ffffea000718b200 refcount:1 mapcount:0 mapping:0000000040269b31 index:0x0
[ 22.567670][ T94] flags: 0x200000000000200(slab)
[ 22.572603][ T94] raw: 0200000000000200 ffffea00074049c0 0000000200000002 ffff8881da175400
[ 22.581159][ T94] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 22.589713][ T94] page dumped because: kasan: bad access detected
[ 22.596104][ T94]
[ 22.598425][ T94] Memory state around the buggy address:
[ 22.604042][ T94]  ffff8881c62c8c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 22.612089][ T94]  ffff8881c62c8c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 22.620128][ T94] >ffff8881c62c8d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 22.628174][ T94]                                                  ^
[ 22.634868][ T94]  ffff8881c62c8d80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 22.643267][ T94]  ffff8881c62c8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 22.651297][ T94] ==================================================================
[ 22.659336][ T94] Disabling lock debugging due to kernel taint
[ 22.665584][ T94] Kernel panic - not syncing: panic_on_warn set ...
[ 22.672171][ T94] CPU: 0 PID: 94 Comm: kworker/0:2 Tainted: G B 5.7.0-rc6-syzkaller #0
[ 22.681700][ T94] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 22.691792][ T94] Workqueue: events request_firmware_work_func
[ 22.697931][ T94] Call Trace:
[ 22.701219][ T94]  dump_stack+0xef/0x16e
[ 22.705436][ T94]  panic+0x2aa/0x6e1
[ 22.709314][ T94]  ? add_taint.cold+0x16/0x16
[ 22.713976][ T94]  ? retint_kernel+0x10/0x10
[ 22.718556][ T94]  ? kfree_skb+0x32/0x3d0
[ 22.722872][ T94]  ? trace_hardirqs_on+0x55/0x200
[ 22.727888][ T94]  ? kfree_skb+0x32/0x3d0
[ 22.732212][ T94]  end_report+0x4d/0x53
[ 22.736370][ T94]  __kasan_report.cold+0x72/0x7d
[ 22.741280][ T94]  ? kfree_skb+0x32/0x3d0
[ 22.745594][ T94]  ? kfree_skb+0x32/0x3d0
[ 22.749896][ T94]  kasan_report+0x33/0x50
[ 22.754213][ T94]  check_memory_region+0x173/0x1d0
[ 22.759299][ T94]  kfree_skb+0x32/0x3d0
[ 22.763630][ T94]  htc_connect_service.cold+0xa9/0x109
[ 22.769076][ T94]  ath9k_wmi_connect+0xd2/0x1a0
[ 22.773921][ T94]  ? ath9k_fatal_work+0x20/0x20
[ 22.778867][ T94]  ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 22.784918][ T94]  ? ath9k_wmi_event_tasklet+0x440/0x440
[ 22.790538][ T94]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 22.796942][ T94]  ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 22.802250][ T94]  ? lockdep_init_map_waits+0x26a/0x7c0
[ 22.807780][ T94]  ? __raw_spin_lock_init+0x34/0x100
[ 22.813039][ T94]  ? tasklet_init+0x69/0x110
[ 22.817606][ T94]  ath9k_htc_probe_device+0x25a/0x1da0
[ 22.823042][ T94]  ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 22.829691][ T94]  ? usb_submit_urb+0x6ed/0x1460
[ 22.834950][ T94]  ? usb_free_urb.part.0+0x52/0x110
[ 22.840383][ T94]  ? usb_free_urb+0x1b/0x30
[ 22.844859][ T94]  ath9k_htc_hw_init+0x31/0x60
[ 22.849613][ T94]  ath9k_hif_usb_firmware_cb+0x274/0x510
[ 22.855233][ T94]  ? ath9k_hif_usb_resume+0x320/0x320
[ 22.860606][ T94]  request_firmware_work_func+0x126/0x242
[ 22.866320][ T94]  ? request_firmware_into_buf+0x90/0x90
[ 22.871942][ T94]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 22.877463][ T94]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 22.882726][ T94]  ? _raw_spin_unlock_irq+0x1f/0x30
[ 22.887916][ T94]  process_one_work+0x965/0x1630
[ 22.892829][ T94]  ? lock_release+0x720/0x720
[ 22.897507][ T94]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 22.902851][ T94]  ? rwlock_bug.part.0+0x90/0x90
[ 22.907773][ T94]  worker_thread+0x96/0xe20
[ 22.912339][ T94]  ? process_one_work+0x1630/0x1630
[ 22.917530][ T94]  kthread+0x326/0x430
[ 22.921574][ T94]  ? kthread_create_on_node+0xf0/0xf0
[ 22.927021][ T94]  ret_from_fork+0x24/0x30
[ 22.932166][ T94] Kernel Offset: disabled
[ 22.936497][ T94] Rebooting in 86400 seconds..
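Reading the report: the "Allocated by task 94" stack shows the skb being created by __alloc_skb inside htc_connect_service on the firmware-load workqueue; the "Freed by task 12" stack shows the same skb released by kfree_skb in ath9k_htc_txcompletion_cb, i.e. the USB transmit-completion callback, running from softirq after the device was unplugged at 21.238; the faulting access is another kfree_skb on that skb from htc_connect_service.cold, the compiler-split unlikely path, right after "Service connection timeout for: 256". The shadow bytes confirm it: fb marks a freed slab object and fc the slab redzone, so the whole 224-byte skbuff_head_cache object is already dead when the second kfree_skb reads 4 bytes at offset 212 (consistent with kfree_skb's initial read of the skb->users refcount, which is my reading of the layout, not something the report states). The ownership rule this violates is the general one for asynchronous submission: once a buffer has been handed to a transport whose completion callback frees it, the submitter no longer owns it, and a timeout on the reply must not free it again. The following userspace C program is an added example written for this page, not ath9k code; it models that rule with stand-in names chosen to mirror the frames in the report (model_connect_service, model_txcompletion_cb, model_kfree_skb) plus a hypothetical model_submit for the submission step, which the report does not name. A second release is recorded in a counter rather than actually freeing twice, so the program runs without undefined behaviour.

```c
/*
 * Userspace model of the ownership bug recorded in the KASAN report above.
 * Added example, not kernel code. Names mirror frames in the report
 * (htc_connect_service, ath9k_htc_txcompletion_cb, kfree_skb); model_submit
 * is a hypothetical stand-in for the submission step the report does not name.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct model_skb {
    int           freed;    /* 0 = live, 1 = released (plays the role of the "fb" shadow) */
    size_t        len;
    unsigned char data[64];
};

struct run_stats {
    int frees;              /* how many times model_kfree_skb ran on the one skb */
    int use_after_free;     /* 1 if model_kfree_skb was handed an already-freed skb */
};

/* Stand-in for kfree_skb. The real one starts by reading skb->users, which is
 * the 4-byte read KASAN flagged; here a release of an already-freed skb is
 * recorded instead of touching freed memory. */
static void model_kfree_skb(struct model_skb *skb, struct run_stats *st)
{
    st->frees++;
    if (skb->freed) {
        st->use_after_free = 1;     /* this is where KASAN reported */
        return;
    }
    skb->freed = 1;
}

/* Stand-in for the USB completion path (hif_usb_regout_cb ->
 * ath9k_htc_txcompletion_cb): the transfer is finished, so the callback
 * releases the skb. In the report this ran in softirq context (task 12)
 * after the device had been disconnected. */
static void model_txcompletion_cb(struct model_skb *skb, struct run_stats *st)
{
    model_kfree_skb(skb, st);
}

/* Hypothetical submission step. On success, ownership of the skb passes to
 * the completion callback, whether or not the firmware ever answers. The
 * completion is modelled as running immediately, which matches the report's
 * order: freed by the callback first, then touched again on timeout. */
static int model_submit(struct model_skb *skb, struct run_stats *st)
{
    model_txcompletion_cb(skb, st);
    return 0;
}

/*
 * Stand-in for htc_connect_service. reply_arrives=0 models the unplugged
 * device: no reply ever comes, so the wait times out ("Service connection
 * timeout for: 256"). fixed=0 reproduces the buggy shape, where the timeout
 * path releases an skb the completion callback already consumed; fixed=1
 * leaves a submitted skb alone and only frees it when submission itself fails.
 */
static struct run_stats model_connect_service(int fixed, int reply_arrives)
{
    struct run_stats st = { 0, 0 };
    struct model_skb *skb = calloc(1, sizeof(*skb));
    if (!skb) {
        st.frees = -1;
        return st;
    }
    skb->len = 8;
    memset(skb->data, 0xAB, skb->len);      /* constructed connect message */

    if (model_submit(skb, &st) != 0) {
        /* Submission failed: the skb was never handed over, so we still own it. */
        model_kfree_skb(skb, &st);
        free(skb);
        return st;
    }

    if (!reply_arrives && !fixed)
        model_kfree_skb(skb, &st);          /* BUG: second release of a consumed skb */

    free(skb);                              /* reclaim the model's own storage only */
    return st;
}

int main(void)
{
    struct run_stats buggy = model_connect_service(0, 0);
    struct run_stats fixed = model_connect_service(1, 0);
    printf("buggy, timeout: frees=%d use_after_free=%d\n", buggy.frees, buggy.use_after_free);
    printf("fixed, timeout: frees=%d use_after_free=%d\n", fixed.frees, fixed.use_after_free);
    return 0;
}
```

With reply_arrives=0 the buggy variant reports two frees and a use-after-free, the fixed variant exactly one free; when a reply does arrive both variants free once, which is why the bug only surfaces under a disconnect or an unresponsive device, the situation syzkaller's dummy_hcd created here. The same rule applies to any submit-with-callback API: decide at the hand-over point who frees, and make the timeout and error paths after that point release nothing.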