Warning: Permanently added '10.128.0.4' (ECDSA) to the list of known hosts. executing program [ 21.359508][ T83] usb 1-1: new high-speed USB device number 2 using dummy_hcd [ 21.879118][ T83] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08 [ 21.888244][ T83] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 21.896323][ T83] usb 1-1: Product: syz [ 21.900597][ T83] usb 1-1: Manufacturer: syz [ 21.905184][ T83] usb 1-1: SerialNumber: syz [ 21.949890][ T83] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested [ 22.588547][ T83] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008 [ 22.808345][ C1] ================================================================== [ 22.816622][ C1] BUG: KASAN: slab-out-of-bounds in ath9k_htc_rx_msg+0xa25/0xaf0 [ 22.824329][ C1] Write of size 2 at addr ffff8881cc84cbf0 by task swapper/1/0 [ 22.831844][ C1] [ 22.834157][ C1] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.7.0-rc6-syzkaller #0 [ 22.842024][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 22.852250][ C1] Call Trace: [ 22.855531][ C1] <IRQ> [ 22.858390][ C1] dump_stack+0xef/0x16e [ 22.862631][ C1] print_address_description.constprop.0.cold+0xd3/0x415 [ 22.869654][ C1] ? vprintk_func+0x7d/0x113 [ 22.874231][ C1] ? ath9k_htc_rx_msg+0xa25/0xaf0 [ 22.879298][ C1] __kasan_report.cold+0x37/0x7d [ 22.884233][ C1] ? ath9k_htc_rx_msg+0xa25/0xaf0 [ 22.889259][ C1] ? ath9k_htc_rx_msg+0xa25/0xaf0 [ 22.894297][ C1] kasan_report+0x33/0x50 [ 22.898614][ C1] ath9k_htc_rx_msg+0xa25/0xaf0 [ 22.903445][ C1] ath9k_hif_usb_reg_in_cb+0x1c0/0x630 [ 22.908908][ C1] ? _raw_read_unlock+0x1a/0x30 [ 22.913757][ C1] ? led_trigger_blink_oneshot+0xb4/0xe0 [ 22.919379][ C1] __usb_hcd_giveback_urb+0x1f2/0x470 [ 22.924729][ C1] usb_hcd_giveback_urb+0x368/0x420 [ 22.929916][ C1] dummy_timer+0x125e/0x32b4 [ 22.934485][ C1] ? dummy_udc_probe+0x980/0x980 [ 22.939402][ C1] ? rcu_read_lock_sched_held+0x9c/0xd0 [ 22.944924][ C1] ? rcu_read_lock_bh_held+0xb0/0xb0 [ 22.950186][ C1] call_timer_fn+0x1ac/0x700 [ 22.954754][ C1] ? dummy_udc_probe+0x980/0x980 [ 22.959681][ C1] ? timer_fixup_init+0x60/0x60 [ 22.964509][ C1] ? lock_downgrade+0x720/0x720 [ 22.969352][ C1] ? rcu_read_lock_sched_held+0x9c/0xd0 [ 22.974877][ C1] ? rcu_read_lock_bh_held+0xb0/0xb0 [ 22.980166][ C1] ? _raw_spin_unlock_irq+0x1f/0x30 [ 22.985355][ C1] ? dummy_udc_probe+0x980/0x980 [ 22.990282][ C1] run_timer_softirq+0x5f9/0x1500 [ 22.995328][ C1] ? add_timer+0x7a0/0x7a0 [ 22.999773][ C1] ? rcu_read_lock_sched_held+0x9c/0xd0 [ 23.005319][ C1] ? rcu_read_lock_bh_held+0xb0/0xb0 [ 23.010589][ C1] __do_softirq+0x21e/0x9aa [ 23.015092][ C1] irq_exit+0x178/0x1a0 [ 23.019247][ C1] smp_apic_timer_interrupt+0x141/0x540 [ 23.024778][ C1] apic_timer_interrupt+0xf/0x20 [ 23.029718][ C1] </IRQ> [ 23.032685][ C1] RIP: 0010:default_idle+0x28/0x300 [ 23.037878][ C1] Code: cc cc 41 56 41 55 65 44 8b 2d 94 3f 6b 7a 41 54 55 53 0f 1f 44 00 00 e8 06 27 af fb e9 07 00 00 00 0f 00 2d 7a e1 4b 00 fb f4 <65> 44 8b 2d 70 3f 6b 7a 0f 1f 44 00 00 5b 5d 41 5c 41 5d 41 5e c3 [ 23.057861][ C1] RSP: 0018:ffff8881da227da8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13 [ 23.066273][ C1] RAX: 0000000000000007 RBX: ffff8881da20b180 RCX: 0000000000000000 [ 23.074269][ C1] RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffff8881da20b9fc [ 23.082273][ C1] RBP: ffffed103b441630 R08: ffff8881da20b180 R09: 0000000000000000 [ 23.090236][ C1] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001 [ 23.098193][ C1] R13: 0000000000000001 R14: ffffffff87e88e00 R15: 0000000000000000 [ 23.106168][ C1] ? default_idle+0x1a/0x300 [ 23.110746][ C1] do_idle+0x3e0/0x500 [ 23.114951][ C1] ? arch_cpu_idle_exit+0x40/0x40 [ 23.119962][ C1] cpu_startup_entry+0x14/0x20 [ 23.124713][ C1] start_secondary+0x2ae/0x390 [ 23.129464][ C1] ? set_cpu_sibling_map+0x1e90/0x1e90 [ 23.134912][ C1] secondary_startup_64+0xb6/0xc0 [ 23.139951][ C1] [ 23.142282][ C1] Allocated by task 83: [ 23.146424][ C1] save_stack+0x1b/0x40 [ 23.150572][ C1] __kasan_kmalloc.constprop.0+0xbf/0xd0 [ 23.156195][ C1] ath9k_htc_hw_alloc+0x49/0x2e0 [ 23.161168][ C1] ath9k_hif_usb_firmware_cb+0x62/0x510 [ 23.166721][ C1] request_firmware_work_func+0x126/0x242 [ 23.172470][ C1] process_one_work+0x965/0x1630 [ 23.177394][ C1] worker_thread+0x96/0xe20 [ 23.181907][ C1] kthread+0x326/0x430 [ 23.185966][ C1] ret_from_fork+0x24/0x30 [ 23.190364][ C1] [ 23.192687][ C1] Freed by task 0: [ 23.196386][ C1] (stack is not available) [ 23.201333][ C1] [ 23.203644][ C1] The buggy address belongs to the object at ffff8881cc84c000 [ 23.203644][ C1] which belongs to the cache kmalloc-2k of size 2048 [ 23.217682][ C1] The buggy address is located 1008 bytes to the right of [ 23.217682][ C1] 2048-byte region [ffff8881cc84c000, ffff8881cc84c800) [ 23.231670][ C1] The buggy address belongs to the page: [ 23.237293][ C1] page:ffffea0007321200 refcount:1 mapcount:0 mapping:00000000df08c687 index:0x0 head:ffffea0007321200 order:3 compound_mapcount:0 compound_pincount:0 [ 23.252916][ C1] flags: 0x200000000010200(slab|head) [ 23.258287][ C1] raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da00c000 [ 23.267721][ C1] raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000 [ 23.276286][ C1] page dumped because: kasan: bad access detected [ 23.282719][ C1] [ 23.285027][ C1] Memory state around the buggy address: [ 23.290640][ C1] ffff8881cc84ca80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 23.298699][ C1] ffff8881cc84cb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 23.306741][ C1] >ffff8881cc84cb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 23.314820][ C1] ^ [ 23.322574][ C1] ffff8881cc84cc00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 23.330676][ C1] ffff8881cc84cc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 23.338723][ C1] ================================================================== [ 23.347140][ C1] Disabling lock debugging due to kernel taint [ 23.353271][ C1] Kernel panic - not syncing: panic_on_warn set ... [ 23.359840][ C1] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G B 5.7.0-rc6-syzkaller #0 [ 23.369094][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 23.379161][ C1] Call Trace: [ 23.382449][ C1] <IRQ> [ 23.385287][ C1] dump_stack+0xef/0x16e [ 23.389537][ C1] panic+0x2aa/0x6e1 [ 23.393408][ C1] ? add_taint.cold+0x16/0x16 [ 23.398062][ C1] ? trace_hardirqs_off+0x50/0x200 [ 23.403151][ C1] ? ath9k_htc_rx_msg+0xa25/0xaf0 [ 23.408152][ C1] end_report+0x4d/0x53 [ 23.412284][ C1] __kasan_report.cold+0x72/0x7d [ 23.417198][ C1] ? ath9k_htc_rx_msg+0xa25/0xaf0 [ 23.422208][ C1] ? ath9k_htc_rx_msg+0xa25/0xaf0 [ 23.427209][ C1] kasan_report+0x33/0x50 [ 23.431519][ C1] ath9k_htc_rx_msg+0xa25/0xaf0 [ 23.436347][ C1] ath9k_hif_usb_reg_in_cb+0x1c0/0x630 [ 23.441796][ C1] ? _raw_read_unlock+0x1a/0x30 [ 23.446665][ C1] ? led_trigger_blink_oneshot+0xb4/0xe0 [ 23.452276][ C1] __usb_hcd_giveback_urb+0x1f2/0x470 [ 23.457665][ C1] usb_hcd_giveback_urb+0x368/0x420 [ 23.462850][ C1] dummy_timer+0x125e/0x32b4 [ 23.467416][ C1] ? dummy_udc_probe+0x980/0x980 [ 23.472330][ C1] ? rcu_read_lock_sched_held+0x9c/0xd0 [ 23.477851][ C1] ? rcu_read_lock_bh_held+0xb0/0xb0 [ 23.483118][ C1] call_timer_fn+0x1ac/0x700 [ 23.487691][ C1] ? dummy_udc_probe+0x980/0x980 [ 23.492616][ C1] ? timer_fixup_init+0x60/0x60 [ 23.497489][ C1] ? lock_downgrade+0x720/0x720 [ 23.502493][ C1] ? rcu_read_lock_sched_held+0x9c/0xd0 [ 23.508016][ C1] ? rcu_read_lock_bh_held+0xb0/0xb0 [ 23.513279][ C1] ? _raw_spin_unlock_irq+0x1f/0x30 [ 23.518463][ C1] ? dummy_udc_probe+0x980/0x980 [ 23.523377][ C1] run_timer_softirq+0x5f9/0x1500 [ 23.528382][ C1] ? add_timer+0x7a0/0x7a0 [ 23.532799][ C1] ? rcu_read_lock_sched_held+0x9c/0xd0 [ 23.538319][ C1] ? rcu_read_lock_bh_held+0xb0/0xb0 [ 23.543669][ C1] __do_softirq+0x21e/0x9aa [ 23.548169][ C1] irq_exit+0x178/0x1a0 [ 23.552304][ C1] smp_apic_timer_interrupt+0x141/0x540 [ 23.558889][ C1] apic_timer_interrupt+0xf/0x20 [ 23.563811][ C1] </IRQ> [ 23.566730][ C1] RIP: 0010:default_idle+0x28/0x300 [ 23.571930][ C1] Code: cc cc 41 56 41 55 65 44 8b 2d 94 3f 6b 7a 41 54 55 53 0f 1f 44 00 00 e8 06 27 af fb e9 07 00 00 00 0f 00 2d 7a e1 4b 00 fb f4 <65> 44 8b 2d 70 3f 6b 7a 0f 1f 44 00 00 5b 5d 41 5c 41 5d 41 5e c3 [ 23.591541][ C1] RSP: 0018:ffff8881da227da8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13 [ 23.599939][ C1] RAX: 0000000000000007 RBX: ffff8881da20b180 RCX: 0000000000000000 [ 23.607896][ C1] RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffff8881da20b9fc [ 23.615890][ C1] RBP: ffffed103b441630 R08: ffff8881da20b180 R09: 0000000000000000 [ 23.623843][ C1] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001 [ 23.631794][ C1] R13: 0000000000000001 R14: ffffffff87e88e00 R15: 0000000000000000 [ 23.639772][ C1] ? default_idle+0x1a/0x300 [ 23.644341][ C1] do_idle+0x3e0/0x500 [ 23.648389][ C1] ? arch_cpu_idle_exit+0x40/0x40 [ 23.653392][ C1] cpu_startup_entry+0x14/0x20 [ 23.658136][ C1] start_secondary+0x2ae/0x390 [ 23.662892][ C1] ? set_cpu_sibling_map+0x1e90/0x1e90 [ 23.668331][ C1] secondary_startup_64+0xb6/0xc0 [ 23.673822][ C1] Kernel Offset: disabled [ 23.678155][ C1] Rebooting in 86400 seconds..