Warning: Permanently added '10.128.0.87' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 30.908579][ T95] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 31.428501][ T95] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 31.437647][ T95] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 31.445720][ T95] usb 1-1: Product: syz
[ 31.449961][ T95] usb 1-1: Manufacturer: syz
[ 31.454540][ T95] usb 1-1: SerialNumber: syz
[ 31.499439][ T95] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 32.098192][ T95] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
executing program
[ 32.501037][ T5] usb 1-1: USB disconnect, device number 2
[ 33.377918][ T95] usb 1-1: Service connection timeout for: 256
[ 33.384420][ T95] ==================================================================
[ 33.392684][ T95] BUG: KASAN: use-after-free in kfree_skb+0x32/0x3d0
[ 33.399341][ T95] Read of size 4 at addr ffff8881cd3030d4 by task kworker/1:2/95
[ 33.407055][ T95]
[ 33.409539][ T95] CPU: 1 PID: 95 Comm: kworker/1:2 Not tainted 5.7.0-rc6-syzkaller #0
[ 33.418051][ T95] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.428243][ T95] Workqueue: events request_firmware_work_func
[ 33.434406][ T95] Call Trace:
[ 33.437798][ T95] dump_stack+0xef/0x16e
[ 33.442048][ T95] print_address_description.constprop.0.cold+0xd3/0x415
[ 33.449566][ T95] ? vprintk_func+0x7d/0x113
[ 33.454145][ T95] ? kfree_skb+0x32/0x3d0
[ 33.458489][ T95] __kasan_report.cold+0x37/0x7d
[ 33.463422][ T95] ? kfree_skb+0x32/0x3d0
[ 33.467864][ T95] ? kfree_skb+0x32/0x3d0
[ 33.472196][ T95] kasan_report+0x33/0x50
[ 33.476588][ T95] check_memory_region+0x173/0x1d0
[ 33.481788][ T95] kfree_skb+0x32/0x3d0
[ 33.485995][ T95] htc_connect_service.cold+0xa9/0x109
[ 33.491529][ T95] ath9k_wmi_connect+0xd2/0x1a0
[ 33.496685][ T95] ? ath9k_fatal_work+0x20/0x20
[ 33.501540][ T95] ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 33.507624][ T95] ? ath9k_wmi_event_tasklet+0x440/0x440
[ 33.513635][ T95] ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 33.520042][ T95] ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 33.526776][ T95] ? lockdep_init_map_waits+0x26a/0x7c0
[ 33.532483][ T95] ? __raw_spin_lock_init+0x34/0x100
[ 33.537797][ T95] ? tasklet_init+0x69/0x110
[ 33.542465][ T95] ath9k_htc_probe_device+0x25a/0x1da0
[ 33.548016][ T95] ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 33.554972][ T95] ? usb_submit_urb+0x6ed/0x1460
[ 33.561090][ T95] ? usb_free_urb.part.0+0x52/0x110
[ 33.570475][ T95] ? usb_free_urb+0x1b/0x30
[ 33.574999][ T95] ath9k_htc_hw_init+0x31/0x60
[ 33.581004][ T95] ath9k_hif_usb_firmware_cb+0x274/0x510
[ 33.587388][ T95] ? ath9k_hif_usb_resume+0x320/0x320
[ 33.594376][ T95] request_firmware_work_func+0x126/0x242
[ 33.600422][ T95] ? request_firmware_into_buf+0x90/0x90
[ 33.606928][ T95] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 33.612724][ T95] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 33.619560][ T95] ? _raw_spin_unlock_irq+0x1f/0x30
[ 33.625778][ T95] process_one_work+0x965/0x1630
[ 33.633165][ T95] ? lock_release+0x720/0x720
[ 33.639507][ T95] ? pwq_dec_nr_in_flight+0x310/0x310
[ 33.645396][ T95] ? rwlock_bug.part.0+0x90/0x90
[ 33.650338][ T95] worker_thread+0x96/0xe20
[ 33.655323][ T95] ? process_one_work+0x1630/0x1630
[ 33.660818][ T95] kthread+0x326/0x430
[ 33.664889][ T95] ? kthread_create_on_node+0xf0/0xf0
[ 33.670254][ T95] ret_from_fork+0x24/0x30
[ 33.674651][ T95]
[ 33.676960][ T95] Allocated by task 95:
[ 33.681172][ T95] save_stack+0x1b/0x40
[ 33.685323][ T95] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 33.690943][ T95] kmem_cache_alloc_node+0xdc/0x330
[ 33.696132][ T95] __alloc_skb+0xba/0x5a0
[ 33.700464][ T95] htc_connect_service+0x2cc/0x840
[ 33.705640][ T95] ath9k_wmi_connect+0xd2/0x1a0
[ 33.710469][ T95] ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 33.716883][ T95] ath9k_htc_probe_device+0x25a/0x1da0
[ 33.722330][ T95] ath9k_htc_hw_init+0x31/0x60
[ 33.727075][ T95] ath9k_hif_usb_firmware_cb+0x274/0x510
[ 33.732873][ T95] request_firmware_work_func+0x126/0x242
[ 33.738574][ T95] process_one_work+0x965/0x1630
[ 33.743494][ T95] worker_thread+0x96/0xe20
[ 33.747975][ T95] kthread+0x326/0x430
[ 33.752041][ T95] ret_from_fork+0x24/0x30
[ 33.756455][ T95]
[ 33.758851][ T95] Freed by task 383:
[ 33.762728][ T95] save_stack+0x1b/0x40
[ 33.766874][ T95] __kasan_slab_free+0x117/0x160
[ 33.771791][ T95] kmem_cache_free+0x9b/0x360
[ 33.776468][ T95] kfree_skbmem+0xef/0x1b0
[ 33.780867][ T95] kfree_skb+0x102/0x3d0
[ 33.785107][ T95] ath9k_htc_txcompletion_cb+0x1f8/0x2b0
[ 33.790734][ T95] hif_usb_regout_cb+0x115/0x1c0
[ 33.795649][ T95] __usb_hcd_giveback_urb+0x29a/0x550
[ 33.800997][ T95] usb_hcd_giveback_urb+0x368/0x420
[ 33.806177][ T95] dummy_timer+0x125e/0x32b4
[ 33.810748][ T95] call_timer_fn+0x1ac/0x700
[ 33.815505][ T95] run_timer_softirq+0x5f9/0x1500
[ 33.820515][ T95] __do_softirq+0x21e/0x9aa
[ 33.824991][ T95]
[ 33.827303][ T95] The buggy address belongs to the object at ffff8881cd303000
[ 33.827303][ T95] which belongs to the cache skbuff_head_cache of size 224
[ 33.841984][ T95] The buggy address is located 212 bytes inside of
[ 33.841984][ T95] 224-byte region [ffff8881cd303000, ffff8881cd3030e0)
[ 33.855239][ T95] The buggy address belongs to the page:
[ 33.860921][ T95] page:ffffea000734c0c0 refcount:1 mapcount:0 mapping:00000000d18be20a index:0x0
[ 33.870177][ T95] flags: 0x200000000000200(slab)
[ 33.875111][ T95] raw: 0200000000000200 dead000000000100 dead000000000122 ffff8881da175400
[ 33.883763][ T95] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 33.892332][ T95] page dumped because: kasan: bad access detected
[ 33.898753][ T95]
[ 33.901061][ T95] Memory state around the buggy address:
[ 33.906671][ T95] ffff8881cd302f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.915237][ T95] ffff8881cd303000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 33.923301][ T95] >ffff8881cd303080: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 33.931353][ T95] ^
[ 33.938012][ T95] ffff8881cd303100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 33.946061][ T95] ffff8881cd303180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 33.954359][ T95] ==================================================================
[ 33.962419][ T95] Disabling lock debugging due to kernel taint
[ 33.968644][ T95] Kernel panic - not syncing: panic_on_warn set ...
[ 33.975273][ T95] CPU: 1 PID: 95 Comm: kworker/1:2 Tainted: G B 5.7.0-rc6-syzkaller #0
[ 33.984809][ T95] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.994909][ T95] Workqueue: events request_firmware_work_func
[ 34.001226][ T95] Call Trace:
[ 34.004509][ T95] dump_stack+0xef/0x16e
[ 34.008737][ T95] panic+0x2aa/0x6e1
[ 34.012618][ T95] ? add_taint.cold+0x16/0x16
[ 34.017288][ T95] ? retint_kernel+0x10/0x10
[ 34.021857][ T95] ? kfree_skb+0x32/0x3d0
[ 34.026177][ T95] ? trace_hardirqs_on+0x55/0x200
[ 34.031176][ T95] ? kfree_skb+0x32/0x3d0
[ 34.035499][ T95] end_report+0x4d/0x53
[ 34.039641][ T95] __kasan_report.cold+0x72/0x7d
[ 34.044629][ T95] ? kfree_skb+0x32/0x3d0
[ 34.051293][ T95] ? kfree_skb+0x32/0x3d0
[ 34.055603][ T95] kasan_report+0x33/0x50
[ 34.059942][ T95] check_memory_region+0x173/0x1d0
[ 34.065066][ T95] kfree_skb+0x32/0x3d0
[ 34.069214][ T95] htc_connect_service.cold+0xa9/0x109
[ 34.074726][ T95] ath9k_wmi_connect+0xd2/0x1a0
[ 34.079584][ T95] ? ath9k_fatal_work+0x20/0x20
[ 34.084429][ T95] ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 34.090485][ T95] ? ath9k_wmi_event_tasklet+0x440/0x440
[ 34.096104][ T95] ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 34.102508][ T95] ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 34.107777][ T95] ? lockdep_init_map_waits+0x26a/0x7c0
[ 34.113469][ T95] ? __raw_spin_lock_init+0x34/0x100
[ 34.118741][ T95] ? tasklet_init+0x69/0x110
[ 34.123322][ T95] ath9k_htc_probe_device+0x25a/0x1da0
[ 34.128786][ T95] ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 34.135440][ T95] ? usb_submit_urb+0x6ed/0x1460
[ 34.140371][ T95] ? usb_free_urb.part.0+0x52/0x110
[ 34.145549][ T95] ? usb_free_urb+0x1b/0x30
[ 34.150230][ T95] ath9k_htc_hw_init+0x31/0x60
[ 34.154998][ T95] ath9k_hif_usb_firmware_cb+0x274/0x510
[ 34.160613][ T95] ? ath9k_hif_usb_resume+0x320/0x320
[ 34.166059][ T95] request_firmware_work_func+0x126/0x242
[ 34.171766][ T95] ? request_firmware_into_buf+0x90/0x90
[ 34.178585][ T95] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 34.184136][ T95] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 34.189413][ T95] ? _raw_spin_unlock_irq+0x1f/0x30
[ 34.194590][ T95] process_one_work+0x965/0x1630
[ 34.199507][ T95] ? lock_release+0x720/0x720
[ 34.204158][ T95] ? pwq_dec_nr_in_flight+0x310/0x310
[ 34.209505][ T95] ? rwlock_bug.part.0+0x90/0x90
[ 34.214488][ T95] worker_thread+0x96/0xe20
[ 34.218985][ T95] ? process_one_work+0x1630/0x1630
[ 34.224173][ T95] kthread+0x326/0x430
[ 34.228233][ T95] ? kthread_create_on_node+0xf0/0xf0
[ 34.233662][ T95] ret_from_fork+0x24/0x30
[ 34.238775][ T95] Kernel Offset: disabled
[ 34.243305][ T95] Rebooting in 86400 seconds..