Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
[ OK ] Started Update UTMP about System Runlevel Changes.
Debian GNU/Linux 9 syzkaller ttyS0
syzkaller login: [ 17.807722][ C0] random: crng init done
[ 17.812003][ C0] random: 7 urandom warning(s) missed due to ratelimiting
Warning: Permanently added '10.128.0.18' (ECDSA) to the list of known hosts.
executing program
[ 49.484932][ T67] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 49.775034][ T67] usb 1-1: too many configurations: 160, using maximum allowed: 8
[ 49.854938][ T67] usb 1-1: config index 0 descriptor too short (expected 65204, got 72)
[ 49.934877][ T67] usb 1-1: config index 1 descriptor too short (expected 65204, got 72)
[ 50.014844][ T67] usb 1-1: config index 2 descriptor too short (expected 65204, got 72)
[ 50.094813][ T67] usb 1-1: config index 3 descriptor too short (expected 65204, got 72)
[ 50.174805][ T67] usb 1-1: config index 4 descriptor too short (expected 65204, got 72)
[ 50.254784][ T67] usb 1-1: config index 5 descriptor too short (expected 65204, got 72)
[ 50.334781][ T67] usb 1-1: config index 6 descriptor too short (expected 65204, got 72)
[ 50.424721][ T67] usb 1-1: config index 7 descriptor too short (expected 65204, got 72)
[ 50.584729][ T67] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 50.593841][ T67] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 50.601920][ T67] usb 1-1: Product: syz
[ 50.606145][ T67] usb 1-1: Manufacturer: syz
[ 50.610730][ T67] usb 1-1: SerialNumber: syz
[ 50.655731][ T67] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 51.304548][ T67] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[ 52.105007][ T336] udc-core: couldn't find an available UDC or it's busy
[ 52.112080][ T336] misc raw-gadget: fail, usb_gadget_probe_driver returned -16
[ 52.324315][ T67] ath9k_htc 1-1:1.0: ath9k_htc: Target is unresponsive
[ 52.331385][ T67] ath9k_htc: Failed to initialize the device
[ 52.337608][ C0] ==================================================================
[ 52.337682][ C0] BUG: KASAN: use-after-free in ath9k_hif_usb_rx_cb+0xe82/0xf80
[ 52.337693][ C0] Read of size 4 at addr ffff8881cc894098 by task kworker/0:2/67
[ 52.337696][ C0]
[ 52.337710][ C0] CPU: 0 PID: 67 Comm: kworker/0:2 Not tainted 5.8.0-rc7-syzkaller #0
[ 52.337716][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 52.337732][ C0] Workqueue: events request_firmware_work_func
[ 52.337739][ C0] Call Trace:
[ 52.337744][ C0]
[ 52.337759][ C0] dump_stack+0xf6/0x16e
[ 52.337773][ C0] ? ath9k_hif_usb_rx_cb+0xe82/0xf80
[ 52.337785][ C0] ? ath9k_hif_usb_rx_cb+0xe82/0xf80
[ 52.337800][ C0] print_address_description.constprop.0+0x1a/0x210
[ 52.337813][ C0] ? vprintk_func+0x93/0x133
[ 52.337831][ C0] ? ath9k_hif_usb_rx_cb+0xe82/0xf80
[ 52.337843][ C0] kasan_report.cold+0x37/0x7c
[ 52.337858][ C0] ? ath9k_hif_usb_rx_cb+0xe82/0xf80
[ 52.337872][ C0] ath9k_hif_usb_rx_cb+0xe82/0xf80
[ 52.337887][ C0] ? __usb_hcd_giveback_urb+0x302/0x560
[ 52.337899][ C0] ? hif_usb_start+0xa0/0xa0
[ 52.337912][ C0] ? lock_downgrade+0x730/0x730
[ 52.337925][ C0] ? trace_hardirqs_off+0x27/0x1f0
[ 52.337943][ C0] __usb_hcd_giveback_urb+0x32d/0x560
[ 52.337956][ C0] usb_hcd_giveback_urb+0x367/0x410
[ 52.337970][ C0] dummy_timer+0x11f2/0x3240
[ 52.337993][ C0] ? lock_downgrade+0x730/0x730
[ 52.338003][ C0] ? dummy_dequeue+0x490/0x490
[ 52.338016][ C0] call_timer_fn+0x1ac/0x6e0
[ 52.338027][ C0] ? dummy_dequeue+0x490/0x490
[ 52.338037][ C0] ? msleep_interruptible+0x130/0x130
[ 52.338050][ C0] ? _raw_spin_unlock_irq+0x1f/0x30
[ 52.338062][ C0] ? lockdep_hardirqs_on_prepare+0x1bc/0x550
[ 52.338075][ C0] ? trace_hardirqs_on+0x5f/0x200
[ 52.338086][ C0] ? dummy_dequeue+0x490/0x490
[ 52.338097][ C0] __run_timers.part.0+0x54c/0x9e0
[ 52.338109][ C0] ? call_timer_fn+0x6e0/0x6e0
[ 52.338121][ C0] ? mark_lock+0xbc/0x1590
[ 52.338136][ C0] ? clockevents_program_event+0x12b/0x350
[ 52.338149][ C0] ? mark_held_locks+0x9f/0xe0
[ 52.338160][ C0] run_timer_softirq+0x80/0x120
[ 52.338182][ C0] __do_softirq+0x222/0x95b
[ 52.338194][ C0] asm_call_on_stack+0xf/0x20
[ 52.338199][ C0]
[ 52.338215][ C0] do_softirq_own_stack+0xed/0x140
[ 52.338230][ C0] irq_exit_rcu+0x150/0x1f0
[ 52.338244][ C0] sysvec_apic_timer_interrupt+0x49/0xc0
[ 52.338258][ C0] asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 52.338274][ C0] RIP: 0010:console_unlock+0xa99/0xcd0
[ 52.338307][ C0] Code: 00 89 ee 48 c7 c7 20 ec 34 87 e8 c2 b8 03 00 65 ff 0d 4b 77 d8 7e e9 87 f9 ff ff e8 41 32 16 00 e8 8c bd 1b 00 ff 74 24 30 9d 20 fe ff ff e8 2d 32 16 00 48 8d 7d 08 48 89 f8 48 c1 e8 03 42
[ 52.338315][ C0] RSP: 0018:ffff8881d5837a18 EFLAGS: 00000293
[ 52.338326][ C0] RAX: 000000000000d387 RBX: 0000000000000200 RCX: 0000000000000006
[ 52.338335][ C0] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff812977c4
[ 52.338343][ C0] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 52.338352][ C0] R10: 0000000000000001 R11: 0000000000000000 R12: ffffffff82b05a80
[ 52.338360][ C0] R13: ffffffff876f53b0 R14: 0000000000000042 R15: dffffc0000000000
[ 52.338375][ C0] ? netconsole_netdev_event+0x2b0/0x2b0
[ 52.338388][ C0] ? console_unlock+0xa94/0xcd0
[ 52.338400][ C0] vprintk_emit+0x1b2/0x460
[ 52.338411][ C0] vprintk_func+0x8b/0x133
[ 52.338422][ C0] printk+0xba/0xed
[ 52.338434][ C0] ? log_store.cold+0x16/0x16
[ 52.338446][ C0] ? usb_submit_urb+0xb56/0x13e0
[ 52.338458][ C0] ? usb_free_urb+0x5c/0x110
[ 52.338472][ C0] ? ath9k_htc_hw_init.cold+0x5/0x2a
[ 52.338486][ C0] ? ath9k_htc_hw_init+0x3d/0x60
[ 52.338500][ C0] ath9k_htc_hw_init.cold+0x17/0x2a
[ 52.338516][ C0] ath9k_hif_usb_firmware_cb+0x274/0x530
[ 52.338532][ C0] ? ath9k_hif_usb_alloc_urbs+0x1010/0x1010
[ 52.338546][ C0] request_firmware_work_func+0x126/0x250
[ 52.338558][ C0] ? do_raw_spin_lock+0x120/0x260
[ 52.338573][ C0] ? request_firmware_into_buf+0x90/0x90
[ 52.338587][ C0] ? lockdep_hardirqs_on_prepare+0x370/0x550
[ 52.338601][ C0] process_one_work+0x94c/0x15f0
[ 52.338614][ C0] ? lock_release+0x7e0/0x7e0
[ 52.338626][ C0] ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 52.338642][ C0] ? rwlock_bug.part.0+0x90/0x90
[ 52.338653][ C0] worker_thread+0x64c/0x1120
[ 52.338668][ C0] ? __kthread_parkme+0x118/0x1d0
[ 52.338681][ C0] ? process_one_work+0x15f0/0x15f0
[ 52.338694][ C0] kthread+0x392/0x470
[ 52.338709][ C0] ? kthread_create_worker_on_cpu+0xf0/0xf0
[ 52.338723][ C0] ? kthread_create_worker_on_cpu+0xf0/0xf0
[ 52.338736][ C0] ret_from_fork+0x1f/0x30
[ 52.338742][ C0]
[ 52.338747][ C0] The buggy address belongs to the page:
[ 52.338761][ C0] page:ffffea0007322500 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
[ 52.338771][ C0] flags: 0x200000000000000()
[ 52.338788][ C0] raw: 0200000000000000 0000000000000000 ffffea0007322508 0000000000000000
[ 52.338803][ C0] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 52.338809][ C0] page dumped because: kasan: bad access detected
[ 52.338813][ C0]
[ 52.338818][ C0] Memory state around the buggy address:
[ 52.338829][ C0] ffff8881cc893f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 52.338847][ C0] ffff8881cc894000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 52.338857][ C0] >ffff8881cc894080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 52.338863][ C0] ^
[ 52.338874][ C0] ffff8881cc894100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 52.338884][ C0] ffff8881cc894180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 52.338890][ C0] ==================================================================
[ 52.338894][ C0] Disabling lock debugging due to kernel taint
[ 52.338901][ C0] Kernel panic - not syncing: panic_on_warn set ...
[ 52.338915][ C0] CPU: 0 PID: 67 Comm: kworker/0:2 Tainted: G B 5.8.0-rc7-syzkaller #0
[ 52.338920][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 52.338933][ C0] Workqueue: events request_firmware_work_func
[ 52.338938][ C0] Call Trace:
[ 52.338941][ C0]
[ 52.338952][ C0] dump_stack+0xf6/0x16e
[ 52.338964][ C0] ? ath9k_hif_usb_rx_cb+0xd90/0xf80
[ 52.338974][ C0] panic+0x2aa/0x6e1
[ 52.338984][ C0] ? __warn_printk+0xf3/0xf3
[ 52.338997][ C0] ? _raw_spin_unlock_irqrestore+0x2a/0x40
[ 52.339009][ C0] ? trace_hardirqs_off+0x27/0x1f0
[ 52.339021][ C0] ? ath9k_hif_usb_rx_cb+0xe82/0xf80
[ 52.339032][ C0] ? ath9k_hif_usb_rx_cb+0xe82/0xf80
[ 52.339043][ C0] end_report+0x4d/0x53
[ 52.339055][ C0] kasan_report.cold+0x72/0x7c
[ 52.339068][ C0] ? ath9k_hif_usb_rx_cb+0xe82/0xf80
[ 52.339080][ C0] ath9k_hif_usb_rx_cb+0xe82/0xf80
[ 52.339092][ C0] ? __usb_hcd_giveback_urb+0x302/0x560
[ 52.339104][ C0] ? hif_usb_start+0xa0/0xa0
[ 52.339115][ C0] ? lock_downgrade+0x730/0x730
[ 52.339128][ C0] ? trace_hardirqs_off+0x27/0x1f0
[ 52.339142][ C0] __usb_hcd_giveback_urb+0x32d/0x560
[ 52.339155][ C0] usb_hcd_giveback_urb+0x367/0x410
[ 52.339166][ C0] dummy_timer+0x11f2/0x3240
[ 52.339178][ C0] ? lock_downgrade+0x730/0x730
[ 52.339189][ C0] ? dummy_dequeue+0x490/0x490
[ 52.339200][ C0] call_timer_fn+0x1ac/0x6e0
[ 52.339210][ C0] ? dummy_dequeue+0x490/0x490
[ 52.339221][ C0] ? msleep_interruptible+0x130/0x130
[ 52.339231][ C0] ? _raw_spin_unlock_irq+0x1f/0x30
[ 52.339243][ C0] ? lockdep_hardirqs_on_prepare+0x1bc/0x550
[ 52.339256][ C0] ? trace_hardirqs_on+0x5f/0x200
[ 52.339267][ C0] ? dummy_dequeue+0x490/0x490
[ 52.339278][ C0] __run_timers.part.0+0x54c/0x9e0
[ 52.339299][ C0] ? call_timer_fn+0x6e0/0x6e0
[ 52.339311][ C0] ? mark_lock+0xbc/0x1590
[ 52.339322][ C0] ? clockevents_program_event+0x12b/0x350
[ 52.339333][ C0] ? mark_held_locks+0x9f/0xe0
[ 52.339344][ C0] run_timer_softirq+0x80/0x120
[ 52.339355][ C0] __do_softirq+0x222/0x95b
[ 52.339368][ C0] asm_call_on_stack+0xf/0x20
[ 52.339373][ C0]
[ 52.339385][ C0] do_softirq_own_stack+0xed/0x140
[ 52.339397][ C0] irq_exit_rcu+0x150/0x1f0
[ 52.339410][ C0] sysvec_apic_timer_interrupt+0x49/0xc0
[ 52.339423][ C0] asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 52.339437][ C0] RIP: 0010:console_unlock+0xa99/0xcd0
[ 52.339447][ C0] Code: 00 89 ee 48 c7 c7 20 ec 34 87 e8 c2 b8 03 00 65 ff 0d 4b 77 d8 7e e9 87 f9 ff ff e8 41 32 16 00 e8 8c bd 1b 00 ff 74 24 30 9d 20 fe ff ff e8 2d 32 16 00 48 8d 7d 08 48 89 f8 48 c1 e8 03 42
[ 52.339453][ C0] RSP: 0018:ffff8881d5837a18 EFLAGS: 00000293
[ 52.339463][ C0] RAX: 000000000000d387 RBX: 0000000000000200 RCX: 0000000000000006
[ 52.339470][ C0] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff812977c4
[ 52.339477][ C0] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 52.339484][ C0] R10: 0000000000000001 R11: 0000000000000000 R12: ffffffff82b05a80
[ 52.339491][ C0] R13: ffffffff876f53b0 R14: 0000000000000042 R15: dffffc0000000000
[ 52.339504][ C0] ? netconsole_netdev_event+0x2b0/0x2b0
[ 52.339516][ C0] ? console_unlock+0xa94/0xcd0
[ 52.339526][ C0] vprintk_emit+0x1b2/0x460
[ 52.339536][ C0] vprintk_func+0x8b/0x133
[ 52.339546][ C0] printk+0xba/0xed
[ 52.339556][ C0] ? log_store.cold+0x16/0x16
[ 52.339566][ C0] ? usb_submit_urb+0xb56/0x13e0
[ 52.339576][ C0] ? usb_free_urb+0x5c/0x110
[ 52.339590][ C0] ? ath9k_htc_hw_init.cold+0x5/0x2a
[ 52.339602][ C0] ? ath9k_htc_hw_init+0x3d/0x60
[ 52.339615][ C0] ath9k_htc_hw_init.cold+0x17/0x2a
[ 52.339630][ C0] ath9k_hif_usb_firmware_cb+0x274/0x530
[ 52.339643][ C0] ? ath9k_hif_usb_alloc_urbs+0x1010/0x1010
[ 52.339654][ C0] request_firmware_work_func+0x126/0x250
[ 52.339662][ C0] ? do_raw_spin_lock+0x120/0x260
[ 52.339673][ C0] ? request_firmware_into_buf+0x90/0x90
[ 52.339685][ C0] ? lockdep_hardirqs_on_prepare+0x370/0x550
[ 52.339695][ C0] process_one_work+0x94c/0x15f0
[ 52.339708][ C0] ? lock_release+0x7e0/0x7e0
[ 52.339718][ C0] ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 52.339732][ C0] ? rwlock_bug.part.0+0x90/0x90
[ 52.339742][ C0] worker_thread+0x64c/0x1120
[ 52.339764][ C0] ? __kthread_parkme+0x118/0x1d0
[ 52.339775][ C0] ? process_one_work+0x15f0/0x15f0
[ 52.339785][ C0] kthread+0x392/0x470
[ 52.339797][ C0] ? kthread_create_worker_on_cpu+0xf0/0xf0
[ 52.339810][ C0] ? kthread_create_worker_on_cpu+0xf0/0xf0
[ 52.339821][ C0] ret_from_fork+0x1f/0x30
[ 52.340204][ C0] Kernel Offset: disabled
[ 53.386579][ C0] Rebooting in 86400 seconds..