Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.88' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 20.791997][ T21] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 21.161504][ T21] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 21.171386][ T21] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 21.179512][ T21] usb 1-1: Product: syz
[ 21.183739][ T21] usb 1-1: Manufacturer: syz
[ 21.188520][ T21] usb 1-1: SerialNumber: syz
[ 21.232264][ T21] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 21.841152][ T21] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[ 22.061070][ C1] ==================================================================
[ 22.069959][ C1] BUG: KASAN: use-after-free in ath9k_htc_rx_msg+0xa25/0xaf0
[ 22.078063][ C1] Write of size 2 at addr ffff8881cec481b0 by task swapper/1/0
[ 22.085875][ C1]
[ 22.088331][ C1] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.6.0-rc7-syzkaller #0
[ 22.096797][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 22.107099][ C1] Call Trace:
[ 22.110729][ C1]
[ 22.113917][ C1] dump_stack+0xef/0x16e
[ 22.118159][ C1] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 22.124012][ C1] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 22.129034][ C1] print_address_description.constprop.0.cold+0xd3/0x314
[ 22.136251][ C1] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 22.141767][ C1] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 22.146888][ C1] __kasan_report.cold+0x37/0x77
[ 22.151861][ C1] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 22.157001][ C1] kasan_report+0xe/0x20
[ 22.161261][ C1] ath9k_htc_rx_msg+0xa25/0xaf0
[ 22.166412][ C1] ath9k_hif_usb_reg_in_cb+0x1ba/0x630
[ 22.172620][ C1] ? _raw_read_unlock+0x1a/0x30
[ 22.179147][ C1] ? led_trigger_blink_oneshot+0xb4/0xe0
[ 22.185893][ C1] __usb_hcd_giveback_urb+0x1f2/0x470
[ 22.191253][ C1] usb_hcd_giveback_urb+0x368/0x420
[ 22.197167][ C1] dummy_timer+0x1258/0x32ae
[ 22.202026][ C1] ? dummy_udc_probe+0x930/0x930
[ 22.207367][ C1] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 22.213529][ C1] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 22.218932][ C1] call_timer_fn+0x195/0x6f0
[ 22.223732][ C1] ? dummy_udc_probe+0x930/0x930
[ 22.228791][ C1] ? msleep_interruptible+0x130/0x130
[ 22.234512][ C1] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 22.240637][ C1] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 22.246053][ C1] ? _raw_spin_unlock_irq+0x1f/0x30
[ 22.251391][ C1] ? dummy_udc_probe+0x930/0x930
[ 22.256410][ C1] run_timer_softirq+0x5f9/0x1500
[ 22.261516][ C1] ? add_timer+0x7a0/0x7a0
[ 22.266058][ C1] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 22.271596][ C1] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 22.277223][ C1] __do_softirq+0x21e/0x950
[ 22.282321][ C1] irq_exit+0x178/0x1a0
[ 22.286559][ C1] smp_apic_timer_interrupt+0x141/0x540
[ 22.292299][ C1] apic_timer_interrupt+0xf/0x20
[ 22.297322][ C1]
[ 22.300625][ C1] RIP: 0010:default_idle+0x28/0x300
[ 22.305814][ C1] Code: cc cc 41 56 41 55 65 44 8b 2d 04 3b 72 7a 41 54 55 53 0f 1f 44 00 00 e8 b6 27 b5 fb e9 07 00 00 00 0f 00 2d aa d0 52 00 fb f4 <65> 44 8b 2d e0 3a 72 7a 0f 1f 44 00 00 5b 5d 41 5c 41 5d 41 5e c3
[ 22.326126][ C1] RSP: 0018:ffff8881da22fda8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
[ 22.335077][ C1] RAX: 0000000000000007 RBX: ffff8881da213100 RCX: 0000000000000000
[ 22.343612][ C1] RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffff8881da21394c
[ 22.352016][ C1] RBP: ffffed103b442620 R08: ffff8881da213100 R09: 0000000000000000
[ 22.360255][ C1] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
[ 22.368283][ C1] R13: 0000000000000001 R14: ffffffff87e612c0 R15: 0000000000000000
[ 22.376956][ C1] ? default_idle+0x1a/0x300
[ 22.381545][ C1] do_idle+0x3e0/0x500
[ 22.385687][ C1] ? __wake_up_common+0x147/0x650
[ 22.391285][ C1] ? arch_cpu_idle_exit+0x40/0x40
[ 22.396913][ C1] ? _raw_spin_unlock_irqrestore+0x39/0x40
[ 22.403164][ C1] ? lockdep_hardirqs_on+0x382/0x580
[ 22.409381][ C1] cpu_startup_entry+0x14/0x20
[ 22.414486][ C1] start_secondary+0x2a4/0x390
[ 22.419948][ C1] ? set_cpu_sibling_map+0x1e90/0x1e90
[ 22.425573][ C1] secondary_startup_64+0xb6/0xc0
[ 22.430641][ C1]
[ 22.433063][ C1] Allocated by task 373:
[ 22.437574][ C1] save_stack+0x1b/0x80
[ 22.441892][ C1] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 22.447655][ C1] kvmalloc_node+0x61/0xf0
[ 22.452064][ C1] seq_read+0x82e/0x1160
[ 22.456503][ C1] proc_reg_read+0x1c1/0x280
[ 22.461498][ C1] __vfs_read+0x76/0x100
[ 22.465983][ C1] vfs_read+0x1ea/0x430
[ 22.470982][ C1] ksys_read+0x127/0x250
[ 22.475357][ C1] do_syscall_64+0xb6/0x5a0
[ 22.480276][ C1] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 22.486627][ C1]
[ 22.488949][ C1] Freed by task 373:
[ 22.492936][ C1] save_stack+0x1b/0x80
[ 22.497080][ C1] __kasan_slab_free+0x117/0x160
[ 22.502003][ C1] kfree+0xd5/0x300
[ 22.505837][ C1] kvfree+0x42/0x50
[ 22.509644][ C1] single_release+0x75/0xb0
[ 22.514307][ C1] close_pdeo.part.0+0xdc/0x2e0
[ 22.519418][ C1] close_pdeo+0x14c/0x170
[ 22.523752][ C1] proc_reg_release+0xbf/0x110
[ 22.528834][ C1] __fput+0x2d7/0x840
[ 22.532838][ C1] task_work_run+0x13f/0x1c0
[ 22.537600][ C1] exit_to_usermode_loop+0x1d2/0x200
[ 22.543057][ C1] do_syscall_64+0x4e0/0x5a0
[ 22.547942][ C1] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 22.554215][ C1]
[ 22.556551][ C1] The buggy address belongs to the object at ffff8881cec48000
[ 22.556551][ C1]  which belongs to the cache kmalloc-4k of size 4096
[ 22.571577][ C1] The buggy address is located 432 bytes inside of
[ 22.571577][ C1]  4096-byte region [ffff8881cec48000, ffff8881cec49000)
[ 22.585070][ C1] The buggy address belongs to the page:
[ 22.590698][ C1] page:ffffea00073b1200 refcount:1 mapcount:0 mapping:ffff8881da00c280 index:0x0 compound_mapcount: 0
[ 22.601887][ C1] flags: 0x200000000010200(slab|head)
[ 22.607252][ C1] raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da00c280
[ 22.615824][ C1] raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
[ 22.624558][ C1] page dumped because: kasan: bad access detected
[ 22.631041][ C1]
[ 22.633365][ C1] Memory state around the buggy address:
[ 22.639027][ C1]  ffff8881cec48080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 22.647131][ C1]  ffff8881cec48100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 22.655211][ C1] >ffff8881cec48180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 22.663386][ C1]                                      ^
[ 22.669011][ C1]  ffff8881cec48200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 22.677298][ C1]  ffff8881cec48280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 22.685692][ C1] ==================================================================
[ 22.693756][ C1] Disabling lock debugging due to kernel taint
[ 22.699914][ C1] Kernel panic - not syncing: panic_on_warn set ...
[ 22.706671][ C1] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G B 5.6.0-rc7-syzkaller #0
[ 22.716400][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 22.726787][ C1] Call Trace:
[ 22.730065][ C1]
[ 22.732915][ C1] dump_stack+0xef/0x16e
[ 22.737144][ C1] panic+0x2aa/0x6e1
[ 22.741077][ C1] ? add_taint.cold+0x16/0x16
[ 22.745780][ C1] ? print_shadow_for_address+0xb8/0x114
[ 22.751498][ C1] ? trace_hardirqs_off+0x50/0x200
[ 22.756593][ C1] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 22.761601][ C1] end_report+0x43/0x49
[ 22.765739][ C1] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 22.770834][ C1] __kasan_report.cold+0x55/0x77
[ 22.775756][ C1] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 22.780764][ C1] kasan_report+0xe/0x20
[ 22.785338][ C1] ath9k_htc_rx_msg+0xa25/0xaf0
[ 22.790180][ C1] ath9k_hif_usb_reg_in_cb+0x1ba/0x630
[ 22.795848][ C1] ? _raw_read_unlock+0x1a/0x30
[ 22.800702][ C1] ? led_trigger_blink_oneshot+0xb4/0xe0
[ 22.806329][ C1] __usb_hcd_giveback_urb+0x1f2/0x470
[ 22.811918][ C1] usb_hcd_giveback_urb+0x368/0x420
[ 22.817148][ C1] dummy_timer+0x1258/0x32ae
[ 22.821738][ C1] ? dummy_udc_probe+0x930/0x930
[ 22.826751][ C1] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 22.832359][ C1] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 22.837745][ C1] call_timer_fn+0x195/0x6f0
[ 22.842376][ C1] ? dummy_udc_probe+0x930/0x930
[ 22.847328][ C1] ? msleep_interruptible+0x130/0x130
[ 22.852685][ C1] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 22.858220][ C1] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 22.863540][ C1] ? _raw_spin_unlock_irq+0x1f/0x30
[ 22.868723][ C1] ? dummy_udc_probe+0x930/0x930
[ 22.873677][ C1] run_timer_softirq+0x5f9/0x1500
[ 22.878685][ C1] ? add_timer+0x7a0/0x7a0
[ 22.883147][ C1] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 22.888762][ C1] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 22.894033][ C1] __do_softirq+0x21e/0x950
[ 22.898529][ C1] irq_exit+0x178/0x1a0
[ 22.902699][ C1] smp_apic_timer_interrupt+0x141/0x540
[ 22.908467][ C1] apic_timer_interrupt+0xf/0x20
[ 22.913510][ C1]
[ 22.916443][ C1] RIP: 0010:default_idle+0x28/0x300
[ 22.921630][ C1] Code: cc cc 41 56 41 55 65 44 8b 2d 04 3b 72 7a 41 54 55 53 0f 1f 44 00 00 e8 b6 27 b5 fb e9 07 00 00 00 0f 00 2d aa d0 52 00 fb f4 <65> 44 8b 2d e0 3a 72 7a 0f 1f 44 00 00 5b 5d 41 5c 41 5d 41 5e c3
[ 22.942300][ C1] RSP: 0018:ffff8881da22fda8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
[ 22.951029][ C1] RAX: 0000000000000007 RBX: ffff8881da213100 RCX: 0000000000000000
[ 22.959422][ C1] RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffff8881da21394c
[ 22.967510][ C1] RBP: ffffed103b442620 R08: ffff8881da213100 R09: 0000000000000000
[ 22.975817][ C1] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
[ 22.983790][ C1] R13: 0000000000000001 R14: ffffffff87e612c0 R15: 0000000000000000
[ 22.991768][ C1] ? default_idle+0x1a/0x300
[ 22.996350][ C1] do_idle+0x3e0/0x500
[ 23.000407][ C1] ? __wake_up_common+0x147/0x650
[ 23.005496][ C1] ? arch_cpu_idle_exit+0x40/0x40
[ 23.010514][ C1] ? _raw_spin_unlock_irqrestore+0x39/0x40
[ 23.016457][ C1] ? lockdep_hardirqs_on+0x382/0x580
[ 23.021729][ C1] cpu_startup_entry+0x14/0x20
[ 23.026704][ C1] start_secondary+0x2a4/0x390
[ 23.031809][ C1] ? set_cpu_sibling_map+0x1e90/0x1e90
[ 23.037566][ C1] secondary_startup_64+0xb6/0xc0
[ 23.043939][ C1] Kernel Offset: disabled
[ 23.048269][ C1] Rebooting in 86400 seconds..