Starting Load/Save RF Kill Switch Status...
[ 12.269465][ C1] random: crng init done
[ 12.273775][ C1] random: 7 urandom warning(s) missed due to ratelimiting
[ OK ] Started Load/Save RF Kill Switch Status.
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.50' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 22.855336][ T95] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 23.374969][ T95] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 23.384089][ T95] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 23.392139][ T95] usb 1-1: Product: syz
[ 23.396368][ T95] usb 1-1: Manufacturer: syz
[ 23.400938][ T95] usb 1-1: SerialNumber: syz
[ 23.445834][ T95] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 24.034345][ T95] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[ 24.434536][ T367] udc-core: couldn't find an available UDC or it's busy
[ 24.441558][ T367] misc raw-gadget: fail, usb_gadget_probe_driver returned -16
executing program
[ 24.636906][ T292] usb 1-1: USB disconnect, device number 2
[ 25.323425][ T95] usb 1-1: Service connection timeout for: 256
[ 25.329769][ T95] ==================================================================
[ 25.337904][ T95] BUG: KASAN: use-after-free in kfree_skb+0x32/0x3d0
[ 25.344553][ T95] Read of size 4 at addr ffff8881cc1f9d54 by task kworker/0:2/95
[ 25.352236][ T95]
[ 25.354546][ T95] CPU: 0 PID: 95 Comm: kworker/0:2 Not tainted 5.7.0-rc6-syzkaller #0
[ 25.362677][ T95] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 25.372716][ T95] Workqueue: events request_firmware_work_func
[ 25.378840][ T95] Call Trace:
[ 25.382123][ T95]  dump_stack+0xef/0x16e
[ 25.386360][ T95]  print_address_description.constprop.0.cold+0xd3/0x415
[ 25.393372][ T95]  ? vprintk_func+0x7d/0x113
[ 25.397964][ T95]  ? kfree_skb+0x32/0x3d0
[ 25.402283][ T95]  __kasan_report.cold+0x37/0x7d
[ 25.407197][ T95]  ? kfree_skb+0x32/0x3d0
[ 25.411500][ T95]  ? kfree_skb+0x32/0x3d0
[ 25.415803][ T95]  kasan_report+0x33/0x50
[ 25.420109][ T95]  check_memory_region+0x173/0x1d0
[ 25.425194][ T95]  kfree_skb+0x32/0x3d0
[ 25.429328][ T95]  htc_connect_service.cold+0xa9/0x109
[ 25.434771][ T95]  ath9k_wmi_connect+0xd2/0x1a0
[ 25.439605][ T95]  ? ath9k_fatal_work+0x20/0x20
[ 25.444432][ T95]  ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 25.450474][ T95]  ? ath9k_wmi_event_tasklet+0x440/0x440
[ 25.456088][ T95]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 25.462476][ T95]  ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 25.467736][ T95]  ? lockdep_init_map_waits+0x26a/0x7c0
[ 25.473269][ T95]  ? __raw_spin_lock_init+0x34/0x100
[ 25.478528][ T95]  ? tasklet_init+0x69/0x110
[ 25.483092][ T95]  ath9k_htc_probe_device+0x25a/0x1da0
[ 25.488526][ T95]  ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 25.495184][ T95]  ? usb_submit_urb+0x6ed/0x1460
[ 25.500096][ T95]  ? usb_free_urb.part.0+0x52/0x110
[ 25.505267][ T95]  ? usb_free_urb+0x1b/0x30
[ 25.509773][ T95]  ath9k_htc_hw_init+0x31/0x60
[ 25.514523][ T95]  ath9k_hif_usb_firmware_cb+0x274/0x510
[ 25.520141][ T95]  ? ath9k_hif_usb_resume+0x320/0x320
[ 25.525502][ T95]  request_firmware_work_func+0x126/0x242
[ 25.531194][ T95]  ? request_firmware_into_buf+0x90/0x90
[ 25.536813][ T95]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 25.542347][ T95]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 25.547607][ T95]  ? _raw_spin_unlock_irq+0x1f/0x30
[ 25.552796][ T95]  process_one_work+0x965/0x1630
[ 25.557709][ T95]  ? lock_release+0x720/0x720
[ 25.562373][ T95]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 25.567726][ T95]  ? rwlock_bug.part.0+0x90/0x90
[ 25.572658][ T95]  worker_thread+0x96/0xe20
[ 25.577141][ T95]  ? process_one_work+0x1630/0x1630
[ 25.582311][ T95]  kthread+0x326/0x430
[ 25.586363][ T95]  ? kthread_create_on_node+0xf0/0xf0
[ 25.591711][ T95]  ret_from_fork+0x24/0x30
[ 25.596097][ T95]
[ 25.598402][ T95] Allocated by task 95:
[ 25.602533][ T95]  save_stack+0x1b/0x40
[ 25.606665][ T95]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 25.612270][ T95]  kmem_cache_alloc_node+0xdc/0x330
[ 25.617441][ T95]  __alloc_skb+0xba/0x5a0
[ 25.621759][ T95]  htc_connect_service+0x2cc/0x840
[ 25.626859][ T95]  ath9k_wmi_connect+0xd2/0x1a0
[ 25.631690][ T95]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 25.638077][ T95]  ath9k_htc_probe_device+0x25a/0x1da0
[ 25.643521][ T95]  ath9k_htc_hw_init+0x31/0x60
[ 25.648271][ T95]  ath9k_hif_usb_firmware_cb+0x274/0x510
[ 25.653878][ T95]  request_firmware_work_func+0x126/0x242
[ 25.659581][ T95]  process_one_work+0x965/0x1630
[ 25.664491][ T95]  worker_thread+0x96/0xe20
[ 25.668968][ T95]  kthread+0x326/0x430
[ 25.673011][ T95]  ret_from_fork+0x24/0x30
[ 25.677404][ T95]
[ 25.679707][ T95] Freed by task 158:
[ 25.683584][ T95]  save_stack+0x1b/0x40
[ 25.687717][ T95]  __kasan_slab_free+0x117/0x160
[ 25.692630][ T95]  kmem_cache_free+0x9b/0x360
[ 25.697283][ T95]  kfree_skbmem+0xef/0x1b0
[ 25.701672][ T95]  kfree_skb+0x102/0x3d0
[ 25.705903][ T95]  ath9k_htc_txcompletion_cb+0x1f8/0x2b0
[ 25.711605][ T95]  hif_usb_regout_cb+0x115/0x1c0
[ 25.716532][ T95]  __usb_hcd_giveback_urb+0x29a/0x550
[ 25.721878][ T95]  usb_hcd_giveback_urb+0x368/0x420
[ 25.727051][ T95]  dummy_timer+0x125e/0x32b4
[ 25.731628][ T95]  call_timer_fn+0x1ac/0x700
[ 25.736201][ T95]  run_timer_softirq+0x5f9/0x1500
[ 25.741213][ T95]  __do_softirq+0x21e/0x9aa
[ 25.745695][ T95]
[ 25.748000][ T95] The buggy address belongs to the object at ffff8881cc1f9c80
[ 25.748000][ T95]  which belongs to the cache skbuff_head_cache of size 224
[ 25.762559][ T95] The buggy address is located 212 bytes inside of
[ 25.762559][ T95]  224-byte region [ffff8881cc1f9c80, ffff8881cc1f9d60)
[ 25.775977][ T95] The buggy address belongs to the page:
[ 25.781589][ T95] page:ffffea0007307e40 refcount:1 mapcount:0 mapping:000000000d8ed53a index:0x0
[ 25.790678][ T95] flags: 0x200000000000200(slab)
[ 25.795592][ T95] raw: 0200000000000200 dead000000000100 dead000000000122 ffff8881da175400
[ 25.804214][ T95] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 25.812823][ T95] page dumped because: kasan: bad access detected
[ 25.819344][ T95]
[ 25.821663][ T95] Memory state around the buggy address:
[ 25.827284][ T95]  ffff8881cc1f9c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.835341][ T95]  ffff8881cc1f9c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.843380][ T95] >ffff8881cc1f9d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 25.851414][ T95]                                                  ^
[ 25.858061][ T95]  ffff8881cc1f9d80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 25.866108][ T95]  ffff8881cc1f9e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.874146][ T95] ==================================================================
[ 25.882177][ T95] Disabling lock debugging due to kernel taint
[ 25.888372][ T95] Kernel panic - not syncing: panic_on_warn set ...
[ 25.894965][ T95] CPU: 0 PID: 95 Comm: kworker/0:2 Tainted: G    B             5.7.0-rc6-syzkaller #0
[ 25.904496][ T95] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 25.914555][ T95] Workqueue: events request_firmware_work_func
[ 25.920691][ T95] Call Trace:
[ 25.923958][ T95]  dump_stack+0xef/0x16e
[ 25.928173][ T95]  panic+0x2aa/0x6e1
[ 25.932041][ T95]  ? add_taint.cold+0x16/0x16
[ 25.936691][ T95]  ? retint_kernel+0x10/0x10
[ 25.941252][ T95]  ? kfree_skb+0x32/0x3d0
[ 25.945556][ T95]  ? trace_hardirqs_on+0x55/0x200
[ 25.950550][ T95]  ? kfree_skb+0x32/0x3d0
[ 25.954851][ T95]  end_report+0x4d/0x53
[ 25.958993][ T95]  __kasan_report.cold+0x72/0x7d
[ 25.963901][ T95]  ? kfree_skb+0x32/0x3d0
[ 25.968201][ T95]  ? kfree_skb+0x32/0x3d0
[ 25.972502][ T95]  kasan_report+0x33/0x50
[ 25.976811][ T95]  check_memory_region+0x173/0x1d0
[ 25.981899][ T95]  kfree_skb+0x32/0x3d0
[ 25.986028][ T95]  htc_connect_service.cold+0xa9/0x109
[ 25.991527][ T95]  ath9k_wmi_connect+0xd2/0x1a0
[ 25.996361][ T95]  ? ath9k_fatal_work+0x20/0x20
[ 26.001192][ T95]  ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 26.007232][ T95]  ? ath9k_wmi_event_tasklet+0x440/0x440
[ 26.012853][ T95]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 26.019406][ T95]  ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 26.024708][ T95]  ? lockdep_init_map_waits+0x26a/0x7c0
[ 26.030238][ T95]  ? __raw_spin_lock_init+0x34/0x100
[ 26.035511][ T95]  ? tasklet_init+0x69/0x110
[ 26.040083][ T95]  ath9k_htc_probe_device+0x25a/0x1da0
[ 26.045514][ T95]  ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 26.052160][ T95]  ? usb_submit_urb+0x6ed/0x1460
[ 26.057068][ T95]  ? usb_free_urb.part.0+0x52/0x110
[ 26.062235][ T95]  ? usb_free_urb+0x1b/0x30
[ 26.066728][ T95]  ath9k_htc_hw_init+0x31/0x60
[ 26.071485][ T95]  ath9k_hif_usb_firmware_cb+0x274/0x510
[ 26.077094][ T95]  ? ath9k_hif_usb_resume+0x320/0x320
[ 26.082438][ T95]  request_firmware_work_func+0x126/0x242
[ 26.088135][ T95]  ? request_firmware_into_buf+0x90/0x90
[ 26.093741][ T95]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 26.099261][ T95]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 26.104519][ T95]  ? _raw_spin_unlock_irq+0x1f/0x30
[ 26.109707][ T95]  process_one_work+0x965/0x1630
[ 26.114624][ T95]  ? lock_release+0x720/0x720
[ 26.119298][ T95]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 26.124641][ T95]  ? rwlock_bug.part.0+0x90/0x90
[ 26.129565][ T95]  worker_thread+0x96/0xe20
[ 26.134046][ T95]  ? process_one_work+0x1630/0x1630
[ 26.139231][ T95]  kthread+0x326/0x430
[ 26.143292][ T95]  ? kthread_create_on_node+0xf0/0xf0
[ 26.148658][ T95]  ret_from_fork+0x24/0x30
[ 26.153676][ T95] Kernel Offset: disabled
[ 26.157983][ T95] Rebooting in 86400 seconds..
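The three stacks in the report together describe one ownership mistake. The skb is allocated in htc_connect_service ("Allocated by task 95"), freed by the USB transmit completion path hif_usb_regout_cb -> ath9k_htc_txcompletion_cb -> kfree_skb running from the dummy_hcd timer softirq ("Freed by task 158"), and then handed to kfree_skb a second time from htc_connect_service right after the "Service connection timeout for: 256" message. The "Read of size 4" at 212 bytes into the 224-byte skbuff_head_cache object is kfree_skb touching the skb head that was already returned to the cache. The C model below is an added illustration and is not code from the ath9k_htc driver or the kernel: a toy allocator tracks each object's live/freed state the way KASAN's shadow memory does, so the second free is counted instead of corrupting memory, and the completion can be run before or after the timeout to show that neither order is safe. All toy_* and connect_service_* names are invented for the example, and the hardened variant embodies an assumption the page does not state, namely that the remedy is for the timeout path to leave the single free to the completion callback.

```c
/* Added illustration of the ownership bug in the KASAN report above.
 * Not the ath9k_htc driver's code; all names here are invented. */
#include <stdio.h>
#include <string.h>

#define TOY_POOL 8
enum skb_state { SLOT_EMPTY = 0, SKB_LIVE, SKB_FREED };

struct toy_skb {
    enum skb_state state;
    unsigned int users;   /* stands in for skb->users, the field kfree_skb reads */
};

static struct toy_skb pool[TOY_POOL];
static int kasan_reports; /* use-after-free accesses detected by the toy allocator */

int toy_reset(void) { memset(pool, 0, sizeof pool); kasan_reports = 0; return 0; }
int toy_uaf_reports(void) { return kasan_reports; }

/* Objects still live after a scenario; non-zero would mean a leak. */
int toy_live_skbs(void)
{
    int n = 0;
    for (int i = 0; i < TOY_POOL; i++)
        n += (pool[i].state == SKB_LIVE);
    return n;
}

static struct toy_skb *toy_alloc_skb(void)
{
    for (int i = 0; i < TOY_POOL; i++)
        if (pool[i].state == SLOT_EMPTY) {
            pool[i].state = SKB_LIVE;
            pool[i].users = 1;
            return &pool[i];
        }
    return NULL;
}

/* Like kfree_skb(): the first thing it does is read skb->users. On an object
 * already returned to the cache that read is the "Read of size 4" KASAN saw. */
static void toy_kfree_skb(struct toy_skb *skb)
{
    if (skb->state != SKB_LIVE) { kasan_reports++; return; } /* KASAN: UAF */
    if (--skb->users == 0)
        skb->state = SKB_FREED;
}

/* Transmit side: once queued, the URB completion callback owns the skb and
 * frees it (hif_usb_regout_cb -> ath9k_htc_txcompletion_cb -> kfree_skb). */
static struct toy_skb *inflight;
static void toy_hif_send(struct toy_skb *skb) { inflight = skb; }
static void toy_tx_completion(void)
{
    if (inflight) { toy_kfree_skb(inflight); inflight = NULL; }
}

/* Vulnerable shape: on a service-connection timeout the caller frees an skb
 * it handed to the transmit path. The completion fires from a timer softirq on
 * another task, so it may run before or after the timeout; both orders free
 * the same object twice. Returns 0 on success, -2 as the timeout stand-in. */
int connect_service_vulnerable(int response_arrives, int completion_first)
{
    struct toy_skb *skb = toy_alloc_skb();
    if (!skb)
        return -1;
    toy_hif_send(skb);
    if (completion_first)
        toy_tx_completion();
    if (!response_arrives) {
        toy_kfree_skb(skb);   /* second owner freeing the same skb */
        toy_tx_completion();  /* the callback still runs afterwards */
        return -2;
    }
    toy_tx_completion();
    return 0;
}

/* Hardened shape (assumed remedy, not taken from the page): ownership moves
 * to the transmit path at toy_hif_send(); the timeout path only reports the
 * error and never touches the skb again, so exactly one free happens. */
int connect_service_fixed(int response_arrives, int completion_first)
{
    struct toy_skb *skb = toy_alloc_skb();
    if (!skb)
        return -1;
    toy_hif_send(skb);
    if (completion_first)
        toy_tx_completion();
    toy_tx_completion();      /* no-op if the callback already ran */
    return response_arrives ? 0 : -2;
}

int main(void)
{
    toy_reset();
    connect_service_vulnerable(0, 1);
    connect_service_vulnerable(0, 0);
    printf("vulnerable: %d use-after-free report(s)\n", toy_uaf_reports());
    toy_reset();
    connect_service_fixed(0, 1);
    connect_service_fixed(0, 0);
    printf("fixed: %d use-after-free report(s), %d live\n", toy_uaf_reports(), toy_live_skbs());
    return 0;
}
```

The model deliberately exercises both interleavings because the report's freeing task (158, a softirq on the host controller timer) and the reporting task (95, the firmware workqueue) are independent; the only rule that survives both orders is that after the send exactly one party owns the skb, and the caller is not that party.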