[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

syzkaller login: [ 15.644029][ C1] random: crng init done
[ 15.648334][ C1] random: 7 urandom warning(s) missed due to ratelimiting
Warning: Permanently added '10.128.0.89' (ECDSA) to the list of known hosts.
executing program
[ 22.682549][ T95] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 23.202055][ T95] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 23.211160][ T95] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 23.219209][ T95] usb 1-1: Product: syz
[ 23.223433][ T95] usb 1-1: Manufacturer: syz
[ 23.228011][ T95] usb 1-1: SerialNumber: syz
[ 23.273049][ T95] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 23.891446][ T95] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
executing program
[ 24.293316][ T12] usb 1-1: USB disconnect, device number 2
[ 25.180366][ T95] usb 1-1: Service connection timeout for: 256
[ 25.186644][ T95] ==================================================================
[ 25.194781][ T95] BUG: KASAN: use-after-free in kfree_skb+0x32/0x3d0
[ 25.201445][ T95] Read of size 4 at addr ffff8881d33aed54 by task kworker/0:2/95
[ 25.209165][ T95]
[ 25.211474][ T95] CPU: 0 PID: 95 Comm: kworker/0:2 Not tainted 5.7.0-rc6-syzkaller #0
[ 25.219593][ T95] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 25.229626][ T95] Workqueue: events request_firmware_work_func
[ 25.235746][ T95] Call Trace:
[ 25.239008][ T95]  dump_stack+0xef/0x16e
[ 25.243226][ T95]  print_address_description.constprop.0.cold+0xd3/0x415
[ 25.250230][ T95]  ? vprintk_func+0x7d/0x113
[ 25.254802][ T95]  ? kfree_skb+0x32/0x3d0
[ 25.259102][ T95]  __kasan_report.cold+0x37/0x7d
[ 25.264010][ T95]  ? kfree_skb+0x32/0x3d0
[ 25.268311][ T95]  ? kfree_skb+0x32/0x3d0
[ 25.272612][ T95]  kasan_report+0x33/0x50
[ 25.277001][ T95]  check_memory_region+0x173/0x1d0
[ 25.282083][ T95]  kfree_skb+0x32/0x3d0
[ 25.286305][ T95]  htc_connect_service.cold+0xa9/0x109
[ 25.291735][ T95]  ath9k_wmi_connect+0xd2/0x1a0
[ 25.296560][ T95]  ? ath9k_fatal_work+0x20/0x20
[ 25.301400][ T95]  ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 25.307439][ T95]  ? ath9k_wmi_event_tasklet+0x440/0x440
[ 25.313060][ T95]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 25.319451][ T95]  ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 25.324717][ T95]  ? lockdep_init_map_waits+0x26a/0x7c0
[ 25.330242][ T95]  ? __raw_spin_lock_init+0x34/0x100
[ 25.335506][ T95]  ? tasklet_init+0x69/0x110
[ 25.340105][ T95]  ath9k_htc_probe_device+0x25a/0x1da0
[ 25.345541][ T95]  ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 25.352189][ T95]  ? usb_submit_urb+0x6ed/0x1460
[ 25.357098][ T95]  ? usb_free_urb.part.0+0x52/0x110
[ 25.362268][ T95]  ? usb_free_urb+0x1b/0x30
[ 25.366744][ T95]  ath9k_htc_hw_init+0x31/0x60
[ 25.371570][ T95]  ath9k_hif_usb_firmware_cb+0x274/0x510
[ 25.377202][ T95]  ? ath9k_hif_usb_resume+0x320/0x320
[ 25.382544][ T95]  request_firmware_work_func+0x126/0x242
[ 25.388249][ T95]  ? request_firmware_into_buf+0x90/0x90
[ 25.393855][ T95]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 25.399406][ T95]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 25.404667][ T95]  ? _raw_spin_unlock_irq+0x1f/0x30
[ 25.409839][ T95]  process_one_work+0x965/0x1630
[ 25.414754][ T95]  ? lock_release+0x720/0x720
[ 25.419401][ T95]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 25.424743][ T95]  ? rwlock_bug.part.0+0x90/0x90
[ 25.429658][ T95]  worker_thread+0x96/0xe20
[ 25.434146][ T95]  ? process_one_work+0x1630/0x1630
[ 25.439329][ T95]  kthread+0x326/0x430
[ 25.443373][ T95]  ? kthread_create_on_node+0xf0/0xf0
[ 25.448717][ T95]  ret_from_fork+0x24/0x30
[ 25.453102][ T95]
[ 25.455404][ T95] Allocated by task 95:
[ 25.459551][ T95]  save_stack+0x1b/0x40
[ 25.463693][ T95]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 25.469318][ T95]  kmem_cache_alloc_node+0xdc/0x330
[ 25.474498][ T95]  __alloc_skb+0xba/0x5a0
[ 25.478798][ T95]  htc_connect_service+0x2cc/0x840
[ 25.483877][ T95]  ath9k_wmi_connect+0xd2/0x1a0
[ 25.488700][ T95]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 25.495083][ T95]  ath9k_htc_probe_device+0x25a/0x1da0
[ 25.500513][ T95]  ath9k_htc_hw_init+0x31/0x60
[ 25.505262][ T95]  ath9k_hif_usb_firmware_cb+0x274/0x510
[ 25.510871][ T95]  request_firmware_work_func+0x126/0x242
[ 25.516567][ T95]  process_one_work+0x965/0x1630
[ 25.521479][ T95]  worker_thread+0x96/0xe20
[ 25.525996][ T95]  kthread+0x326/0x430
[ 25.530042][ T95]  ret_from_fork+0x24/0x30
[ 25.534429][ T95]
[ 25.536732][ T95] Freed by task 361:
[ 25.540603][ T95]  save_stack+0x1b/0x40
[ 25.544738][ T95]  __kasan_slab_free+0x117/0x160
[ 25.549650][ T95]  kmem_cache_free+0x9b/0x360
[ 25.554300][ T95]  kfree_skbmem+0xef/0x1b0
[ 25.558694][ T95]  kfree_skb+0x102/0x3d0
[ 25.562912][ T95]  ath9k_htc_txcompletion_cb+0x1f8/0x2b0
[ 25.568519][ T95]  hif_usb_regout_cb+0x115/0x1c0
[ 25.573429][ T95]  __usb_hcd_giveback_urb+0x29a/0x550
[ 25.578788][ T95]  usb_hcd_giveback_urb+0x368/0x420
[ 25.583961][ T95]  dummy_timer+0x125e/0x32b4
[ 25.588525][ T95]  call_timer_fn+0x1ac/0x700
[ 25.593087][ T95]  run_timer_softirq+0x5f9/0x1500
[ 25.598087][ T95]  __do_softirq+0x21e/0x9aa
[ 25.602732][ T95]
[ 25.605039][ T95] The buggy address belongs to the object at ffff8881d33aec80
[ 25.605039][ T95]  which belongs to the cache skbuff_head_cache of size 224
[ 25.619584][ T95] The buggy address is located 212 bytes inside of
[ 25.619584][ T95]  224-byte region [ffff8881d33aec80, ffff8881d33aed60)
[ 25.632823][ T95] The buggy address belongs to the page:
[ 25.638430][ T95] page:ffffea00074ceb80 refcount:1 mapcount:0 mapping:00000000cec8bbe8 index:0x0
[ 25.647527][ T95] flags: 0x200000000000200(slab)
[ 25.652442][ T95] raw: 0200000000000200 ffffea00073ea240 0000000200000002 ffff8881da175400
[ 25.661010][ T95] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 25.669561][ T95] page dumped because: kasan: bad access detected
[ 25.675952][ T95]
[ 25.678263][ T95] Memory state around the buggy address:
[ 25.683869][ T95]  ffff8881d33aec00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 25.691901][ T95]  ffff8881d33aec80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.699940][ T95] >ffff8881d33aed00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 25.708059][ T95]                                                  ^
[ 25.714714][ T95]  ffff8881d33aed80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 25.722757][ T95]  ffff8881d33aee00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 25.730790][ T95] ==================================================================
[ 25.738834][ T95] Disabling lock debugging due to kernel taint
[ 25.745044][ T95] Kernel panic - not syncing: panic_on_warn set ...
[ 25.751625][ T95] CPU: 0 PID: 95 Comm: kworker/0:2 Tainted: G B 5.7.0-rc6-syzkaller #0
[ 25.761150][ T95] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 25.771292][ T95] Workqueue: events request_firmware_work_func
[ 25.777426][ T95] Call Trace:
[ 25.780692][ T95]  dump_stack+0xef/0x16e
[ 25.784904][ T95]  panic+0x2aa/0x6e1
[ 25.788769][ T95]  ? add_taint.cold+0x16/0x16
[ 25.793419][ T95]  ? retint_kernel+0x10/0x10
[ 25.797979][ T95]  ? kfree_skb+0x32/0x3d0
[ 25.802280][ T95]  ? trace_hardirqs_on+0x55/0x200
[ 25.807275][ T95]  ? kfree_skb+0x32/0x3d0
[ 25.811587][ T95]  end_report+0x4d/0x53
[ 25.815714][ T95]  __kasan_report.cold+0x72/0x7d
[ 25.820639][ T95]  ? kfree_skb+0x32/0x3d0
[ 25.824937][ T95]  ? kfree_skb+0x32/0x3d0
[ 25.829236][ T95]  kasan_report+0x33/0x50
[ 25.833546][ T95]  check_memory_region+0x173/0x1d0
[ 25.838629][ T95]  kfree_skb+0x32/0x3d0
[ 25.842757][ T95]  htc_connect_service.cold+0xa9/0x109
[ 25.848186][ T95]  ath9k_wmi_connect+0xd2/0x1a0
[ 25.853017][ T95]  ? ath9k_fatal_work+0x20/0x20
[ 25.857846][ T95]  ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 25.863895][ T95]  ? ath9k_wmi_event_tasklet+0x440/0x440
[ 25.869499][ T95]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 25.875897][ T95]  ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 25.881154][ T95]  ? lockdep_init_map_waits+0x26a/0x7c0
[ 25.886686][ T95]  ? __raw_spin_lock_init+0x34/0x100
[ 25.891940][ T95]  ? tasklet_init+0x69/0x110
[ 25.896501][ T95]  ath9k_htc_probe_device+0x25a/0x1da0
[ 25.901942][ T95]  ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 25.908587][ T95]  ? usb_submit_urb+0x6ed/0x1460
[ 25.913495][ T95]  ? usb_free_urb.part.0+0x52/0x110
[ 25.918663][ T95]  ? usb_free_urb+0x1b/0x30
[ 25.923137][ T95]  ath9k_htc_hw_init+0x31/0x60
[ 25.927885][ T95]  ath9k_hif_usb_firmware_cb+0x274/0x510
[ 25.933494][ T95]  ? ath9k_hif_usb_resume+0x320/0x320
[ 25.938836][ T95]  request_firmware_work_func+0x126/0x242
[ 25.944548][ T95]  ? request_firmware_into_buf+0x90/0x90
[ 25.950172][ T95]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 25.955689][ T95]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 25.960944][ T95]  ? _raw_spin_unlock_irq+0x1f/0x30
[ 25.966214][ T95]  process_one_work+0x965/0x1630
[ 25.971129][ T95]  ? lock_release+0x720/0x720
[ 25.975776][ T95]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 25.981131][ T95]  ? rwlock_bug.part.0+0x90/0x90
[ 25.986038][ T95]  worker_thread+0x96/0xe20
[ 25.990513][ T95]  ? process_one_work+0x1630/0x1630
[ 25.995693][ T95]  kthread+0x326/0x430
[ 25.999734][ T95]  ? kthread_create_on_node+0xf0/0xf0
[ 26.005078][ T95]  ret_from_fork+0x24/0x30
[ 26.010062][ T95] Kernel Offset: disabled
[ 26.014367][ T95] Rebooting in 86400 seconds..