Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Load/Save RF Kill Switch Status.
[  OK  ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

syzkaller login: [ 16.047962][ C1] random: crng init done
[ 16.052254][ C1] random: 7 urandom warning(s) missed due to ratelimiting
Warning: Permanently added '10.128.1.53' (ECDSA) to the list of known hosts.
executing program
[ 23.223772][ T5] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 23.743177][ T5] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 23.752435][ T5] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 23.760501][ T5] usb 1-1: Product: syz
[ 23.764734][ T5] usb 1-1: Manufacturer: syz
[ 23.769314][ T5] usb 1-1: SerialNumber: syz
[ 23.814086][ T5] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 24.432382][ T5] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
executing program
[ 24.834064][ T95] usb 1-1: USB disconnect, device number 2
[ 25.711505][ T5] usb 1-1: Service connection timeout for: 256
[ 25.717919][ T5] ==================================================================
[ 25.726313][ T5] BUG: KASAN: use-after-free in kfree_skb+0x32/0x3d0
[ 25.732985][ T5] Read of size 4 at addr ffff8881ce262214 by task kworker/0:0/5
[ 25.742370][ T5]
[ 25.744716][ T5] CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.7.0-rc6-syzkaller #0
[ 25.752759][ T5] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 25.762825][ T5] Workqueue: events request_firmware_work_func
[ 25.770683][ T5] Call Trace:
[ 25.774018][ T5]  dump_stack+0xef/0x16e
[ 25.778243][ T5]  print_address_description.constprop.0.cold+0xd3/0x415
[ 25.785258][ T5]  ? vprintk_func+0x7d/0x113
[ 25.789827][ T5]  ? kfree_skb+0x32/0x3d0
[ 25.794221][ T5]  __kasan_report.cold+0x37/0x7d
[ 25.799154][ T5]  ? kfree_skb+0x32/0x3d0
[ 25.803494][ T5]  ? kfree_skb+0x32/0x3d0
[ 25.807822][ T5]  kasan_report+0x33/0x50
[ 25.812133][ T5]  check_memory_region+0x173/0x1d0
[ 25.817223][ T5]  kfree_skb+0x32/0x3d0
[ 25.821362][ T5]  htc_connect_service.cold+0xa9/0x109
[ 25.826898][ T5]  ath9k_wmi_connect+0xd2/0x1a0
[ 25.831742][ T5]  ? ath9k_fatal_work+0x20/0x20
[ 25.837265][ T5]  ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 25.843321][ T5]  ? ath9k_wmi_event_tasklet+0x440/0x440
[ 25.849381][ T5]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 25.858738][ T5]  ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 25.864179][ T5]  ? lockdep_init_map_waits+0x26a/0x7c0
[ 25.869703][ T5]  ? __raw_spin_lock_init+0x34/0x100
[ 25.874995][ T5]  ? tasklet_init+0x69/0x110
[ 25.882272][ T5]  ath9k_htc_probe_device+0x25a/0x1da0
[ 25.887821][ T5]  ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 25.894502][ T5]  ? usb_submit_urb+0x6ed/0x1460
[ 25.899565][ T5]  ? usb_free_urb.part.0+0x52/0x110
[ 25.905038][ T5]  ? usb_free_urb+0x1b/0x30
[ 25.909555][ T5]  ath9k_htc_hw_init+0x31/0x60
[ 25.914325][ T5]  ath9k_hif_usb_firmware_cb+0x274/0x510
[ 25.920046][ T5]  ? ath9k_hif_usb_resume+0x320/0x320
[ 25.925402][ T5]  request_firmware_work_func+0x126/0x242
[ 25.931121][ T5]  ? request_firmware_into_buf+0x90/0x90
[ 25.936968][ T5]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 25.942494][ T5]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 25.947766][ T5]  ? _raw_spin_unlock_irq+0x1f/0x30
[ 25.953054][ T5]  process_one_work+0x965/0x1630
[ 25.957985][ T5]  ? lock_release+0x720/0x720
[ 25.962639][ T5]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 25.967988][ T5]  ? rwlock_bug.part.0+0x90/0x90
[ 25.972989][ T5]  worker_thread+0x96/0xe20
[ 25.977468][ T5]  ? process_one_work+0x1630/0x1630
[ 25.982641][ T5]  kthread+0x326/0x430
[ 25.986791][ T5]  ? kthread_create_on_node+0xf0/0xf0
[ 25.992234][ T5]  ret_from_fork+0x24/0x30
[ 25.996624][ T5]
[ 25.999289][ T5] Allocated by task 5:
[ 26.003362][ T5]  save_stack+0x1b/0x40
[ 26.007500][ T5]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 26.013125][ T5]  kmem_cache_alloc_node+0xdc/0x330
[ 26.018312][ T5]  __alloc_skb+0xba/0x5a0
[ 26.022618][ T5]  htc_connect_service+0x2cc/0x840
[ 26.027705][ T5]  ath9k_wmi_connect+0xd2/0x1a0
[ 26.032966][ T5]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 26.039364][ T5]  ath9k_htc_probe_device+0x25a/0x1da0
[ 26.044983][ T5]  ath9k_htc_hw_init+0x31/0x60
[ 26.049911][ T5]  ath9k_hif_usb_firmware_cb+0x274/0x510
[ 26.057704][ T5]  request_firmware_work_func+0x126/0x242
[ 26.063488][ T5]  process_one_work+0x965/0x1630
[ 26.070511][ T5]  worker_thread+0x96/0xe20
[ 26.075084][ T5]  kthread+0x326/0x430
[ 26.079155][ T5]  ret_from_fork+0x24/0x30
[ 26.084598][ T5]
[ 26.087619][ T5] Freed by task 0:
[ 26.091331][ T5]  save_stack+0x1b/0x40
[ 26.095465][ T5]  __kasan_slab_free+0x117/0x160
[ 26.101086][ T5]  kmem_cache_free+0x9b/0x360
[ 26.105747][ T5]  kfree_skbmem+0xef/0x1b0
[ 26.110139][ T5]  kfree_skb+0x102/0x3d0
[ 26.114359][ T5]  ath9k_htc_txcompletion_cb+0x1f8/0x2b0
[ 26.120837][ T5]  hif_usb_regout_cb+0x115/0x1c0
[ 26.126717][ T5]  __usb_hcd_giveback_urb+0x29a/0x550
[ 26.132154][ T5]  usb_hcd_giveback_urb+0x368/0x420
[ 26.137347][ T5]  dummy_timer+0x125e/0x32b4
[ 26.141927][ T5]  call_timer_fn+0x1ac/0x700
[ 26.146509][ T5]  run_timer_softirq+0x5f9/0x1500
[ 26.151609][ T5]  __do_softirq+0x21e/0x9aa
[ 26.156098][ T5]
[ 26.158424][ T5] The buggy address belongs to the object at ffff8881ce262140
[ 26.158424][ T5]  which belongs to the cache skbuff_head_cache of size 224
[ 26.173012][ T5] The buggy address is located 212 bytes inside of
[ 26.173012][ T5]  224-byte region [ffff8881ce262140, ffff8881ce262220)
[ 26.186370][ T5] The buggy address belongs to the page:
[ 26.192102][ T5] page:ffffea0007389880 refcount:1 mapcount:0 mapping:00000000c9b3cf06 index:0x0
[ 26.202204][ T5] flags: 0x200000000000200(slab)
[ 26.207741][ T5] raw: 0200000000000200 ffffea000733cf80 0000000200000002 ffff8881da175400
[ 26.216338][ T5] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 26.224993][ T5] page dumped because: kasan: bad access detected
[ 26.231384][ T5]
[ 26.233720][ T5] Memory state around the buggy address:
[ 26.239434][ T5]  ffff8881ce262100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 26.247512][ T5]  ffff8881ce262180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.255572][ T5] >ffff8881ce262200: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.263802][ T5]                          ^
[ 26.268412][ T5]  ffff8881ce262280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.276720][ T5]  ffff8881ce262300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 26.285651][ T5] ==================================================================
[ 26.293693][ T5] Disabling lock debugging due to kernel taint
[ 26.300547][ T5] Kernel panic - not syncing: panic_on_warn set ...
[ 26.307832][ T5] CPU: 0 PID: 5 Comm: kworker/0:0 Tainted: G    B             5.7.0-rc6-syzkaller #0
[ 26.317275][ T5] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.327349][ T5] Workqueue: events request_firmware_work_func
[ 26.333674][ T5] Call Trace:
[ 26.336967][ T5]  dump_stack+0xef/0x16e
[ 26.341187][ T5]  panic+0x2aa/0x6e1
[ 26.345072][ T5]  ? add_taint.cold+0x16/0x16
[ 26.349911][ T5]  ? retint_kernel+0x10/0x10
[ 26.354502][ T5]  ? kfree_skb+0x32/0x3d0
[ 26.358812][ T5]  ? trace_hardirqs_on+0x55/0x200
[ 26.363819][ T5]  ? kfree_skb+0x32/0x3d0
[ 26.368125][ T5]  end_report+0x4d/0x53
[ 26.372260][ T5]  __kasan_report.cold+0x72/0x7d
[ 26.377185][ T5]  ? kfree_skb+0x32/0x3d0
[ 26.381654][ T5]  ? kfree_skb+0x32/0x3d0
[ 26.385977][ T5]  kasan_report+0x33/0x50
[ 26.390308][ T5]  check_memory_region+0x173/0x1d0
[ 26.395399][ T5]  kfree_skb+0x32/0x3d0
[ 26.399633][ T5]  htc_connect_service.cold+0xa9/0x109
[ 26.405088][ T5]  ath9k_wmi_connect+0xd2/0x1a0
[ 26.410372][ T5]  ? ath9k_fatal_work+0x20/0x20
[ 26.415289][ T5]  ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 26.421334][ T5]  ? ath9k_wmi_event_tasklet+0x440/0x440
[ 26.426958][ T5]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 26.433360][ T5]  ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 26.438630][ T5]  ? lockdep_init_map_waits+0x26a/0x7c0
[ 26.445118][ T5]  ? __raw_spin_lock_init+0x34/0x100
[ 26.450406][ T5]  ? tasklet_init+0x69/0x110
[ 26.454977][ T5]  ath9k_htc_probe_device+0x25a/0x1da0
[ 26.460429][ T5]  ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 26.467267][ T5]  ? usb_submit_urb+0x6ed/0x1460
[ 26.472270][ T5]  ? usb_free_urb.part.0+0x52/0x110
[ 26.477440][ T5]  ? usb_free_urb+0x1b/0x30
[ 26.484453][ T5]  ath9k_htc_hw_init+0x31/0x60
[ 26.489390][ T5]  ath9k_hif_usb_firmware_cb+0x274/0x510
[ 26.495013][ T5]  ? ath9k_hif_usb_resume+0x320/0x320
[ 26.500360][ T5]  request_firmware_work_func+0x126/0x242
[ 26.506056][ T5]  ? request_firmware_into_buf+0x90/0x90
[ 26.511663][ T5]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 26.517183][ T5]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 26.522455][ T5]  ? _raw_spin_unlock_irq+0x1f/0x30
[ 26.527628][ T5]  process_one_work+0x965/0x1630
[ 26.532542][ T5]  ? lock_release+0x720/0x720
[ 26.537291][ T5]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 26.544134][ T5]  ? rwlock_bug.part.0+0x90/0x90
[ 26.549082][ T5]  worker_thread+0x96/0xe20
[ 26.554261][ T5]  ? process_one_work+0x1630/0x1630
[ 26.559434][ T5]  kthread+0x326/0x430
[ 26.563488][ T5]  ? kthread_create_on_node+0xf0/0xf0
[ 26.568859][ T5]  ret_from_fork+0x24/0x30
[ 26.573960][ T5] Kernel Offset: disabled
[ 26.578286][ T5] Rebooting in 86400 seconds..
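Reading the report: the object is a sk_buff from skbuff_head_cache, allocated by kworker task 5 inside htc_connect_service, called from ath9k_wmi_connect while ath9k_htc_probe_device brings the device up right after the firmware upload finished at 24.43 s. At 24.83 s the emulated device (dummy_hcd, idVendor=0cf3 idProduct=9271, the strings "syz" are the fuzzer's) is unplugged. The pending control URB is then given back from softirq context, and the TX completion path in the "Freed by task 0" stack (hif_usb_regout_cb -> ath9k_htc_txcompletion_cb -> kfree_skb) frees the skb. About a second later the wait in htc_connect_service expires ("Service connection timeout for: 256") and its timeout path calls kfree_skb on the same skb; the 4-byte read at offset 212 of the 224-byte object is consistent with kfree_skb checking skb->users before deciding whether to free. The defect is double ownership: once the skb has been handed to the transport, the completion callback is responsible for it, and the timeout path must not touch it. Because the kernel was booted with panic_on_warn, the KASAN report becomes a panic.

The following is an added example, not code from the crash report or from the ath9k driver: a user-space C model of that ownership rule. struct htc_target, htc_issue_send, usb_giveback, run_scenario and the tracking allocator are hypothetical stand-ins for the kernel functions with the same role; the allocator quarantines freed objects and reports a second free the way KASAN would, instead of corrupting the heap. The buggy variant frees on timeout; the fixed variant treats the skb as consumed once the send was accepted and frees it itself only when the transport refused the send (the upstream fix for this class of report in ath9k's htc_hst.c likewise dropped the extra kfree_skb in the timeout path).

```c
/* Added example: user-space model of the ownership bug in the KASAN report
 * above. Not code from the report or from the ath9k driver; every name below
 * is a hypothetical stand-in for the kernel function with the same role. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define ETIMEDOUT 110                    /* Linux errno values */
#define ENODEV    19

/* Stand-in for struct sk_buff. */
struct skb {
    bool freed;                          /* poison, like KASAN's 0xfb shadow */
    unsigned char data[32];
};

/* Tracking allocator standing in for KASAN: freed objects go to a quarantine
 * instead of back to the heap, so a second kfree_skb is reported, not UB. */
#define QUARANTINE_MAX 16
static struct skb *quarantine[QUARANTINE_MAX];
static int quarantine_len;
static int uaf_reports;

static struct skb *alloc_skb(void)
{
    struct skb *s = calloc(1, sizeof *s);
    if (!s)
        abort();
    return s;
}

/* The kernel's kfree_skb reads skb->users first (the 4-byte read at offset
 * 212 in the report); here the first read is the poison flag. */
static void kfree_skb(struct skb *s)
{
    if (s->freed) {
        uaf_reports++;
        fprintf(stderr, "BUG: model: use-after-free in kfree_skb\n");
        return;
    }
    s->freed = true;
    if (quarantine_len == QUARANTINE_MAX)
        abort();
    quarantine[quarantine_len++] = s;
}

/* Where the "usb 1-1: USB disconnect" event is injected in a run. */
enum disconnect_at { NO_DISCONNECT, BEFORE_SEND, DURING_WAIT };

struct htc_target {
    enum disconnect_at when;
    bool disconnected;
    struct skb *in_flight;               /* buffer owned by the transport */
    bool reply_received;
};

/* htc_issue_send: on success the transport owns s from here on; on failure
 * the caller still owns it and must free it (the driver's err: path). */
static int htc_issue_send(struct htc_target *t, struct skb *s)
{
    if (t->disconnected)
        return -ENODEV;
    t->in_flight = s;
    return 0;
}

/* URB giveback: runs from softirq whether the transfer completed or was
 * killed by the disconnect; the TX completion callback consumes the skb
 * (hif_usb_regout_cb -> ath9k_htc_txcompletion_cb -> kfree_skb). */
static void usb_giveback(struct htc_target *t)
{
    if (t->in_flight) {
        kfree_skb(t->in_flight);
        t->in_flight = NULL;
    }
}

/* Model of htc_connect_service; free_on_timeout selects the buggy variant. */
static int htc_connect_service(struct htc_target *t, bool free_on_timeout)
{
    struct skb *skb = alloc_skb();
    int ret;

    if (t->when == BEFORE_SEND)
        t->disconnected = true;
    ret = htc_issue_send(t, skb);
    if (ret) {
        kfree_skb(skb);                  /* send refused: still ours */
        return ret;
    }

    /* wait_for_completion_timeout(&target->cmd_wait, HZ): the disconnect
     * from the log lands here, while this task sleeps. */
    if (t->when == DURING_WAIT)
        t->disconnected = true;
    usb_giveback(t);                     /* completion fires meanwhile */
    if (!t->disconnected)
        t->reply_received = true;        /* firmware answered in time */

    if (!t->reply_received) {
        /* "Service connection timeout for: 256" */
        if (free_on_timeout)
            kfree_skb(skb);              /* BUG: transport already freed it */
        return -ETIMEDOUT;
    }
    return 0;
}

struct outcome { int ret, uaf_reports, freed; };

/* One run of the scenario; drains the quarantine so runs are independent. */
static struct outcome run_scenario(bool free_on_timeout, enum disconnect_at when)
{
    struct htc_target t = { .when = when };
    struct outcome o;

    uaf_reports = 0;
    o.ret = htc_connect_service(&t, free_on_timeout);
    o.uaf_reports = uaf_reports;
    o.freed = quarantine_len;
    for (int i = 0; i < quarantine_len; i++)
        free(quarantine[i]);
    quarantine_len = 0;
    return o;
}

int main(void)
{
    struct outcome buggy = run_scenario(true, DURING_WAIT);
    struct outcome fixed = run_scenario(false, DURING_WAIT);

    printf("buggy timeout path: ret=%d uaf=%d freed=%d\n",
           buggy.ret, buggy.uaf_reports, buggy.freed);
    printf("fixed timeout path: ret=%d uaf=%d freed=%d\n",
           fixed.ret, fixed.uaf_reports, fixed.freed);
    return 0;
}
```

In every scenario exactly one object ends up freed, which is the invariant to check when reviewing a fix of this shape: dropping the kfree_skb in the timeout path must not turn the double free into a leak, and the send-refused path must keep its own kfree_skb because there the transport never took ownership.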