[ OK ] Started Load/Save RF Kill Switch Status.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.8' (ECDSA) to the list of known hosts.
executing program
syzkaller login:
[ 25.879886][ T94] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 26.399073][ T94] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 26.408244][ T94] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 26.416310][ T94] usb 1-1: Product: syz
[ 26.420548][ T94] usb 1-1: Manufacturer: syz
[ 26.425135][ T94] usb 1-1: SerialNumber: syz
[ 26.469961][ T94] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 27.098188][ T94] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
executing program
[ 27.499938][ T172] usb 1-1: USB disconnect, device number 2
[ 28.357406][ T94] usb 1-1: Service connection timeout for: 256
[ 28.363683][ T94] ==================================================================
[ 28.372045][ T94] BUG: KASAN: use-after-free in kfree_skb+0x32/0x3d0
[ 28.378798][ T94] Read of size 4 at addr ffff8881c51ae854 by task kworker/1:2/94
[ 28.386498][ T94]
[ 28.388822][ T94] CPU: 1 PID: 94 Comm: kworker/1:2 Not tainted 5.7.0-rc6-syzkaller #0
[ 28.397056][ T94] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.407114][ T94] Workqueue: events request_firmware_work_func
[ 28.413247][ T94] Call Trace:
[ 28.416591][ T94]  dump_stack+0xef/0x16e
[ 28.420850][ T94]  print_address_description.constprop.0.cold+0xd3/0x415
[ 28.427859][ T94]  ? vprintk_func+0x7d/0x113
[ 28.432446][ T94]  ? kfree_skb+0x32/0x3d0
[ 28.436773][ T94]  __kasan_report.cold+0x37/0x7d
[ 28.441692][ T94]  ? kfree_skb+0x32/0x3d0
[ 28.446002][ T94]  ? kfree_skb+0x32/0x3d0
[ 28.451264][ T94]  kasan_report+0x33/0x50
[ 28.455575][ T94]  check_memory_region+0x173/0x1d0
[ 28.460685][ T94]  kfree_skb+0x32/0x3d0
[ 28.464848][ T94]  htc_connect_service.cold+0xa9/0x109
[ 28.470340][ T94]  ath9k_wmi_connect+0xd2/0x1a0
[ 28.475186][ T94]  ? ath9k_fatal_work+0x20/0x20
[ 28.480017][ T94]  ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 28.486070][ T94]  ? ath9k_wmi_event_tasklet+0x440/0x440
[ 28.491683][ T94]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 28.498076][ T94]  ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 28.503360][ T94]  ? lockdep_init_map_waits+0x26a/0x7c0
[ 28.509044][ T94]  ? __raw_spin_lock_init+0x34/0x100
[ 28.514374][ T94]  ? tasklet_init+0x69/0x110
[ 28.520010][ T94]  ath9k_htc_probe_device+0x25a/0x1da0
[ 28.525456][ T94]  ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 28.532808][ T94]  ? usb_submit_urb+0x6ed/0x1460
[ 28.537731][ T94]  ? usb_free_urb.part.0+0x52/0x110
[ 28.542913][ T94]  ? usb_free_urb+0x1b/0x30
[ 28.547437][ T94]  ath9k_htc_hw_init+0x31/0x60
[ 28.552964][ T94]  ath9k_hif_usb_firmware_cb+0x274/0x510
[ 28.558590][ T94]  ? ath9k_hif_usb_resume+0x320/0x320
[ 28.563941][ T94]  request_firmware_work_func+0x126/0x242
[ 28.570602][ T94]  ? request_firmware_into_buf+0x90/0x90
[ 28.576216][ T94]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 28.581740][ T94]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 28.587023][ T94]  ? _raw_spin_unlock_irq+0x1f/0x30
[ 28.592203][ T94]  process_one_work+0x965/0x1630
[ 28.597129][ T94]  ? lock_release+0x720/0x720
[ 28.601808][ T94]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 28.609620][ T94]  ? rwlock_bug.part.0+0x90/0x90
[ 28.614539][ T94]  worker_thread+0x96/0xe20
[ 28.619038][ T94]  ? process_one_work+0x1630/0x1630
[ 28.624224][ T94]  kthread+0x326/0x430
[ 28.628280][ T94]  ? kthread_create_on_node+0xf0/0xf0
[ 28.633746][ T94]  ret_from_fork+0x24/0x30
[ 28.638152][ T94]
[ 28.640467][ T94] Allocated by task 94:
[ 28.644606][ T94]  save_stack+0x1b/0x40
[ 28.648762][ T94]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 28.654414][ T94]  kmem_cache_alloc_node+0xdc/0x330
[ 28.659620][ T94]  __alloc_skb+0xba/0x5a0
[ 28.663943][ T94]  htc_connect_service+0x2cc/0x840
[ 28.669397][ T94]  ath9k_wmi_connect+0xd2/0x1a0
[ 28.674226][ T94]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 28.680618][ T94]  ath9k_htc_probe_device+0x25a/0x1da0
[ 28.686059][ T94]  ath9k_htc_hw_init+0x31/0x60
[ 28.690805][ T94]  ath9k_hif_usb_firmware_cb+0x274/0x510
[ 28.696430][ T94]  request_firmware_work_func+0x126/0x242
[ 28.702127][ T94]  process_one_work+0x965/0x1630
[ 28.707048][ T94]  worker_thread+0x96/0xe20
[ 28.711615][ T94]  kthread+0x326/0x430
[ 28.715688][ T94]  ret_from_fork+0x24/0x30
[ 28.720086][ T94]
[ 28.722417][ T94] Freed by task 353:
[ 28.726293][ T94]  save_stack+0x1b/0x40
[ 28.730443][ T94]  __kasan_slab_free+0x117/0x160
[ 28.735356][ T94]  kmem_cache_free+0x9b/0x360
[ 28.740010][ T94]  kfree_skbmem+0xef/0x1b0
[ 28.744413][ T94]  kfree_skb+0x102/0x3d0
[ 28.748747][ T94]  ath9k_htc_txcompletion_cb+0x1f8/0x2b0
[ 28.754702][ T94]  hif_usb_regout_cb+0x115/0x1c0
[ 28.759689][ T94]  __usb_hcd_giveback_urb+0x29a/0x550
[ 28.765041][ T94]  usb_hcd_giveback_urb+0x368/0x420
[ 28.770314][ T94]  dummy_timer+0x125e/0x32b4
[ 28.774908][ T94]  call_timer_fn+0x1ac/0x700
[ 28.779497][ T94]  run_timer_softirq+0x5f9/0x1500
[ 28.784518][ T94]  __do_softirq+0x21e/0x9aa
[ 28.788993][ T94]
[ 28.791303][ T94] The buggy address belongs to the object at ffff8881c51ae780
[ 28.791303][ T94]  which belongs to the cache skbuff_head_cache of size 224
[ 28.806655][ T94] The buggy address is located 212 bytes inside of
[ 28.806655][ T94]  224-byte region [ffff8881c51ae780, ffff8881c51ae860)
[ 28.820080][ T94] The buggy address belongs to the page:
[ 28.825712][ T94] page:ffffea0007146b80 refcount:1 mapcount:0 mapping:00000000b37f96eb index:0x0
[ 28.834812][ T94] flags: 0x200000000000200(slab)
[ 28.839734][ T94] raw: 0200000000000200 dead000000000100 dead000000000122 ffff8881da175400
[ 28.848298][ T94] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 28.857865][ T94] page dumped because: kasan: bad access detected
[ 28.864515][ T94]
[ 28.866823][ T94] Memory state around the buggy address:
[ 28.872452][ T94]  ffff8881c51ae700: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 28.880522][ T94]  ffff8881c51ae780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.888567][ T94] >ffff8881c51ae800: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 28.896613][ T94]                                                  ^
[ 28.903276][ T94]  ffff8881c51ae880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 28.911331][ T94]  ffff8881c51ae900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 28.920331][ T94] ==================================================================
[ 28.928406][ T94] Disabling lock debugging due to kernel taint
[ 28.934650][ T94] Kernel panic - not syncing: panic_on_warn set ...
[ 28.941264][ T94] CPU: 1 PID: 94 Comm: kworker/1:2 Tainted: G B 5.7.0-rc6-syzkaller #0
[ 28.950796][ T94] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.960859][ T94] Workqueue: events request_firmware_work_func
[ 28.967015][ T94] Call Trace:
[ 28.970298][ T94]  dump_stack+0xef/0x16e
[ 28.974526][ T94]  panic+0x2aa/0x6e1
[ 28.978395][ T94]  ? add_taint.cold+0x16/0x16
[ 28.983133][ T94]  ? retint_kernel+0x10/0x10
[ 28.987790][ T94]  ? kfree_skb+0x32/0x3d0
[ 28.992095][ T94]  ? trace_hardirqs_on+0x55/0x200
[ 28.997093][ T94]  ? kfree_skb+0x32/0x3d0
[ 29.001400][ T94]  end_report+0x4d/0x53
[ 29.005533][ T94]  __kasan_report.cold+0x72/0x7d
[ 29.010626][ T94]  ? kfree_skb+0x32/0x3d0
[ 29.014944][ T94]  ? kfree_skb+0x32/0x3d0
[ 29.019261][ T94]  kasan_report+0x33/0x50
[ 29.023566][ T94]  check_memory_region+0x173/0x1d0
[ 29.028678][ T94]  kfree_skb+0x32/0x3d0
[ 29.032810][ T94]  htc_connect_service.cold+0xa9/0x109
[ 29.038510][ T94]  ath9k_wmi_connect+0xd2/0x1a0
[ 29.043354][ T94]  ? ath9k_fatal_work+0x20/0x20
[ 29.048180][ T94]  ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 29.054221][ T94]  ? ath9k_wmi_event_tasklet+0x440/0x440
[ 29.060870][ T94]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 29.067257][ T94]  ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 29.072525][ T94]  ? lockdep_init_map_waits+0x26a/0x7c0
[ 29.078045][ T94]  ? __raw_spin_lock_init+0x34/0x100
[ 29.083393][ T94]  ? tasklet_init+0x69/0x110
[ 29.087958][ T94]  ath9k_htc_probe_device+0x25a/0x1da0
[ 29.093391][ T94]  ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 29.100039][ T94]  ? usb_submit_urb+0x6ed/0x1460
[ 29.104949][ T94]  ? usb_free_urb.part.0+0x52/0x110
[ 29.110119][ T94]  ? usb_free_urb+0x1b/0x30
[ 29.114597][ T94]  ath9k_htc_hw_init+0x31/0x60
[ 29.119443][ T94]  ath9k_hif_usb_firmware_cb+0x274/0x510
[ 29.125071][ T94]  ? ath9k_hif_usb_resume+0x320/0x320
[ 29.130417][ T94]  request_firmware_work_func+0x126/0x242
[ 29.136110][ T94]  ? request_firmware_into_buf+0x90/0x90
[ 29.141736][ T94]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 29.147255][ T94]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 29.152514][ T94]  ? _raw_spin_unlock_irq+0x1f/0x30
[ 29.158727][ T94]  process_one_work+0x965/0x1630
[ 29.163671][ T94]  ? lock_release+0x720/0x720
[ 29.168321][ T94]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 29.173683][ T94]  ? rwlock_bug.part.0+0x90/0x90
[ 29.178593][ T94]  worker_thread+0x96/0xe20
[ 29.183162][ T94]  ? process_one_work+0x1630/0x1630
[ 29.188428][ T94]  kthread+0x326/0x430
[ 29.192488][ T94]  ? kthread_create_on_node+0xf0/0xf0
[ 29.198548][ T94]  ret_from_fork+0x24/0x30
[ 29.203547][ T94] Kernel Offset: disabled
[ 29.208205][ T94] Rebooting in 86400 seconds..