Starting Update UTMP about System Runlevel Changes...
[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.68' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 50.009953][ T94] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 50.530003][ T94] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 50.539118][ T94] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 50.547168][ T94] usb 1-1: Product: syz
[ 50.551413][ T94] usb 1-1: Manufacturer: syz
[ 50.556011][ T94] usb 1-1: SerialNumber: syz
[ 50.601025][ T94] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 51.199823][ T94] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
executing program
[ 51.601903][ T168] usb 1-1: USB disconnect, device number 2
[ 52.499640][ T94] usb 1-1: Service connection timeout for: 256
[ 52.506037][ T94] ==================================================================
[ 52.514181][ T94] BUG: KASAN: use-after-free in kfree_skb+0x32/0x3d0
[ 52.520855][ T94] Read of size 4 at addr ffff8881c60c0354 by task kworker/0:2/94
[ 52.528553][ T94]
[ 52.530935][ T94] CPU: 0 PID: 94 Comm: kworker/0:2 Not tainted 5.7.0-rc6-syzkaller #0
[ 52.539063][ T94] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 52.549111][ T94] Workqueue: events request_firmware_work_func
[ 52.555244][ T94] Call Trace:
[ 52.558623][ T94]  dump_stack+0xef/0x16e
[ 52.563841][ T94]  print_address_description.constprop.0.cold+0xd3/0x415
[ 52.570861][ T94]  ? vprintk_func+0x7d/0x113
[ 52.575461][ T94]  ? kfree_skb+0x32/0x3d0
[ 52.579787][ T94]  __kasan_report.cold+0x37/0x7d
[ 52.584728][ T94]  ? kfree_skb+0x32/0x3d0
[ 52.589048][ T94]  ? kfree_skb+0x32/0x3d0
[ 52.593371][ T94]  kasan_report+0x33/0x50
[ 52.597696][ T94]  check_memory_region+0x173/0x1d0
[ 52.602792][ T94]  kfree_skb+0x32/0x3d0
[ 52.606935][ T94]  htc_connect_service.cold+0xa9/0x109
[ 52.612390][ T94]  ath9k_wmi_connect+0xd2/0x1a0
[ 52.617220][ T94]  ? ath9k_fatal_work+0x20/0x20
[ 52.622055][ T94]  ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 52.628103][ T94]  ? ath9k_wmi_event_tasklet+0x440/0x440
[ 52.634515][ T94]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 52.640929][ T94]  ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 52.646207][ T94]  ? lockdep_init_map_waits+0x26a/0x7c0
[ 52.651738][ T94]  ? __raw_spin_lock_init+0x34/0x100
[ 52.657007][ T94]  ? tasklet_init+0x69/0x110
[ 52.661599][ T94]  ath9k_htc_probe_device+0x25a/0x1da0
[ 52.667058][ T94]  ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 52.673713][ T94]  ? usb_submit_urb+0x6ed/0x1460
[ 52.678631][ T94]  ? usb_free_urb.part.0+0x52/0x110
[ 52.683805][ T94]  ? usb_free_urb+0x1b/0x30
[ 52.688288][ T94]  ath9k_htc_hw_init+0x31/0x60
[ 52.693032][ T94]  ath9k_hif_usb_firmware_cb+0x274/0x510
[ 52.698660][ T94]  ? ath9k_hif_usb_resume+0x320/0x320
[ 52.704088][ T94]  request_firmware_work_func+0x126/0x242
[ 52.709795][ T94]  ? request_firmware_into_buf+0x90/0x90
[ 52.715579][ T94]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 52.721140][ T94]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 52.726439][ T94]  ? _raw_spin_unlock_irq+0x1f/0x30
[ 52.731617][ T94]  process_one_work+0x965/0x1630
[ 52.736577][ T94]  ? lock_release+0x720/0x720
[ 52.741231][ T94]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 52.746581][ T94]  ? rwlock_bug.part.0+0x90/0x90
[ 52.751529][ T94]  worker_thread+0x96/0xe20
[ 52.756016][ T94]  ? process_one_work+0x1630/0x1630
[ 52.761210][ T94]  kthread+0x326/0x430
[ 52.765433][ T94]  ? kthread_create_on_node+0xf0/0xf0
[ 52.770872][ T94]  ret_from_fork+0x24/0x30
[ 52.775279][ T94]
[ 52.777625][ T94] Allocated by task 94:
[ 52.781766][ T94]  save_stack+0x1b/0x40
[ 52.785902][ T94]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 52.791523][ T94]  kmem_cache_alloc_node+0xdc/0x330
[ 52.796750][ T94]  __alloc_skb+0xba/0x5a0
[ 52.801063][ T94]  htc_connect_service+0x2cc/0x840
[ 52.806481][ T94]  ath9k_wmi_connect+0xd2/0x1a0
[ 52.811599][ T94]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 52.818354][ T94]  ath9k_htc_probe_device+0x25a/0x1da0
[ 52.823792][ T94]  ath9k_htc_hw_init+0x31/0x60
[ 52.828549][ T94]  ath9k_hif_usb_firmware_cb+0x274/0x510
[ 52.834173][ T94]  request_firmware_work_func+0x126/0x242
[ 52.839870][ T94]  process_one_work+0x965/0x1630
[ 52.844802][ T94]  worker_thread+0x96/0xe20
[ 52.849295][ T94]  kthread+0x326/0x430
[ 52.853432][ T94]  ret_from_fork+0x24/0x30
[ 52.857832][ T94]
[ 52.860141][ T94] Freed by task 150:
[ 52.864029][ T94]  save_stack+0x1b/0x40
[ 52.868163][ T94]  __kasan_slab_free+0x117/0x160
[ 52.873566][ T94]  kmem_cache_free+0x9b/0x360
[ 52.878751][ T94]  kfree_skbmem+0xef/0x1b0
[ 52.883146][ T94]  kfree_skb+0x102/0x3d0
[ 52.887377][ T94]  ath9k_htc_txcompletion_cb+0x1f8/0x2b0
[ 52.894039][ T94]  hif_usb_regout_cb+0x115/0x1c0
[ 52.899222][ T94]  __usb_hcd_giveback_urb+0x29a/0x550
[ 52.904586][ T94]  usb_hcd_giveback_urb+0x368/0x420
[ 52.909782][ T94]  dummy_timer+0x125e/0x32b4
[ 52.914358][ T94]  call_timer_fn+0x1ac/0x700
[ 52.918953][ T94]  run_timer_softirq+0x5f9/0x1500
[ 52.923958][ T94]  __do_softirq+0x21e/0x9aa
[ 52.928606][ T94]
[ 52.930913][ T94] The buggy address belongs to the object at ffff8881c60c0280
[ 52.930913][ T94]  which belongs to the cache skbuff_head_cache of size 224
[ 52.945832][ T94] The buggy address is located 212 bytes inside of
[ 52.945832][ T94]  224-byte region [ffff8881c60c0280, ffff8881c60c0360)
[ 52.959093][ T94] The buggy address belongs to the page:
[ 52.965168][ T94] page:ffffea0007183000 refcount:1 mapcount:0 mapping:00000000a50314f5 index:0x0
[ 52.974262][ T94] flags: 0x200000000000200(slab)
[ 52.979288][ T94] raw: 0200000000000200 dead000000000100 dead000000000122 ffff8881da175400
[ 52.988092][ T94] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 52.996673][ T94] page dumped because: kasan: bad access detected
[ 53.003171][ T94]
[ 53.005477][ T94] Memory state around the buggy address:
[ 53.011608][ T94]  ffff8881c60c0200: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 53.019655][ T94]  ffff8881c60c0280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.027793][ T94] >ffff8881c60c0300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 53.035832][ T94]                                                  ^
[ 53.042484][ T94]  ffff8881c60c0380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 53.050526][ T94]  ffff8881c60c0400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.058589][ T94] ==================================================================
[ 53.067306][ T94] Disabling lock debugging due to kernel taint
[ 53.073611][ T94] Kernel panic - not syncing: panic_on_warn set ...
[ 53.080296][ T94] CPU: 0 PID: 94 Comm: kworker/0:2 Tainted: G B 5.7.0-rc6-syzkaller #0
[ 53.089827][ T94] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 53.100321][ T94] Workqueue: events request_firmware_work_func
[ 53.106484][ T94] Call Trace:
[ 53.109763][ T94]  dump_stack+0xef/0x16e
[ 53.113995][ T94]  panic+0x2aa/0x6e1
[ 53.118059][ T94]  ? add_taint.cold+0x16/0x16
[ 53.122728][ T94]  ? retint_kernel+0x10/0x10
[ 53.127298][ T94]  ? kfree_skb+0x32/0x3d0
[ 53.131607][ T94]  ? trace_hardirqs_on+0x55/0x200
[ 53.136613][ T94]  ? kfree_skb+0x32/0x3d0
[ 53.140929][ T94]  end_report+0x4d/0x53
[ 53.145069][ T94]  __kasan_report.cold+0x72/0x7d
[ 53.150093][ T94]  ? kfree_skb+0x32/0x3d0
[ 53.154398][ T94]  ? kfree_skb+0x32/0x3d0
[ 53.158702][ T94]  kasan_report+0x33/0x50
[ 53.163021][ T94]  check_memory_region+0x173/0x1d0
[ 53.168121][ T94]  kfree_skb+0x32/0x3d0
[ 53.172269][ T94]  htc_connect_service.cold+0xa9/0x109
[ 53.177718][ T94]  ath9k_wmi_connect+0xd2/0x1a0
[ 53.182558][ T94]  ? ath9k_fatal_work+0x20/0x20
[ 53.187403][ T94]  ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 53.193476][ T94]  ? ath9k_wmi_event_tasklet+0x440/0x440
[ 53.199111][ T94]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 53.205507][ T94]  ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 53.210859][ T94]  ? lockdep_init_map_waits+0x26a/0x7c0
[ 53.216481][ T94]  ? __raw_spin_lock_init+0x34/0x100
[ 53.221848][ T94]  ? tasklet_init+0x69/0x110
[ 53.227209][ T94]  ath9k_htc_probe_device+0x25a/0x1da0
[ 53.232646][ T94]  ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 53.239294][ T94]  ? usb_submit_urb+0x6ed/0x1460
[ 53.244222][ T94]  ? usb_free_urb.part.0+0x52/0x110
[ 53.249396][ T94]  ? usb_free_urb+0x1b/0x30
[ 53.253964][ T94]  ath9k_htc_hw_init+0x31/0x60
[ 53.258726][ T94]  ath9k_hif_usb_firmware_cb+0x274/0x510
[ 53.264350][ T94]  ? ath9k_hif_usb_resume+0x320/0x320
[ 53.269703][ T94]  request_firmware_work_func+0x126/0x242
[ 53.275737][ T94]  ? request_firmware_into_buf+0x90/0x90
[ 53.281366][ T94]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 53.286893][ T94]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 53.292504][ T94]  ? _raw_spin_unlock_irq+0x1f/0x30
[ 53.297678][ T94]  process_one_work+0x965/0x1630
[ 53.302618][ T94]  ? lock_release+0x720/0x720
[ 53.307285][ T94]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 53.313051][ T94]  ? rwlock_bug.part.0+0x90/0x90
[ 53.318592][ T94]  worker_thread+0x96/0xe20
[ 53.323398][ T94]  ? process_one_work+0x1630/0x1630
[ 53.328584][ T94]  kthread+0x326/0x430
[ 53.332731][ T94]  ? kthread_create_on_node+0xf0/0xf0
[ 53.338253][ T94]  ret_from_fork+0x24/0x30
[ 53.343288][ T94] Kernel Offset: disabled
[ 53.347707][ T94] Rebooting in 86400 seconds..