[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

syzkaller login: [ 15.718194][ C1] random: crng init done
[ 15.722460][ C1] random: 7 urandom warning(s) missed due to ratelimiting
Warning: Permanently added '10.128.0.172' (ECDSA) to the list of known hosts.
executing program
[ 32.774106][ T5] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 33.293406][ T5] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 33.302554][ T5] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 33.310616][ T5] usb 1-1: Product: syz
[ 33.314994][ T5] usb 1-1: Manufacturer: syz
[ 33.319577][ T5] usb 1-1: SerialNumber: syz
[ 33.364962][ T5] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 33.963108][ T5] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
executing program
[ 34.365033][ T165] usb 1-1: USB disconnect, device number 2
[ 35.212627][ T5] usb 1-1: Service connection timeout for: 256
[ 35.218896][ T5] ==================================================================
[ 35.227480][ T5] BUG: KASAN: use-after-free in kfree_skb+0x32/0x3d0
[ 35.234144][ T5] Read of size 4 at addr ffff8881c6b51c14 by task kworker/0:0/5
[ 35.241983][ T5]
[ 35.244305][ T5] CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.7.0-rc6-syzkaller #0
[ 35.252617][ T5] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.262857][ T5] Workqueue: events request_firmware_work_func
[ 35.269033][ T5] Call Trace:
[ 35.272320][ T5]  dump_stack+0xef/0x16e
[ 35.276606][ T5]  print_address_description.constprop.0.cold+0xd3/0x415
[ 35.283622][ T5]  ? vprintk_func+0x7d/0x113
[ 35.288204][ T5]  ? kfree_skb+0x32/0x3d0
[ 35.293138][ T5]  __kasan_report.cold+0x37/0x7d
[ 35.298979][ T5]  ? kfree_skb+0x32/0x3d0
[ 35.303836][ T5]  ? kfree_skb+0x32/0x3d0
[ 35.308422][ T5]  kasan_report+0x33/0x50
[ 35.312747][ T5]  check_memory_region+0x173/0x1d0
[ 35.317845][ T5]  kfree_skb+0x32/0x3d0
[ 35.325528][ T5]  htc_connect_service.cold+0xa9/0x109
[ 35.331056][ T5]  ath9k_wmi_connect+0xd2/0x1a0
[ 35.337289][ T5]  ? ath9k_fatal_work+0x20/0x20
[ 35.342145][ T5]  ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 35.348211][ T5]  ? ath9k_wmi_event_tasklet+0x440/0x440
[ 35.353848][ T5]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 35.361653][ T5]  ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 35.366965][ T5]  ? lockdep_init_map_waits+0x26a/0x7c0
[ 35.372677][ T5]  ? __raw_spin_lock_init+0x34/0x100
[ 35.377957][ T5]  ? tasklet_init+0x69/0x110
[ 35.382642][ T5]  ath9k_htc_probe_device+0x25a/0x1da0
[ 35.388090][ T5]  ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 35.394758][ T5]  ? usb_submit_urb+0x6ed/0x1460
[ 35.399692][ T5]  ? usb_free_urb.part.0+0x52/0x110
[ 35.405395][ T5]  ? usb_free_urb+0x1b/0x30
[ 35.410005][ T5]  ath9k_htc_hw_init+0x31/0x60
[ 35.414945][ T5]  ath9k_hif_usb_firmware_cb+0x274/0x510
[ 35.420673][ T5]  ? ath9k_hif_usb_resume+0x320/0x320
[ 35.426305][ T5]  request_firmware_work_func+0x126/0x242
[ 35.432092][ T5]  ? request_firmware_into_buf+0x90/0x90
[ 35.437850][ T5]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 35.443497][ T5]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 35.449005][ T5]  ? _raw_spin_unlock_irq+0x1f/0x30
[ 35.454192][ T5]  process_one_work+0x965/0x1630
[ 35.459117][ T5]  ? lock_release+0x720/0x720
[ 35.463782][ T5]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 35.469241][ T5]  ? rwlock_bug.part.0+0x90/0x90
[ 35.474156][ T5]  worker_thread+0x96/0xe20
[ 35.478651][ T5]  ? process_one_work+0x1630/0x1630
[ 35.484006][ T5]  kthread+0x326/0x430
[ 35.488315][ T5]  ? kthread_create_on_node+0xf0/0xf0
[ 35.493689][ T5]  ret_from_fork+0x24/0x30
[ 35.498107][ T5]
[ 35.500432][ T5] Allocated by task 5:
[ 35.504483][ T5]  save_stack+0x1b/0x40
[ 35.508617][ T5]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 35.514238][ T5]  kmem_cache_alloc_node+0xdc/0x330
[ 35.519504][ T5]  __alloc_skb+0xba/0x5a0
[ 35.523827][ T5]  htc_connect_service+0x2cc/0x840
[ 35.528953][ T5]  ath9k_wmi_connect+0xd2/0x1a0
[ 35.533907][ T5]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 35.540309][ T5]  ath9k_htc_probe_device+0x25a/0x1da0
[ 35.546265][ T5]  ath9k_htc_hw_init+0x31/0x60
[ 35.551294][ T5]  ath9k_hif_usb_firmware_cb+0x274/0x510
[ 35.558644][ T5]  request_firmware_work_func+0x126/0x242
[ 35.564629][ T5]  process_one_work+0x965/0x1630
[ 35.569548][ T5]  worker_thread+0x96/0xe20
[ 35.574508][ T5]  kthread+0x326/0x430
[ 35.578599][ T5]  ret_from_fork+0x24/0x30
[ 35.583451][ T5]
[ 35.585967][ T5] Freed by task 165:
[ 35.590160][ T5]  save_stack+0x1b/0x40
[ 35.594992][ T5]  __kasan_slab_free+0x117/0x160
[ 35.599977][ T5]  kmem_cache_free+0x9b/0x360
[ 35.604917][ T5]  kfree_skbmem+0xef/0x1b0
[ 35.609414][ T5]  kfree_skb+0x102/0x3d0
[ 35.613985][ T5]  ath9k_htc_txcompletion_cb+0x1f8/0x2b0
[ 35.619658][ T5]  hif_usb_regout_cb+0x115/0x1c0
[ 35.624577][ T5]  __usb_hcd_giveback_urb+0x29a/0x550
[ 35.630637][ T5]  usb_hcd_giveback_urb+0x368/0x420
[ 35.636019][ T5]  dummy_timer+0x125e/0x32b4
[ 35.640619][ T5]  call_timer_fn+0x1ac/0x700
[ 35.645187][ T5]  run_timer_softirq+0x5f9/0x1500
[ 35.650298][ T5]  __do_softirq+0x21e/0x9aa
[ 35.654881][ T5]
[ 35.657349][ T5] The buggy address belongs to the object at ffff8881c6b51b40
[ 35.657349][ T5]  which belongs to the cache skbuff_head_cache of size 224
[ 35.673116][ T5] The buggy address is located 212 bytes inside of
[ 35.673116][ T5]  224-byte region [ffff8881c6b51b40, ffff8881c6b51c20)
[ 35.687153][ T5] The buggy address belongs to the page:
[ 35.692782][ T5] page:ffffea00071ad440 refcount:1 mapcount:0 mapping:000000001b4330a7 index:0x0
[ 35.701932][ T5] flags: 0x200000000000200(slab)
[ 35.706989][ T5] raw: 0200000000000200 dead000000000100 dead000000000122 ffff8881da175400
[ 35.715771][ T5] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 35.724439][ T5] page dumped because: kasan: bad access detected
[ 35.731017][ T5]
[ 35.733423][ T5] Memory state around the buggy address:
[ 35.739049][ T5]  ffff8881c6b51b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 35.747101][ T5]  ffff8881c6b51b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.755154][ T5] >ffff8881c6b51c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 35.763208][ T5]                                ^
[ 35.767800][ T5]  ffff8881c6b51c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.775872][ T5]  ffff8881c6b51d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 35.784341][ T5] ==================================================================
[ 35.792722][ T5] Disabling lock debugging due to kernel taint
[ 35.799063][ T5] Kernel panic - not syncing: panic_on_warn set ...
[ 35.805686][ T5] CPU: 0 PID: 5 Comm: kworker/0:0 Tainted: G B 5.7.0-rc6-syzkaller #0
[ 35.815132][ T5] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.825308][ T5] Workqueue: events request_firmware_work_func
[ 35.831480][ T5] Call Trace:
[ 35.835099][ T5]  dump_stack+0xef/0x16e
[ 35.839327][ T5]  panic+0x2aa/0x6e1
[ 35.843198][ T5]  ? add_taint.cold+0x16/0x16
[ 35.847965][ T5]  ? retint_kernel+0x10/0x10
[ 35.852566][ T5]  ? kfree_skb+0x32/0x3d0
[ 35.858051][ T5]  ? trace_hardirqs_on+0x55/0x200
[ 35.863076][ T5]  ? kfree_skb+0x32/0x3d0
[ 35.867383][ T5]  end_report+0x4d/0x53
[ 35.871530][ T5]  __kasan_report.cold+0x72/0x7d
[ 35.876468][ T5]  ? kfree_skb+0x32/0x3d0
[ 35.880778][ T5]  ? kfree_skb+0x32/0x3d0
[ 35.885112][ T5]  kasan_report+0x33/0x50
[ 35.889429][ T5]  check_memory_region+0x173/0x1d0
[ 35.894536][ T5]  kfree_skb+0x32/0x3d0
[ 35.898848][ T5]  htc_connect_service.cold+0xa9/0x109
[ 35.904284][ T5]  ath9k_wmi_connect+0xd2/0x1a0
[ 35.909201][ T5]  ? ath9k_fatal_work+0x20/0x20
[ 35.914113][ T5]  ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 35.920295][ T5]  ? ath9k_wmi_event_tasklet+0x440/0x440
[ 35.926081][ T5]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 35.932500][ T5]  ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 35.937874][ T5]  ? lockdep_init_map_waits+0x26a/0x7c0
[ 35.943446][ T5]  ? __raw_spin_lock_init+0x34/0x100
[ 35.948709][ T5]  ? tasklet_init+0x69/0x110
[ 35.953344][ T5]  ath9k_htc_probe_device+0x25a/0x1da0
[ 35.958800][ T5]  ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 35.965479][ T5]  ? usb_submit_urb+0x6ed/0x1460
[ 35.970404][ T5]  ? usb_free_urb.part.0+0x52/0x110
[ 35.976036][ T5]  ? usb_free_urb+0x1b/0x30
[ 35.980575][ T5]  ath9k_htc_hw_init+0x31/0x60
[ 35.985360][ T5]  ath9k_hif_usb_firmware_cb+0x274/0x510
[ 35.991005][ T5]  ? ath9k_hif_usb_resume+0x320/0x320
[ 35.996361][ T5]  request_firmware_work_func+0x126/0x242
[ 36.002091][ T5]  ? request_firmware_into_buf+0x90/0x90
[ 36.007710][ T5]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 36.013260][ T5]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 36.018561][ T5]  ? _raw_spin_unlock_irq+0x1f/0x30
[ 36.023744][ T5]  process_one_work+0x965/0x1630
[ 36.028688][ T5]  ? lock_release+0x720/0x720
[ 36.033344][ T5]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 36.038733][ T5]  ? rwlock_bug.part.0+0x90/0x90
[ 36.043672][ T5]  worker_thread+0x96/0xe20
[ 36.048280][ T5]  ? process_one_work+0x1630/0x1630
[ 36.054422][ T5]  kthread+0x326/0x430
[ 36.058487][ T5]  ? kthread_create_on_node+0xf0/0xf0
[ 36.063840][ T5]  ret_from_fork+0x24/0x30
[ 36.069233][ T5] Kernel Offset: disabled
[ 36.073558][ T5] Rebooting in 86400 seconds..