Warning: Permanently added '10.128.15.193' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   23.505745][   T83] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[   24.024784][   T83] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[   24.033909][   T83] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[   24.041983][   T83] usb 1-1: Product: syz
[   24.046202][   T83] usb 1-1: Manufacturer: syz
[   24.050771][   T83] usb 1-1: SerialNumber: syz
[   24.096227][   T83] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[   24.744184][   T83] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
executing program
[   25.148540][   T95] usb 1-1: USB disconnect, device number 2
[   25.973430][   T83] usb 1-1: Service connection timeout for: 256
[   25.979722][   T83] ==================================================================
[   25.987858][   T83] BUG: KASAN: use-after-free in kfree_skb+0x32/0x3d0
[   25.994528][   T83] Read of size 4 at addr ffff8881cf37c0d4 by task kworker/1:2/83
[   26.002524][   T83] 
[   26.004840][   T83] CPU: 1 PID: 83 Comm: kworker/1:2 Not tainted 5.7.0-rc6-syzkaller #0
[   26.013588][   T83] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   26.023640][   T83] Workqueue: events request_firmware_work_func
[   26.029774][   T83] Call Trace:
[   26.033058][   T83]  dump_stack+0xef/0x16e
[   26.037279][   T83]  print_address_description.constprop.0.cold+0xd3/0x415
[   26.044280][   T83]  ? vprintk_func+0x7d/0x113
[   26.048846][   T83]  ? kfree_skb+0x32/0x3d0
[   26.053164][   T83]  __kasan_report.cold+0x37/0x7d
[   26.058076][   T83]  ? kfree_skb+0x32/0x3d0
[   26.062379][   T83]  ? kfree_skb+0x32/0x3d0
[   26.066696][   T83]  kasan_report+0x33/0x50
[   26.071001][   T83]  check_memory_region+0x173/0x1d0
[   26.076098][   T83]  kfree_skb+0x32/0x3d0
[   26.080231][   T83]  htc_connect_service.cold+0xa9/0x109
[   26.085680][   T83]  ath9k_wmi_connect+0xd2/0x1a0
[   26.090505][   T83]  ? ath9k_fatal_work+0x20/0x20
[   26.095333][   T83]  ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[   26.101388][   T83]  ? ath9k_wmi_event_tasklet+0x440/0x440
[   26.106996][   T83]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[   26.113384][   T83]  ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[   26.118645][   T83]  ? lockdep_init_map_waits+0x26a/0x7c0
[   26.124167][   T83]  ? __raw_spin_lock_init+0x34/0x100
[   26.129434][   T83]  ? tasklet_init+0x69/0x110
[   26.134018][   T83]  ath9k_htc_probe_device+0x25a/0x1da0
[   26.139454][   T83]  ? ath9k_init_htc_services.constprop.0+0x650/0x650
[   26.146115][   T83]  ? usb_submit_urb+0x6ed/0x1460
[   26.151027][   T83]  ? usb_free_urb.part.0+0x52/0x110
[   26.156212][   T83]  ? usb_free_urb+0x1b/0x30
[   26.160692][   T83]  ath9k_htc_hw_init+0x31/0x60
[   26.165449][   T83]  ath9k_hif_usb_firmware_cb+0x274/0x510
[   26.171100][   T83]  ? ath9k_hif_usb_resume+0x320/0x320
[   26.176478][   T83]  request_firmware_work_func+0x126/0x242
[   26.184272][   T83]  ? request_firmware_into_buf+0x90/0x90
[   26.190079][   T83]  ? rcu_read_lock_sched_held+0x9c/0xd0
[   26.195619][   T83]  ? rcu_read_lock_bh_held+0xb0/0xb0
[   26.200987][   T83]  ? _raw_spin_unlock_irq+0x1f/0x30
[   26.206179][   T83]  process_one_work+0x965/0x1630
[   26.211099][   T83]  ? lock_release+0x720/0x720
[   26.215755][   T83]  ? pwq_dec_nr_in_flight+0x310/0x310
[   26.221109][   T83]  ? rwlock_bug.part.0+0x90/0x90
[   26.226023][   T83]  worker_thread+0x96/0xe20
[   26.230504][   T83]  ? process_one_work+0x1630/0x1630
[   26.235684][   T83]  kthread+0x326/0x430
[   26.239731][   T83]  ? kthread_create_on_node+0xf0/0xf0
[   26.245089][   T83]  ret_from_fork+0x24/0x30
[   26.249489][   T83] 
[   26.251793][   T83] Allocated by task 83:
[   26.255941][   T83]  save_stack+0x1b/0x40
[   26.260072][   T83]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   26.265685][   T83]  kmem_cache_alloc_node+0xdc/0x330
[   26.270882][   T83]  __alloc_skb+0xba/0x5a0
[   26.275188][   T83]  htc_connect_service+0x2cc/0x840
[   26.280279][   T83]  ath9k_wmi_connect+0xd2/0x1a0
[   26.285104][   T83]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[   26.291503][   T83]  ath9k_htc_probe_device+0x25a/0x1da0
[   26.296936][   T83]  ath9k_htc_hw_init+0x31/0x60
[   26.301687][   T83]  ath9k_hif_usb_firmware_cb+0x274/0x510
[   26.307295][   T83]  request_firmware_work_func+0x126/0x242
[   26.312999][   T83]  process_one_work+0x965/0x1630
[   26.317908][   T83]  worker_thread+0x96/0xe20
[   26.322471][   T83]  kthread+0x326/0x430
[   26.326529][   T83]  ret_from_fork+0x24/0x30
[   26.330949][   T83] 
[   26.333251][   T83] Freed by task 0:
[   26.336966][   T83]  save_stack+0x1b/0x40
[   26.341096][   T83]  __kasan_slab_free+0x117/0x160
[   26.346007][   T83]  kmem_cache_free+0x9b/0x360
[   26.350670][   T83]  kfree_skbmem+0xef/0x1b0
[   26.355072][   T83]  kfree_skb+0x102/0x3d0
[   26.359303][   T83]  ath9k_htc_txcompletion_cb+0x1f8/0x2b0
[   26.364917][   T83]  hif_usb_regout_cb+0x115/0x1c0
[   26.369845][   T83]  __usb_hcd_giveback_urb+0x29a/0x550
[   26.375210][   T83]  usb_hcd_giveback_urb+0x368/0x420
[   26.380444][   T83]  dummy_timer+0x125e/0x32b4
[   26.385068][   T83]  call_timer_fn+0x1ac/0x700
[   26.389638][   T83]  run_timer_softirq+0x5f9/0x1500
[   26.394655][   T83]  __do_softirq+0x21e/0x9aa
[   26.399141][   T83] 
[   26.401451][   T83] The buggy address belongs to the object at ffff8881cf37c000
[   26.401451][   T83]  which belongs to the cache skbuff_head_cache of size 224
[   26.416000][   T83] The buggy address is located 212 bytes inside of
[   26.416000][   T83]  224-byte region [ffff8881cf37c000, ffff8881cf37c0e0)
[   26.429242][   T83] The buggy address belongs to the page:
[   26.434852][   T83] page:ffffea00073cdf00 refcount:1 mapcount:0 mapping:00000000d7d199b4 index:0x0
[   26.443948][   T83] flags: 0x200000000000200(slab)
[   26.448864][   T83] raw: 0200000000000200 0000000000000000 0000000c00000001 ffff8881da175400
[   26.457428][   T83] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[   26.465996][   T83] page dumped because: kasan: bad access detected
[   26.472376][   T83] 
[   26.474677][   T83] Memory state around the buggy address:
[   26.480289][   T83]  ffff8881cf37bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.488324][   T83]  ffff8881cf37c000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.496363][   T83] >ffff8881cf37c080: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   26.504395][   T83]                                                  ^
[   26.511148][   T83]  ffff8881cf37c100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   26.519211][   T83]  ffff8881cf37c180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.527364][   T83] ==================================================================
[   26.535509][   T83] Disabling lock debugging due to kernel taint
[   26.541926][   T83] Kernel panic - not syncing: panic_on_warn set ...
[   26.548546][   T83] CPU: 1 PID: 83 Comm: kworker/1:2 Tainted: G    B             5.7.0-rc6-syzkaller #0
[   26.558436][   T83] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   26.569270][   T83] Workqueue: events request_firmware_work_func
[   26.575495][   T83] Call Trace:
[   26.578779][   T83]  dump_stack+0xef/0x16e
[   26.583149][   T83]  panic+0x2aa/0x6e1
[   26.587110][   T83]  ? add_taint.cold+0x16/0x16
[   26.592863][   T83]  ? retint_kernel+0x10/0x10
[   26.597436][   T83]  ? kfree_skb+0x32/0x3d0
[   26.601768][   T83]  ? trace_hardirqs_on+0x55/0x200
[   26.606794][   T83]  ? kfree_skb+0x32/0x3d0
[   26.611099][   T83]  end_report+0x4d/0x53
[   26.615229][   T83]  __kasan_report.cold+0x72/0x7d
[   26.620141][   T83]  ? kfree_skb+0x32/0x3d0
[   26.624457][   T83]  ? kfree_skb+0x32/0x3d0
[   26.628872][   T83]  kasan_report+0x33/0x50
[   26.633472][   T83]  check_memory_region+0x173/0x1d0
[   26.639079][   T83]  kfree_skb+0x32/0x3d0
[   26.643232][   T83]  htc_connect_service.cold+0xa9/0x109
[   26.648685][   T83]  ath9k_wmi_connect+0xd2/0x1a0
[   26.653510][   T83]  ? ath9k_fatal_work+0x20/0x20
[   26.659301][   T83]  ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[   26.665366][   T83]  ? ath9k_wmi_event_tasklet+0x440/0x440
[   26.671074][   T83]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[   26.677487][   T83]  ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[   26.683065][   T83]  ? lockdep_init_map_waits+0x26a/0x7c0
[   26.688676][   T83]  ? __raw_spin_lock_init+0x34/0x100
[   26.694134][   T83]  ? tasklet_init+0x69/0x110
[   26.698700][   T83]  ath9k_htc_probe_device+0x25a/0x1da0
[   26.704136][   T83]  ? ath9k_init_htc_services.constprop.0+0x650/0x650
[   26.710800][   T83]  ? usb_submit_urb+0x6ed/0x1460
[   26.715737][   T83]  ? usb_free_urb.part.0+0x52/0x110
[   26.720928][   T83]  ? usb_free_urb+0x1b/0x30
[   26.725423][   T83]  ath9k_htc_hw_init+0x31/0x60
[   26.730164][   T83]  ath9k_hif_usb_firmware_cb+0x274/0x510
[   26.735773][   T83]  ? ath9k_hif_usb_resume+0x320/0x320
[   26.741244][   T83]  request_firmware_work_func+0x126/0x242
[   26.746953][   T83]  ? request_firmware_into_buf+0x90/0x90
[   26.752584][   T83]  ? rcu_read_lock_sched_held+0x9c/0xd0
[   26.758111][   T83]  ? rcu_read_lock_bh_held+0xb0/0xb0
[   26.763458][   T83]  ? _raw_spin_unlock_irq+0x1f/0x30
[   26.769155][   T83]  process_one_work+0x965/0x1630
[   26.774133][   T83]  ? lock_release+0x720/0x720
[   26.778816][   T83]  ? pwq_dec_nr_in_flight+0x310/0x310
[   26.784165][   T83]  ? rwlock_bug.part.0+0x90/0x90
[   26.789081][   T83]  worker_thread+0x96/0xe20
[   26.793671][   T83]  ? process_one_work+0x1630/0x1630
[   26.798847][   T83]  kthread+0x326/0x430
[   26.802902][   T83]  ? kthread_create_on_node+0xf0/0xf0
[   26.808279][   T83]  ret_from_fork+0x24/0x30
[   26.813306][   T83] Kernel Offset: disabled
[   26.817624][   T83] Rebooting in 86400 seconds..
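Added example, not part of the syzkaller report above and not ath9k driver code: a user-space C model of the ownership bug the three stacks describe. "Allocated by task 83" shows the skb created inside htc_connect_service; "Freed by task 0" shows it released by the tx-completion callback (ath9k_htc_txcompletion_cb -> kfree_skb) from the USB URB giveback in softirq context; the faulting stack then shows the error path of htc_connect_service (the .cold section, reached after "Service connection timeout for: 256") calling kfree_skb on the same object, and the 4-byte read at offset 212 of the 224-byte skbuff_head_cache object is kfree_skb touching the freed header. The names skb_alloc, skb_free, send_model, wait_for_response, connect_service_buggy and connect_service_fixed are stand-ins invented for this model; the one-slot tracking allocator stands in for KASAN's quarantine and only counts the second free. The "fixed" variant applies the general rule that a buffer handed to a transport with a completion callback is no longer the caller's to free on a later error; whether the upstream fix took exactly this shape is not shown on this page.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example, not driver code: a user-space model of the double free in the
 * trace above. A buffer ("skb") is handed to an asynchronous send whose
 * completion callback frees it; the caller then waits for a reply, times out,
 * and on the buggy path frees the buffer again. A one-slot tracking allocator
 * stands in for KASAN: it quarantines the freed object and counts the second
 * free instead of letting it corrupt the heap. */

struct skb { unsigned char data[64]; };

static struct skb *live;    /* the single outstanding allocation in this model */
static bool freed;          /* true once live has been released (quarantined) */
static int bad_frees;       /* invalid frees caught, reported by the scenarios */

static struct skb *skb_alloc(void)
{
    free(live);             /* discard the previous scenario's quarantined object */
    live = calloc(1, sizeof(struct skb));
    freed = false;
    bad_frees = 0;
    return live;
}

static void skb_free(struct skb *s)
{
    if (s != live) {        /* not ours at all */
        bad_frees++;
        return;
    }
    if (freed)              /* double free: the condition KASAN reported above */
        bad_frees++;
    freed = true;
}

/* Models the tx-completion callback (ath9k_htc_txcompletion_cb -> kfree_skb in
 * the "Freed by" stack): the transport consumes the skb unconditionally. */
static void tx_completion_cb(struct skb *s)
{
    skb_free(s);
}

/* Models the hand-off to the transport. Completion runs immediately here; in
 * the driver it runs later from the USB URB giveback, but either order ends
 * with the same skb being freed twice on the buggy path. */
static int send_model(struct skb *s)
{
    tx_completion_cb(s);
    return 0;
}

/* 'timeout' stands in for the "Service connection timeout" in the log. */
static int wait_for_response(bool timeout)
{
    return timeout ? -1 : 0;
}

/* Buggy shape: the error path frees an skb the transport already owns.
 * Returns the number of invalid frees caught (1 on the timeout path). */
int connect_service_buggy(bool timeout)
{
    struct skb *s = skb_alloc();
    if (!s)
        return -1;
    if (send_model(s) != 0)
        goto err;
    if (wait_for_response(timeout) != 0)
        goto err;           /* timeout lands on the same free */
    return bad_frees;
err:
    skb_free(s);            /* BUG: already freed by tx_completion_cb */
    return bad_frees;
}

/* Fixed shape: once the send is accepted the skb belongs to the transport, so a
 * timeout only reports failure; free locally only if the hand-off was refused. */
int connect_service_fixed(bool timeout)
{
    struct skb *s = skb_alloc();
    if (!s)
        return -1;
    if (send_model(s) != 0) {
        skb_free(s);        /* still ours: the transport never took it */
        return bad_frees;
    }
    (void)wait_for_response(timeout);   /* on timeout: do not touch s */
    return bad_frees;
}

int main(void)
{
    printf("buggy timeout path: %d invalid free(s)\n", connect_service_buggy(true));
    printf("fixed timeout path: %d invalid free(s)\n", connect_service_fixed(true));
    return 0;
}
```

The check a reviewer applies to code of this shape: for every error label, ask which of the resources freed there have already been handed to someone else. Here the send is the hand-off point, so only failures before it (the transport refusing the buffer) leave the skb with the caller; failures after it, including the timeout, must not free.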