./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2748559611 <...> forked to background, child pid 3174 no interfaces have a carrier [ 21.069302][ T3175] 8021q: adding VLAN 0 to HW filter on device bond0 [ 21.079618][ T3175] eql: remember to turn off Van-Jacobson compression on your slave devices Starting sshd: OK syzkaller Warning: Permanently added '10.128.0.148' (ECDSA) to the list of known hosts. execve("./syz-executor2748559611", ["./syz-executor2748559611"], 0x7ffe1608e6b0 /* 10 vars */) = 0 brk(NULL) = 0x555555d01000 brk(0x555555d01c40) = 0x555555d01c40 arch_prctl(ARCH_SET_FS, 0x555555d01300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 set_tid_address(0x555555d015d0) = 3596 set_robust_list(0x555555d015e0, 24) = 0 rt_sigaction(SIGRTMIN, {sa_handler=0x7f6fda15ff90, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7f6fda160660}, NULL, 8) = 0 rt_sigaction(SIGRT_1, {sa_handler=0x7f6fda160030, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f6fda160660}, NULL, 8) = 0 rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor2748559611", 4096) = 28 brk(0x555555d22c40) = 0x555555d22c40 brk(0x555555d23000) = 0x555555d23000 mprotect(0x7f6fda221000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 3597 attached , child_tidptr=0x555555d015d0) = 3597 [pid 3597] set_robust_list(0x555555d015e0, 24) = 0 [pid 3597] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3597] setpgid(0, 0) = 0 [pid 3597] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3597] write(3, "1000", 4) = 4 [pid 3597] close(3) = 0 [pid 3597] futex(0x7f6fda2274ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3597] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f6fda12f000 [pid 3597] mprotect(0x7f6fda130000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3597] clone(child_stack=0x7f6fda14f3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3598], tls=0x7f6fda14f700, child_tidptr=0x7f6fda14f9d0) = 3598 ./strace-static-x86_64: Process 3598 attached [pid 3598] set_robust_list(0x7f6fda14f9e0, 24) = 0 [pid 3598] futex(0x7f6fda2274a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3597] futex(0x7f6fda2274a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3598] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 3597] <... futex resumed>) = 0 [pid 3598] openat(AT_FDCWD, "/dev/raw-gadget", O_RDWR [pid 3597] futex(0x7f6fda2274ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=3, tv_nsec=50000000} [pid 3598] <... openat resumed>) = 3 [pid 3598] ioctl(3, USB_RAW_IOCTL_INIT, 0x7f6fda14e2d0) = 0 [pid 3598] ioctl(3, UI_DEV_CREATE or USB_RAW_IOCTL_RUN, 0) = 0 [pid 3598] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7f6fda14e2d0) = 0 [pid 3598] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7f6fda14e2d0) = 0 [pid 3598] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7f6fda14d2c0) = 18 syzkaller login: [ 41.352270][ T14] usb 1-1: new high-speed USB device number 2 using dummy_hcd [pid 3598] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7f6fda14e2d0) = 0 [pid 3598] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7f6fda14d2c0) = 18 [pid 3598] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7f6fda14e2d0) = 0 [pid 3598] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7f6fda14d2c0) = 9 [pid 3598] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7f6fda14e2d0) = 0 [pid 3598] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7f6fda14d2c0) = 72 [pid 3598] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7f6fda14e2d0) = 0 [pid 3598] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7f6fda14d2c0) = 4 [pid 3598] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7f6fda14e2d0) = 0 [pid 3598] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7f6fda14d2c0) = 8 [pid 3598] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7f6fda14e2d0) = 0 [pid 3598] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7f6fda14d2c0) = 8 [pid 3598] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7f6fda14e2d0) = 0 [pid 3598] ioctl(3, USB_RAW_IOCTL_EP0_WRITE, 0x7f6fda14d2c0) = 8 [pid 3598] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7f6fda14e2d0) = 0 [pid 3598] ioctl(3, USB_RAW_IOCTL_VBUS_DRAW, 0xfa) = 0 [pid 3598] ioctl(3, USB_RAW_IOCTL_CONFIGURE, 0) = 0 [pid 3598] ioctl(3, USB_RAW_IOCTL_EP_ENABLE, 0x7f6fda2275ec) = 9 [pid 3598] ioctl(3, USB_RAW_IOCTL_EP_ENABLE, 0x7f6fda2275fc) = 10 [pid 3598] ioctl(3, USB_RAW_IOCTL_EP_ENABLE, 0x7f6fda22760c) = 12 [pid 3598] ioctl(3, USB_RAW_IOCTL_EP_ENABLE, 0x7f6fda22761c) = 11 [pid 3598] ioctl(3, USB_RAW_IOCTL_EP_ENABLE, 0x7f6fda22762c) = 13 [pid 3598] ioctl(3, USB_RAW_IOCTL_EP_ENABLE, 0x7f6fda22763c) = 14 [pid 3598] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7f6fda14d2c0) = 0 [ 41.872781][ T14] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08 [ 41.882075][ T14] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 41.890182][ T14] usb 1-1: Product: syz [ 41.894348][ T14] usb 1-1: Manufacturer: syz [ 41.898940][ T14] usb 1-1: SerialNumber: syz [pid 3598] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7f6fda14e2d0) = 0 [pid 3598] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7f6fda14d2c0) = 4096 [ 41.943917][ T14] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested [pid 3598] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7f6fda14e2d0) = 0 [pid 3598] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7f6fda14d2c0) = 4096 [pid 3598] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7f6fda14e2d0) = 0 [pid 3598] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7f6fda14d2c0) = 4096 [pid 3598] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7f6fda14e2d0) = 0 [pid 3598] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7f6fda14d2c0) = 4096 [pid 3598] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7f6fda14e2d0) = 0 [pid 3598] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7f6fda14d2c0) = 4096 [pid 3598] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7f6fda14e2d0) = 0 [pid 3598] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7f6fda14d2c0) = 4096 [pid 3598] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7f6fda14e2d0) = 0 [pid 3598] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7f6fda14d2c0) = 4096 [pid 3598] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7f6fda14e2d0) = 0 [pid 3598] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7f6fda14d2c0) = 4096 [pid 3598] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7f6fda14e2d0) = 0 [pid 3598] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7f6fda14d2c0) = 4096 [pid 3598] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7f6fda14e2d0) = 0 [pid 3598] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7f6fda14d2c0) = 4096 [pid 3598] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7f6fda14e2d0) = 0 [pid 3598] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7f6fda14d2c0) = 4096 [pid 3598] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7f6fda14e2d0) = 0 [pid 3598] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7f6fda14d2c0) = 4096 [pid 3598] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7f6fda14e2d0) = 0 [pid 3598] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7f6fda14d2c0) = 1856 [pid 3598] ioctl(3, USB_RAW_IOCTL_EVENT_FETCH, 0x7f6fda14e2d0) = 0 [pid 3598] ioctl(3, USB_RAW_IOCTL_EP0_READ, 0x7f6fda14d2c0) = 0 [ 42.522312][ T14] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008 [pid 3598] futex(0x7f6fda2274ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3597] <... futex resumed>) = 0 [pid 3598] ioctl(3, USB_RAW_IOCTL_EP_WRITE [pid 3597] futex(0x7f6fda2274a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3597] futex(0x7f6fda2274bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3597] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f6fda10e000 [pid 3597] mprotect(0x7f6fda10f000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3597] clone(child_stack=0x7f6fda12e3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3600 attached [pid 3600] set_robust_list(0x7f6fda12e9e0, 24) = 0 [pid 3600] futex(0x7f6fda2274b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3597] <... clone resumed>, parent_tid=[3600], tls=0x7f6fda12e700, child_tidptr=0x7f6fda12e9d0) = 3600 [pid 3597] futex(0x7f6fda2274b8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3600] <... futex resumed>) = 0 [pid 3600] close(3) = 0 [ 42.742586][ C0] usb 1-1: ath: unknown panic pattern! [ 42.744531][ T27] usb 1-1: USB disconnect, device number 2 [ 42.748339][ C0] ================================================================== [ 42.762140][ C0] BUG: KASAN: use-after-free in kfree_skb_reason+0x2f/0x110 [ 42.769452][ C0] Read of size 4 at addr ffff8880719e571c by task swapper/0/0 [ 42.776881][ C0] [ 42.779176][ C0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.18.0-rc7-syzkaller-00006-g210e04ff7681 #0 [ 42.788860][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 42.798887][ C0] Call Trace: [ 42.802138][ C0] [ 42.804956][ C0] dump_stack_lvl+0xcd/0x134 [ 42.809530][ C0] print_address_description.constprop.0.cold+0xeb/0x495 [ 42.816533][ C0] ? kfree_skb_reason+0x2f/0x110 [ 42.821445][ C0] kasan_report.cold+0xf4/0x1c6 [ 42.826272][ C0] ? kfree_skb_reason+0x2f/0x110 [ 42.831184][ C0] kasan_check_range+0x13d/0x180 [ 42.836096][ C0] kfree_skb_reason+0x2f/0x110 [ 42.840832][ C0] ath9k_hif_usb_reg_in_cb+0x4c5/0x640 [ 42.846270][ C0] __usb_hcd_giveback_urb+0x2b0/0x5c0 [ 42.851615][ C0] usb_hcd_giveback_urb+0x367/0x410 [ 42.856787][ C0] dummy_timer+0x11f9/0x32b0 [ 42.861374][ C0] ? dummy_dequeue+0x500/0x500 [ 42.866112][ C0] ? dummy_dequeue+0x500/0x500 [ 42.870849][ C0] call_timer_fn+0x1a5/0x6b0 [ 42.875503][ C0] ? timer_fixup_activate+0x350/0x350 [ 42.880849][ C0] ? lock_downgrade+0x6e0/0x6e0 [ 42.885679][ C0] ? _raw_spin_unlock_irq+0x1f/0x40 [ 42.890853][ C0] ? dummy_dequeue+0x500/0x500 [ 42.895589][ C0] __run_timers.part.0+0x679/0xa80 [ 42.900674][ C0] ? call_timer_fn+0x6b0/0x6b0 [ 42.905426][ C0] ? kvm_sched_clock_read+0x14/0x40 [ 42.910598][ C0] ? sched_clock_cpu+0x15/0x1f0 [ 42.915427][ C0] run_timer_softirq+0xb3/0x1d0 [ 42.920251][ C0] __do_softirq+0x29b/0x9c2 [ 42.924729][ C0] __irq_exit_rcu+0x123/0x180 [ 42.929380][ C0] irq_exit_rcu+0x5/0x20 [ 42.933594][ C0] sysvec_apic_timer_interrupt+0x93/0xc0 [ 42.939201][ C0] [ 42.942106][ C0] [ 42.945014][ C0] asm_sysvec_apic_timer_interrupt+0x12/0x20 [ 42.951058][ C0] RIP: 0010:acpi_idle_do_entry+0x1c6/0x250 [ 42.956841][ C0] Code: 89 de e8 8d e7 08 f8 84 db 75 ac e8 a4 e3 08 f8 e8 0f 2c 0f f8 eb 0c e8 98 e3 08 f8 0f 00 2d 81 7c c2 00 e8 8c e3 08 f8 fb f4 <9c> 5b 81 e3 00 02 00 00 fa 31 ff 48 89 de e8 07 e6 08 f8 48 85 db [ 42.976425][ C0] RSP: 0018:ffffffff8ba07d38 EFLAGS: 00000293 [ 42.982569][ C0] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 [pid 3597] futex(0x7f6fda2274bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=350000000} [pid 3598] <... ioctl resumed>, 0x7f6fda14e300) = 257 [ 42.990512][ C0] RDX: ffffffff8babc700 RSI: ffffffff89705d04 RDI: 0000000000000000 [ 42.998471][ C0] RBP: ffff888015dc7864 R08: 0000000000000001 R09: 0000000000000001 [ 43.006422][ C0] R10: ffffffff817f8938 R11: 0000000000000000 R12: 0000000000000001 [ 43.014388][ C0] R13: ffff888015dc7800 R14: ffff888015dc7864 R15: ffff888147087004 [ 43.022356][ C0] ? trace_hardirqs_on+0x38/0x1c0 [ 43.027378][ C0] ? acpi_idle_do_entry+0x1c4/0x250 [ 43.032556][ C0] ? acpi_idle_do_entry+0x1c4/0x250 [ 43.037732][ C0] acpi_idle_enter+0x361/0x500 [pid 3597] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3597] futex(0x7f6fda2274bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [ 43.042663][ C0] cpuidle_enter_state+0x1b1/0xc80 [ 43.047756][ C0] cpuidle_enter+0x4a/0xa0 [ 43.052316][ C0] do_idle+0x3e8/0x590 [ 43.056466][ C0] ? arch_cpu_idle_exit+0x30/0x30 [ 43.061474][ C0] cpu_startup_entry+0x14/0x20 [ 43.066217][ C0] rest_init+0x169/0x270 [ 43.070443][ C0] ? trace_init_perf_perm_irq_work_exit+0xe/0xe [ 43.076681][ C0] arch_call_rest_init+0xf/0x14 [ 43.081510][ C0] start_kernel+0x47f/0x4a0 [ 43.086695][ C0] secondary_startup_64_no_verify+0xc3/0xcb [ 43.092578][ C0] [ 43.095584][ C0] [ 43.097886][ C0] Allocated by task 14: [ 43.102021][ C0] kasan_save_stack+0x1e/0x40 [ 43.106682][ C0] __kasan_slab_alloc+0x90/0xc0 [ 43.111534][ C0] kmem_cache_alloc_node+0x255/0x3f0 [ 43.116800][ C0] __alloc_skb+0x215/0x340 [ 43.121207][ C0] ath9k_hif_usb_alloc_urbs+0x91d/0x1050 [ 43.126903][ C0] ath9k_hif_usb_firmware_cb+0x148/0x530 [ 43.132516][ C0] request_firmware_work_func+0x12c/0x230 [ 43.138230][ C0] process_one_work+0x996/0x1610 [ 43.143147][ C0] worker_thread+0x665/0x1080 [ 43.147799][ C0] kthread+0x2e9/0x3a0 [ 43.151846][ C0] ret_from_fork+0x1f/0x30 [ 43.156257][ C0] [ 43.158575][ C0] Freed by task 0: [ 43.162268][ C0] kasan_save_stack+0x1e/0x40 [ 43.166939][ C0] kasan_set_track+0x21/0x30 [ 43.171511][ C0] kasan_set_free_info+0x20/0x30 [ 43.176443][ C0] ____kasan_slab_free+0x166/0x1a0 [ 43.181533][ C0] slab_free_freelist_hook+0x8b/0x1c0 [ 43.186881][ C0] kmem_cache_free+0xdd/0x5a0 [pid 3598] futex(0x7f6fda2274ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3598] futex(0x7f6fda2274a8, FUTEX_WAIT_PRIVATE, 0, NULL [ 43.191536][ C0] kfree_skbmem+0xef/0x1b0 [ 43.195947][ C0] kfree_skb_reason+0x85/0x110 [ 43.200688][ C0] ath9k_htc_rx_msg+0x1f0/0xb70 [ 43.205531][ C0] ath9k_hif_usb_reg_in_cb+0x1ac/0x640 [ 43.210974][ C0] __usb_hcd_giveback_urb+0x2b0/0x5c0 [ 43.216330][ C0] usb_hcd_giveback_urb+0x367/0x410 [ 43.221524][ C0] dummy_timer+0x11f9/0x32b0 [ 43.226109][ C0] call_timer_fn+0x1a5/0x6b0 [ 43.230684][ C0] __run_timers.part.0+0x679/0xa80 [ 43.235793][ C0] run_timer_softirq+0xb3/0x1d0 [ 43.240656][ C0] __do_softirq+0x29b/0x9c2 [ 43.245142][ C0] [ 43.247461][ C0] The buggy address belongs to the object at ffff8880719e5640 [ 43.247461][ C0] which belongs to the cache skbuff_head_cache of size 232 [ 43.262032][ C0] The buggy address is located 220 bytes inside of [ 43.262032][ C0] 232-byte region [ffff8880719e5640, ffff8880719e5728) [ 43.275305][ C0] [ 43.277615][ C0] The buggy address belongs to the physical page: [ 43.284010][ C0] page:ffffea0001c67940 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x719e5 [ 43.294149][ C0] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff) [ 43.301674][ C0] raw: 00fff00000000200 0000000000000000 dead000000000122 ffff888011a98140 [ 43.310236][ C0] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000 [ 43.318791][ C0] page dumped because: kasan: bad access detected [ 43.325173][ C0] page_owner tracks the page as allocated [ 43.330859][ C0] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 14, tgid 14 (kworker/0:1), ts 42532027766, free_ts 34934149237 [ 43.348720][ C0] get_page_from_freelist+0xba2/0x3e00 [ 43.354165][ C0] __alloc_pages+0x1b2/0x500 [ 43.358734][ C0] alloc_pages+0x1aa/0x310 [ 43.363140][ C0] allocate_slab+0x26c/0x3c0 [ 43.367707][ C0] ___slab_alloc+0x8df/0xf20 [ 43.372271][ C0] __slab_alloc.constprop.0+0x4d/0xa0 [ 43.377616][ C0] kmem_cache_alloc_node+0x122/0x3f0 [ 43.382876][ C0] __alloc_skb+0x215/0x340 [ 43.387270][ C0] ath9k_hif_usb_alloc_urbs+0x670/0x1050 [ 43.392877][ C0] ath9k_hif_usb_firmware_cb+0x148/0x530 [ 43.398484][ C0] request_firmware_work_func+0x12c/0x230 [ 43.404182][ C0] process_one_work+0x996/0x1610 [ 43.409104][ C0] worker_thread+0x665/0x1080 [ 43.413755][ C0] kthread+0x2e9/0x3a0 [ 43.417796][ C0] ret_from_fork+0x1f/0x30 [ 43.422193][ C0] page last free stack trace: [ 43.426841][ C0] free_pcp_prepare+0x549/0xd20 [ 43.431675][ C0] free_unref_page+0x19/0x6a0 [ 43.436343][ C0] __put_page+0x145/0x280 [ 43.440652][ C0] anon_pipe_buf_release+0x362/0x4b0 [ 43.445933][ C0] pipe_read+0x610/0x1100 [ 43.450248][ C0] new_sync_read+0x4f9/0x5f0 [ 43.454814][ C0] vfs_read+0x492/0x5d0 [ 43.458947][ C0] ksys_read+0x1e8/0x250 [ 43.463173][ C0] do_syscall_64+0x35/0xb0 [ 43.467571][ C0] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 43.473443][ C0] [ 43.475742][ C0] Memory state around the buggy address: [ 43.481355][ C0] ffff8880719e5600: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [ 43.489387][ C0] ffff8880719e5680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 43.497420][ C0] >ffff8880719e5700: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc [ 43.505467][ C0] ^ [ 43.510287][ C0] ffff8880719e5780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 43.518321][ C0] ffff8880719e5800: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc [ 43.526355][ C0] ================================================================== [ 43.534395][ C0] Kernel panic - not syncing: panic_on_warn set ... [ 43.540949][ C0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.18.0-rc7-syzkaller-00006-g210e04ff7681 #0 [ 43.550642][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 43.560672][ C0] Call Trace: [ 43.563932][ C0] [ 43.566763][ C0] dump_stack_lvl+0xcd/0x134 [ 43.571340][ C0] panic+0x2d7/0x636 [ 43.575233][ C0] ? panic_print_sys_info.part.0+0x10b/0x10b [ 43.583286][ C0] ? kfree_skb_reason+0x2f/0x110 [ 43.588202][ C0] end_report.part.0+0x3f/0x7c [ 43.592944][ C0] kasan_report.cold+0x93/0x1c6 [ 43.597781][ C0] ? kfree_skb_reason+0x2f/0x110 [ 43.602711][ C0] kasan_check_range+0x13d/0x180 [ 43.607630][ C0] kfree_skb_reason+0x2f/0x110 [ 43.612368][ C0] ath9k_hif_usb_reg_in_cb+0x4c5/0x640 [ 43.617811][ C0] __usb_hcd_giveback_urb+0x2b0/0x5c0 [ 43.623187][ C0] usb_hcd_giveback_urb+0x367/0x410 [ 43.628363][ C0] dummy_timer+0x11f9/0x32b0 [ 43.632954][ C0] ? dummy_dequeue+0x500/0x500 [ 43.637727][ C0] ? dummy_dequeue+0x500/0x500 [ 43.642468][ C0] call_timer_fn+0x1a5/0x6b0 [ 43.647044][ C0] ? timer_fixup_activate+0x350/0x350 [ 43.652408][ C0] ? lock_downgrade+0x6e0/0x6e0 [ 43.657259][ C0] ? _raw_spin_unlock_irq+0x1f/0x40 [ 43.662439][ C0] ? dummy_dequeue+0x500/0x500 [ 43.667181][ C0] __run_timers.part.0+0x679/0xa80 [ 43.672275][ C0] ? call_timer_fn+0x6b0/0x6b0 [ 43.677024][ C0] ? kvm_sched_clock_read+0x14/0x40 [ 43.682355][ C0] ? sched_clock_cpu+0x15/0x1f0 [ 43.687197][ C0] run_timer_softirq+0xb3/0x1d0 [ 43.692219][ C0] __do_softirq+0x29b/0x9c2 [ 43.696705][ C0] __irq_exit_rcu+0x123/0x180 [ 43.701356][ C0] irq_exit_rcu+0x5/0x20 [ 43.705582][ C0] sysvec_apic_timer_interrupt+0x93/0xc0 [ 43.711208][ C0] [ 43.714118][ C0] [ 43.717024][ C0] asm_sysvec_apic_timer_interrupt+0x12/0x20 [ 43.722983][ C0] RIP: 0010:acpi_idle_do_entry+0x1c6/0x250 [ 43.728771][ C0] Code: 89 de e8 8d e7 08 f8 84 db 75 ac e8 a4 e3 08 f8 e8 0f 2c 0f f8 eb 0c e8 98 e3 08 f8 0f 00 2d 81 7c c2 00 e8 8c e3 08 f8 fb f4 <9c> 5b 81 e3 00 02 00 00 fa 31 ff 48 89 de e8 07 e6 08 f8 48 85 db [ 43.748370][ C0] RSP: 0018:ffffffff8ba07d38 EFLAGS: 00000293 [ 43.754414][ C0] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 [ 43.762359][ C0] RDX: ffffffff8babc700 RSI: ffffffff89705d04 RDI: 0000000000000000 [ 43.770307][ C0] RBP: ffff888015dc7864 R08: 0000000000000001 R09: 0000000000000001 [ 43.778260][ C0] R10: ffffffff817f8938 R11: 0000000000000000 R12: 0000000000000001 [ 43.786236][ C0] R13: ffff888015dc7800 R14: ffff888015dc7864 R15: ffff888147087004 [ 43.794706][ C0] ? trace_hardirqs_on+0x38/0x1c0 [ 43.799711][ C0] ? acpi_idle_do_entry+0x1c4/0x250 [ 43.804892][ C0] ? acpi_idle_do_entry+0x1c4/0x250 [ 43.810068][ C0] acpi_idle_enter+0x361/0x500 [ 43.814810][ C0] cpuidle_enter_state+0x1b1/0xc80 [ 43.819902][ C0] cpuidle_enter+0x4a/0xa0 [ 43.824295][ C0] do_idle+0x3e8/0x590 [ 43.828343][ C0] ? arch_cpu_idle_exit+0x30/0x30 [ 43.833347][ C0] cpu_startup_entry+0x14/0x20 [ 43.838090][ C0] rest_init+0x169/0x270 [ 43.842333][ C0] ? trace_init_perf_perm_irq_work_exit+0xe/0xe [ 43.848557][ C0] arch_call_rest_init+0xf/0x14 [ 43.853392][ C0] start_kernel+0x47f/0x4a0 [ 43.857886][ C0] secondary_startup_64_no_verify+0xc3/0xcb [ 43.863769][ C0] [ 43.867467][ C0] Kernel Offset: disabled [ 43.871829][ C0] Rebooting in 86400 seconds..