Warning: Permanently added '10.128.10.47' (ECDSA) to the list of known hosts.
executing program
[   35.332002][  T159] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[   35.711387][  T159] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[   35.720560][  T159] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[   35.728626][  T159] usb 1-1: Product: syz
[   35.732861][  T159] usb 1-1: Manufacturer: syz
[   35.737627][  T159] usb 1-1: SerialNumber: syz
[   35.782453][  T159] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[   36.391186][  T159] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
executing program
[   36.793159][   T83] usb 1-1: USB disconnect, device number 2
[   37.690715][  T159] Service connection timeout for: 256
[   37.697213][  T159] ==================================================================
[   37.705507][  T159] BUG: KASAN: use-after-free in kfree_skb+0x32/0x3d0
[   37.712322][  T159] Read of size 4 at addr ffff8881cb301c14 by task kworker/1:3/159
[   37.720108][  T159] 
[   37.722551][  T159] CPU: 1 PID: 159 Comm: kworker/1:3 Not tainted 5.6.0-rc7-syzkaller #0
[   37.730774][  T159] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   37.740881][  T159] Workqueue: events request_firmware_work_func
[   37.747019][  T159] Call Trace:
[   37.750307][  T159]  dump_stack+0xef/0x16e
[   37.754539][  T159]  ? kfree_skb+0x32/0x3d0
[   37.758856][  T159]  ? kfree_skb+0x32/0x3d0
[   37.763795][  T159]  print_address_description.constprop.0.cold+0xd3/0x314
[   37.770906][  T159]  ? kfree_skb+0x32/0x3d0
[   37.775243][  T159]  ? kfree_skb+0x32/0x3d0
[   37.779555][  T159]  __kasan_report.cold+0x37/0x77
[   37.784891][  T159]  ? kfree_skb+0x32/0x3d0
[   37.789220][  T159]  kasan_report+0xe/0x20
[   37.793467][  T159]  check_memory_region+0x152/0x1c0
[   37.798572][  T159]  kfree_skb+0x32/0x3d0
[   37.802739][  T159]  htc_connect_service.cold+0xa9/0x109
[   37.808186][  T159]  ath9k_wmi_connect+0xd2/0x1a0
[   37.813040][  T159]  ? ath9k_fatal_work+0x20/0x20
[   37.817876][  T159]  ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[   37.823936][  T159]  ? ath9k_wmi_event_tasklet+0x440/0x440
[   37.829562][  T159]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[   37.835969][  T159]  ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[   37.841247][  T159]  ? lockdep_init_map+0x1b0/0x5e0
[   37.846258][  T159]  ? lockdep_init_map+0x1b0/0x5e0
[   37.851267][  T159]  ? tasklet_init+0x69/0x110
[   37.856902][  T159]  ath9k_htc_probe_device+0x25a/0x1d80
[   37.862367][  T159]  ? ath9k_init_htc_services.constprop.0+0x650/0x650
[   37.869027][  T159]  ? usb_submit_urb+0x6ed/0x1460
[   37.873957][  T159]  ? usb_free_urb.part.0+0x52/0x110
[   37.879139][  T159]  ? usb_free_urb+0x1b/0x30
[   37.883648][  T159]  ath9k_htc_hw_init+0x31/0x60
[   37.888408][  T159]  ath9k_hif_usb_firmware_cb+0x26b/0x500
[   37.894037][  T159]  ? ath9k_hif_usb_resume+0x320/0x320
[   37.899417][  T159]  request_firmware_work_func+0x126/0x242
[   37.905130][  T159]  ? request_firmware_into_buf+0x90/0x90
[   37.910869][  T159]  ? rcu_read_lock_sched_held+0x9c/0xd0
[   37.916451][  T159]  ? rcu_read_lock_bh_held+0xb0/0xb0
[   37.921748][  T159]  process_one_work+0x94b/0x1620
[   37.926708][  T159]  ? pwq_dec_nr_in_flight+0x310/0x310
[   37.932112][  T159]  ? do_raw_spin_lock+0x129/0x290
[   37.937280][  T159]  worker_thread+0x96/0xe20
[   37.941844][  T159]  ? process_one_work+0x1620/0x1620
[   37.947120][  T159]  kthread+0x318/0x420
[   37.951301][  T159]  ? kthread_create_on_node+0xf0/0xf0
[   37.956907][  T159]  ret_from_fork+0x24/0x30
[   37.961411][  T159] 
[   37.963732][  T159] Allocated by task 159:
[   37.967971][  T159]  save_stack+0x1b/0x80
[   37.972108][  T159]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   37.977797][  T159]  kmem_cache_alloc_node+0xdc/0x330
[   37.983004][  T159]  __alloc_skb+0xba/0x5a0
[   37.987413][  T159]  htc_connect_service+0x2cc/0x840
[   37.992513][  T159]  ath9k_wmi_connect+0xd2/0x1a0
[   37.997359][  T159]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[   38.003752][  T159]  ath9k_htc_probe_device+0x25a/0x1d80
[   38.009211][  T159]  ath9k_htc_hw_init+0x31/0x60
[   38.013976][  T159]  ath9k_hif_usb_firmware_cb+0x26b/0x500
[   38.019597][  T159]  request_firmware_work_func+0x126/0x242
[   38.025420][  T159]  process_one_work+0x94b/0x1620
[   38.030360][  T159]  worker_thread+0x96/0xe20
[   38.034853][  T159]  kthread+0x318/0x420
[   38.038960][  T159]  ret_from_fork+0x24/0x30
[   38.043396][  T159] 
[   38.045734][  T159] Freed by task 0:
[   38.049449][  T159]  save_stack+0x1b/0x80
[   38.053588][  T159]  __kasan_slab_free+0x117/0x160
[   38.058821][  T159]  kmem_cache_free+0x9b/0x360
[   38.063492][  T159]  kfree_skbmem+0xef/0x1b0
[   38.067891][  T159]  kfree_skb+0x102/0x3d0
[   38.072121][  T159]  ath9k_htc_txcompletion_cb+0x1f8/0x2b0
[   38.077749][  T159]  hif_usb_regout_cb+0x10b/0x1b0
[   38.082705][  T159]  __usb_hcd_giveback_urb+0x1f2/0x470
[   38.088088][  T159]  usb_hcd_giveback_urb+0x368/0x420
[   38.093329][  T159]  dummy_timer+0x1258/0x32ae
[   38.097912][  T159]  call_timer_fn+0x195/0x6f0
[   38.102535][  T159]  run_timer_softirq+0x5f9/0x1500
[   38.107546][  T159]  __do_softirq+0x21e/0x950
[   38.112113][  T159] 
[   38.114438][  T159] The buggy address belongs to the object at ffff8881cb301b40
[   38.114438][  T159]  which belongs to the cache skbuff_head_cache of size 224
[   38.129019][  T159] The buggy address is located 212 bytes inside of
[   38.129019][  T159]  224-byte region [ffff8881cb301b40, ffff8881cb301c20)
[   38.142286][  T159] The buggy address belongs to the page:
[   38.148174][  T159] page:ffffea00072cc040 refcount:1 mapcount:0 mapping:ffff8881da16b400 index:0x0
[   38.157263][  T159] flags: 0x200000000000200(slab)
[   38.163960][  T159] raw: 0200000000000200 dead000000000100 dead000000000122 ffff8881da16b400
[   38.172578][  T159] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[   38.181139][  T159] page dumped because: kasan: bad access detected
[   38.187555][  T159] 
[   38.189864][  T159] Memory state around the buggy address:
[   38.195581][  T159]  ffff8881cb301b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   38.203634][  T159]  ffff8881cb301b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   38.211702][  T159] >ffff8881cb301c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   38.219842][  T159]                                ^
[   38.224418][  T159]  ffff8881cb301c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   38.232471][  T159]  ffff8881cb301d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   38.240632][  T159] ==================================================================
[   38.248781][  T159] Disabling lock debugging due to kernel taint
[   38.254994][  T159] Kernel panic - not syncing: panic_on_warn set ...
[   38.261686][  T159] CPU: 1 PID: 159 Comm: kworker/1:3 Tainted: G    B             5.6.0-rc7-syzkaller #0
[   38.271330][  T159] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   38.281411][  T159] Workqueue: events request_firmware_work_func
[   38.287548][  T159] Call Trace:
[   38.290995][  T159]  dump_stack+0xef/0x16e
[   38.295222][  T159]  panic+0x2aa/0x6e1
[   38.299096][  T159]  ? add_taint.cold+0x16/0x16
[   38.303759][  T159]  ? kfree_skb+0x32/0x3d0
[   38.308088][  T159]  ? trace_hardirqs_on+0x55/0x200
[   38.313093][  T159]  ? kfree_skb+0x32/0x3d0
[   38.317425][  T159]  end_report+0x43/0x49
[   38.321589][  T159]  ? kfree_skb+0x32/0x3d0
[   38.325903][  T159]  __kasan_report.cold+0x55/0x77
[   38.330837][  T159]  ? kfree_skb+0x32/0x3d0
[   38.335146][  T159]  kasan_report+0xe/0x20
[   38.339381][  T159]  check_memory_region+0x152/0x1c0
[   38.344474][  T159]  kfree_skb+0x32/0x3d0
[   38.348620][  T159]  htc_connect_service.cold+0xa9/0x109
[   38.354069][  T159]  ath9k_wmi_connect+0xd2/0x1a0
[   38.359056][  T159]  ? ath9k_fatal_work+0x20/0x20
[   38.364191][  T159]  ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[   38.370274][  T159]  ? ath9k_wmi_event_tasklet+0x440/0x440
[   38.375900][  T159]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[   38.382312][  T159]  ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[   38.387580][  T159]  ? lockdep_init_map+0x1b0/0x5e0
[   38.392583][  T159]  ? lockdep_init_map+0x1b0/0x5e0
[   38.397586][  T159]  ? tasklet_init+0x69/0x110
[   38.402163][  T159]  ath9k_htc_probe_device+0x25a/0x1d80
[   38.407608][  T159]  ? ath9k_init_htc_services.constprop.0+0x650/0x650
[   38.414516][  T159]  ? usb_submit_urb+0x6ed/0x1460
[   38.419996][  T159]  ? usb_free_urb.part.0+0x52/0x110
[   38.425176][  T159]  ? usb_free_urb+0x1b/0x30
[   38.429661][  T159]  ath9k_htc_hw_init+0x31/0x60
[   38.434527][  T159]  ath9k_hif_usb_firmware_cb+0x26b/0x500
[   38.440538][  T159]  ? ath9k_hif_usb_resume+0x320/0x320
[   38.445933][  T159]  request_firmware_work_func+0x126/0x242
[   38.451752][  T159]  ? request_firmware_into_buf+0x90/0x90
[   38.457370][  T159]  ? rcu_read_lock_sched_held+0x9c/0xd0
[   38.462985][  T159]  ? rcu_read_lock_bh_held+0xb0/0xb0
[   38.468252][  T159]  process_one_work+0x94b/0x1620
[   38.473187][  T159]  ? pwq_dec_nr_in_flight+0x310/0x310
[   38.478551][  T159]  ? do_raw_spin_lock+0x129/0x290
[   38.483556][  T159]  worker_thread+0x96/0xe20
[   38.488054][  T159]  ? process_one_work+0x1620/0x1620
[   38.493256][  T159]  kthread+0x318/0x420
[   38.497307][  T159]  ? kthread_create_on_node+0xf0/0xf0
[   38.503023][  T159]  ret_from_fork+0x24/0x30
[   38.508157][  T159] Kernel Offset: disabled
[   38.512470][  T159] Rebooting in 86400 seconds..