[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
syzkaller login: [ 16.278725][ C1] random: crng init done
[ 16.283211][ C1] random: 7 urandom warning(s) missed due to ratelimiting
Warning: Permanently added '10.128.10.35' (ECDSA) to the list of known hosts.
executing program
[ 29.867380][ T83] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 30.396534][ T83] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 30.406422][ T83] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 30.414666][ T83] usb 1-1: Product: syz
[ 30.419012][ T83] usb 1-1: Manufacturer: syz
[ 30.425532][ T83] usb 1-1: SerialNumber: syz
[ 30.467420][ T83] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 31.036066][ T83] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
executing program
[ 31.438682][ T95] usb 1-1: USB disconnect, device number 2
[ 32.285359][ T83] usb 1-1: Service connection timeout for: 256
[ 32.291676][ T83] ==================================================================
[ 32.299970][ T83] BUG: KASAN: use-after-free in kfree_skb+0x32/0x3d0
[ 32.307005][ T83] Read of size 4 at addr ffff8881d2300494 by task kworker/1:2/83
[ 32.315216][ T83]
[ 32.317967][ T83] CPU: 1 PID: 83 Comm: kworker/1:2 Not tainted 5.7.0-rc6-syzkaller #0
[ 32.327354][ T83] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 32.337535][ T83] Workqueue: events request_firmware_work_func
[ 32.344464][ T83] Call Trace:
[ 32.347849][ T83] dump_stack+0xef/0x16e
[ 32.352100][ T83] print_address_description.constprop.0.cold+0xd3/0x415
[ 32.359642][ T83] ? vprintk_func+0x7d/0x113
[ 32.364218][ T83] ? kfree_skb+0x32/0x3d0
[ 32.369342][ T83] __kasan_report.cold+0x37/0x7d
[ 32.374870][ T83] ? kfree_skb+0x32/0x3d0
[ 32.379467][ T83] ? kfree_skb+0x32/0x3d0
[ 32.384398][ T83] kasan_report+0x33/0x50
[ 32.389930][ T83] check_memory_region+0x173/0x1d0
[ 32.395537][ T83] kfree_skb+0x32/0x3d0
[ 32.400202][ T83] htc_connect_service.cold+0xa9/0x109
[ 32.405660][ T83] ath9k_wmi_connect+0xd2/0x1a0
[ 32.410505][ T83] ? ath9k_fatal_work+0x20/0x20
[ 32.415366][ T83] ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 32.421420][ T83] ? ath9k_wmi_event_tasklet+0x440/0x440
[ 32.427158][ T83] ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 32.433561][ T83] ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 32.438825][ T83] ? lockdep_init_map_waits+0x26a/0x7c0
[ 32.444351][ T83] ? __raw_spin_lock_init+0x34/0x100
[ 32.449617][ T83] ? tasklet_init+0x69/0x110
[ 32.454191][ T83] ath9k_htc_probe_device+0x25a/0x1da0
[ 32.459662][ T83] ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 32.466335][ T83] ? usb_submit_urb+0x6ed/0x1460
[ 32.471265][ T83] ? usb_free_urb.part.0+0x52/0x110
[ 32.476442][ T83] ? usb_free_urb+0x1b/0x30
[ 32.481037][ T83] ath9k_htc_hw_init+0x31/0x60
[ 32.485859][ T83] ath9k_hif_usb_firmware_cb+0x274/0x510
[ 32.491479][ T83] ? ath9k_hif_usb_resume+0x320/0x320
[ 32.496852][ T83] request_firmware_work_func+0x126/0x242
[ 32.502557][ T83] ? request_firmware_into_buf+0x90/0x90
[ 32.508177][ T83] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 32.513911][ T83] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 32.519204][ T83] ? _raw_spin_unlock_irq+0x1f/0x30
[ 32.524389][ T83] process_one_work+0x965/0x1630
[ 32.529326][ T83] ? lock_release+0x720/0x720
[ 32.533982][ T83] ? pwq_dec_nr_in_flight+0x310/0x310
[ 32.539331][ T83] ? rwlock_bug.part.0+0x90/0x90
[ 32.544295][ T83] worker_thread+0x96/0xe20
[ 32.548777][ T83] ? process_one_work+0x1630/0x1630
[ 32.553996][ T83] kthread+0x326/0x430
[ 32.558057][ T83] ? kthread_create_on_node+0xf0/0xf0
[ 32.563422][ T83] ret_from_fork+0x24/0x30
[ 32.567868][ T83]
[ 32.570201][ T83] Allocated by task 83:
[ 32.574449][ T83] save_stack+0x1b/0x40
[ 32.578678][ T83] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 32.584401][ T83] kmem_cache_alloc_node+0xdc/0x330
[ 32.589683][ T83] __alloc_skb+0xba/0x5a0
[ 32.594061][ T83] htc_connect_service+0x2cc/0x840
[ 32.599161][ T83] ath9k_wmi_connect+0xd2/0x1a0
[ 32.603996][ T83] ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 32.610392][ T83] ath9k_htc_probe_device+0x25a/0x1da0
[ 32.616016][ T83] ath9k_htc_hw_init+0x31/0x60
[ 32.620873][ T83] ath9k_hif_usb_firmware_cb+0x274/0x510
[ 32.626493][ T83] request_firmware_work_func+0x126/0x242
[ 32.632194][ T83] process_one_work+0x965/0x1630
[ 32.637112][ T83] worker_thread+0x96/0xe20
[ 32.641677][ T83] kthread+0x326/0x430
[ 32.645764][ T83] ret_from_fork+0x24/0x30
[ 32.650174][ T83]
[ 32.652482][ T83] Freed by task 371:
[ 32.656362][ T83] save_stack+0x1b/0x40
[ 32.660653][ T83] __kasan_slab_free+0x117/0x160
[ 32.665578][ T83] kmem_cache_free+0x9b/0x360
[ 32.670497][ T83] kfree_skbmem+0xef/0x1b0
[ 32.674908][ T83] kfree_skb+0x102/0x3d0
[ 32.679334][ T83] ath9k_htc_txcompletion_cb+0x1f8/0x2b0
[ 32.684965][ T83] hif_usb_regout_cb+0x115/0x1c0
[ 32.690212][ T83] __usb_hcd_giveback_urb+0x29a/0x550
[ 32.695579][ T83] usb_hcd_giveback_urb+0x368/0x420
[ 32.700782][ T83] dummy_timer+0x125e/0x32b4
[ 32.705372][ T83] call_timer_fn+0x1ac/0x700
[ 32.709969][ T83] run_timer_softirq+0x5f9/0x1500
[ 32.714989][ T83] __do_softirq+0x21e/0x9aa
[ 32.719481][ T83]
[ 32.721816][ T83] The buggy address belongs to the object at ffff8881d23003c0
[ 32.721816][ T83] which belongs to the cache skbuff_head_cache of size 224
[ 32.737068][ T83] The buggy address is located 212 bytes inside of
[ 32.737068][ T83] 224-byte region [ffff8881d23003c0, ffff8881d23004a0)
[ 32.750349][ T83] The buggy address belongs to the page:
[ 32.755965][ T83] page:ffffea000748c000 refcount:1 mapcount:0 mapping:000000002a1c3263 index:0x0
[ 32.765050][ T83] flags: 0x200000000000200(slab)
[ 32.769982][ T83] raw: 0200000000000200 dead000000000100 dead000000000122 ffff8881da175400
[ 32.778603][ T83] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 32.787163][ T83] page dumped because: kasan: bad access detected
[ 32.793755][ T83]
[ 32.796061][ T83] Memory state around the buggy address:
[ 32.801690][ T83] ffff8881d2300380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 32.809845][ T83] ffff8881d2300400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.817892][ T83] >ffff8881d2300480: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 32.825937][ T83] ^
[ 32.830660][ T83] ffff8881d2300500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.838727][ T83] ffff8881d2300580: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 32.846775][ T83] ==================================================================
[ 32.854822][ T83] Disabling lock debugging due to kernel taint
[ 32.861028][ T83] Kernel panic - not syncing: panic_on_warn set ...
[ 32.867627][ T83] CPU: 1 PID: 83 Comm: kworker/1:2 Tainted: G B 5.7.0-rc6-syzkaller #0
[ 32.877161][ T83] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 32.887226][ T83] Workqueue: events request_firmware_work_func
[ 32.893477][ T83] Call Trace:
[ 32.896815][ T83] dump_stack+0xef/0x16e
[ 32.901044][ T83] panic+0x2aa/0x6e1
[ 32.904922][ T83] ? add_taint.cold+0x16/0x16
[ 32.909574][ T83] ? retint_kernel+0x10/0x10
[ 32.914140][ T83] ? kfree_skb+0x32/0x3d0
[ 32.918462][ T83] ? trace_hardirqs_on+0x55/0x200
[ 32.923471][ T83] ? kfree_skb+0x32/0x3d0
[ 32.927780][ T83] end_report+0x4d/0x53
[ 32.931932][ T83] __kasan_report.cold+0x72/0x7d
[ 32.936847][ T83] ? kfree_skb+0x32/0x3d0
[ 32.941170][ T83] ? kfree_skb+0x32/0x3d0
[ 32.945474][ T83] kasan_report+0x33/0x50
[ 32.949799][ T83] check_memory_region+0x173/0x1d0
[ 32.954890][ T83] kfree_skb+0x32/0x3d0
[ 32.959050][ T83] htc_connect_service.cold+0xa9/0x109
[ 32.964489][ T83] ath9k_wmi_connect+0xd2/0x1a0
[ 32.969453][ T83] ? ath9k_fatal_work+0x20/0x20
[ 32.974438][ T83] ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 32.980634][ T83] ? ath9k_wmi_event_tasklet+0x440/0x440
[ 32.986258][ T83] ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 32.992661][ T83] ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 32.998128][ T83] ? lockdep_init_map_waits+0x26a/0x7c0
[ 33.003658][ T83] ? __raw_spin_lock_init+0x34/0x100
[ 33.008919][ T83] ? tasklet_init+0x69/0x110
[ 33.013487][ T83] ath9k_htc_probe_device+0x25a/0x1da0
[ 33.018942][ T83] ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 33.025620][ T83] ? usb_submit_urb+0x6ed/0x1460
[ 33.030575][ T83] ? usb_free_urb.part.0+0x52/0x110
[ 33.035777][ T83] ? usb_free_urb+0x1b/0x30
[ 33.040320][ T83] ath9k_htc_hw_init+0x31/0x60
[ 33.045241][ T83] ath9k_hif_usb_firmware_cb+0x274/0x510
[ 33.050869][ T83] ? ath9k_hif_usb_resume+0x320/0x320
[ 33.056224][ T83] request_firmware_work_func+0x126/0x242
[ 33.061920][ T83] ? request_firmware_into_buf+0x90/0x90
[ 33.067530][ T83] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 33.073067][ T83] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 33.078344][ T83] ? _raw_spin_unlock_irq+0x1f/0x30
[ 33.083518][ T83] process_one_work+0x965/0x1630
[ 33.088450][ T83] ? lock_release+0x720/0x720
[ 33.093119][ T83] ? pwq_dec_nr_in_flight+0x310/0x310
[ 33.098508][ T83] ? rwlock_bug.part.0+0x90/0x90
[ 33.103425][ T83] worker_thread+0x96/0xe20
[ 33.108172][ T83] ? process_one_work+0x1630/0x1630
[ 33.113524][ T83] kthread+0x326/0x430
[ 33.117595][ T83] ? kthread_create_on_node+0xf0/0xf0
[ 33.122955][ T83] ret_from_fork+0x24/0x30
[ 33.128168][ T83] Kernel Offset: disabled
[ 33.132490][ T83] Rebooting in 86400 seconds..