Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Update UTMP about System Runlevel Changes.
[   13.322294][    C0] random: crng init done
[   13.326742][    C0] random: 7 urandom warning(s) missed due to ratelimiting
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.1' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   33.135886][   T95] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[   33.655668][   T95] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[   33.664861][   T95] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[   33.673259][   T95] usb 1-1: Product: syz
[   33.677613][   T95] usb 1-1: Manufacturer: syz
[   33.682190][   T95] usb 1-1: SerialNumber: syz
[   33.726590][   T95] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[   34.315227][   T95] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
executing program
[   34.717158][  T158] usb 1-1: USB disconnect, device number 2
[   35.554551][   T95] usb 1-1: Service connection timeout for: 256
[   35.560866][   T95] ==================================================================
[   35.569125][   T95] BUG: KASAN: use-after-free in kfree_skb+0x32/0x3d0
[   35.576186][   T95] Read of size 4 at addr ffff8881d8913c14 by task kworker/1:2/95
[   35.584030][   T95]
[   35.586372][   T95] CPU: 1 PID: 95 Comm: kworker/1:2 Not tainted 5.7.0-rc6-syzkaller #0
[   35.595292][   T95] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   35.605695][   T95] Workqueue: events request_firmware_work_func
[   35.611828][   T95] Call Trace:
[   35.615098][   T95]  dump_stack+0xef/0x16e
[   35.619328][   T95]  print_address_description.constprop.0.cold+0xd3/0x415
[   35.626742][   T95]  ? vprintk_func+0x7d/0x113
[   35.631510][   T95]  ? kfree_skb+0x32/0x3d0
[   35.635818][   T95]  __kasan_report.cold+0x37/0x7d
[   35.640825][   T95]  ? kfree_skb+0x32/0x3d0
[   35.645234][   T95]  ? kfree_skb+0x32/0x3d0
[   35.649551][   T95]  kasan_report+0x33/0x50
[   35.653991][   T95]  check_memory_region+0x173/0x1d0
[   35.659448][   T95]  kfree_skb+0x32/0x3d0
[   35.664042][   T95]  htc_connect_service.cold+0xa9/0x109
[   35.669725][   T95]  ath9k_wmi_connect+0xd2/0x1a0
[   35.674774][   T95]  ? ath9k_fatal_work+0x20/0x20
[   35.679792][   T95]  ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[   35.686024][   T95]  ? ath9k_wmi_event_tasklet+0x440/0x440
[   35.691859][   T95]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[   35.699137][   T95]  ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[   35.704714][   T95]  ? lockdep_init_map_waits+0x26a/0x7c0
[   35.710393][   T95]  ? __raw_spin_lock_init+0x34/0x100
[   35.715682][   T95]  ? tasklet_init+0x69/0x110
[   35.720560][   T95]  ath9k_htc_probe_device+0x25a/0x1da0
[   35.726122][   T95]  ? ath9k_init_htc_services.constprop.0+0x650/0x650
[   35.733158][   T95]  ? usb_submit_urb+0x6ed/0x1460
[   35.738085][   T95]  ? usb_free_urb.part.0+0x52/0x110
[   35.743872][   T95]  ? usb_free_urb+0x1b/0x30
[   35.748363][   T95]  ath9k_htc_hw_init+0x31/0x60
[   35.753158][   T95]  ath9k_hif_usb_firmware_cb+0x274/0x510
[   35.758836][   T95]  ? ath9k_hif_usb_resume+0x320/0x320
[   35.765039][   T95]  request_firmware_work_func+0x126/0x242
[   35.770984][   T95]  ? request_firmware_into_buf+0x90/0x90
[   35.776698][   T95]  ? rcu_read_lock_sched_held+0x9c/0xd0
[   35.782674][   T95]  ? rcu_read_lock_bh_held+0xb0/0xb0
[   35.788683][   T95]  ? _raw_spin_unlock_irq+0x1f/0x30
[   35.793903][   T95]  process_one_work+0x965/0x1630
[   35.798931][   T95]  ? lock_release+0x720/0x720
[   35.803590][   T95]  ? pwq_dec_nr_in_flight+0x310/0x310
[   35.809060][   T95]  ? rwlock_bug.part.0+0x90/0x90
[   35.814039][   T95]  worker_thread+0x96/0xe20
[   35.818539][   T95]  ? process_one_work+0x1630/0x1630
[   35.823733][   T95]  kthread+0x326/0x430
[   35.827783][   T95]  ? kthread_create_on_node+0xf0/0xf0
[   35.833148][   T95]  ret_from_fork+0x24/0x30
[   35.837624][   T95]
[   35.839944][   T95] Allocated by task 95:
[   35.844081][   T95]  save_stack+0x1b/0x40
[   35.848260][   T95]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   35.854504][   T95]  kmem_cache_alloc_node+0xdc/0x330
[   35.859705][   T95]  __alloc_skb+0xba/0x5a0
[   35.864029][   T95]  htc_connect_service+0x2cc/0x840
[   35.869213][   T95]  ath9k_wmi_connect+0xd2/0x1a0
[   35.874062][   T95]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[   35.880460][   T95]  ath9k_htc_probe_device+0x25a/0x1da0
[   35.885909][   T95]  ath9k_htc_hw_init+0x31/0x60
[   35.890671][   T95]  ath9k_hif_usb_firmware_cb+0x274/0x510
[   35.896292][   T95]  request_firmware_work_func+0x126/0x242
[   35.902175][   T95]  process_one_work+0x965/0x1630
[   35.907091][   T95]  worker_thread+0x96/0xe20
[   35.911594][   T95]  kthread+0x326/0x430
[   35.915644][   T95]  ret_from_fork+0x24/0x30
[   35.920081][   T95]
[   35.922403][   T95] Freed by task 0:
[   35.926119][   T95]  save_stack+0x1b/0x40
[   35.930431][   T95]  __kasan_slab_free+0x117/0x160
[   35.935358][   T95]  kmem_cache_free+0x9b/0x360
[   35.940025][   T95]  kfree_skbmem+0xef/0x1b0
[   35.944420][   T95]  kfree_skb+0x102/0x3d0
[   35.948656][   T95]  ath9k_htc_txcompletion_cb+0x1f8/0x2b0
[   35.954309][   T95]  hif_usb_regout_cb+0x115/0x1c0
[   35.959226][   T95]  __usb_hcd_giveback_urb+0x29a/0x550
[   35.964696][   T95]  usb_hcd_giveback_urb+0x368/0x420
[   35.969883][   T95]  dummy_timer+0x125e/0x32b4
[   35.974833][   T95]  call_timer_fn+0x1ac/0x700
[   35.979408][   T95]  run_timer_softirq+0x5f9/0x1500
[   35.984409][   T95]  __do_softirq+0x21e/0x9aa
[   35.988882][   T95]
[   35.991199][   T95] The buggy address belongs to the object at ffff8881d8913b40
[   35.991199][   T95]  which belongs to the cache skbuff_head_cache of size 224
[   36.010092][   T95] The buggy address is located 212 bytes inside of
[   36.010092][   T95]  224-byte region [ffff8881d8913b40, ffff8881d8913c20)
[   36.023349][   T95] The buggy address belongs to the page:
[   36.028983][   T95] page:ffffea00076244c0 refcount:1 mapcount:0 mapping:000000007c92793b index:0x0
[   36.038091][   T95] flags: 0x200000000000200(slab)
[   36.043013][   T95] raw: 0200000000000200 dead000000000100 dead000000000122 ffff8881da175400
[   36.051689][   T95] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[   36.060345][   T95] page dumped because: kasan: bad access detected
[   36.066841][   T95]
[   36.069151][   T95] Memory state around the buggy address:
[   36.074762][   T95]  ffff8881d8913b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   36.082905][   T95]  ffff8881d8913b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   36.091041][   T95] >ffff8881d8913c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   36.099079][   T95]                          ^
[   36.103678][   T95]  ffff8881d8913c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   36.111906][   T95]  ffff8881d8913d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   36.119940][   T95] ==================================================================
[   36.127998][   T95] Disabling lock debugging due to kernel taint
[   36.134224][   T95] Kernel panic - not syncing: panic_on_warn set ...
[   36.140820][   T95] CPU: 1 PID: 95 Comm: kworker/1:2 Tainted: G    B             5.7.0-rc6-syzkaller #0
[   36.150787][   T95] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   36.160851][   T95] Workqueue: events request_firmware_work_func
[   36.167008][   T95] Call Trace:
[   36.170425][   T95]  dump_stack+0xef/0x16e
[   36.174674][   T95]  panic+0x2aa/0x6e1
[   36.178556][   T95]  ? add_taint.cold+0x16/0x16
[   36.183221][   T95]  ? retint_kernel+0x10/0x10
[   36.187790][   T95]  ? kfree_skb+0x32/0x3d0
[   36.192095][   T95]  ? trace_hardirqs_on+0x55/0x200
[   36.197096][   T95]  ? kfree_skb+0x32/0x3d0
[   36.201410][   T95]  end_report+0x4d/0x53
[   36.205550][   T95]  __kasan_report.cold+0x72/0x7d
[   36.210476][   T95]  ? kfree_skb+0x32/0x3d0
[   36.214778][   T95]  ? kfree_skb+0x32/0x3d0
[   36.219081][   T95]  kasan_report+0x33/0x50
[   36.223426][   T95]  check_memory_region+0x173/0x1d0
[   36.228532][   T95]  kfree_skb+0x32/0x3d0
[   36.232758][   T95]  htc_connect_service.cold+0xa9/0x109
[   36.238908][   T95]  ath9k_wmi_connect+0xd2/0x1a0
[   36.243742][   T95]  ? ath9k_fatal_work+0x20/0x20
[   36.248579][   T95]  ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[   36.254634][   T95]  ? ath9k_wmi_event_tasklet+0x440/0x440
[   36.260242][   T95]  ath9k_init_htc_services.constprop.0+0xb4/0x650
[   36.266749][   T95]  ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[   36.272016][   T95]  ? lockdep_init_map_waits+0x26a/0x7c0
[   36.277537][   T95]  ? __raw_spin_lock_init+0x34/0x100
[   36.282799][   T95]  ? tasklet_init+0x69/0x110
[   36.287365][   T95]  ath9k_htc_probe_device+0x25a/0x1da0
[   36.292801][   T95]  ? ath9k_init_htc_services.constprop.0+0x650/0x650
[   36.299589][   T95]  ? usb_submit_urb+0x6ed/0x1460
[   36.304510][   T95]  ? usb_free_urb.part.0+0x52/0x110
[   36.309752][   T95]  ? usb_free_urb+0x1b/0x30
[   36.314523][   T95]  ath9k_htc_hw_init+0x31/0x60
[   36.319281][   T95]  ath9k_hif_usb_firmware_cb+0x274/0x510
[   36.325845][   T95]  ? ath9k_hif_usb_resume+0x320/0x320
[   36.331314][   T95]  request_firmware_work_func+0x126/0x242
[   36.337059][   T95]  ? request_firmware_into_buf+0x90/0x90
[   36.342845][   T95]  ? rcu_read_lock_sched_held+0x9c/0xd0
[   36.348562][   T95]  ? rcu_read_lock_bh_held+0xb0/0xb0
[   36.353939][   T95]  ? _raw_spin_unlock_irq+0x1f/0x30
[   36.359214][   T95]  process_one_work+0x965/0x1630
[   36.364130][   T95]  ? lock_release+0x720/0x720
[   36.368909][   T95]  ? pwq_dec_nr_in_flight+0x310/0x310
[   36.374359][   T95]  ? rwlock_bug.part.0+0x90/0x90
[   36.379342][   T95]  worker_thread+0x96/0xe20
[   36.384008][   T95]  ? process_one_work+0x1630/0x1630
[   36.389404][   T95]  kthread+0x326/0x430
[   36.393557][   T95]  ? kthread_create_on_node+0xf0/0xf0
[   36.398905][   T95]  ret_from_fork+0x24/0x30
[   36.403896][   T95] Kernel Offset: disabled
[   36.408210][   T95] Rebooting in 86400 seconds..
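Reading the report: the skb was allocated by task 95 in htc_connect_service (the service-connect request sent to the HTC firmware), then freed by task 0 in softirq context from the USB completion path (hif_usb_regout_cb -> ath9k_htc_txcompletion_cb -> kfree_skb) after the emulated device was unplugged mid-handshake ("usb 1-1: USB disconnect, device number 2"). No reply ever arrived, the wait expired ("Service connection timeout for: 256"), and htc_connect_service.cold, the out-of-line error path of the same function, called kfree_skb on the same skb a second time. The 4-byte read 212 bytes into the 224-byte skbuff_head_cache object is consistent with kfree_skb reading skb->users before anything else. What follows is an added userspace model of that ownership bug, not ath9k code and not part of the original report: the skb pool, the device, the KASAN-style quarantine checker and both connect routines are constructed here. The "fixed" variant assumes the rule the two stacks imply (once a submit succeeds, the send path owns the buffer and will free it on completion, so the caller may free only when the submit itself fails). That matches the upstream fix for this report as recalled here, but verify it against the ath9k git history rather than this model.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Toy slab of sk_buff heads (constructed for this example). A freed object
 * is poisoned and parked in quarantine, as KASAN does, so a later access to
 * it is reported instead of silently corrupting the heap. */
enum obj_state { OBJ_FREE = 0, OBJ_LIVE, OBJ_QUARANTINE };

struct skb {
    enum obj_state state;
    unsigned int users;            /* refcount; the field kfree_skb reads first */
    unsigned char payload[32];
};

#define POOL_SIZE 8
static struct skb pool[POOL_SIZE];
static int uaf_reports;            /* bad accesses the checker caught */
static const char *last_report;    /* which caller made the bad access */

static struct skb *alloc_skb_model(void)
{
    for (int i = 0; i < POOL_SIZE; i++) {
        if (pool[i].state == OBJ_FREE) {
            pool[i].state = OBJ_LIVE;
            pool[i].users = 1;
            return &pool[i];
        }
    }
    return NULL;
}

static int live_objects(void)
{
    int n = 0;
    for (int i = 0; i < POOL_SIZE; i++)
        n += (pool[i].state == OBJ_LIVE);
    return n;
}

/* Model of kfree_skb(): its first access is a read of skb->users, which is
 * the 4-byte read the report flags. On a quarantined object that is a UAF. */
static void kfree_skb_model(struct skb *skb, const char *who)
{
    if (skb->state != OBJ_LIVE) {
        uaf_reports++;                 /* KASAN: use-after-free in kfree_skb */
        last_report = who;
        return;                        /* with panic_on_warn the kernel panics here */
    }
    if (--skb->users == 0) {
        memset(skb->payload, 0xfb, sizeof skb->payload);  /* freed-object poison */
        skb->state = OBJ_QUARANTINE;
    }
}

/* Toy HIF: a successful submit hands the skb to the completion callback,
 * which frees it whether the transfer succeeded or failed (the freed-by
 * stack: hif_usb_regout_cb -> ath9k_htc_txcompletion_cb -> kfree_skb).
 * A failed submit leaves the skb with the caller. */
struct device_model {
    bool disconnected;   /* models "usb 1-1: USB disconnect" mid-handshake */
    bool submit_fails;   /* models the send failing before the URB is queued */
    bool replied;        /* set when the firmware answered the connect request */
};

static int htc_send_model(struct device_model *dev, struct skb *skb)
{
    if (dev->submit_fails)
        return -5;                                /* -EIO: caller still owns skb */
    kfree_skb_model(skb, "txcompletion_cb");     /* completion consumes skb */
    dev->replied = !dev->disconnected;            /* no reply once the device is gone */
    return 0;
}

/* Buggy pattern: the timeout branch jumps to the same cleanup label as the
 * pre-submit failure, freeing an skb the completion path already freed. */
static int connect_service_buggy(struct device_model *dev)
{
    struct skb *skb = alloc_skb_model();
    int ret;
    if (!skb)
        return -12;                               /* -ENOMEM */
    ret = htc_send_model(dev, skb);
    if (ret)
        goto err;
    if (!dev->replied) {
        ret = -110;                               /* -ETIMEDOUT */
        goto err;                                 /* BUG: skb is no longer ours */
    }
    return 0;
err:
    kfree_skb_model(skb, "htc_connect_service");
    return ret;
}

/* Fixed pattern: ownership moves to the send path on a successful submit, so
 * only the pre-submit failure may free, and the timeout just returns. */
static int connect_service_fixed(struct device_model *dev)
{
    struct skb *skb = alloc_skb_model();
    int ret;
    if (!skb)
        return -12;
    ret = htc_send_model(dev, skb);
    if (ret) {
        kfree_skb_model(skb, "htc_connect_service");  /* never submitted: still ours */
        return ret;
    }
    if (!dev->replied)
        return -110;                              /* consumed by completion; do not free */
    return 0;
}

/* Run one scenario from a clean pool; returns how many UAFs were caught. */
static int run(int (*connect)(struct device_model *), bool disconnected, bool submit_fails)
{
    struct device_model dev = { .disconnected = disconnected, .submit_fails = submit_fails };
    memset(pool, 0, sizeof pool);
    uaf_reports = 0;
    last_report = NULL;
    connect(&dev);
    return uaf_reports;
}

int main(void)
{
    int n = run(connect_service_buggy, true, false);
    printf("buggy, device unplugged mid-handshake: %d UAF caught in %s\n", n, last_report);
    n = run(connect_service_fixed, true, false);
    printf("fixed, device unplugged mid-handshake: %d UAF, %d leaked\n", n, live_objects());
    return 0;
}
```

The model separates the two failure shapes the real function has to tell apart: a submit that never queued the URB (the caller still holds the buffer and must free it) and a submit that succeeded but whose completion arrived with an error status after the device vanished (the completion callback already freed the buffer, and the caller's timeout must not). Collapsing both onto one `err:` label is the shape of the bug; the check `live_objects()` in the fixed scenarios also confirms that dropping the free on timeout does not trade the double free for a leak.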