[  OK  ] Started Load/Save RF Kill Switch Status.
[  OK  ] Reached target Multi-User System.
[  OK  ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.211' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 94.608798][ T37] audit: type=1400 audit(1622528155.603:8): avc: denied { execmem } for pid=8411 comm="syz-executor060" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 94.886842][ T7] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 95.407010][ T7] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 95.416834][ T7] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 95.424972][ T7] usb 1-1: Product: syz
[ 95.431779][ T7] usb 1-1: Manufacturer: syz
[ 95.436416][ T7] usb 1-1: SerialNumber: syz
[ 95.495120][ T7] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 96.117008][ T7] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[ 96.526823][ C0] ==================================================================
[ 96.535061][ C0] BUG: KASAN: slab-out-of-bounds in ath9k_hif_usb_rx_cb+0x3d3/0x1050
[ 96.543285][ C0] Read of size 49146 at addr ffff88803c2f0000 by task swapper/0/0
[ 96.551113][ C0]
[ 96.553435][ C0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.13.0-rc4-syzkaller #0
[ 96.561423][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 96.571490][ C0] Call Trace:
[ 96.575121][ C0]
[ 96.577963][ C0] dump_stack+0x141/0x1d7
[ 96.582310][ C0] ? ath9k_hif_usb_rx_cb+0x3d3/0x1050
[ 96.587806][ C0] print_address_description.constprop.0.cold+0x5b/0x2c6
[ 96.594829][ C0] ? ath9k_hif_usb_rx_cb+0x3d3/0x1050
[ 96.600250][ C0] ? ath9k_hif_usb_rx_cb+0x3d3/0x1050
[ 96.605640][ C0] kasan_report.cold+0x7c/0xd8
[ 96.610402][ C0] ? rwlock_bug.part.0+0x60/0x90
[ 96.615353][ C0] ? ath9k_hif_usb_rx_cb+0x3d3/0x1050
[ 96.620736][ C0] kasan_check_range+0x13d/0x180
[ 96.625675][ C0] memcpy+0x20/0x60
[ 96.629475][ C0] ath9k_hif_usb_rx_cb+0x3d3/0x1050
[ 96.634669][ C0] ? hif_usb_start+0xa0/0xa0
[ 96.639252][ C0] ? __usb_hcd_giveback_urb+0x413/0x5c0
[ 96.644796][ C0] ? lock_downgrade+0x6e0/0x6e0
[ 96.649650][ C0] __usb_hcd_giveback_urb+0x2b0/0x5c0
[ 96.655037][ C0] usb_hcd_giveback_urb+0x367/0x410
[ 96.660239][ C0] dummy_timer+0x11f4/0x32a0
[ 96.664872][ C0] ? dummy_dequeue+0x500/0x500
[ 96.669629][ C0] ? dummy_dequeue+0x500/0x500
[ 96.674389][ C0] call_timer_fn+0x1a5/0x6b0
[ 96.678988][ C0] ? add_timer_on+0x4a0/0x4a0
[ 96.683675][ C0] ? lock_downgrade+0x6e0/0x6e0
[ 96.688867][ C0] ? _find_next_bit+0x1e3/0x260
[ 96.693712][ C0] ? _raw_spin_unlock_irq+0x1f/0x40
[ 96.698907][ C0] ? dummy_dequeue+0x500/0x500
[ 96.703720][ C0] __run_timers.part.0+0x67c/0xa50
[ 96.708834][ C0] ? call_timer_fn+0x6b0/0x6b0
[ 96.713612][ C0] ? lapic_next_event+0x4d/0x80
[ 96.718463][ C0] ? kvm_sched_clock_read+0x14/0x40
[ 96.723664][ C0] ? sched_clock_cpu+0x18/0x1f0
[ 96.728523][ C0] run_timer_softirq+0xb3/0x1d0
[ 96.733369][ C0] __do_softirq+0x29b/0x9f6
[ 96.737887][ C0] __irq_exit_rcu+0x136/0x200
[ 96.742555][ C0] irq_exit_rcu+0x5/0x20
[ 96.746810][ C0] sysvec_apic_timer_interrupt+0x93/0xc0
[ 96.752440][ C0]
[ 96.755373][ C0] asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 96.761468][ C0] RIP: 0010:acpi_idle_do_entry+0x1c9/0x250
[ 96.767322][ C0] Code: 4d c4 5a f8 84 db 75 ac e8 34 bc 5a f8 e8 af cc 60 f8 e9 0c 00 00 00 e8 25 bc 5a f8 0f 00 2d 5e 9c b4 00 e8 19 bc 5a f8 fb f4 <9c> 5b 81 e3 00 02 00 00 fa 31 ff 48 89 de e8 c4 c2 5a f8 48 85 db
[ 96.787035][ C0] RSP: 0018:ffffffff8bc07d60 EFLAGS: 00000293
[ 96.793120][ C0] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 96.801085][ C0] RDX: ffffffff8bcbc540 RSI: ffffffff89195547 RDI: 0000000000000000
[ 96.809116][ C0] RBP: ffff888019a46064 R08: 0000000000000001 R09: 0000000000000001
[ 96.817129][ C0] R10: ffffffff817a2218 R11: 0000000000000000 R12: 0000000000000001
[ 96.825099][ C0] R13: ffff888019a46000 R14: ffff888019a46064 R15: ffff888145a40804
[ 96.833085][ C0] ? trace_hardirqs_on+0x38/0x1c0
[ 96.838133][ C0] ? acpi_idle_do_entry+0x1c7/0x250
[ 96.843330][ C0] acpi_idle_enter+0x361/0x500
[ 96.848338][ C0] cpuidle_enter_state+0x1b1/0xc80
[ 96.853754][ C0] cpuidle_enter+0x4a/0xa0
[ 96.858175][ C0] do_idle+0x3e8/0x590
[ 96.862246][ C0] ? arch_cpu_idle_exit+0x30/0x30
[ 96.867270][ C0] ? trace_init_perf_perm_irq_work_exit+0xe/0xe
[ 96.873529][ C0] cpu_startup_entry+0x14/0x20
[ 96.878327][ C0] start_kernel+0x475/0x496
[ 96.882836][ C0] secondary_startup_64_no_verify+0xb0/0xbb
[ 96.888728][ C0]
[ 96.891280][ C0] Allocated by task 7:
[ 96.895357][ C0] kasan_save_stack+0x1b/0x40
[ 96.900044][ C0] __kasan_kmalloc+0x98/0xc0
[ 96.904640][ C0] __alloc_skb+0xde/0x340
[ 96.908960][ C0] ath9k_hif_usb_alloc_urbs+0x665/0x1040
[ 96.914604][ C0] ath9k_hif_usb_firmware_cb+0x148/0x530
[ 96.920235][ C0] request_firmware_work_func+0x12c/0x230
[ 96.925968][ C0] process_one_work+0x98d/0x1600
[ 96.930900][ C0] worker_thread+0x64c/0x1120
[ 96.935683][ C0] kthread+0x3b1/0x4a0
[ 96.939757][ C0] ret_from_fork+0x1f/0x30
[ 96.944295][ C0]
[ 96.946631][ C0] The buggy address belongs to the object at ffff88803c2f0000
[ 96.946631][ C0] which belongs to the cache kmalloc-32k of size 32768
[ 96.961048][ C0] The buggy address is located 0 bytes inside of
[ 96.961048][ C0] 32768-byte region [ffff88803c2f0000, ffff88803c2f8000)
[ 96.974336][ C0] The buggy address belongs to the page:
[ 96.979977][ C0] page:ffffea0000f0bc00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x3c2f0
[ 96.990487][ C0] head:ffffea0000f0bc00 order:4 compound_mapcount:0 compound_pincount:0
[ 96.998827][ C0] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 97.006817][ C0] raw: 00fff00000010200 ffffea0000f0b808 ffffea0000e21808 ffff888011040c00
[ 97.015403][ C0] raw: 0000000000000000 ffff88803c2f0000 0000000100000001 0000000000000000
[ 97.024516][ C0] page dumped because: kasan: bad access detected
[ 97.030915][ C0] page_owner tracks the page as allocated
[ 97.036630][ C0] page last allocated via order 4, migratetype Unmovable, gfp_mask 0x2c20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_THISNODE), pid 7, ts 96131291030, free_ts 94738197457
[ 97.055844][ C0] get_page_from_freelist+0x1033/0x2b60
[ 97.061431][ C0] __alloc_pages+0x1b2/0x500
[ 97.066171][ C0] cache_grow_begin+0x75/0x460
[ 97.070951][ C0] cache_alloc_refill+0x27f/0x380
[ 97.075968][ C0] kmem_cache_alloc_node_trace+0x4da/0x5b0
[ 97.081894][ C0] __kmalloc_node_track_caller+0x38/0x60
[ 97.087527][ C0] __alloc_skb+0xde/0x340
[ 97.091957][ C0] ath9k_hif_usb_alloc_urbs+0x665/0x1040
[ 97.097844][ C0] ath9k_hif_usb_firmware_cb+0x148/0x530
[ 97.103475][ C0] request_firmware_work_func+0x12c/0x230
[ 97.109832][ C0] process_one_work+0x98d/0x1600
[ 97.114765][ C0] worker_thread+0x64c/0x1120
[ 97.119522][ C0] kthread+0x3b1/0x4a0
[ 97.125466][ C0] ret_from_fork+0x1f/0x30
[ 97.130060][ C0] page last free stack trace:
[ 97.134717][ C0] __free_pages_ok+0x476/0xce0
[ 97.139471][ C0] slabs_destroy+0x89/0xc0
[ 97.143881][ C0] ___cache_free+0x58b/0x7a0
[ 97.148469][ C0] qlist_free_all+0x4e/0x110
[ 97.153054][ C0] kasan_quarantine_reduce+0x180/0x200
[ 97.158507][ C0] __kasan_slab_alloc+0x8b/0xa0
[ 97.163376][ C0] kmem_cache_alloc_trace+0x26c/0x480
[ 97.168841][ C0] usb_control_msg+0xb9/0x4a0
[ 97.173513][ C0] hub_ext_port_status+0x112/0x450
[ 97.178646][ C0] hub_event+0x66a/0x4330
[ 97.183058][ C0] process_one_work+0x98d/0x1600
[ 97.188003][ C0] worker_thread+0x64c/0x1120
[ 97.192685][ C0] kthread+0x3b1/0x4a0
[ 97.196742][ C0] ret_from_fork+0x1f/0x30
[ 97.201164][ C0]
[ 97.203484][ C0] Memory state around the buggy address:
[ 97.209114][ C0] ffff88803c2f7f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 97.217353][ C0] ffff88803c2f7f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 97.225412][ C0] >ffff88803c2f8000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 97.233477][ C0] ^
[ 97.237551][ C0] ffff88803c2f8080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 97.245600][ C0] ffff88803c2f8100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 97.253771][ C0] ==================================================================
[ 97.261988][ C0] Disabling lock debugging due to kernel taint
[ 97.268171][ C0] Kernel panic - not syncing: panic_on_warn set ...
[ 97.274785][ C0] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G B 5.13.0-rc4-syzkaller #0
[ 97.284313][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 97.294360][ C0] Call Trace:
[ 97.297642][ C0]
[ 97.300483][ C0] dump_stack+0x141/0x1d7
[ 97.304800][ C0] panic+0x306/0x73d
[ 97.308691][ C0] ? __warn_printk+0xf3/0xf3
[ 97.313278][ C0] ? ath9k_hif_usb_rx_cb+0x3d3/0x1050
[ 97.318649][ C0] ? ath9k_hif_usb_rx_cb+0x3d3/0x1050
[ 97.324136][ C0] end_report.cold+0x5a/0x5a
[ 97.328721][ C0] kasan_report.cold+0x6a/0xd8
[ 97.333470][ C0] ? rwlock_bug.part.0+0x60/0x90
[ 97.338428][ C0] ? ath9k_hif_usb_rx_cb+0x3d3/0x1050
[ 97.343792][ C0] kasan_check_range+0x13d/0x180
[ 97.348744][ C0] memcpy+0x20/0x60
[ 97.352624][ C0] ath9k_hif_usb_rx_cb+0x3d3/0x1050
[ 97.357823][ C0] ? hif_usb_start+0xa0/0xa0
[ 97.362397][ C0] ? __usb_hcd_giveback_urb+0x413/0x5c0
[ 97.367949][ C0] ? lock_downgrade+0x6e0/0x6e0
[ 97.372787][ C0] __usb_hcd_giveback_urb+0x2b0/0x5c0
[ 97.378184][ C0] usb_hcd_giveback_urb+0x367/0x410
[ 97.383382][ C0] dummy_timer+0x11f4/0x32a0
[ 97.387961][ C0] ? dummy_dequeue+0x500/0x500
[ 97.392710][ C0] ? dummy_dequeue+0x500/0x500
[ 97.397459][ C0] call_timer_fn+0x1a5/0x6b0
[ 97.402043][ C0] ? add_timer_on+0x4a0/0x4a0
[ 97.406909][ C0] ? lock_downgrade+0x6e0/0x6e0
[ 97.411866][ C0] ? _find_next_bit+0x1e3/0x260
[ 97.416802][ C0] ? _raw_spin_unlock_irq+0x1f/0x40
[ 97.421991][ C0] ? dummy_dequeue+0x500/0x500
[ 97.426854][ C0] __run_timers.part.0+0x67c/0xa50
[ 97.431965][ C0] ? call_timer_fn+0x6b0/0x6b0
[ 97.436743][ C0] ? lapic_next_event+0x4d/0x80
[ 97.441581][ C0] ? kvm_sched_clock_read+0x14/0x40
[ 97.446789][ C0] ? sched_clock_cpu+0x18/0x1f0
[ 97.451648][ C0] run_timer_softirq+0xb3/0x1d0
[ 97.456490][ C0] __do_softirq+0x29b/0x9f6
[ 97.462084][ C0] __irq_exit_rcu+0x136/0x200
[ 97.466762][ C0] irq_exit_rcu+0x5/0x20
[ 97.470998][ C0] sysvec_apic_timer_interrupt+0x93/0xc0
[ 97.476789][ C0]
[ 97.479804][ C0] asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 97.485774][ C0] RIP: 0010:acpi_idle_do_entry+0x1c9/0x250
[ 97.491581][ C0] Code: 4d c4 5a f8 84 db 75 ac e8 34 bc 5a f8 e8 af cc 60 f8 e9 0c 00 00 00 e8 25 bc 5a f8 0f 00 2d 5e 9c b4 00 e8 19 bc 5a f8 fb f4 <9c> 5b 81 e3 00 02 00 00 fa 31 ff 48 89 de e8 c4 c2 5a f8 48 85 db
[ 97.511186][ C0] RSP: 0018:ffffffff8bc07d60 EFLAGS: 00000293
[ 97.517257][ C0] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 97.525223][ C0] RDX: ffffffff8bcbc540 RSI: ffffffff89195547 RDI: 0000000000000000
[ 97.533215][ C0] RBP: ffff888019a46064 R08: 0000000000000001 R09: 0000000000000001
[ 97.541318][ C0] R10: ffffffff817a2218 R11: 0000000000000000 R12: 0000000000000001
[ 97.549279][ C0] R13: ffff888019a46000 R14: ffff888019a46064 R15: ffff888145a40804
[ 97.557255][ C0] ? trace_hardirqs_on+0x38/0x1c0
[ 97.562530][ C0] ? acpi_idle_do_entry+0x1c7/0x250
[ 97.567715][ C0] acpi_idle_enter+0x361/0x500
[ 97.572464][ C0] cpuidle_enter_state+0x1b1/0xc80
[ 97.577563][ C0] cpuidle_enter+0x4a/0xa0
[ 97.582040][ C0] do_idle+0x3e8/0x590
[ 97.586095][ C0] ? arch_cpu_idle_exit+0x30/0x30
[ 97.591146][ C0] ? trace_init_perf_perm_irq_work_exit+0xe/0xe
[ 97.597393][ C0] cpu_startup_entry+0x14/0x20
[ 97.602154][ C0] start_kernel+0x475/0x496
[ 97.606664][ C0] secondary_startup_64_no_verify+0xb0/0xbb
[ 97.613309][ C0] Kernel Offset: disabled
[ 97.617656][ C0] Rebooting in 86400 seconds..