[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.

Debian GNU/Linux 9 syzkaller ttyS0

syzkaller login: [ 16.005231][ C1] random: crng init done
[ 16.011987][ C1] random: 7 urandom warning(s) missed due to ratelimiting
Warning: Permanently added '10.128.0.34' (ECDSA) to the list of known hosts.
executing program
[ 34.182779][ T5] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 34.702516][ T5] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 34.712060][ T5] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 34.720718][ T5] usb 1-1: Product: syz
[ 34.725158][ T5] usb 1-1: Manufacturer: syz
[ 34.730220][ T5] usb 1-1: SerialNumber: syz
[ 34.773573][ T5] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 35.382087][ T5] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
executing program
[ 35.784012][ T156] usb 1-1: USB disconnect, device number 2
[ 36.631337][ T5] usb 1-1: Service connection timeout for: 256
[ 36.639123][ T5] ==================================================================
[ 36.648188][ T5] BUG: KASAN: use-after-free in kfree_skb+0x32/0x3d0
[ 36.654864][ T5] Read of size 4 at addr ffff8881c7d0e214 by task kworker/0:0/5
[ 36.670298][ T5]
[ 36.672634][ T5] CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.7.0-rc6-syzkaller #0
[ 36.680991][ T5] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 36.691237][ T5] Workqueue: events request_firmware_work_func
[ 36.697475][ T5] Call Trace:
[ 36.700836][ T5] dump_stack+0xef/0x16e
[ 36.705596][ T5] print_address_description.constprop.0.cold+0xd3/0x415
[ 36.714155][ T5] ? vprintk_func+0x7d/0x113
[ 36.719917][ T5] ? kfree_skb+0x32/0x3d0
[ 36.724523][ T5] __kasan_report.cold+0x37/0x7d
[ 36.729513][ T5] ? kfree_skb+0x32/0x3d0
[ 36.733835][ T5] ? kfree_skb+0x32/0x3d0
[ 36.738208][ T5] kasan_report+0x33/0x50
[ 36.742847][ T5] check_memory_region+0x173/0x1d0
[ 36.747946][ T5] kfree_skb+0x32/0x3d0
[ 36.752115][ T5] htc_connect_service.cold+0xa9/0x109
[ 36.757699][ T5] ath9k_wmi_connect+0xd2/0x1a0
[ 36.762640][ T5] ? ath9k_fatal_work+0x20/0x20
[ 36.767518][ T5] ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 36.774187][ T5] ? ath9k_wmi_event_tasklet+0x440/0x440
[ 36.780318][ T5] ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 36.786738][ T5] ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 36.792020][ T5] ? lockdep_init_map_waits+0x26a/0x7c0
[ 36.797745][ T5] ? __raw_spin_lock_init+0x34/0x100
[ 36.803019][ T5] ? tasklet_init+0x69/0x110
[ 36.808019][ T5] ath9k_htc_probe_device+0x25a/0x1da0
[ 36.813746][ T5] ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 36.820441][ T5] ? usb_submit_urb+0x6ed/0x1460
[ 36.825497][ T5] ? usb_free_urb.part.0+0x52/0x110
[ 36.830920][ T5] ? usb_free_urb+0x1b/0x30
[ 36.835661][ T5] ath9k_htc_hw_init+0x31/0x60
[ 36.840430][ T5] ath9k_hif_usb_firmware_cb+0x274/0x510
[ 36.846160][ T5] ? ath9k_hif_usb_resume+0x320/0x320
[ 36.851527][ T5] request_firmware_work_func+0x126/0x242
[ 36.857266][ T5] ? request_firmware_into_buf+0x90/0x90
[ 36.863141][ T5] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 36.868695][ T5] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 36.874282][ T5] ? _raw_spin_unlock_irq+0x1f/0x30
[ 36.879742][ T5] process_one_work+0x965/0x1630
[ 36.884762][ T5] ? lock_release+0x720/0x720
[ 36.889438][ T5] ? pwq_dec_nr_in_flight+0x310/0x310
[ 36.895273][ T5] ? rwlock_bug.part.0+0x90/0x90
[ 36.900219][ T5] worker_thread+0x96/0xe20
[ 36.904745][ T5] ? process_one_work+0x1630/0x1630
[ 36.909964][ T5] kthread+0x326/0x430
[ 36.914185][ T5] ? kthread_create_on_node+0xf0/0xf0
[ 36.919661][ T5] ret_from_fork+0x24/0x30
[ 36.924060][ T5]
[ 36.926391][ T5] Allocated by task 5:
[ 36.930547][ T5] save_stack+0x1b/0x40
[ 36.934705][ T5] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 36.940542][ T5] kmem_cache_alloc_node+0xdc/0x330
[ 36.945744][ T5] __alloc_skb+0xba/0x5a0
[ 36.950063][ T5] htc_connect_service+0x2cc/0x840
[ 36.956365][ T5] ath9k_wmi_connect+0xd2/0x1a0
[ 36.961284][ T5] ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 36.968593][ T5] ath9k_htc_probe_device+0x25a/0x1da0
[ 36.974061][ T5] ath9k_htc_hw_init+0x31/0x60
[ 36.978823][ T5] ath9k_hif_usb_firmware_cb+0x274/0x510
[ 36.984672][ T5] request_firmware_work_func+0x126/0x242
[ 36.990586][ T5] process_one_work+0x965/0x1630
[ 36.995546][ T5] worker_thread+0x96/0xe20
[ 37.000054][ T5] kthread+0x326/0x430
[ 37.004135][ T5] ret_from_fork+0x24/0x30
[ 37.008539][ T5]
[ 37.010876][ T5] Freed by task 156:
[ 37.014939][ T5] save_stack+0x1b/0x40
[ 37.019109][ T5] __kasan_slab_free+0x117/0x160
[ 37.024056][ T5] kmem_cache_free+0x9b/0x360
[ 37.028717][ T5] kfree_skbmem+0xef/0x1b0
[ 37.033243][ T5] kfree_skb+0x102/0x3d0
[ 37.038460][ T5] ath9k_htc_txcompletion_cb+0x1f8/0x2b0
[ 37.044090][ T5] hif_usb_regout_cb+0x115/0x1c0
[ 37.049221][ T5] __usb_hcd_giveback_urb+0x29a/0x550
[ 37.054869][ T5] usb_hcd_giveback_urb+0x368/0x420
[ 37.060460][ T5] dummy_timer+0x125e/0x32b4
[ 37.065281][ T5] call_timer_fn+0x1ac/0x700
[ 37.070595][ T5] run_timer_softirq+0x5f9/0x1500
[ 37.075743][ T5] __do_softirq+0x21e/0x9aa
[ 37.080228][ T5]
[ 37.082563][ T5] The buggy address belongs to the object at ffff8881c7d0e140
[ 37.082563][ T5] which belongs to the cache skbuff_head_cache of size 224
[ 37.097127][ T5] The buggy address is located 212 bytes inside of
[ 37.097127][ T5] 224-byte region [ffff8881c7d0e140, ffff8881c7d0e220)
[ 37.110671][ T5] The buggy address belongs to the page:
[ 37.116306][ T5] page:ffffea00071f4380 refcount:1 mapcount:0 mapping:0000000003c09a21 index:0x0
[ 37.125567][ T5] flags: 0x200000000000200(slab)
[ 37.130502][ T5] raw: 0200000000000200 dead000000000100 dead000000000122 ffff8881da175400
[ 37.140409][ T5] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 37.148981][ T5] page dumped because: kasan: bad access detected
[ 37.155424][ T5]
[ 37.157745][ T5] Memory state around the buggy address:
[ 37.163359][ T5] ffff8881c7d0e100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 37.172113][ T5] ffff8881c7d0e180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.180156][ T5] >ffff8881c7d0e200: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 37.188198][ T5]                          ^
[ 37.192862][ T5] ffff8881c7d0e280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.201113][ T5] ffff8881c7d0e300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 37.209706][ T5] ==================================================================
[ 37.217785][ T5] Disabling lock debugging due to kernel taint
[ 37.224127][ T5] Kernel panic - not syncing: panic_on_warn set ...
[ 37.230723][ T5] CPU: 0 PID: 5 Comm: kworker/0:0 Tainted: G B 5.7.0-rc6-syzkaller #0
[ 37.240174][ T5] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 37.250254][ T5] Workqueue: events request_firmware_work_func
[ 37.256424][ T5] Call Trace:
[ 37.259699][ T5] dump_stack+0xef/0x16e
[ 37.263921][ T5] panic+0x2aa/0x6e1
[ 37.267809][ T5] ? add_taint.cold+0x16/0x16
[ 37.272463][ T5] ? retint_kernel+0x10/0x10
[ 37.277058][ T5] ? kfree_skb+0x32/0x3d0
[ 37.281393][ T5] ? trace_hardirqs_on+0x55/0x200
[ 37.286527][ T5] ? kfree_skb+0x32/0x3d0
[ 37.290863][ T5] end_report+0x4d/0x53
[ 37.295011][ T5] __kasan_report.cold+0x72/0x7d
[ 37.299936][ T5] ? kfree_skb+0x32/0x3d0
[ 37.304274][ T5] ? kfree_skb+0x32/0x3d0
[ 37.308957][ T5] kasan_report+0x33/0x50
[ 37.313288][ T5] check_memory_region+0x173/0x1d0
[ 37.318537][ T5] kfree_skb+0x32/0x3d0
[ 37.322690][ T5] htc_connect_service.cold+0xa9/0x109
[ 37.328129][ T5] ath9k_wmi_connect+0xd2/0x1a0
[ 37.333001][ T5] ? ath9k_fatal_work+0x20/0x20
[ 37.337832][ T5] ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 37.343897][ T5] ? ath9k_wmi_event_tasklet+0x440/0x440
[ 37.349513][ T5] ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 37.355909][ T5] ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 37.361196][ T5] ? lockdep_init_map_waits+0x26a/0x7c0
[ 37.366738][ T5] ? __raw_spin_lock_init+0x34/0x100
[ 37.372004][ T5] ? tasklet_init+0x69/0x110
[ 37.376747][ T5] ath9k_htc_probe_device+0x25a/0x1da0
[ 37.382188][ T5] ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 37.388842][ T5] ? usb_submit_urb+0x6ed/0x1460
[ 37.393776][ T5] ? usb_free_urb.part.0+0x52/0x110
[ 37.398959][ T5] ? usb_free_urb+0x1b/0x30
[ 37.403464][ T5] ath9k_htc_hw_init+0x31/0x60
[ 37.408226][ T5] ath9k_hif_usb_firmware_cb+0x274/0x510
[ 37.413860][ T5] ? ath9k_hif_usb_resume+0x320/0x320
[ 37.419228][ T5] request_firmware_work_func+0x126/0x242
[ 37.424944][ T5] ? request_firmware_into_buf+0x90/0x90
[ 37.430562][ T5] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 37.436103][ T5] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 37.441374][ T5] ? _raw_spin_unlock_irq+0x1f/0x30
[ 37.446552][ T5] process_one_work+0x965/0x1630
[ 37.451474][ T5] ? lock_release+0x720/0x720
[ 37.456152][ T5] ? pwq_dec_nr_in_flight+0x310/0x310
[ 37.461504][ T5] ? rwlock_bug.part.0+0x90/0x90
[ 37.466698][ T5] worker_thread+0x96/0xe20
[ 37.471310][ T5] ? process_one_work+0x1630/0x1630
[ 37.476507][ T5] kthread+0x326/0x430
[ 37.480576][ T5] ? kthread_create_on_node+0xf0/0xf0
[ 37.485945][ T5] ret_from_fork+0x24/0x30
[ 37.491063][ T5] Kernel Offset: disabled
[ 37.495505][ T5] Rebooting in 86400 seconds..
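The console report above is the raw input a triage pass has to work from. As an added example (not part of the syzkaller output, and not ath9k or kernel code), the Python script below pulls out of a KASAN use-after-free report what a reviewer wants before opening the driver source: the faulting access and the first frame outside KASAN/allocator plumbing that issued it, the allocation and free stacks with that plumbing skipped, the object and offset arithmetic cross-checked against the report's own "located N bytes inside" line, and whether the free happened in a different task or context. The embedded sample is a trimmed excerpt of the report above; the INFRA skip list, the canonical-name rule for gcc clone suffixes (.cold, .constprop.N, .part.N, .isra.N) and the output field names are my own choices.

```python
"""KASAN report triage: who touched the object, who allocated and freed it, and from
which context.  Added example for the report above, not syzkaller or ath9k code."""
import re

PREFIX_RE = re.compile(r"^\[\s*[\d.]+\]\[\s*[CT]\d+\]\s?")         # "[ 36.75][ T5] "
FRAME_RE = re.compile(r"^(\?\s+)?(\S+)\+0x[0-9a-f]+/0x[0-9a-f]+$")  # "? " = unreliable
SUFFIX_RE = re.compile(r"\.(?:cold|constprop|part|isra)(?:\.\w+)*$")  # gcc clone suffixes
# KASAN, allocator and skb plumbing: the first frame after these is the real owner
INFRA = ("save_stack", "kasan_", "__kasan_", "check_memory_region", "dump_stack",
         "print_address_description", "kmem_cache_", "__alloc_skb", "kfree_skb")


def canonical(sym):  # 'htc_connect_service.cold' -> 'htc_connect_service'
    return SUFFIX_RE.sub("", sym)


def owner(stack):  # first frame that is not allocator/KASAN plumbing, or None
    return next((f for f in stack if not f.startswith(INFRA)), None)


def parse_kasan_report(text):
    """Key facts of the first report in `text`; stacks hold canonical symbol names."""
    rep = {"call_trace": [], "alloc_stack": [], "free_stack": [], "reported_offset": -1}
    section = None
    for raw in text.splitlines():
        line = PREFIX_RE.sub("", raw).strip()
        if section is not None:                  # inside a stack listing
            fm = FRAME_RE.match(line)
            if fm:
                if not fm.group(1):              # keep reliable frames only
                    section.append(canonical(fm.group(2)))
                continue
            section = None                       # blank or other line ends the stack
        if m := re.match(r"BUG: KASAN: (\S+) in (\S+)\+0x", line):
            rep["bug_type"], rep["fault_site"] = m[1], canonical(m[2])
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task \S+/(\d+)$", line):
            rep.update(access_kind=m[1], access_size=int(m[2]),
                       access_addr=int(m[3], 16), access_pid=int(m[4]))
        elif line == "Call Trace:" and not rep["call_trace"]:  # the panic repeats it; keep the first
            section = rep["call_trace"]
        elif m := re.match(r"Allocated by task (\d+):", line):
            rep["alloc_task"], section = int(m[1]), rep["alloc_stack"]
        elif m := re.match(r"Freed by task (\d+):", line):
            rep["free_task"], section = int(m[1]), rep["free_stack"]
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            rep["object_addr"] = int(m[1], 16)
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", line):
            rep["cache"], rep["object_size"] = m[1], int(m[2])
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of", line):
            rep["reported_offset"] = int(m[1])
    return rep


def triage(rep):
    """The ownership facts to settle before opening the driver source."""
    offset = rep["access_addr"] - rep["object_addr"]
    return {
        "object": f"{rep['cache']} of {rep['object_size']} bytes, offset {offset}",
        "offset_matches_report": offset == rep["reported_offset"],
        "faulting_owner": owner(rep["call_trace"]),
        "alloc_owner": owner(rep["alloc_stack"]),
        "free_owner": owner(rep["free_stack"]),
        "cross_context_free": rep["free_task"] != rep["access_pid"],  # freed by another task
        "freed_in_softirq": any(f.endswith("softirq") for f in rep["free_stack"]),
        "double_free": rep["fault_site"] in rep["free_stack"],  # the fault is itself a free
    }


# Trimmed excerpt of the console report above, embedded as the sample input.
SAMPLE_REPORT = """\
[ 36.648188][ T5] BUG: KASAN: use-after-free in kfree_skb+0x32/0x3d0
[ 36.654864][ T5] Read of size 4 at addr ffff8881c7d0e214 by task kworker/0:0/5
[ 36.697475][ T5] Call Trace:
[ 36.700836][ T5] dump_stack+0xef/0x16e
[ 36.719917][ T5] ? kfree_skb+0x32/0x3d0
[ 36.724523][ T5] __kasan_report.cold+0x37/0x7d
[ 36.747946][ T5] kfree_skb+0x32/0x3d0
[ 36.752115][ T5] htc_connect_service.cold+0xa9/0x109
[ 36.924060][ T5]
[ 36.926391][ T5] Allocated by task 5:
[ 36.934705][ T5] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 36.945744][ T5] __alloc_skb+0xba/0x5a0
[ 36.950063][ T5] htc_connect_service+0x2cc/0x840
[ 37.008539][ T5]
[ 37.010876][ T5] Freed by task 156:
[ 37.019109][ T5] __kasan_slab_free+0x117/0x160
[ 37.028717][ T5] kfree_skbmem+0xef/0x1b0
[ 37.033243][ T5] kfree_skb+0x102/0x3d0
[ 37.038460][ T5] ath9k_htc_txcompletion_cb+0x1f8/0x2b0
[ 37.075743][ T5] __do_softirq+0x21e/0x9aa
[ 37.080228][ T5]
[ 37.082563][ T5] The buggy address belongs to the object at ffff8881c7d0e140
[ 37.082563][ T5] which belongs to the cache skbuff_head_cache of size 224
[ 37.097127][ T5] The buggy address is located 212 bytes inside of
"""

if __name__ == "__main__":
    for key, value in triage(parse_kasan_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```

On this report the script resolves the allocating and faulting owner to the same function, htc_connect_service on the firmware-load workqueue (task 5), the freeing owner to ath9k_htc_txcompletion_cb reached from the USB completion path in softirq context (task 156, the task that also logged the disconnect), and the fault itself to kfree_skb, i.e. the same skb was passed to kfree_skb a second time after the completion callback had already released it. The "? " frames are dropped because the unwinder marks them as unreliable, and the panic's repeated Call Trace is ignored so the first stack is the one attributed. The script states the ownership conflict; which side should have given up its free is a question for the driver source, not the report.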