[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch. [ OK ] Started Getty on tty6. [ OK ] Started Getty on tty5. [ OK ] Started Getty on tty4. [ OK ] Started Getty on tty3. [ OK ] Started Getty on tty2. [ OK ] Started Serial Getty on ttyS0. [ OK ] Started Getty on tty1. [ OK ] Reached target Login Prompts. [ OK ] Reached target Multi-User System. [ OK ] Reached target Graphical Interface. Starting Update UTMP about System Runlevel Changes... Starting Load/Save RF Kill Switch Status... [ OK ] Started Update UTMP about System Runlevel Changes. [ OK ] Started Load/Save RF Kill Switch Status. Debian GNU/Linux 9 syzkaller ttyS0 Warning: Permanently added '10.128.1.66' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 134.682142][ T2018] usb 1-1: new high-speed USB device number 2 using dummy_hcd [ 135.052454][ T2018] usb 1-1: config index 0 descriptor too short (expected 160, got 129) [ 135.060982][ T2018] usb 1-1: config 1 has an invalid descriptor of length 0, skipping remainder of the config [ 135.262366][ T2018] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08 [ 135.271660][ T2018] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 135.279904][ T2018] usb 1-1: Product: syz [ 135.284359][ T2018] usb 1-1: Manufacturer: syz [ 135.289082][ T2018] usb 1-1: SerialNumber: syz [ 135.353642][ T2018] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested [ 136.002337][ T5] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008 [ 136.222512][ T5] ===================================================== [ 136.229485][ T5] BUG: KMSAN: kernel-usb-infoleak in kmsan_handle_urb+0x28/0x40 [ 136.231938][ T5] CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.11.0-rc7-syzkaller #0 [ 136.242114][ T5] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 136.253497][ T5] Workqueue: events request_firmware_work_func [ 136.253497][ T5] Call Trace: [ 136.262042][ T5] dump_stack+0x21c/0x280 [ 136.262042][ T5] kmsan_report+0xfb/0x1e0 [ 136.262042][ T5] kmsan_internal_check_memory+0x202/0x520 [ 136.262042][ T5] ? kmsan_get_metadata+0x116/0x180 [ 136.262042][ T5] kmsan_handle_urb+0x28/0x40 [ 136.262042][ T5] usb_submit_urb+0x89f/0x2590 [ 136.262042][ T5] ? __msan_metadata_ptr_for_store_1+0x13/0x20 [ 136.262042][ T5] hif_usb_send+0x5f5/0x1720 [ 136.262042][ T5] ? kmsan_get_metadata+0x116/0x180 [ 136.262042][ T5] ? kmsan_get_shadow_origin_ptr+0x84/0xb0 [ 136.262042][ T5] htc_connect_service+0x14b2/0x19f0 [ 136.262042][ T5] ? hif_usb_sta_drain+0x6b0/0x6b0 [ 136.262042][ T5] ath9k_wmi_connect+0x178/0x2c0 [ 136.262042][ T5] ? ath9k_wmi_connect+0x2c0/0x2c0 [ 136.262042][ T5] ? ath9k_wmi_ctrl_tx+0x50/0x50 [ 136.262042][ T5] ath9k_init_htc_services+0xf3/0x1190 [ 136.262042][ T5] ath9k_htc_probe_device+0x4fb/0x3e10 [ 136.262042][ T5] ? ath9k_hif_usb_alloc_urbs+0x1b64/0x1ed0 [ 136.262042][ T5] ath9k_htc_hw_init+0xdf/0x190 [ 136.262042][ T5] ath9k_hif_usb_firmware_cb+0x42b/0xab0 [ 136.262042][ T5] request_firmware_work_func+0x1b8/0x2e0 [ 136.262042][ T5] ? ath9k_hif_request_firmware+0x930/0x930 [ 136.262042][ T5] ? request_firmware_nowait+0x7c0/0x7c0 [ 136.262042][ T5] process_one_work+0x1219/0x1fe0 [ 136.262042][ T5] worker_thread+0x10ec/0x2340 [ 136.262042][ T5] kthread+0x521/0x560 [ 136.262042][ T5] ? process_one_work+0x1fe0/0x1fe0 [ 136.262042][ T5] ? kthread_blkcg+0x110/0x110 [ 136.407665][ T2016] usb 1-1: USB disconnect, device number 2 [ 136.405792][ T5] ret_from_fork+0x1f/0x30 [ 136.405792][ T5] [ 136.405792][ T5] Uninit was created at: [ 136.421323][ T5] kmsan_internal_poison_shadow+0x5c/0xf0 [ 136.421323][ T5] kmsan_slab_alloc+0x8d/0xe0 [ 136.421323][ T5] __kmalloc_node_track_caller+0xa37/0x1430 [ 136.421323][ T5] __alloc_skb+0x2f8/0xb30 [ 136.421323][ T5] htc_connect_service+0x1057/0x19f0 [ 136.421323][ T5] ath9k_wmi_connect+0x178/0x2c0 [ 136.421323][ T5] ath9k_init_htc_services+0xf3/0x1190 [ 136.421323][ T5] ath9k_htc_probe_device+0x4fb/0x3e10 [ 136.421323][ T5] ath9k_htc_hw_init+0xdf/0x190 [ 136.421323][ T5] ath9k_hif_usb_firmware_cb+0x42b/0xab0 [ 136.421323][ T5] request_firmware_work_func+0x1b8/0x2e0 [ 136.421323][ T5] process_one_work+0x1219/0x1fe0 [ 136.421323][ T5] worker_thread+0x10ec/0x2340 [ 136.421323][ T5] kthread+0x521/0x560 [ 136.421323][ T5] ret_from_fork+0x1f/0x30 [ 136.421323][ T5] [ 136.421323][ T5] Bytes 4-7 of 18 are uninitialized [ 136.421323][ T5] Memory access of size 18 starts at ffff888124638400 [ 136.421323][ T5] ===================================================== [ 136.421323][ T5] Disabling lock debugging due to kernel taint [ 136.421323][ T5] Kernel panic - not syncing: panic_on_warn set ... [ 136.539042][ T5] CPU: 0 PID: 5 Comm: kworker/0:0 Tainted: G B 5.11.0-rc7-syzkaller #0 [ 136.539042][ T5] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 136.539042][ T5] Workqueue: events request_firmware_work_func [ 136.539042][ T5] Call Trace: [ 136.539042][ T5] dump_stack+0x21c/0x280 [ 136.539042][ T5] panic+0x4c6/0xea7 [ 136.539042][ T5] ? add_taint+0x17c/0x210 [ 136.539042][ T5] kmsan_report+0x1de/0x1e0 [ 136.539042][ T5] kmsan_internal_check_memory+0x202/0x520 [ 136.539042][ T5] ? kmsan_get_metadata+0x116/0x180 [ 136.539042][ T5] kmsan_handle_urb+0x28/0x40 [ 136.539042][ T5] usb_submit_urb+0x89f/0x2590 [ 136.539042][ T5] ? __msan_metadata_ptr_for_store_1+0x13/0x20 [ 136.539042][ T5] hif_usb_send+0x5f5/0x1720 [ 136.539042][ T5] ? kmsan_get_metadata+0x116/0x180 [ 136.539042][ T5] ? kmsan_get_shadow_origin_ptr+0x84/0xb0 [ 136.539042][ T5] htc_connect_service+0x14b2/0x19f0 [ 136.539042][ T5] ? hif_usb_sta_drain+0x6b0/0x6b0 [ 136.539042][ T5] ath9k_wmi_connect+0x178/0x2c0 [ 136.539042][ T5] ? ath9k_wmi_connect+0x2c0/0x2c0 [ 136.539042][ T5] ? ath9k_wmi_ctrl_tx+0x50/0x50 [ 136.539042][ T5] ath9k_init_htc_services+0xf3/0x1190 [ 136.539042][ T5] ath9k_htc_probe_device+0x4fb/0x3e10 [ 136.539042][ T5] ? ath9k_hif_usb_alloc_urbs+0x1b64/0x1ed0 [ 136.539042][ T5] ath9k_htc_hw_init+0xdf/0x190 [ 136.539042][ T5] ath9k_hif_usb_firmware_cb+0x42b/0xab0 [ 136.539042][ T5] request_firmware_work_func+0x1b8/0x2e0 [ 136.539042][ T5] ? ath9k_hif_request_firmware+0x930/0x930 [ 136.539042][ T5] ? request_firmware_nowait+0x7c0/0x7c0 [ 136.539042][ T5] process_one_work+0x1219/0x1fe0 [ 136.539042][ T5] worker_thread+0x10ec/0x2340 [ 136.539042][ T5] kthread+0x521/0x560 [ 136.539042][ T5] ? process_one_work+0x1fe0/0x1fe0 [ 136.539042][ T5] ? kthread_blkcg+0x110/0x110 [ 136.539042][ T5] ret_from_fork+0x1f/0x30 [ 136.539042][ T5] Kernel Offset: disabled [ 136.539042][ T5] Rebooting in 86400 seconds..