DUID 00:04:fb:87:82:62:74:5a:87:37:86:23:e7:72:30:e3:bc:00
forked to background, child pid 3180
[ 26.140300][ T3181] 8021q: adding VLAN 0 to HW filter on device bond0
[ 26.148228][ T3181] eql: remember to turn off Van-Jacobson compression on your slave devices
Starting sshd: OK

syzkaller

Warning: Permanently added '10.128.0.5' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 47.868672][ T1503] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 48.388809][ T1503] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 48.388825][ T1503] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 48.388835][ T1503] usb 1-1: Product: syz
[ 48.388842][ T1503] usb 1-1: Manufacturer: syz
[ 48.388848][ T1503] usb 1-1: SerialNumber: syz
[ 48.430456][ T1503] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 48.998731][ T1503] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[ 50.058718][ T1503] ath9k_htc 1-1:1.0: ath9k_htc: Target is unresponsive
[ 50.058976][ T1503] ath9k_htc: Failed to initialize the device
[ 50.098620][ C1] ==================================================================
[ 50.098631][ C1] BUG: KASAN: slab-out-of-bounds in ath9k_hif_usb_rx_cb+0x1120/0x1130
[ 50.098662][ C1] Read of size 4 at addr ffff88807ab942f4 by task swapper/1/0
[ 50.098671][ C1]
[ 50.098674][ C1] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.18.0-syzkaller-11080-g664a393a2663 #0
[ 50.098684][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 50.098689][ C1] Call Trace:
[ 50.098693][ C1]  <IRQ>
[ 50.098698][ C1]  dump_stack_lvl+0x1e3/0x2cb
[ 50.098713][ C1]  ? bfq_pos_tree_add_move+0x436/0x436
[ 50.098721][ C1]  ? _printk+0xcf/0x10f
[ 50.098730][ C1]  ? __wake_up_klogd+0xd6/0x100
[ 50.098740][ C1]  ? __wake_up_klogd+0xcd/0x100
[ 50.098749][ C1]  ? panic+0x76e/0x76e
[ 50.098757][ C1]  ? _printk+0xcf/0x10f
[ 50.098766][ C1]  print_address_description+0x65/0x4b0
[ 50.098779][ C1]  print_report+0xf4/0x210
[ 50.098787][ C1]  ? __lock_acquire+0x1f80/0x1f80
[ 50.098796][ C1]  ? do_raw_spin_lock+0x148/0x360
[ 50.098806][ C1]  ? ath9k_hif_usb_rx_cb+0x1120/0x1130
[ 50.098814][ C1]  kasan_report+0xfb/0x130
[ 50.098823][ C1]  ? ath9k_hif_usb_rx_cb+0x1120/0x1130
[ 50.098832][ C1]  ath9k_hif_usb_rx_cb+0x1120/0x1130
[ 50.098843][ C1]  ? do_raw_spin_lock+0x148/0x360
[ 50.098852][ C1]  ? ath9k_hif_usb_alloc_urbs+0xe90/0xe90
[ 50.098865][ C1]  __usb_hcd_giveback_urb+0x369/0x530
[ 50.098877][ C1]  dummy_timer+0x86b/0x3110
[ 50.098898][ C1]  ? dummy_free_streams+0x320/0x320
[ 50.098907][ C1]  ? trace_lock_release+0x7a/0x190
[ 50.098917][ C1]  ? dummy_free_streams+0x320/0x320
[ 50.098925][ C1]  call_timer_fn+0xf5/0x210
[ 50.098934][ C1]  ? dummy_free_streams+0x320/0x320
[ 50.098942][ C1]  ? dummy_free_streams+0x320/0x320
[ 50.098950][ C1]  ? __run_timers+0x980/0x980
[ 50.098959][ C1]  ? do_raw_spin_unlock+0x134/0x8a0
[ 50.098968][ C1]  ? dummy_free_streams+0x320/0x320
[ 50.098976][ C1]  ? _raw_spin_unlock_irq+0x1f/0x40
[ 50.098985][ C1]  ? lockdep_hardirqs_on+0x95/0x140
[ 50.098994][ C1]  ? dummy_free_streams+0x320/0x320
[ 50.099003][ C1]  __run_timers+0x76a/0x980
[ 50.099014][ C1]  ? trace_timer_cancel+0x210/0x210
[ 50.099025][ C1]  run_timer_softirq+0x63/0xf0
[ 50.099035][ C1]  __do_softirq+0x382/0x793
[ 50.099044][ C1]  ? __irq_exit_rcu+0xec/0x170
[ 50.099058][ C1]  ? __entry_text_end+0x1fec88/0x1fec88
[ 50.099071][ C1]  __irq_exit_rcu+0xec/0x170
[ 50.099079][ C1]  ? irq_exit_rcu+0x20/0x20
[ 50.099088][ C1]  irq_exit_rcu+0x5/0x20
[ 50.099095][ C1]  sysvec_apic_timer_interrupt+0x91/0xb0
[ 50.099105][ C1]  </IRQ>
[ 50.099107][ C1]  <TASK>
[ 50.099110][ C1]  asm_sysvec_apic_timer_interrupt+0x1b/0x20
[ 50.099120][ C1] RIP: 0010:acpi_idle_enter+0x43d/0x7c0
[ 50.099132][ C1] Code: ff e8 67 72 f4 fc 48 83 e3 08 44 8b 7c 24 04 0f 85 21 01 00 00 e8 93 15 fb fc eb 0c e8 8c 6d f4 fc 0f 00 2d 75 66 62 06 fb f4 <4c> 89 e3 48 c1 eb 03 42 80 3c 2b 00 74 08 4c 89 e7 e8 8d 5b 47 fd
[ 50.099139][ C1] RSP: 0018:ffffc90000187c00 EFLAGS: 00000286
[ 50.099148][ C1] RAX: fb1fa0b746f46800 RBX: 0000000000000000 RCX: ffffffff90bc5603
[ 50.099155][ C1] RDX: dffffc0000000000 RSI: ffffffff8a8d2280 RDI: ffffffff8ae99480
[ 50.099161][ C1] RBP: ffffc90000187cb0 R08: ffffffff818e1a80 R09: ffffed10022c7761
[ 50.099167][ C1] R10: ffffed10022c7761 R11: 1ffff110022c7760 R12: ffffc90000187c40
[ 50.099173][ C1] R13: dffffc0000000000 R14: ffff88814588e800 R15: 0000000000000001
[ 50.099180][ C1]  ? trace_hardirqs_on+0x30/0x80
[ 50.099194][ C1]  ? acpi_idle_lpi_enter+0xe0/0xe0
[ 50.099205][ C1]  cpuidle_enter_state+0x517/0xed0
[ 50.099217][ C1]  ? cpuidle_enter_s2idle+0x6b0/0x6b0
[ 50.099227][ C1]  ? menu_enable_device+0x370/0x370
[ 50.099236][ C1]  cpuidle_enter+0x59/0x90
[ 50.099245][ C1]  do_idle+0x3d2/0x640
[ 50.099255][ C1]  ? idle_inject_timer_fn+0x60/0x60
[ 50.099264][ C1]  ? _raw_spin_unlock_irqrestore+0xd9/0x130
[ 50.099274][ C1]  ? complete+0xb9/0x1c0
[ 50.099282][ C1]  cpu_startup_entry+0x15/0x20
[ 50.099291][ C1]  start_secondary+0xe4/0xf0
[ 50.099299][ C1]  secondary_startup_64_no_verify+0xcf/0xdb
[ 50.099312][ C1]  </TASK>
[ 50.099315][ C1]
[ 50.099316][ C1] Allocated by task 0:
[ 50.099320][ C1]  (stack is not available)
[ 50.099321][ C1]
[ 50.099323][ C1] The buggy address belongs to the object at ffff88807ab94000
[ 50.099323][ C1]  which belongs to the cache kmalloc-4k of size 4096
[ 50.099330][ C1] The buggy address is located 756 bytes inside of
[ 50.099330][ C1]  4096-byte region [ffff88807ab94000, ffff88807ab95000)
[ 50.099337][ C1]
[ 50.099339][ C1] The buggy address belongs to the physical page:
[ 50.099344][ C1] page:ffffea0001eae400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7ab90
[ 50.099354][ C1] head:ffffea0001eae400 order:3 compound_mapcount:0 compound_pincount:0
[ 50.099361][ C1] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 50.099374][ C1] raw: 00fff00000010200 0000000000000000 dead000000000122 ffff888011442140
[ 50.099381][ C1] raw: 0000000000000000 0000000080040004 00000001ffffffff 0000000000000000
[ 50.099384][ C1] page dumped because: kasan: bad access detected
[ 50.099388][ C1] page_owner tracks the page as allocated
[ 50.099391][ C1] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 3602, tgid 3602 (syz-executor306), ts 50081736232, free_ts 50058949286
[ 50.099407][ C1]  get_page_from_freelist+0x72b/0x7a0
[ 50.099416][ C1]  __alloc_pages+0x259/0x560
[ 50.099423][ C1]  alloc_slab_page+0x70/0xf0
[ 50.099430][ C1]  allocate_slab+0x5e/0x520
[ 50.099437][ C1]  ___slab_alloc+0x41e/0xcd0
[ 50.099443][ C1]  __kmalloc+0x2ba/0x370
[ 50.099449][ C1]  tomoyo_realpath_from_path+0xd8/0x5f0
[ 50.099459][ C1]  tomoyo_path_number_perm+0x219/0x7b0
[ 50.099467][ C1]  security_file_ioctl+0x55/0xb0
[ 50.099477][ C1]  __se_sys_ioctl+0x48/0x170
[ 50.099486][ C1]  do_syscall_64+0x2b/0x70
[ 50.099493][ C1]  entry_SYSCALL_64_after_hwframe+0x46/0xb0
[ 50.099501][ C1] page last free stack trace:
[ 50.099504][ C1]  free_pcp_prepare+0x812/0x900
[ 50.099512][ C1]  free_unref_page+0x7d/0x390
[ 50.099519][ C1]  free_large_kmalloc+0xeb/0x1a0
[ 50.099526][ C1]  kfree+0x188/0x210
[ 50.099536][ C1]  device_release+0x98/0x1c0
[ 50.099545][ C1]  kobject_cleanup+0x235/0x470
[ 50.099554][ C1]  ath9k_htc_probe_device+0xfe8/0x2090
[ 50.099562][ C1]  ath9k_htc_hw_init+0x30/0x70
[ 50.099569][ C1]  ath9k_hif_usb_firmware_cb+0x250/0x4d0
[ 50.099576][ C1]  request_firmware_work_func+0x198/0x270
[ 50.099584][ C1]  process_one_work+0x81c/0xd10
[ 50.099593][ C1]  worker_thread+0xb14/0x1330
[ 50.099601][ C1]  kthread+0x266/0x300
[ 50.099608][ C1]  ret_from_fork+0x1f/0x30
[ 50.099615][ C1]
[ 50.099616][ C1] Memory state around the buggy address:
[ 50.099621][ C1]  ffff88807ab94180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 50.099626][ C1]  ffff88807ab94200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 50.099631][ C1] >ffff88807ab94280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 50.099634][ C1]                                                              ^
[ 50.099639][ C1]  ffff88807ab94300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 50.099644][ C1]  ffff88807ab94380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 50.099647][ C1] ==================================================================
[ 50.099651][ C1] Kernel panic - not syncing: panic_on_warn set ...
[ 50.831416][ C1] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.18.0-syzkaller-11080-g664a393a2663 #0
[ 50.840791][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 50.850917][ C1] Call Trace:
[ 50.854240][ C1]  <IRQ>
[ 50.857072][ C1]  dump_stack_lvl+0x1e3/0x2cb
[ 50.861749][ C1]  ? bfq_pos_tree_add_move+0x436/0x436
[ 50.867219][ C1]  ? panic+0x76e/0x76e
[ 50.871278][ C1]  ? vscnprintf+0x59/0x80
[ 50.875682][ C1]  panic+0x312/0x76e
[ 50.879566][ C1]  ? fb_is_primary_device+0xcc/0xcc
[ 50.884763][ C1]  ? _raw_spin_unlock_irqrestore+0xd9/0x130
[ 50.890648][ C1]  ? ath9k_hif_usb_rx_cb+0x1120/0x1130
[ 50.896096][ C1]  end_report+0x91/0xa0
[ 50.900250][ C1]  kasan_report+0x108/0x130
[ 50.904741][ C1]  ? ath9k_hif_usb_rx_cb+0x1120/0x1130
[ 50.910187][ C1]  ath9k_hif_usb_rx_cb+0x1120/0x1130
[ 50.915463][ C1]  ? do_raw_spin_lock+0x148/0x360
[ 50.920476][ C1]  ? ath9k_hif_usb_alloc_urbs+0xe90/0xe90
[ 50.926188][ C1]  __usb_hcd_giveback_urb+0x369/0x530
[ 50.931550][ C1]  dummy_timer+0x86b/0x3110
[ 50.936064][ C1]  ? dummy_free_streams+0x320/0x320
[ 50.941250][ C1]  ? trace_lock_release+0x7a/0x190
[ 50.946350][ C1]  ? dummy_free_streams+0x320/0x320
[ 50.951531][ C1]  call_timer_fn+0xf5/0x210
[ 50.956019][ C1]  ? dummy_free_streams+0x320/0x320
[ 50.961218][ C1]  ? dummy_free_streams+0x320/0x320
[ 50.966401][ C1]  ? __run_timers+0x980/0x980
[ 50.971077][ C1]  ? do_raw_spin_unlock+0x134/0x8a0
[ 50.976265][ C1]  ? dummy_free_streams+0x320/0x320
[ 50.981509][ C1]  ? _raw_spin_unlock_irq+0x1f/0x40
[ 50.986720][ C1]  ? lockdep_hardirqs_on+0x95/0x140
[ 50.991925][ C1]  ? dummy_free_streams+0x320/0x320
[ 50.997134][ C1]  __run_timers+0x76a/0x980
[ 51.001642][ C1]  ? trace_timer_cancel+0x210/0x210
[ 51.006925][ C1]  run_timer_softirq+0x63/0xf0
[ 51.011684][ C1]  __do_softirq+0x382/0x793
[ 51.016199][ C1]  ? __irq_exit_rcu+0xec/0x170
[ 51.020954][ C1]  ? __entry_text_end+0x1fec88/0x1fec88
[ 51.026493][ C1]  __irq_exit_rcu+0xec/0x170
[ 51.031070][ C1]  ? irq_exit_rcu+0x20/0x20
[ 51.035560][ C1]  irq_exit_rcu+0x5/0x20
[ 51.039786][ C1]  sysvec_apic_timer_interrupt+0x91/0xb0
[ 51.045414][ C1]  </IRQ>
[ 51.048419][ C1]  <TASK>
[ 51.051337][ C1]  asm_sysvec_apic_timer_interrupt+0x1b/0x20
[ 51.057307][ C1] RIP: 0010:acpi_idle_enter+0x43d/0x7c0
[ 51.062843][ C1] Code: ff e8 67 72 f4 fc 48 83 e3 08 44 8b 7c 24 04 0f 85 21 01 00 00 e8 93 15 fb fc eb 0c e8 8c 6d f4 fc 0f 00 2d 75 66 62 06 fb f4 <4c> 89 e3 48 c1 eb 03 42 80 3c 2b 00 74 08 4c 89 e7 e8 8d 5b 47 fd
[ 51.082641][ C1] RSP: 0018:ffffc90000187c00 EFLAGS: 00000286
[ 51.088803][ C1] RAX: fb1fa0b746f46800 RBX: 0000000000000000 RCX: ffffffff90bc5603
[ 51.096779][ C1] RDX: dffffc0000000000 RSI: ffffffff8a8d2280 RDI: ffffffff8ae99480
[ 51.104874][ C1] RBP: ffffc90000187cb0 R08: ffffffff818e1a80 R09: ffffed10022c7761
[ 51.112949][ C1] R10: ffffed10022c7761 R11: 1ffff110022c7760 R12: ffffc90000187c40
[ 51.120945][ C1] R13: dffffc0000000000 R14: ffff88814588e800 R15: 0000000000000001
[ 51.128926][ C1]  ? trace_hardirqs_on+0x30/0x80
[ 51.134131][ C1]  ? acpi_idle_lpi_enter+0xe0/0xe0
[ 51.139506][ C1]  cpuidle_enter_state+0x517/0xed0
[ 51.144617][ C1]  ? cpuidle_enter_s2idle+0x6b0/0x6b0
[ 51.149995][ C1]  ? menu_enable_device+0x370/0x370
[ 51.155205][ C1]  cpuidle_enter+0x59/0x90
[ 51.159624][ C1]  do_idle+0x3d2/0x640
[ 51.163698][ C1]  ? idle_inject_timer_fn+0x60/0x60
[ 51.168894][ C1]  ? _raw_spin_unlock_irqrestore+0xd9/0x130
[ 51.174794][ C1]  ? complete+0xb9/0x1c0
[ 51.179032][ C1]  cpu_startup_entry+0x15/0x20
[ 51.183787][ C1]  start_secondary+0xe4/0xf0
[ 51.188365][ C1]  secondary_startup_64_no_verify+0xcf/0xdb
[ 51.194339][ C1]  </TASK>
[ 51.197549][ C1] Kernel Offset: disabled
[ 51.201952][ C1] Rebooting in 86400 seconds..
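The log above is raw console output. As an added triage helper that is not part of the syzbot report or of the kernel, the Python below parses the KASAN block into structured fields, keeps only confirmed stack frames (dropping the "? sym" stack-scan guesses), re-derives the "756 bytes inside of" arithmetic from the faulting address and the region bounds, and reads the shadow byte under the caret in the "Memory state" rows. The regexes, section names and SHADOW_LEGEND are this example's own choices (the legend values are the generic-KASAN ones: 0xfc slab redzone, 0xfb freed slab object, 0xfe large-kmalloc page redzone, 0xff freed page); SAMPLE is a constructed excerpt of the lines above with the dmesg prefix left in place.

```python
import re

# Constructed sample: lines copied from the console log above, prefix kept so the
# parser is exercised on the same shape of text syzbot emits.
SAMPLE = """\
[ 50.098631][ C1] BUG: KASAN: slab-out-of-bounds in ath9k_hif_usb_rx_cb+0x1120/0x1130
[ 50.098662][ C1] Read of size 4 at addr ffff88807ab942f4 by task swapper/1/0
[ 50.098671][ C1]
[ 50.098689][ C1] Call Trace:
[ 50.098698][ C1]  dump_stack_lvl+0x1e3/0x2cb
[ 50.098806][ C1]  ? ath9k_hif_usb_rx_cb+0x1120/0x1130
[ 50.098814][ C1]  kasan_report+0xfb/0x130
[ 50.098832][ C1]  ath9k_hif_usb_rx_cb+0x1120/0x1130
[ 50.098865][ C1]  __usb_hcd_giveback_urb+0x369/0x530
[ 50.098877][ C1]  dummy_timer+0x86b/0x3110
[ 50.099316][ C1] Allocated by task 0:
[ 50.099320][ C1]  (stack is not available)
[ 50.099323][ C1] The buggy address belongs to the object at ffff88807ab94000
[ 50.099323][ C1]  which belongs to the cache kmalloc-4k of size 4096
[ 50.099330][ C1] The buggy address is located 756 bytes inside of
[ 50.099330][ C1]  4096-byte region [ffff88807ab94000, ffff88807ab95000)
[ 50.099501][ C1] page last free stack trace:
[ 50.099504][ C1]  free_pcp_prepare+0x812/0x900
[ 50.099526][ C1]  kfree+0x188/0x210
[ 50.099536][ C1]  device_release+0x98/0x1c0
[ 50.099554][ C1]  ath9k_htc_probe_device+0xfe8/0x2090
[ 50.099616][ C1] Memory state around the buggy address:
[ 50.099631][ C1] >ffff88807ab94280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 50.099634][ C1]                                                              ^
[ 50.099639][ C1]  ffff88807ab94300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*[CT]\d+\]\s?")
HEADER = re.compile(r"^BUG: KASAN: (?P<bug>[\w-]+) in (?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
ACCESS = re.compile(r"^(?P<kind>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)$")
CACHE = re.compile(r"^which belongs to the cache (?P<cache>\S+) of size (?P<csize>\d+)$")
OFFSET = re.compile(r"^The buggy address is located (?P<off>\d+) bytes (?P<where>inside of|to the right of|to the left of)$")
REGION = re.compile(r"^\d+-byte region \[(?P<start>[0-9a-f]+), (?P<end>[0-9a-f]+)\)$")
FRAME = re.compile(r"^(?P<guess>\? )?(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+( \[\w+\])?$")
SHADOW = re.compile(r"^>?\s*(?P<row>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2} ?){16})$")
SECTION_STARTS = ("Call Trace:", "Allocated by task", "Freed by task",
                  "page last allocated via", "page last free stack trace:")
GRANULE, ROW_BYTES = 8, 16 * 8  # one shadow byte covers 8 bytes; a row shows 16 of them

# Generic-KASAN shadow values seen in slab reports (values from mm/kasan/kasan.h).
SHADOW_LEGEND = {0x00: "accessible", 0xfb: "freed slab object",
                 0xfc: "slab object redzone", 0xfe: "page redzone (large kmalloc)",
                 0xff: "freed page"}


def describe_shadow(value):
    if 1 <= value <= 7:
        return f"first {value} of 8 bytes accessible"
    return SHADOW_LEGEND.get(value, f"unknown 0x{value:02x}")


def strip_prefix(line):
    """Drop the dmesg "[timestamp][cpu/task]" prefix and surrounding whitespace."""
    return PREFIX.sub("", line).strip()


def parse_kasan_report(text):
    rep = {"stacks": {}, "shadow": {}}
    section = None
    for raw in text.splitlines():
        line = strip_prefix(raw)
        if not line:
            continue
        if m := HEADER.match(line):
            rep["bug_type"], rep["site"] = m["bug"], m["func"]
        elif m := ACCESS.match(line):
            rep.update(kind=m["kind"], size=int(m["size"]),
                       addr=int(m["addr"], 16), task=m["task"])
        elif m := CACHE.match(line):
            rep.update(cache=m["cache"], cache_size=int(m["csize"]))
        elif m := OFFSET.match(line):
            rep.update(offset=int(m["off"]), where=m["where"])
        elif m := REGION.match(line):
            rep.update(region_start=int(m["start"], 16), region_end=int(m["end"], 16))
        elif m := SHADOW.match(line):
            rep["shadow"][int(m["row"], 16)] = [int(b, 16) for b in m["bytes"].split()]
        elif line.startswith(SECTION_STARTS):
            section = line.split(" via ")[0].rstrip(":")  # e.g. "page last allocated"
            rep["stacks"][section] = []
        elif (m := FRAME.match(line)) and section is not None and not m["guess"]:
            # "? sym" entries are stack-scan guesses, not confirmed frames; skip them
            rep["stacks"][section].append(m["sym"])
    return rep


def check_offset(rep):
    """Re-derive the stated byte offset from the faulting address and region bounds."""
    if rep["where"] == "inside of":
        return rep["addr"] - rep["region_start"] == rep["offset"]
    if rep["where"] == "to the right of":
        return rep["addr"] - rep["region_end"] == rep["offset"]
    return rep["region_start"] - rep["addr"] == rep["offset"]


def shadow_at(rep, addr):
    """Shadow byte covering addr from the 'Memory state' rows, or None if not shown."""
    for row, values in rep["shadow"].items():
        if row <= addr < row + ROW_BYTES:
            return values[(addr - row) // GRANULE]
    return None


if __name__ == "__main__":
    r = parse_kasan_report(SAMPLE)
    print(r["bug_type"], "in", r["site"], "offset line consistent:", check_offset(r))
    print("shadow under caret:", describe_shadow(shadow_at(r, r["addr"])))
```

On this report the offset check passes (0xffff88807ab942f4 - 0xffff88807ab94000 = 0x2f4 = 756) and the byte under the caret is 0xfc, the slab redzone marker, so the access lands inside the kmalloc-4k slot but in a part of it that KASAN had poisoned. Both facts come straight from the log; what they mean for the ath9k_htc code path is not something the log alone settles.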