Warning: Permanently added '10.128.0.67' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 33.564329][ T83] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 34.084181][ T83] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 34.093336][ T83] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 34.101939][ T83] usb 1-1: Product: syz
[ 34.106168][ T83] usb 1-1: Manufacturer: syz
[ 34.110753][ T83] usb 1-1: SerialNumber: syz
[ 34.155207][ T83] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 34.743727][ T83] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
executing program
[ 35.147857][ T95] usb 1-1: USB disconnect, device number 2
[ 35.993248][ T83] usb 1-1: Service connection timeout for: 256
[ 35.999553][ T83] ==================================================================
[ 36.007687][ T83] BUG: KASAN: use-after-free in kfree_skb+0x32/0x3d0
[ 36.014364][ T83] Read of size 4 at addr ffff8881ce159854 by task kworker/1:2/83
[ 36.022049][ T83]
[ 36.024376][ T83] CPU: 1 PID: 83 Comm: kworker/1:2 Not tainted 5.7.0-rc6-syzkaller #0
[ 36.032512][ T83] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 36.042556][ T83] Workqueue: events request_firmware_work_func
[ 36.048700][ T83] Call Trace:
[ 36.051972][ T83] dump_stack+0xef/0x16e
[ 36.056195][ T83] print_address_description.constprop.0.cold+0xd3/0x415
[ 36.063195][ T83] ? vprintk_func+0x7d/0x113
[ 36.067761][ T83] ? kfree_skb+0x32/0x3d0
[ 36.072069][ T83] __kasan_report.cold+0x37/0x7d
[ 36.076983][ T83] ? kfree_skb+0x32/0x3d0
[ 36.081302][ T83] ? kfree_skb+0x32/0x3d0
[ 36.085607][ T83] kasan_report+0x33/0x50
[ 36.089922][ T83] check_memory_region+0x173/0x1d0
[ 36.095009][ T83] kfree_skb+0x32/0x3d0
[ 36.099160][ T83] htc_connect_service.cold+0xa9/0x109
[ 36.104611][ T83] ath9k_wmi_connect+0xd2/0x1a0
[ 36.109451][ T83] ? ath9k_fatal_work+0x20/0x20
[ 36.114307][ T83] ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 36.120354][ T83] ? ath9k_wmi_event_tasklet+0x440/0x440
[ 36.125962][ T83] ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 36.132364][ T83] ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 36.137645][ T83] ? lockdep_init_map_waits+0x26a/0x7c0
[ 36.143168][ T83] ? __raw_spin_lock_init+0x34/0x100
[ 36.148442][ T83] ? tasklet_init+0x69/0x110
[ 36.153009][ T83] ath9k_htc_probe_device+0x25a/0x1da0
[ 36.158444][ T83] ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 36.165094][ T83] ? usb_submit_urb+0x6ed/0x1460
[ 36.170013][ T83] ? usb_free_urb.part.0+0x52/0x110
[ 36.175188][ T83] ? usb_free_urb+0x1b/0x30
[ 36.179695][ T83] ath9k_htc_hw_init+0x31/0x60
[ 36.184447][ T83] ath9k_hif_usb_firmware_cb+0x274/0x510
[ 36.190069][ T83] ? ath9k_hif_usb_resume+0x320/0x320
[ 36.195416][ T83] request_firmware_work_func+0x126/0x242
[ 36.201110][ T83] ? request_firmware_into_buf+0x90/0x90
[ 36.206807][ T83] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 36.212326][ T83] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 36.217591][ T83] ? _raw_spin_unlock_irq+0x1f/0x30
[ 36.222806][ T83] process_one_work+0x965/0x1630
[ 36.227742][ T83] ? lock_release+0x720/0x720
[ 36.232416][ T83] ? pwq_dec_nr_in_flight+0x310/0x310
[ 36.237784][ T83] ? rwlock_bug.part.0+0x90/0x90
[ 36.242713][ T83] worker_thread+0x96/0xe20
[ 36.247207][ T83] ? process_one_work+0x1630/0x1630
[ 36.252397][ T83] kthread+0x326/0x430
[ 36.256450][ T83] ? kthread_create_on_node+0xf0/0xf0
[ 36.261797][ T83] ret_from_fork+0x24/0x30
[ 36.266183][ T83]
[ 36.268492][ T83] Allocated by task 83:
[ 36.272635][ T83] save_stack+0x1b/0x40
[ 36.276774][ T83] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 36.282397][ T83] kmem_cache_alloc_node+0xdc/0x330
[ 36.287589][ T83] __alloc_skb+0xba/0x5a0
[ 36.291921][ T83] htc_connect_service+0x2cc/0x840
[ 36.297008][ T83] ath9k_wmi_connect+0xd2/0x1a0
[ 36.301847][ T83] ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 36.308250][ T83] ath9k_htc_probe_device+0x25a/0x1da0
[ 36.313685][ T83] ath9k_htc_hw_init+0x31/0x60
[ 36.318436][ T83] ath9k_hif_usb_firmware_cb+0x274/0x510
[ 36.324056][ T83] request_firmware_work_func+0x126/0x242
[ 36.329789][ T83] process_one_work+0x965/0x1630
[ 36.334700][ T83] worker_thread+0x96/0xe20
[ 36.339193][ T83] kthread+0x326/0x430
[ 36.343253][ T83] ret_from_fork+0x24/0x30
[ 36.347641][ T83]
[ 36.349942][ T83] Freed by task 0:
[ 36.353658][ T83] save_stack+0x1b/0x40
[ 36.357788][ T83] __kasan_slab_free+0x117/0x160
[ 36.362719][ T83] kmem_cache_free+0x9b/0x360
[ 36.367398][ T83] kfree_skbmem+0xef/0x1b0
[ 36.371806][ T83] kfree_skb+0x102/0x3d0
[ 36.376119][ T83] ath9k_htc_txcompletion_cb+0x1f8/0x2b0
[ 36.381733][ T83] hif_usb_regout_cb+0x115/0x1c0
[ 36.386682][ T83] __usb_hcd_giveback_urb+0x29a/0x550
[ 36.392029][ T83] usb_hcd_giveback_urb+0x368/0x420
[ 36.397223][ T83] dummy_timer+0x125e/0x32b4
[ 36.401792][ T83] call_timer_fn+0x1ac/0x700
[ 36.406390][ T83] run_timer_softirq+0x5f9/0x1500
[ 36.411443][ T83] __do_softirq+0x21e/0x9aa
[ 36.416005][ T83]
[ 36.418313][ T83] The buggy address belongs to the object at ffff8881ce159780
[ 36.418313][ T83] which belongs to the cache skbuff_head_cache of size 224
[ 36.432868][ T83] The buggy address is located 212 bytes inside of
[ 36.432868][ T83] 224-byte region [ffff8881ce159780, ffff8881ce159860)
[ 36.446173][ T83] The buggy address belongs to the page:
[ 36.451927][ T83] page:ffffea0007385640 refcount:1 mapcount:0 mapping:0000000069b6d56d index:0x0
[ 36.461027][ T83] flags: 0x200000000000200(slab)
[ 36.465969][ T83] raw: 0200000000000200 dead000000000100 dead000000000122 ffff8881da175400
[ 36.474533][ T83] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 36.485119][ T83] page dumped because: kasan: bad access detected
[ 36.491615][ T83]
[ 36.493945][ T83] Memory state around the buggy address:
[ 36.499561][ T83] ffff8881ce159700: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 36.507610][ T83] ffff8881ce159780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.515646][ T83] >ffff8881ce159800: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 36.523696][ T83] ^
[ 36.530359][ T83] ffff8881ce159880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 36.538409][ T83] ffff8881ce159900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.546532][ T83] ==================================================================
[ 36.554570][ T83] Disabling lock debugging due to kernel taint
[ 36.560771][ T83] Kernel panic - not syncing: panic_on_warn set ...
[ 36.567704][ T83] CPU: 1 PID: 83 Comm: kworker/1:2 Tainted: G B 5.7.0-rc6-syzkaller #0
[ 36.577238][ T83] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 36.587304][ T83] Workqueue: events request_firmware_work_func
[ 36.593446][ T83] Call Trace:
[ 36.596721][ T83] dump_stack+0xef/0x16e
[ 36.600964][ T83] panic+0x2aa/0x6e1
[ 36.604854][ T83] ? add_taint.cold+0x16/0x16
[ 36.609512][ T83] ? retint_kernel+0x10/0x10
[ 36.614079][ T83] ? kfree_skb+0x32/0x3d0
[ 36.618386][ T83] ? trace_hardirqs_on+0x55/0x200
[ 36.623384][ T83] ? kfree_skb+0x32/0x3d0
[ 36.627944][ T83] end_report+0x4d/0x53
[ 36.632199][ T83] __kasan_report.cold+0x72/0x7d
[ 36.637210][ T83] ? kfree_skb+0x32/0x3d0
[ 36.641530][ T83] ? kfree_skb+0x32/0x3d0
[ 36.645873][ T83] kasan_report+0x33/0x50
[ 36.650201][ T83] check_memory_region+0x173/0x1d0
[ 36.655379][ T83] kfree_skb+0x32/0x3d0
[ 36.659775][ T83] htc_connect_service.cold+0xa9/0x109
[ 36.665227][ T83] ath9k_wmi_connect+0xd2/0x1a0
[ 36.670059][ T83] ? ath9k_fatal_work+0x20/0x20
[ 36.674899][ T83] ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 36.680947][ T83] ? ath9k_wmi_event_tasklet+0x440/0x440
[ 36.686567][ T83] ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 36.692983][ T83] ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 36.698242][ T83] ? lockdep_init_map_waits+0x26a/0x7c0
[ 36.703766][ T83] ? __raw_spin_lock_init+0x34/0x100
[ 36.709024][ T83] ? tasklet_init+0x69/0x110
[ 36.713589][ T83] ath9k_htc_probe_device+0x25a/0x1da0
[ 36.719022][ T83] ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 36.725670][ T83] ? usb_submit_urb+0x6ed/0x1460
[ 36.730593][ T83] ? usb_free_urb.part.0+0x52/0x110
[ 36.735809][ T83] ? usb_free_urb+0x1b/0x30
[ 36.740290][ T83] ath9k_htc_hw_init+0x31/0x60
[ 36.745032][ T83] ath9k_hif_usb_firmware_cb+0x274/0x510
[ 36.750670][ T83] ? ath9k_hif_usb_resume+0x320/0x320
[ 36.756016][ T83] request_firmware_work_func+0x126/0x242
[ 36.761707][ T83] ? request_firmware_into_buf+0x90/0x90
[ 36.767338][ T83] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 36.772857][ T83] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 36.778119][ T83] ? _raw_spin_unlock_irq+0x1f/0x30
[ 36.783344][ T83] process_one_work+0x965/0x1630
[ 36.788268][ T83] ? lock_release+0x720/0x720
[ 36.792921][ T83] ? pwq_dec_nr_in_flight+0x310/0x310
[ 36.798267][ T83] ? rwlock_bug.part.0+0x90/0x90
[ 36.808560][ T83] worker_thread+0x96/0xe20
[ 36.813484][ T83] ? process_one_work+0x1630/0x1630
[ 36.818845][ T83] kthread+0x326/0x430
[ 36.822908][ T83] ? kthread_create_on_node+0xf0/0xf0
[ 36.828276][ T83] ret_from_fork+0x24/0x30
[ 36.833350][ T83] Kernel Offset: disabled
[ 36.837663][ T83] Rebooting in 86400 seconds..