[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ 16.128382][ C1] random: crng init done
[ 16.128413][ C1] random: 7 urandom warning(s) missed due to ratelimiting
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.195' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 23.502490][ T17] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 23.711793][ T17] usb 1-1: config 1 has an invalid descriptor of length 9, skipping remainder of the config
[ 23.722051][ T17] usb 1-1: config 1 interface 0 altsetting 0 has 3 endpoint descriptors, different from the interface descriptor's value: 6
[ 23.891580][ T17] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 23.900643][ T17] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 23.908860][ T17] usb 1-1: Product: syz
[ 23.913136][ T17] usb 1-1: Manufacturer: syz
[ 23.917732][ T17] usb 1-1: SerialNumber: syz
[ 23.962502][ T17] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 24.551050][ T17] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[ 24.771141][ T17] ath9k_htc 1-1:1.0: ath9k_htc: Unable to initialize HTC services
[ 24.779637][ T17] ath9k_htc: Failed to initialize the device
[ 24.970710][ C1] ==================================================================
[ 24.979000][ C1] BUG: KASAN: use-after-free in ath9k_wmi_ctrl_rx+0x416/0x500
[ 24.986642][ C1] Read of size 1 at addr ffff8881cef1417c by task swapper/1/0
[ 24.994089][ C1]
[ 24.996404][ C1] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.6.0-rc5-syzkaller #0
[ 25.004281][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 25.015266][ C1] Call Trace:
[ 25.018572][ C1]
[ 25.021427][ C1] dump_stack+0xef/0x16e
[ 25.025674][ C1] ? ath9k_wmi_ctrl_rx+0x416/0x500
[ 25.030791][ C1] ? ath9k_wmi_ctrl_rx+0x416/0x500
[ 25.036079][ C1] print_address_description.constprop.0.cold+0xd3/0x314
[ 25.043088][ C1] ? ath9k_wmi_ctrl_rx+0x416/0x500
[ 25.048178][ C1] ? ath9k_wmi_ctrl_rx+0x416/0x500
[ 25.053268][ C1] __kasan_report.cold+0x37/0x77
[ 25.058189][ C1] ? ath9k_wmi_ctrl_rx+0x416/0x500
[ 25.063338][ C1] ? ath9k_wmi_event_tasklet+0x440/0x440
[ 25.068981][ C1] kasan_report+0xe/0x20
[ 25.073220][ C1] ath9k_wmi_ctrl_rx+0x416/0x500
[ 25.078544][ C1] ? ath9k_wmi_event_tasklet+0x440/0x440
[ 25.084164][ C1] ath9k_htc_rx_msg+0x2da/0xaf0
[ 25.088996][ C1] ath9k_hif_usb_reg_in_cb+0x1ba/0x630
[ 25.094567][ C1] ? trace_hardirqs_off+0x50/0x200
[ 25.099680][ C1] __usb_hcd_giveback_urb+0x29a/0x550
[ 25.105045][ C1] usb_hcd_giveback_urb+0x368/0x420
[ 25.110222][ C1] dummy_timer+0x1258/0x32ae
[ 25.114806][ C1] ? dummy_udc_probe+0x930/0x930
[ 25.119725][ C1] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 25.125249][ C1] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 25.130508][ C1] call_timer_fn+0x195/0x6f0
[ 25.135090][ C1] ? dummy_udc_probe+0x930/0x930
[ 25.140023][ C1] ? msleep_interruptible+0x130/0x130
[ 25.145376][ C1] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 25.150913][ C1] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 25.156465][ C1] ? _raw_spin_unlock_irq+0x1f/0x30
[ 25.161661][ C1] ? dummy_udc_probe+0x930/0x930
[ 25.166595][ C1] run_timer_softirq+0x5f9/0x1500
[