Warning: Permanently added '10.128.0.31' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 37.980187][ T72] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 38.270171][ T72] usb 1-1: too many configurations: 160, using maximum allowed: 8
[ 38.349981][ T72] usb 1-1: config index 0 descriptor too short (expected 65204, got 72)
[ 38.429980][ T72] usb 1-1: config index 1 descriptor too short (expected 65204, got 72)
[ 38.509931][ T72] usb 1-1: config index 2 descriptor too short (expected 65204, got 72)
[ 38.589912][ T72] usb 1-1: config index 3 descriptor too short (expected 65204, got 72)
[ 38.679882][ T72] usb 1-1: config index 4 descriptor too short (expected 65204, got 72)
[ 38.759883][ T72] usb 1-1: config index 5 descriptor too short (expected 65204, got 72)
[ 38.839831][ T72] usb 1-1: config index 6 descriptor too short (expected 65204, got 72)
[ 38.919803][ T72] usb 1-1: config index 7 descriptor too short (expected 65204, got 72)
[ 39.089776][ T72] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 39.098851][ T72] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 39.106923][ T72] usb 1-1: Product: syz
[ 39.111182][ T72] usb 1-1: Manufacturer: syz
[ 39.115761][ T72] usb 1-1: SerialNumber: syz
[ 39.161003][ T72] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 39.839457][ T72] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[ 40.889085][ T72] ath9k_htc 1-1:1.0: ath9k_htc: Target is unresponsive
[ 40.896130][ T72] ath9k_htc: Failed to initialize the device
executing program
[ 41.061987][ T21] usb 1-1: USB disconnect, device number 2
[ 41.090858][ T21] usb 1-1: ath9k_htc: USB layer deinitialized
[ 41.468871][ T21] usb 1-1: new high-speed USB device number 3 using dummy_hcd
[ 41.748905][ T21] usb 1-1: too many configurations: 160, using maximum allowed: 8
[ 41.828897][ T21] usb 1-1: config index 0 descriptor too short (expected 65204, got 72)
[ 41.908848][ T21] usb 1-1: config index 1 descriptor too short (expected 65204, got 72)
[ 41.988840][ T21] usb 1-1: config index 2 descriptor too short (expected 65204, got 72)
[ 42.078803][ T21] usb 1-1: config index 3 descriptor too short (expected 65204, got 72)
[ 42.158811][ T21] usb 1-1: config index 4 descriptor too short (expected 65204, got 72)
[ 42.238770][ T21] usb 1-1: config index 5 descriptor too short (expected 65204, got 72)
[ 42.318726][ T21] usb 1-1: config index 6 descriptor too short (expected 65204, got 72)
[ 42.398754][ T21] usb 1-1: config index 7 descriptor too short (expected 65204, got 72)
[ 42.558701][ T21] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 42.567754][ T21] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 42.575820][ T21] usb 1-1: Product: syz
[ 42.580034][ T21] usb 1-1: Manufacturer: syz
[ 42.584616][ T21] usb 1-1: SerialNumber: syz
[ 42.650926][ T21] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 43.238448][ T21] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[ 44.328136][ T21] ath9k_htc 1-1:1.0: ath9k_htc: Target is unresponsive
[ 44.335087][ T21] ath9k_htc: Failed to initialize the device
executing program
[ 44.460190][ T72] usb 1-1: USB disconnect, device number 3
[ 44.472540][ T72] usb 1-1: ath9k_htc: USB layer deinitialized
[ 44.837985][ T72] usb 1-1: new high-speed USB device number 4 using dummy_hcd
[ 45.118025][ T72] usb 1-1: too many configurations: 160, using maximum allowed: 8
[ 45.198003][ T72] usb 1-1: config index 0 descriptor too short (expected 65204, got 72)
[ 45.278006][ T72] usb 1-1: config index 1 descriptor too short (expected 65204, got 72)
[ 45.367990][ T72] usb 1-1: config index 2 descriptor too short (expected 65204, got 72)
[ 45.447983][ T72] usb 1-1: config index 3 descriptor too short (expected 65204, got 72)
[ 45.527940][ T72] usb 1-1: config index 4 descriptor too short (expected 65204, got 72)
[ 45.617879][ T72] usb 1-1: config index 5 descriptor too short (expected 65204, got 72)
[ 45.697874][ T72] usb 1-1: config index 6 descriptor too short (expected 65204, got 72)
[ 45.777889][ T72] usb 1-1: config index 7 descriptor too short (expected 65204, got 72)
[ 45.937831][ T72] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 45.946887][ T72] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 45.954931][ T72] usb 1-1: Product: syz
[ 45.959145][ T72] usb 1-1: Manufacturer: syz
[ 45.963723][ T72] usb 1-1: SerialNumber: syz
[ 46.008437][ T72] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 46.577732][ T72] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[ 47.607411][ T72] ath9k_htc 1-1:1.0: ath9k_htc: Target is unresponsive
[ 47.614424][ T72] ath9k_htc: Failed to initialize the device
[ 47.620702][ C1] ==================================================================
[ 47.620763][ C1] BUG: KASAN: use-after-free in ath9k_hif_usb_rx_cb+0xc67/0xf80
[ 47.620774][ C1] Read of size 4 at addr ffff8881cc4740a4 by task kworker/1:2/72
[ 47.620777][ C1]
[ 47.620791][ C1] CPU: 1 PID: 72 Comm: kworker/1:2 Not tainted 5.9.0-rc1-syzkaller #0
[ 47.620799][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 47.620813][ C1] Workqueue: events request_firmware_work_func
[ 47.620819][ C1] Call Trace:
[ 47.620824][ C1]
[ 47.620839][ C1] dump_stack+0xf6/0x16e
[ 47.620850][ C1] ? ath9k_hif_usb_rx_cb+0xc67/0xf80
[ 47.620872][ C1] ? ath9k_hif_usb_rx_cb+0xc67/0xf80
[ 47.620887][ C1] print_address_description.constprop.0+0x1c/0x210
[ 47.620900][ C1] ? vprintk_func+0x93/0x133
[ 47.620912][ C1] ? ath9k_hif_usb_rx_cb+0xc67/0xf80
[ 47.620926][ C1] ? ath9k_hif_usb_rx_cb+0xc67/0xf80
[ 47.620939][ C1] kasan_report.cold+0x37/0x7c
[ 47.620951][ C1] ? ath9k_hif_usb_rx_cb+0xc67/0xf80
[ 47.620964][ C1] ath9k_hif_usb_rx_cb+0xc67/0xf80
[ 47.620979][ C1] ? __usb_hcd_giveback_urb+0x302/0x560
[ 47.620991][ C1] ? hif_usb_start+0xa0/0xa0
[ 47.621005][ C1] ? lock_downgrade+0x740/0x740
[ 47.621018][ C1] ? trace_hardirqs_off+0x27/0x1f0
[ 47.621033][ C1] __usb_hcd_giveback_urb+0x32d/0x560
[ 47.621048][ C1] usb_hcd_giveback_urb+0x367/0x410
[ 47.621062][ C1] dummy_timer+0x11f2/0x3240
[ 47.621075][ C1] ? lock_downgrade+0x740/0x740
[ 47.621086][ C1] ? dummy_dequeue+0x490/0x490
[ 47.621098][ C1] call_timer_fn+0x1ac/0x6e0
[ 47.621111][ C1] ? dummy_dequeue+0x490/0x490
[ 47.621123][ C1] ? timer_fixup_init+0x60/0x60
[ 47.621138][ C1] ? _raw_spin_unlock_irq+0x1f/0x30
[ 47.621150][ C1] ? lockdep_hardirqs_on_prepare+0x19c/0x4f0
[ 47.621159][ C1] ? trace_hardirqs_on+0x5f/0x200
[ 47.621169][ C1] ? dummy_dequeue+0x490/0x490
[ 47.621180][ C1] __run_timers.part.0+0x67c/0xa60
[ 47.621192][ C1] ? call_timer_fn+0x6e0/0x6e0
[ 47.621204][ C1] ? mark_lock+0xbc/0x1590
[ 47.621220][ C1] ? clockevents_program_event+0x12b/0x350
[ 47.621232][ C1] ? mark_held_locks+0x9f/0xe0
[ 47.621244][ C1] run_timer_softirq+0x80/0x120
[ 47.621259][ C1] __do_softirq+0x1af/0x91c
[ 47.621273][ C1] asm_call_on_stack+0xf/0x20
[ 47.621279][ C1]
[ 47.621295][ C1] do_softirq_own_stack+0x73/0x90
[ 47.621307][ C1] irq_exit_rcu+0x107/0x1a0
[ 47.621323][ C1] sysvec_apic_timer_interrupt+0x43/0x90
[ 47.621337][ C1] asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 47.621350][ C1] RIP: 0010:console_unlock+0xa99/0xcd0
[ 47.621366][ C1] Code: 00 89 ee 48 c7 c7 a0 0a 35 87 e8 12 b9 03 00 65 ff 0d 3b 48 d8 7e e9 87 f9 ff ff e8 f1 59 16 00 e8 dc f2 1b 00 ff 74 24 30 9d 20 fe ff ff e8 dd 59 16 00 48 8d 7d 08 48 89 f8 48 c1 e8 03 42
[ 47.621374][ C1] RSP: 0018:ffff8881d476fa18 EFLAGS: 00000293
[ 47.621386][ C1] RAX: 0000000000005d3f RBX: 0000000000000200 RCX: 0000000000000006
[ 47.621395][ C1] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff8129a6d4
[ 47.621403][ C1] RBP: 0000000000000000 R08: 0000000000000001 R09: ffffffff895c65e7
[ 47.621412][ C1] R10: fffffbfff12b8cbc R11: 0000000000003754 R12: ffffffff82b3d6f0
[ 47.621421][ C1] R13: ffffffff876fa450 R14: 0000000000000042 R15: dffffc0000000000
[ 47.621436][ C1] ? netconsole_netdev_event+0x2b0/0x2b0
[ 47.621448][ C1] ? console_unlock+0xa94/0xcd0
[ 47.621461][ C1] vprintk_emit+0x1b2/0x460
[ 47.621473][ C1] vprintk_func+0x8b/0x133
[ 47.621485][ C1] printk+0xba/0xed
[ 47.621497][ C1] ? log_store.cold+0x16/0x16
[ 47.621509][ C1] ? usb_submit_urb+0xb56/0x13e0
[ 47.621520][ C1] ? usb_free_urb+0x5c/0x110
[ 47.621535][ C1] ? ath9k_htc_hw_init.cold+0x5/0x2a
[ 47.621549][ C1] ? ath9k_htc_hw_init+0x3d/0x60
[ 47.621564][ C1] ath9k_htc_hw_init.cold+0x17/0x2a
[ 47.621581][ C1] ath9k_hif_usb_firmware_cb+0x274/0x530
[ 47.621597][ C1] ? ath9k_hif_usb_alloc_urbs+0x1010/0x1010
[ 47.621613][ C1] request_firmware_work_func+0x126/0x250
[ 47.621626][ C1] ? do_raw_spin_lock+0x120/0x260
[ 47.621649][ C1] ? request_firmware_into_buf+0x90/0x90
[ 47.621665][ C1] ? lockdep_hardirqs_on_prepare+0x322/0x4f0
[ 47.621678][ C1] process_one_work+0x94c/0x15f0
[ 47.621693][ C1] ? lock_release+0x7f0/0x7f0
[ 47.621713][ C1] ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 47.621725][ C1] ? rwlock_bug.part.0+0x90/0x90
[ 47.621738][ C1] worker_thread+0x64c/0x1120
[ 47.621754][ C1] ? __kthread_parkme+0x118/0x1d0
[ 47.621767][ C1] ? process_one_work+0x15f0/0x15f0
[ 47.621781][ C1] kthread+0x392/0x470
[ 47.621797][ C1] ? kthread_create_worker_on_cpu+0xf0/0xf0
[ 47.621813][ C1] ? kthread_create_worker_on_cpu+0xf0/0xf0
[ 47.621825][ C1] ret_from_fork+0x1f/0x30
[ 47.621831][ C1]
[ 47.621836][ C1] The buggy address belongs to the page:
[ 47.621852][ C1] page:000000001c5d6751 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1cc474
[ 47.621862][ C1] flags: 0x200000000000000()
[ 47.621880][ C1] raw: 0200000000000000 0000000000000000 ffffea0007311d08 0000000000000000
[ 47.621894][ C1] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 47.621899][ C1] page dumped because: kasan: bad access detected
[ 47.621902][ C1]
[ 47.621907][ C1] Memory state around the buggy address:
[ 47.621917][ C1] ffff8881cc473f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 47.621928][ C1] ffff8881cc474000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 47.621939][ C1] >ffff8881cc474080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 47.621945][ C1] ^
[ 47.621957][ C1] ffff8881cc474100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 47.621966][ C1] ffff8881cc474180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 47.621971][ C1] ==================================================================
[ 47.621976][ C1] Disabling lock debugging due to kernel taint
[ 47.621982][ C1] Kernel panic - not syncing: panic_on_warn set ...
[ 47.621998][ C1] CPU: 1 PID: 72 Comm: kworker/1:2 Tainted: G B 5.9.0-rc1-syzkaller #0
[ 47.622005][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 47.622018][ C1] Workqueue: events request_firmware_work_func
[ 47.622023][ C1] Call Trace:
[ 47.622027][ C1]
[ 47.622039][ C1] dump_stack+0xf6/0x16e
[ 47.622052][ C1] ? ath9k_hif_usb_rx_cb+0xc30/0xf80
[ 47.622063][ C1] panic+0x2aa/0x6e1
[ 47.622075][ C1] ? __warn_printk+0xf3/0xf3
[ 47.622089][ C1] ? _raw_spin_unlock_irqrestore+0x2a/0x40
[ 47.622100][ C1] ? trace_hardirqs_off+0x27/0x1f0
[ 47.622112][ C1] ? ath9k_hif_usb_rx_cb+0xc67/0xf80
[ 47.622124][ C1] ? ath9k_hif_usb_rx_cb+0xc67/0xf80
[ 47.622136][ C1] end_report+0x4d/0x53
[ 47.622149][ C1] kasan_report.cold+0x72/0x7c
[ 47.622160][ C1] ? ath9k_hif_usb_rx_cb+0xc67/0xf80
[ 47.622173][ C1] ath9k_hif_usb_rx_cb+0xc67/0xf80
[ 47.622185][ C1] ? __usb_hcd_giveback_urb+0x302/0x560
[ 47.622197][ C1] ? hif_usb_start+0xa0/0xa0
[ 47.622210][ C1] ? lock_downgrade+0x740/0x740
[ 47.622221][ C1] ? trace_hardirqs_off+0x27/0x1f0
[ 47.622234][ C1] __usb_hcd_giveback_urb+0x32d/0x560
[ 47.622248][ C1] usb_hcd_giveback_urb+0x367/0x410
[ 47.622259][ C1] dummy_timer+0x11f2/0x3240
[ 47.622272][ C1] ? lock_downgrade+0x740/0x740
[ 47.622283][ C1] ? dummy_dequeue+0x490/0x490
[ 47.622294][ C1] call_timer_fn+0x1ac/0x6e0
[ 47.622307][ C1] ? dummy_dequeue+0x490/0x490
[ 47.622316][ C1] ? timer_fixup_init+0x60/0x60
[ 47.622328][ C1] ? _raw_spin_unlock_irq+0x1f/0x30
[ 47.622342][ C1] ? lockdep_hardirqs_on_prepare+0x19c/0x4f0
[ 47.622351][ C1] ? trace_hardirqs_on+0x5f/0x200
[ 47.622363][ C1] ? dummy_dequeue+0x490/0x490
[ 47.622372][ C1] __run_timers.part.0+0x67c/0xa60
[ 47.622384][ C1] ? call_timer_fn+0x6e0/0x6e0
[ 47.622395][ C1] ? mark_lock+0xbc/0x1590
[ 47.622409][ C1] ? clockevents_program_event+0x12b/0x350
[ 47.622421][ C1] ? mark_held_locks+0x9f/0xe0
[ 47.622432][ C1] run_timer_softirq+0x80/0x120
[ 47.622444][ C1] __do_softirq+0x1af/0x91c
[ 47.622457][ C1] asm_call_on_stack+0xf/0x20
[ 47.622461][ C1]
[ 47.622475][ C1] do_softirq_own_stack+0x73/0x90
[ 47.622485][ C1] irq_exit_rcu+0x107/0x1a0
[ 47.622500][ C1] sysvec_apic_timer_interrupt+0x43/0x90
[ 47.622514][ C1] asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 47.622526][ C1] RIP: 0010:console_unlock+0xa99/0xcd0
[ 47.622540][ C1] Code: 00 89 ee 48 c7 c7 a0 0a 35 87 e8 12 b9 03 00 65 ff 0d 3b 48 d8 7e e9 87 f9 ff ff e8 f1 59 16 00 e8 dc f2 1b 00 ff 74 24 30 9d 20 fe ff ff e8 dd 59 16 00 48 8d 7d 08 48 89 f8 48 c1 e8 03 42
[ 47.622546][ C1] RSP: 0018:ffff8881d476fa18 EFLAGS: 00000293
[ 47.622554][ C1] RAX: 0000000000005d3f RBX: 0000000000000200 RCX: 0000000000000006
[ 47.622559][ C1] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff8129a6d4
[ 47.622566][ C1] RBP: 0000000000000000 R08: 0000000000000001 R09: ffffffff895c65e7
[ 47.622572][ C1] R10: fffffbfff12b8cbc R11: 0000000000003754 R12: ffffffff82b3d6f0
[ 47.622579][ C1] R13: ffffffff876fa450 R14: 0000000000000042 R15: dffffc0000000000
[ 47.622589][ C1] ? netconsole_netdev_event+0x2b0/0x2b0
[ 47.622597][ C1] ? console_unlock+0xa94/0xcd0
[ 47.622606][ C1] vprintk_emit+0x1b2/0x460
[ 47.622616][ C1] vprintk_func+0x8b/0x133
[ 47.622626][ C1] printk+0xba/0xed
[ 47.622637][ C1] ? log_store.cold+0x16/0x16
[ 47.622654][ C1] ? usb_submit_urb+0xb56/0x13e0
[ 47.622663][ C1] ? usb_free_urb+0x5c/0x110
[ 47.622676][ C1] ? ath9k_htc_hw_init.cold+0x5/0x2a
[ 47.622686][ C1] ? ath9k_htc_hw_init+0x3d/0x60
[ 47.622700][ C1] ath9k_htc_hw_init.cold+0x17/0x2a
[ 47.622710][ C1] ath9k_hif_usb_firmware_cb+0x274/0x530
[ 47.622732][ C1] ? ath9k_hif_usb_alloc_urbs+0x1010/0x1010
[ 47.622747][ C1] request_firmware_work_func+0x126/0x250
[ 47.622758][ C1] ? do_raw_spin_lock+0x120/0x260
[ 47.622771][ C1] ? request_firmware_into_buf+0x90/0x90
[ 47.622785][ C1] ? lockdep_hardirqs_on_prepare+0x322/0x4f0
[ 47.622796][ C1] process_one_work+0x94c/0x15f0
[ 47.622809][ C1] ? lock_release+0x7f0/0x7f0
[ 47.622820][ C1] ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 47.622831][ C1] ? rwlock_bug.part.0+0x90/0x90
[ 47.622842][ C1] worker_thread+0x64c/0x1120
[ 47.622856][ C1] ? __kthread_parkme+0x118/0x1d0
[ 47.622867][ C1] ? process_one_work+0x15f0/0x15f0
[ 47.622879][ C1] kthread+0x392/0x470
[ 47.622893][ C1] ? kthread_create_worker_on_cpu+0xf0/0xf0
[ 47.622907][ C1] ? kthread_create_worker_on_cpu+0xf0/0xf0
[ 47.622918][ C1] ret_from_fork+0x1f/0x30
[ 47.623707][ C1] Kernel Offset: disabled
[ 48.653285][ C1] Rebooting in 86400 seconds..