[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
[ OK ] Started Update UTMP about System Runlevel Changes.
Debian GNU/Linux 9 syzkaller ttyS0
syzkaller login: [ 15.151226][ C1] random: crng init done
[ 15.155857][ C1] random: 7 urandom warning(s) missed due to ratelimiting
Warning: Permanently added '10.128.0.188' (ECDSA) to the list of known hosts.
executing program
[ 22.395540][ T83] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 22.914600][ T83] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 22.923995][ T83] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 22.932040][ T83] usb 1-1: Product: syz
[ 22.936347][ T83] usb 1-1: Manufacturer: syz
[ 22.940936][ T83] usb 1-1: SerialNumber: syz
[ 22.985382][ T83] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 23.583913][ T83] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[ 23.793751][ C1] ==================================================================
[ 23.801927][ C1] BUG: KASAN: use-after-free in ath9k_htc_rx_msg+0xa25/0xaf0
[ 23.809715][ C1] Write of size 2 at addr ffff8881cdb18190 by task swapper/1/0
[ 23.817281][ C1]
[ 23.819597][ C1] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.7.0-rc6-syzkaller #0
[ 23.827482][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 23.837518][ C1] Call Trace:
[ 23.840794][ C1]
[ 23.843797][ C1] dump_stack+0xef/0x16e
[ 23.848013][ C1] print_address_description.constprop.0.cold+0xd3/0x415
[ 23.855008][ C1] ? vprintk_func+0x7d/0x113
[ 23.859585][ C1] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 23.864578][ C1] __kasan_report.cold+0x37/0x7d
[ 23.869502][ C1] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 23.874507][ C1] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 23.879512][ C1] kasan_report+0x33/0x50
[ 23.883813][ C1] ath9k_htc_rx_msg+0xa25/0xaf0
[ 23.888639][ C1] ath9k_hif_usb_reg_in_cb+0x1c0/0x630
[ 23.894086][ C1] ? _raw_read_unlock+0x1a/0x30
[ 23.898906][ C1] ? led_trigger_blink_oneshot+0xb4/0xe0
[ 23.904506][ C1] __usb_hcd_giveback_urb+0x1f2/0x470
[ 23.909860][ C1] usb_hcd_giveback_urb+0x368/0x420
[ 23.915030][ C1] dummy_timer+0x125e/0x32b4
[ 23.919591][ C1] ? dummy_udc_probe+0x980/0x980
[ 23.924497][ C1] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 23.930011][ C1] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 23.935265][ C1] call_timer_fn+0x1ac/0x700
[ 23.939851][ C1] ? dummy_udc_probe+0x980/0x980