[ 12.639925][ C1] random: crng init done
[ 12.641260][ C1] random: 7 urandom warning(s) missed due to ratelimiting
Debian GNU/Linux 9 syzkaller ttyS0
syzkaller login: [ 22.172880][ T375] can: request_module (can-proto-0) failed.
[ 22.505871][ T375] can: request_module (can-proto-0) failed.
[ 22.515710][ T375] can: request_module (can-proto-7) failed.
[ 22.526165][ T375] can: request_module (can-proto-0) failed.
Warning: Permanently added '10.128.0.223' (ECDSA) to the list of known hosts.
2020/04/01 05:12:04 parsed 1 programs
2020/04/01 05:12:04 executed programs: 0
[ 29.832486][ T527] cgroup: Unknown subsys name 'perf_event'
[ 29.835509][ T531] cgroup: Unknown subsys name 'perf_event'
[ 29.839010][ T530] cgroup: Unknown subsys name 'perf_event'
[ 29.856725][ T533] cgroup: Unknown subsys name 'perf_event'
[ 29.856742][ T536] cgroup: Unknown subsys name 'perf_event'
[ 29.862919][ T533] cgroup: Unknown subsys name 'net_cls'
[ 29.869668][ T536] cgroup: Unknown subsys name 'net_cls'
[ 29.874912][ T535] cgroup: Unknown subsys name 'perf_event'
[ 29.880065][ T527] cgroup: Unknown subsys name 'net_cls'
[ 29.888108][ T535] cgroup: Unknown subsys name 'net_cls'
[ 29.892791][ T530] cgroup: Unknown subsys name 'net_cls'
[ 29.905212][ T531] cgroup: Unknown subsys name 'net_cls'
[ 37.902275][ T83] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 37.962229][ T95] usb 3-1: new high-speed USB device number 2 using dummy_hcd
[ 38.162139][ T17] usb 2-1: new high-speed USB device number 2 using dummy_hcd
[ 38.202081][ T3223] usb 4-1: new high-speed USB device number 2 using dummy_hcd
[ 38.262112][ T12] usb 5-1: new high-speed USB device number 2 using dummy_hcd
[ 38.269774][ T5] usb 6-1: new high-speed USB device number 2 using dummy_hcd
[ 38.272521][ T83] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 38.286705][ T83] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 38.294968][ T83] usb 1-1: Product: syz
[ 38.299260][ T83] usb 1-1: Manufacturer: syz
[ 38.304051][ T83] usb 1-1: SerialNumber: syz
[ 38.353492][ T83] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 38.372582][ T95] usb 3-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 38.381645][ T95] usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 38.389933][ T95] usb 3-1: Product: syz
[ 38.394245][ T95] usb 3-1: Manufacturer: syz
[ 38.398846][ T95] usb 3-1: SerialNumber: syz
[ 38.442712][ T95] usb 3-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 38.562100][ T17] usb 2-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 38.571212][ T17] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 38.579280][ T17] usb 2-1: Product: syz
[ 38.583569][ T17] usb 2-1: Manufacturer: syz
[ 38.588156][ T17] usb 2-1: SerialNumber: syz
[ 38.632179][ T3223] usb 4-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 38.641447][ T3223] usb 4-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 38.649534][ T3223] usb 4-1: Product: syz
[ 38.653954][ T3223] usb 4-1: Manufacturer: syz
[ 38.658545][ T3223] usb 4-1: SerialNumber: syz
[ 38.664241][ T17] usb 2-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 38.672599][ T5] usb 6-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 38.681771][ T5] usb 6-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 38.689974][ T5] usb 6-1: Product: syz
[ 38.694204][ T5] usb 6-1: Manufacturer: syz
[ 38.698975][ T5] usb 6-1: SerialNumber: syz
[ 38.703906][ T12] usb 5-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 38.712657][ T3223] usb 4-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 38.713247][ T12] usb 5-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 38.729390][ T12] usb 5-1: Product: syz
[ 38.733775][ T12] usb 5-1: Manufacturer: syz
[ 38.738385][ T12] usb 5-1: SerialNumber: syz
[ 38.782507][ T5] usb 6-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 38.791190][ T12] usb 5-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 38.951978][ T83] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[ 39.081939][ T95] usb 3-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
[ 39.171975][ C1] ==================================================================
[ 39.180360][ C1] BUG: KASAN: use-after-free in ath9k_htc_rx_msg+0xa25/0xaf0
[ 39.187718][ C1] Write of size 2 at addr ffff8881d8adb1b0 by task swapper/1/0
[ 39.195246][ C1]
[ 39.197562][ C1] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.6.0-rc7-syzkaller #0
[ 39.205440][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 39.215493][ C1] Call Trace:
[ 39.218771][ C1] <IRQ>
[ 39.221676][ C1] dump_stack+0xef/0x16e
[ 39.225909][ C1] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 39.231047][ C1] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 39.236060][ C1] print_address_description.constprop.0.cold+0xd3/0x314
[ 39.243073][ C1] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 39.248083][ C1] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 39.253089][ C1] __kasan_report.cold+0x37/0x77
[ 39.258031][ C1] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 39.263037][ C1] kasan_report+0xe/0x20
[ 39.267266][ C1] ath9k_htc_rx_msg+0xa25/0xaf0
[ 39.272106][ C1] ath9k_hif_usb_reg_in_cb+0x1ba/0x630
[ 39.277609][ C1] ? _raw_read_unlock+0x1a/0x30
[ 39.282462][ C1] ? led_trigger_blink_oneshot+0xb4/0xe0
[ 39.288133][ C1] __usb_hcd_giveback_urb+0x1f2/0x470
[ 39.293491][ C1] usb_hcd_giveback_urb+0x368/0x420
[ 39.298673][ C1] dummy_timer+0x1258/0x32ae
[ 39.303347][ C1] ? dummy_udc_probe+0x930/0x930
[ 39.308284][ C1] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 39.313812][ C1] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 39.319265][ C1] call_timer_fn+0x195/0x6f0
[ 39.323879][ C1] ? dummy_udc_probe+0x930/0x930
[ 39.328811][ C1] ? msleep_interruptible+0x130/0x130
[ 39.334186][ C1] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 39.339716][ C1] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 39.344987][ C1] ? _raw_spin_unlock_irq+0x1f/0x30
[ 39.350873][ C1] ? dummy_udc_probe+0x930/0x930
[ 39.354105][ T3243] usb 1-1: USB disconnect, device number 2
[ 39.355825][ C1] run_timer_softirq+0x5f9/0x1500
[ 39.366655][ C1] ? add_timer+0x7a0/0x7a0
[ 39.371088][ C1] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 39.376667][ C1] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 39.381969][ C1] __do_softirq+0x21e/0x950
[ 39.386490][ C1] irq_exit+0x178/0x1a0
[ 39.390655][ C1] smp_apic_timer_interrupt+0x141/0x540
[ 39.396307][ C1] apic_timer_interrupt+0xf/0x20
[ 39.401233][ C1] </IRQ>
[ 39.404217][ C1] RIP: 0010:default_idle+0x28/0x300
[ 39.409401][ C1] Code: cc cc 41 56 41 55 65 44 8b 2d 04 3b 72 7a 41 54 55 53 0f 1f 44 00 00 e8 b6 27 b5 fb e9 07 00 00 00 0f 00 2d aa d0 52 00 fb f4 <65> 44 8b 2d e0 3a 72 7a 0f 1f 44 00 00 5b 5d 41 5c 41 5d 41 5e c3
[ 39.428989][ C1] RSP: 0018:ffff8881da22fda8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
[ 39.437391][ C1] RAX: 0000000000000007 RBX: ffff8881da213100 RCX: 0000000000000000
[ 39.445368][ C1] RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffff8881da21394c
[ 39.453335][ C1] RBP: ffffed103b442620 R08: ffff8881da213100 R09: 0000000000000000
[ 39.461301][ C1] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
[ 39.469380][ C1] R13: 0000000000000001 R14: ffffffff87e61400 R15: 0000000000000000
[ 39.477357][ C1] ? default_idle+0x1a/0x300
[ 39.481937][ C1] do_idle+0x3e0/0x500
[ 39.483002][ T3250] usb 3-1: USB disconnect, device number 2
[ 39.486026][ C1] ? __wake_up_common+0x147/0x650
[ 39.496994][ C1] ? arch_cpu_idle_exit+0x40/0x40
[ 39.502030][ C1] ? _raw_spin_unlock_irqrestore+0x39/0x40
[ 39.507853][ C1] ? lockdep_hardirqs_on+0x382/0x580
[ 39.513268][ C1] cpu_startup_entry+0x14/0x20
[ 39.518048][ C1] start_secondary+0x2a4/0x390
[ 39.522843][ C1] ? set_cpu_sibling_map+0x1e90/0x1e90
[ 39.528350][ C1] secondary_startup_64+0xb6/0xc0
[ 39.533366][ C1]
[ 39.535699][ C1] Allocated by task 150:
[ 39.539948][ C1] save_stack+0x1b/0x80
[ 39.544425][ C1] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 39.550061][ C1] sk_prot_alloc+0x1f6/0x2c0
[ 39.554641][ C1] sk_alloc+0x36/0x710
[ 39.558708][ C1] __netlink_create+0x63/0x280
[ 39.563456][ C1] netlink_create+0x3a1/0x5d0
[ 39.568121][ C1] __sock_create+0x3d1/0x740
[ 39.572694][ C1] __sys_socket+0xef/0x200
[ 39.577092][ C1] __x64_sys_socket+0x6f/0xb0
[ 39.581773][ C1] do_syscall_64+0xb6/0x5a0
[ 39.586271][ C1] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 39.592283][ C1]
[ 39.594747][ C1] Freed by task 0:
[ 39.598457][ C1] save_stack+0x1b/0x80
[ 39.602594][ C1] __kasan_slab_free+0x117/0x160
[ 39.607514][ C1] kfree+0xd5/0x300
[ 39.611304][ C1] __sk_destruct+0x545/0x740
[ 39.615969][ C1] sk_destruct+0xc6/0x100
[ 39.620286][ C1] __sk_free+0xef/0x3d0
[ 39.624467][ C1] sk_free+0x78/0xa0
[ 39.628456][ C1] deferred_put_nlk_sk+0x151/0x2e0
[ 39.633599][ C1] rcu_core+0x5ae/0x1b00
[ 39.637827][ C1] __do_softirq+0x21e/0x950
[ 39.642323][ C1]
[ 39.644637][ C1] The buggy address belongs to the object at ffff8881d8adb000
[ 39.644637][ C1] which belongs to the cache kmalloc-2k of size 2048
[ 39.659029][ C1] The buggy address is located 432 bytes inside of
[ 39.659029][ C1] 2048-byte region [ffff8881d8adb000, ffff8881d8adb800)
[ 39.672379][ C1] The buggy address belongs to the page:
[ 39.678000][ C1] page:ffffea000762b600 refcount:1 mapcount:0 mapping:ffff8881da00c000 index:0x0 compound_mapcount: 0
[ 39.689083][ C1] flags: 0x200000000010200(slab|head)
[ 39.694438][ C1] raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da00c000
[ 39.703001][ C1] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[ 39.711567][ C1] page dumped because: kasan: bad access detected
[ 39.718051][ C1]
[ 39.720363][ C1] Memory state around the buggy address:
[ 39.725980][ C1] ffff8881d8adb080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.734040][ C1] ffff8881d8adb100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.742084][ C1] >ffff8881d8adb180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.750232][ C1] ^
[ 39.755853][ C1] ffff8881d8adb200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.764000][ C1] ffff8881d8adb280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.772138][ C1] ==================================================================
[ 39.780433][ C1] Disabling lock debugging due to kernel taint
[ 39.786638][ C1] Kernel panic - not syncing: panic_on_warn set ...
[ 39.793333][ C1] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G B 5.6.0-rc7-syzkaller #0
[ 39.802661][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 39.812757][ C1] Call Trace:
[ 39.816033][ C1] <IRQ>
[ 39.818913][ C1] dump_stack+0xef/0x16e
[ 39.823173][ C1] panic+0x2aa/0x6e1
[ 39.827049][ C1] ? add_taint.cold+0x16/0x16
[ 39.831723][ C1] ? print_shadow_for_address+0xb8/0x114
[ 39.837450][ C1] ? trace_hardirqs_off+0x50/0x200
[ 39.842570][ C1] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 39.847668][ C1] end_report+0x43/0x49
[ 39.851810][ C1] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 39.856827][ C1] __kasan_report.cold+0x55/0x77
[ 39.861762][ C1] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 39.866771][ C1] kasan_report+0xe/0x20
[ 39.871001][ C1] ath9k_htc_rx_msg+0xa25/0xaf0
[ 39.875840][ C1] ath9k_hif_usb_reg_in_cb+0x1ba/0x630
[ 39.881280][ C1] ? _raw_read_unlock+0x1a/0x30
[ 39.886120][ C1] ? led_trigger_blink_oneshot+0xb4/0xe0
[ 39.891877][ C1] __usb_hcd_giveback_urb+0x1f2/0x470
[ 39.897300][ C1] usb_hcd_giveback_urb+0x368/0x420
[ 39.902648][ C1] dummy_timer+0x1258/0x32ae
[ 39.907232][ C1] ? dummy_udc_probe+0x930/0x930
[ 39.912166][ C1] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 39.917693][ C1] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 39.922976][ C1] call_timer_fn+0x195/0x6f0
[ 39.927677][ C1] ? dummy_udc_probe+0x930/0x930
[ 39.932611][ C1] ? msleep_interruptible+0x130/0x130
[ 39.938081][ C1] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 39.943634][ C1] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 39.948938][ C1] ? _raw_spin_unlock_irq+0x1f/0x30
[ 39.954115][ C1] ? dummy_udc_probe+0x930/0x930
[ 39.959051][ C1] run_timer_softirq+0x5f9/0x1500
[ 39.964059][ C1] ? add_timer+0x7a0/0x7a0
[ 39.968464][ C1] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 39.974002][ C1] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 39.979264][ C1] __do_softirq+0x21e/0x950
[ 39.983763][ C1] irq_exit+0x178/0x1a0
[ 39.987920][ C1] smp_apic_timer_interrupt+0x141/0x540
[ 39.993462][ C1] apic_timer_interrupt+0xf/0x20
[ 39.998498][ C1] </IRQ>
[ 40.001441][ C1] RIP: 0010:default_idle+0x28/0x300
[ 40.006628][ C1] Code: cc cc 41 56 41 55 65 44 8b 2d 04 3b 72 7a 41 54 55 53 0f 1f 44 00 00 e8 b6 27 b5 fb e9 07 00 00 00 0f 00 2d aa d0 52 00 fb f4 <65> 44 8b 2d e0 3a 72 7a 0f 1f 44 00 00 5b 5d 41 5c 41 5d 41 5e c3
[ 40.026329][ C1] RSP: 0018:ffff8881da22fda8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
[ 40.034736][ C1] RAX: 0000000000000007 RBX: ffff8881da213100 RCX: 0000000000000000
[ 40.042687][ C1] RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffff8881da21394c
[ 40.050654][ C1] RBP: ffffed103b442620 R08: ffff8881da213100 R09: 0000000000000000
[ 40.058605][ C1] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
[ 40.066556][ C1] R13: 0000000000000001 R14: ffffffff87e61400 R15: 0000000000000000
[ 40.074626][ C1] ? default_idle+0x1a/0x300
[ 40.079195][ C1] do_idle+0x3e0/0x500
[ 40.083276][ C1] ? __wake_up_common+0x147/0x650
[ 40.088288][ C1] ? arch_cpu_idle_exit+0x40/0x40
[ 40.093300][ C1] ? _raw_spin_unlock_irqrestore+0x39/0x40
[ 40.099106][ C1] ? lockdep_hardirqs_on+0x382/0x580
[ 40.104385][ C1] cpu_startup_entry+0x14/0x20
[ 40.109129][ C1] start_secondary+0x2a4/0x390
[ 40.113881][ C1] ? set_cpu_sibling_map+0x1e90/0x1e90
[ 40.119317][ C1] secondary_startup_64+0xb6/0xc0
[ 40.125258][ C1] Kernel Offset: disabled
[ 40.129568][ C1] Rebooting in 86400 seconds..
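Added example, not part of the syzbot console log above and not syzkaller or kernel code: a small Python triage script that parses the KASAN report fields the log prints (bug type, faulting frame, access, allocation and free stacks, object geometry, shadow bytes) and cross-checks them against each other before anyone starts bisecting. Its sample input is copied from the report above, trimmed to the lines the parser consumes; the shadow byte meanings are the values from mm/kasan/kasan.h; the list of "plumbing" frames to skip over is this script's own heuristic, not anything KASAN defines.

```python
"""Triage helper for a KASAN report from a syzkaller console log.

Added example, not part of the syzbot log above nor syzkaller/kernel code: it
extracts the fields KASAN prints and cross-checks them against each other.
"""
import re

# Sample input: lines copied from the report above, trimmed to what the parser
# consumes (the idle-loop frames and most repeated "?" frames are dropped).
SAMPLE_REPORT = """\
[ 39.180360][ C1] BUG: KASAN: use-after-free in ath9k_htc_rx_msg+0xa25/0xaf0
[ 39.187718][ C1] Write of size 2 at addr ffff8881d8adb1b0 by task swapper/1/0
[ 39.215493][ C1] Call Trace:
[ 39.218771][ C1] <IRQ>
[ 39.221676][ C1] dump_stack+0xef/0x16e
[ 39.225909][ C1] ? ath9k_htc_rx_msg+0xa25/0xaf0
[ 39.253089][ C1] __kasan_report.cold+0x37/0x77
[ 39.263037][ C1] kasan_report+0xe/0x20
[ 39.267266][ C1] ath9k_htc_rx_msg+0xa25/0xaf0
[ 39.272106][ C1] ath9k_hif_usb_reg_in_cb+0x1ba/0x630
[ 39.533366][ C1]
[ 39.535699][ C1] Allocated by task 150:
[ 39.539948][ C1] save_stack+0x1b/0x80
[ 39.544425][ C1] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 39.550061][ C1] sk_prot_alloc+0x1f6/0x2c0
[ 39.558708][ C1] __netlink_create+0x63/0x280
[ 39.592283][ C1]
[ 39.594747][ C1] Freed by task 0:
[ 39.598457][ C1] save_stack+0x1b/0x80
[ 39.602594][ C1] __kasan_slab_free+0x117/0x160
[ 39.607514][ C1] kfree+0xd5/0x300
[ 39.611304][ C1] __sk_destruct+0x545/0x740
[ 39.628456][ C1] deferred_put_nlk_sk+0x151/0x2e0
[ 39.642323][ C1]
[ 39.644637][ C1] The buggy address belongs to the object at ffff8881d8adb000
[ 39.644637][ C1] which belongs to the cache kmalloc-2k of size 2048
[ 39.659029][ C1] The buggy address is located 432 bytes inside of
[ 39.720363][ C1] Memory state around the buggy address:
[ 39.742084][ C1] >ffff8881d8adb180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.772138][ C1] ==================================================================
"""

PREFIX = re.compile(r"^\[\s*[\d.]+\]\[\s*[CT]\d+\]\s?")          # "[ 39.18][ C1] "
FRAME = re.compile(r"^(\? )?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")  # "? fn+0x1/0x2"
SHADOW = re.compile(r"^>?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$")
# Heuristic: KASAN/allocator plumbing frames; the frame after them is the one to read.
PLUMBING = ("dump_stack", "print_address_description", "__kasan_report",
            "kasan_report", "save_stack", "__kasan_kmalloc", "__kasan_slab_free",
            "kfree")
# Shadow byte meanings from mm/kasan/kasan.h; one shadow byte covers 8 bytes.
SHADOW_STATE = {"00": "accessible", "fb": "freed slab object", "fc": "slab redzone",
                "fe": "page redzone", "ff": "freed page"}


def parse_kasan_report(text):
    r = {"trace": [], "alloc_stack": [], "free_stack": [], "shadow": {}}
    section = None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if not line or line.startswith("="):      # blank line or rule ends a section
            section = None
        elif m := re.match(r"BUG: KASAN: (\S+) in ([\w.]+)\+0x[0-9a-f]+/", line):
            r["bug"], r["func"] = m[1], m[2]
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (.+)", line):
            r.update(access=m[1], size=int(m[2]), addr=int(m[3], 16), task=m[4])
        elif line == "Call Trace:":
            section = "trace"
        elif m := re.match(r"(Allocated|Freed) by task (\d+):", line):
            section = "alloc_stack" if m[1] == "Allocated" else "free_stack"
            r[section.replace("stack", "task")] = int(m[2])
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            r["object"] = int(m[1], 16)
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", line):
            r["cache"], r["object_size"] = m[1], int(m[2])
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of", line):
            r["offset"] = int(m[1])
        elif line.startswith("Memory state around"):
            section = "shadow"
        elif section == "shadow" and (m := SHADOW.match(line)):
            r["shadow"][int(m[1], 16)] = m[2].split()
        elif section in ("trace", "alloc_stack", "free_stack") and (m := FRAME.match(line)):
            r[section].append((m[1] is not None, m[2]))   # (unreliable?, symbol)
    return r


def real_frames(stack):
    """Reliable frames (no '?') that are not plumbing, innermost first."""
    return [n for unreliable, n in stack if not unreliable and not n.startswith(PLUMBING)]


def triage(r):
    """Name the frames worth reading and check the report against itself."""
    trace, alloc, free = (real_frames(r[k]) for k in ("trace", "alloc_stack", "free_stack"))
    row = r["addr"] & ~0x7f                       # a printed shadow row covers 128 bytes
    row_bytes = r["shadow"].get(row)
    byte = row_bytes[(r["addr"] - row) // 8] if row_bytes else None
    return {
        "crash_site": trace[0] if trace else None,
        "caller": trace[1] if len(trace) > 1 else None,
        "alloc_site": alloc[0] if alloc else None,
        "free_site": free[0] if free else None,
        # addr - object base must equal the offset KASAN printed, and the access
        # must not run past the end of the object
        "offset_consistent": r["addr"] - r["object"] == r["offset"],
        "inside_object": r["offset"] + r["size"] <= r["object_size"],
        "shadow_state": SHADOW_STATE.get(byte, "partial/other"),
        # a use-after-free should land on 'fb'; anything else deserves a second look
        "bug_matches_shadow": r["bug"] == "use-after-free" and byte == "fb",
    }


if __name__ == "__main__":
    for key, value in triage(parse_kasan_report(SAMPLE_REPORT)).items():
        print(f"{key:20} {value}")
```

Run against the report above this yields crash site ath9k_htc_rx_msg, called from the USB completion callback ath9k_hif_usb_reg_in_cb in softirq context, a 2-byte write 432 bytes into a kmalloc-2k object whose shadow byte is fb (freed), with the object last allocated by a netlink socket (sk_prot_alloc via __netlink_create, task 150) and freed from an RCU callback (__sk_destruct via deferred_put_nlk_sk). Two caveats when reading such output: the alloc/free stacks describe the slab slot's most recent owner, not necessarily the object the driver believes it holds, so a wireless driver writing into a former netlink sock means the driver's pointer is stale and the slot has already changed hands at least once; and the "usb 1-1: USB disconnect" lines interleaved with the trace come from other tasks, which makes them worth correlating with the URB completion when reproducing, although the report by itself does not establish that ordering as the cause.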