Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.
[ 13.756287][ C1] random: crng init done
[ 13.760636][ C1] random: 7 urandom warning(s) missed due to ratelimiting
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.173' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 23.790122][ T95] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 24.319239][ T95] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08
[ 24.328352][ T95] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 24.336540][ T95] usb 1-1: Product: syz
[ 24.340779][ T95] usb 1-1: Manufacturer: syz
[ 24.345359][ T95] usb 1-1: SerialNumber: syz
[ 24.390154][ T95] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 24.958811][ T95] usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size: 51008
executing program
[ 25.360693][ T12] usb 1-1: USB disconnect, device number 2
[ 26.198057][ T95] usb 1-1: Service connection timeout for: 256
[ 26.204319][ T95] ==================================================================
[ 26.212443][ T95] BUG: KASAN: use-after-free in kfree_skb+0x32/0x3d0
[ 26.219100][ T95] Read of size 4 at addr ffff8881c306b0d4 by task kworker/0:2/95
[ 26.226790][ T95]
[ 26.229122][ T95] CPU: 0 PID: 95 Comm: kworker/0:2 Not tainted 5.7.0-rc6-syzkaller #0
[ 26.237252][ T95] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.247290][ T95] Workqueue: events request_firmware_work_func
[ 26.253414][ T95] Call Trace:
[ 26.256696][ T95] dump_stack+0xef/0x16e
[ 26.260929][ T95] print_address_description.constprop.0.cold+0xd3/0x415
[ 26.268013][ T95] ? vprintk_func+0x7d/0x113
[ 26.272578][ T95] ? kfree_skb+0x32/0x3d0
[ 26.276981][ T95] __kasan_report.cold+0x37/0x7d
[ 26.281895][ T95] ? kfree_skb+0x32/0x3d0
[ 26.286196][ T95] ? kfree_skb+0x32/0x3d0
[ 26.290500][ T95] kasan_report+0x33/0x50
[ 26.294804][ T95] check_memory_region+0x173/0x1d0
[ 26.299892][ T95] kfree_skb+0x32/0x3d0
[ 26.304041][ T95] htc_connect_service.cold+0xa9/0x109
[ 26.309513][ T95] ath9k_wmi_connect+0xd2/0x1a0
[ 26.314347][ T95] ? ath9k_fatal_work+0x20/0x20
[ 26.319179][ T95] ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 26.325254][ T95] ? ath9k_wmi_event_tasklet+0x440/0x440
[ 26.330866][ T95] ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 26.337268][ T95] ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 26.342529][ T95] ? lockdep_init_map_waits+0x26a/0x7c0
[ 26.348050][ T95] ? __raw_spin_lock_init+0x34/0x100
[ 26.353324][ T95] ? tasklet_init+0x69/0x110
[ 26.357914][ T95] ath9k_htc_probe_device+0x25a/0x1da0
[ 26.363350][ T95] ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 26.370015][ T95] ? usb_submit_urb+0x6ed/0x1460
[ 26.374939][ T95] ? usb_free_urb.part.0+0x52/0x110
[ 26.380109][ T95] ? usb_free_urb+0x1b/0x30
[ 26.384599][ T95] ath9k_htc_hw_init+0x31/0x60
[ 26.389340][ T95] ath9k_hif_usb_firmware_cb+0x274/0x510
[ 26.394951][ T95] ? ath9k_hif_usb_resume+0x320/0x320
[ 26.400395][ T95] request_firmware_work_func+0x126/0x242
[ 26.406372][ T95] ? request_firmware_into_buf+0x90/0x90
[ 26.411991][ T95] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 26.417533][ T95] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 26.422797][ T95] ? _raw_spin_unlock_irq+0x1f/0x30
[ 26.427972][ T95] process_one_work+0x965/0x1630
[ 26.432899][ T95] ? lock_release+0x720/0x720
[ 26.437564][ T95] ? pwq_dec_nr_in_flight+0x310/0x310
[ 26.442917][ T95] ? rwlock_bug.part.0+0x90/0x90
[ 26.447841][ T95] worker_thread+0x96/0xe20
[ 26.452333][ T95] ? process_one_work+0x1630/0x1630
[ 26.457514][ T95] kthread+0x326/0x430
[ 26.461566][ T95] ? kthread_create_on_node+0xf0/0xf0
[ 26.466911][ T95] ret_from_fork+0x24/0x30
[ 26.471313][ T95]
[ 26.473631][ T95] Allocated by task 95:
[ 26.477769][ T95] save_stack+0x1b/0x40
[ 26.481902][ T95] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 26.487521][ T95] kmem_cache_alloc_node+0xdc/0x330
[ 26.492703][ T95] __alloc_skb+0xba/0x5a0
[ 26.497008][ T95] htc_connect_service+0x2cc/0x840
[ 26.502092][ T95] ath9k_wmi_connect+0xd2/0x1a0
[ 26.506919][ T95] ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 26.513307][ T95] ath9k_htc_probe_device+0x25a/0x1da0
[ 26.518740][ T95] ath9k_htc_hw_init+0x31/0x60
[ 26.523479][ T95] ath9k_hif_usb_firmware_cb+0x274/0x510
[ 26.529086][ T95] request_firmware_work_func+0x126/0x242
[ 26.534779][ T95] process_one_work+0x965/0x1630
[ 26.539690][ T95] worker_thread+0x96/0xe20
[ 26.544164][ T95] kthread+0x326/0x430
[ 26.548219][ T95] ret_from_fork+0x24/0x30
[ 26.552603][ T95]
[ 26.554904][ T95] Freed by task 0:
[ 26.558599][ T95] save_stack+0x1b/0x40
[ 26.562728][ T95] __kasan_slab_free+0x117/0x160
[ 26.567638][ T95] kmem_cache_free+0x9b/0x360
[ 26.572290][ T95] kfree_skbmem+0xef/0x1b0
[ 26.576680][ T95] kfree_skb+0x102/0x3d0
[ 26.580906][ T95] ath9k_htc_txcompletion_cb+0x1f8/0x2b0
[ 26.586772][ T95] hif_usb_regout_cb+0x115/0x1c0
[ 26.591688][ T95] __usb_hcd_giveback_urb+0x29a/0x550
[ 26.597648][ T95] usb_hcd_giveback_urb+0x368/0x420
[ 26.602833][ T95] dummy_timer+0x125e/0x32b4
[ 26.607398][ T95] call_timer_fn+0x1ac/0x700
[ 26.611959][ T95] run_timer_softirq+0x5f9/0x1500
[ 26.616957][ T95] __do_softirq+0x21e/0x9aa
[ 26.621436][ T95]
[ 26.623765][ T95] The buggy address belongs to the object at ffff8881c306b000
[ 26.623765][ T95] which belongs to the cache skbuff_head_cache of size 224
[ 26.638572][ T95] The buggy address is located 212 bytes inside of
[ 26.638572][ T95] 224-byte region [ffff8881c306b000, ffff8881c306b0e0)
[ 26.651811][ T95] The buggy address belongs to the page:
[ 26.657422][ T95] page:ffffea00070c1ac0 refcount:1 mapcount:0 mapping:000000005b26f4ba index:0x0
[ 26.666510][ T95] flags: 0x200000000000200(slab)
[ 26.671423][ T95] raw: 0200000000000200 dead000000000100 dead000000000122 ffff8881da175400
[ 26.680068][ T95] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 26.688622][ T95] page dumped because: kasan: bad access detected
[ 26.695011][ T95]
[ 26.697331][ T95] Memory state around the buggy address:
[ 26.702949][ T95] ffff8881c306af80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 26.710986][ T95] ffff8881c306b000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.719020][ T95] >ffff8881c306b080: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 26.727052][ T95] ^
[ 26.733697][ T95] ffff8881c306b100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 26.741732][ T95] ffff8881c306b180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 26.749765][ T95] ==================================================================
[ 26.757814][ T95] Disabling lock debugging due to kernel taint
[ 26.764016][ T95] Kernel panic - not syncing: panic_on_warn set ...
[ 26.770953][ T95] CPU: 0 PID: 95 Comm: kworker/0:2 Tainted: G B 5.7.0-rc6-syzkaller #0
[ 26.780485][ T95] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.790540][ T95] Workqueue: events request_firmware_work_func
[ 26.796673][ T95] Call Trace:
[ 26.799938][ T95] dump_stack+0xef/0x16e
[ 26.804153][ T95] panic+0x2aa/0x6e1
[ 26.808028][ T95] ? add_taint.cold+0x16/0x16
[ 26.812680][ T95] ? retint_kernel+0x10/0x10
[ 26.817240][ T95] ? kfree_skb+0x32/0x3d0
[ 26.821541][ T95] ? trace_hardirqs_on+0x55/0x200
[ 26.826535][ T95] ? kfree_skb+0x32/0x3d0
[ 26.830834][ T95] end_report+0x4d/0x53
[ 26.834968][ T95] __kasan_report.cold+0x72/0x7d
[ 26.839876][ T95] ? kfree_skb+0x32/0x3d0
[ 26.844174][ T95] ? kfree_skb+0x32/0x3d0
[ 26.848472][ T95] kasan_report+0x33/0x50
[ 26.852775][ T95] check_memory_region+0x173/0x1d0
[ 26.858030][ T95] kfree_skb+0x32/0x3d0
[ 26.862159][ T95] htc_connect_service.cold+0xa9/0x109
[ 26.867596][ T95] ath9k_wmi_connect+0xd2/0x1a0
[ 26.872436][ T95] ? ath9k_fatal_work+0x20/0x20
[ 26.877261][ T95] ? ath9k_hif_usb_firmware_cb.cold+0xde/0xde
[ 26.883309][ T95] ? ath9k_wmi_event_tasklet+0x440/0x440
[ 26.888914][ T95] ath9k_init_htc_services.constprop.0+0xb4/0x650
[ 26.895299][ T95] ? ath9k_reg_rmw_flush+0x2d0/0x2d0
[ 26.900556][ T95] ? lockdep_init_map_waits+0x26a/0x7c0
[ 26.906083][ T95] ? __raw_spin_lock_init+0x34/0x100
[ 26.911340][ T95] ? tasklet_init+0x69/0x110
[ 26.915911][ T95] ath9k_htc_probe_device+0x25a/0x1da0
[ 26.921355][ T95] ? ath9k_init_htc_services.constprop.0+0x650/0x650
[ 26.928003][ T95] ? usb_submit_urb+0x6ed/0x1460
[ 26.933275][ T95] ? usb_free_urb.part.0+0x52/0x110
[ 26.938447][ T95] ? usb_free_urb+0x1b/0x30
[ 26.942944][ T95] ath9k_htc_hw_init+0x31/0x60
[ 26.947681][ T95] ath9k_hif_usb_firmware_cb+0x274/0x510
[ 26.953295][ T95] ? ath9k_hif_usb_resume+0x320/0x320
[ 26.958643][ T95] request_firmware_work_func+0x126/0x242
[ 26.964366][ T95] ? request_firmware_into_buf+0x90/0x90
[ 26.969974][ T95] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 26.975677][ T95] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 26.980943][ T95] ? _raw_spin_unlock_irq+0x1f/0x30
[ 26.986114][ T95] process_one_work+0x965/0x1630
[ 26.991025][ T95] ? lock_release+0x720/0x720
[ 26.995674][ T95] ? pwq_dec_nr_in_flight+0x310/0x310
[ 27.001020][ T95] ? rwlock_bug.part.0+0x90/0x90
[ 27.005931][ T95] worker_thread+0x96/0xe20
[ 27.010476][ T95] ? process_one_work+0x1630/0x1630
[ 27.015646][ T95] kthread+0x326/0x430
[ 27.019706][ T95] ? kthread_create_on_node+0xf0/0xf0
[ 27.025139][ T95] ret_from_fork+0x24/0x30
[ 27.030077][ T95] Kernel Offset: disabled
[ 27.034385][ T95] Rebooting in 86400 seconds..